Brexit and GDPR: potentially the two topics literally NO ONE wants to talk about anymore. Funnily enough, they’re also two topics that people can’t stop talking about, no matter how much we maybe wish we could. As Brexit fast approaches (in one form or another at least) there are data issues that need to be taken into consideration. So, could Brexit save us from GDPR?
GDPR came into force on 25 May 2018 and operates at a European legal level. This means that every nation within the European Economic Area (EEA) is subject to compliance, whether their national laws dictate this or not. Most nations beefed up their own data protection laws alongside GDPR’s launch. In the UK, the Data Protection Act 2018 (previously the Data Protection Act 1998) facilitates GDPR in the UK. Break either of those laws and you answer to the Information Commissioner’s Office (ICO). As we’re all probably aware by now, GDPR has global consequences because it doesn’t just deal with nations within the EEA; it applies to EEA citizen data. So even if you’re not in the EEA, you have to comply and have suitable data protection laws in place to be able to handle EEA citizen data.
The ‘third country’ problem
The first problem that rears its head is that when the UK leaves the EU, we will become what is known as a ‘third country’ under GDPR. Currently, GDPR allows personal data to be transferred between EEA nations. What it also does is make it illegal to transfer to any nation outside of the EEA unless they have suitable data protection at a national level to safeguard the data that is being transferred.
Now you might be thinking ‘well that’s ok; the Data Protection Act would make us compliant so no big deal.’ Actually, it is quite a big deal: just because we may have adequate laws in place doesn’t mean we’ll automatically be approved. We’ll have to apply just like everyone else who isn’t in the EEA. Which leads us on to the next problem…
The ‘Adequacy’ Application problem
So, we’ll have to pass the ‘adequacy test’ to be allowed to handle EEA data. There are three possible outcomes to this application:
- We pass with flying colours and earn an ‘Enhanced Adequacy’ decision. Yay! We get to carry on handling EEA data and the ICO would be allowed to participate in the European Data Protection Board. This would basically mean that absolutely nothing would change.
- We pass with ok colours and earn an ‘Adequacy’ decision. Woohoo! We get to carry on handling EEA data. Not-so-woohoo: the ICO wouldn’t be able to take part in the European Data Protection Board. That might not sound so bad on the surface, but it means that we would have no say in how GDPR is enforced or administered. Inconsistencies could cause major issues.
- We’re rejected. The UK won’t be allowed to handle EEA data. That would cause MAJOR disruption for pretty much everyone, but especially businesses who operate across more than one EEA nation.
The national law problem
Our national laws as they currently stand could actually hamper our chances of being approved for EEA data handling. As it currently stands, the UK intends to withdraw from the EU Charter of Fundamental Rights. Part of this agreement covers privacy and data protection, which the UK would no longer need to agree to once we leave the EU. Another issue is the controversial Investigatory Powers Act 2016. In a nutshell, this act (also known as the Snoopers’ Charter) expands the electronic surveillance powers of the UK intelligence community and the police. Back in April 2018, the UK High Court ruled that the act violated EU law and the Data Retention and Acquisition Regulations 2018 was devised to address the violation. It’s still fiercely debated and could be one of the things that stands in the way of an adequacy decision.
What happens next?
In short, Brexit will not save us from GDPR. As with everything Brexit-related, we have no idea what’s going to happen next. It’s impossible to predict the decision the EU would make on an adequacy application from the UK. Everything will stay the same until the end of the transition period which, at the moment, is set to take place on 31 December 2020. With that in mind, it’s probably best to expect the worst (a hard rejection) and hope for the best (an all-singing, all-dancing enhanced adequacy decision).