For months, data protection lawyers have been warning businesses in the UK to make preparations for the pending General Data Protection Regulation (the “Regulation“), due to come into force in May 2018. The Regulation provides for a ratcheting up of data protection obligations and a hefty new fining regime for breaches of these obligations of up to 4% of global turnover.
The question which arises is whether in light of the referendum vote in favour of Brexit, those preparations are still appropriate. We consider that they are, because we believe that the Regulation is still likely to constitute our data protection law as from May 2018. This is for the following reasons.
EEA members must comply with European Union data protection law
One likely option for the UK will be to join the European Economic Area (the “EEA“), along with Norway, Iceland and Lichtenstein. The rules of the EEA and in particular its agreement with the EU mean that while some EU legal provisions do not apply, EEA members must fully subscribe to the four freedoms, that is freedom of movement of persons, capital, goods and services. This includes the law of data protection.
It may be that even as a member of the EEA, the UK seeks and succeeds in obtaining a bespoke deal, so that it does not have to comply fully with these laws. However, any exceptions if permitted at all are likely to be extremely limited and restricted to areas where there is an overwhelming political imperative, such as in relation to free movement of persons. In respect of data protection, there is no such political imperative and it is thus likely that the UK will accept EU law in this area in full, including the Regulation.
Even if the UK opts to be outside of the EEA and instead has some other arrangements with the EU, it is very likely to want to be in a position where there can be a free transfer of personal data between entities within the remaining EU Member States and those in the UK. In the information age, anything else seems unthinkable with our major trading partners.
Under the Regulation, that can be achieved only in particular circumstances, the most encompassing being if under Article 45 of the Regulation, the European Commission decides that the UK “ensures an adequate level of protection” in respect of personal data. But in order to obtain this status, the UK is likely to have to adopt a reasonably high degree of protection for personal data, likely to be broadly akin to the Regulation. Indeed, the UK’s data protection authority, the Information Commissioner’s Office, has already expressed the view that notwithstanding the referendum result, the current reform of UK data protection law remains necessary in order to ensure international consistency around data protection laws and rights.
In any event, the timing points to the retention of the Regulation or similar at least into the medium term. As stated above, the Regulation is due to come into effect in May 2018. Being a Regulation it has direct effect in Member States without any domestic legislation. Under Article 50 of the Lisbon Treaty, the UK must (at least ostensibly) give two years’ notice to leave the EU. That means that unless a special deal can be done (which is unlikely) the UK will still be in the EU in May 2018 and the Regulation will come into force.
When the UK finally leaves the EU, there will no doubt be legislation in effect generally keeping in force the corpus of existing EU law, including Regulations, extant on the date of departure. Otherwise, there is a danger of large gaps emerging in our law, given how much of it is provided for by EU at present.
From that point on, the UK Parliament may be able to make changes to this corpus, repealing some provisions and amending others. But there will be an enormous schedule of work and data protection is unlikely to be a priority. Indeed, it is difficult to see any significant political constituency advocating any reversal of data protection laws. Shortly after the referendum vote, the Information Commissioner, when issuing his annual report, emphasised:
“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”
So for these reasons as well, we can expect the Regulation to remain in effect for a considerable period.
Accordingly, it seems very likely that the Regulation or something very much like it will be our substantive law on data protection from May 2018 and for some time after.
But potentially different interpretation
Where things may be different is in respect of the interpretation of that law. Data protection is perhaps the area where the Court of Justice of the European Union (the “CJEU“) has been at its most adventurous and exorbitant. For example, the CJEU’s decisions in Digital Rights Ireland, Google Spain and Schrems have radically altered the understanding of data protection law in the EU and had significant effects on governments and commercial operators. Moreover, much of the reasoning in the judgments in these cases and indeed other judgments of the CJEU seems somewhat alien to UK legal traditions.
If and when the UK leaves the EU, the courts of the UK will no longer have access to the CJEU and the CJEU will no longer be the final arbiter of the interpretation of data protection law in the UK. Instead, should the UK opt to join the EEA the UK courts will be able to refer matters to a different court, the EFTA Court. This is currently something of a relative judicial backwater, comprised of three judges, one from each of the EFTA States (Norway, Iceland and Lichtenstein). But with the UK in the EEA, one could see that the EFTA Court could be much more influenced by UK judges and UK judicial reasoning. Although there has always been a substantial cross reference between decisions of the CJEU and the EFTA Court, there is no reason why the latter could not seek to chart an independent identity. That could possibly in time result in a different application of data protection law for EEA states.
Equally, if the UK is outside the EEA, the final arbiter of the interpretation of data protection law in the UK will be our own Supreme Court. Given that the wording of the law is likely to remain identical or nearly identical to that in the EU, no doubt decisions of the CJEU are likely to remain highly influential on the reasoning of the Supreme Court on such matters. But they are unlikely to be determinative. Indeed, given the political context of the Brexit vote, for the UK to exert greater independence, the Supreme Court may well be minded to take a different approach.
But all this is for the future and remains highly speculative. For the present, the best view must be for commercial entities simply to assume that the Regulation will come into force in May 2018 and will remain in force for the foreseeable future and all preparations for that should continue.