There will be far more erudite commentators than I recording their thoughts in respect of the Brexit and its impact on privacy and data protection over the next few days – but I still thought it useful to commit my thoughts to “paper” for our clients and staff. The gist is that things are somewhat up in the air – but we still have legal obligations to comply with the Data Protection Act and the Privacy and Electronic Communications Regulations (and other SIs) and we are reminded on a weekly basis that organisations continue to struggle with these.
The population of the UK voted to leave the EU but we remain members until the Prime Minister writes to the EU expressing a wish to leave under Article 50 of the Treaty of Lisbon. As soon as Article 50 is invoked a two-year period begins to enable the UK to exit the Union. The two-year period may by agreement be extended for a further year.
I’ve read articles suggesting that because Article 50 will not be invoked before the deadline for the implementation of the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) it is possible that UK data controllers would be expected to comply with the provisions of the Regulation between the 25th May 2018 and the date of exit from the EU. I wonder if it is realistic to expect controllers to raise their game as significantly as the GDPR demands for the window of time that the UK remains in the Union post the GDPR implementation date? I guess that this depends on the next big question: what statutory instrument will we be working to?
DPA or GDPR or both or none?
Scrapping the DPA
DPA of course implements the European Privacy Directive (Directive 95/46/EC) and has been one of the statutory instruments governing information processing in the UK for nearly 20 years. DPA was due to be repealed by the Regulation on 25th May 2018 but if we are no longer to be in Europe what is likely to happen? Is it feasible that the DPA will be thrown out as unnecessary Euro red tape? I can’t imagine so – it is well established and is valued by UK citizens but theoretically this scenario exists as a possible outcome at one extreme of possibilities: UK repeals DPA considering the Directive to be trashable European legislation! Looking around the world at countries implementing and improving their data protection legislation over the last decade or so I cannot imagine this outcome and in his blog of 24th June the ICO said that his office, “… will be speaking to government to present our view that reform of the UK law remains necessary.” In addition only last week (17 June 2016) the House of Commons Select Committee for Culture, Media and Sport published its report on the inquiry into the current state of cyber security and protection of personal data recommending a number of measures to strengthen the ICO and data protection regulation in the UK.
Adopt GDPR
The ICO has been campaigning for the DPA to be improved and strengthened for some time so it’s quite possible that the UK government would strengthen data protection law in due course – but where will this rank on the list of jobs to do after Article 50 has been invoked? Given the influence that the UK has had on the development of the GDPR it would seem sensible to simply convert it word for word into domestic legislation and as a privacy practitioner my view is that the GDPR is a great improvement on DPA. However, I fear that many people see it as an example of one of those areas of “red tape” and unnecessary EU regulation that has contributed towards driving Brexit. If government were to adopt the text of the Regulation as domestic legislation replacing DPA then we’d all know where we stood and we could continue on our DPA to GDPR migration strategies and that to me is at the other extreme of possibilities: UK adopts GDPR as domestic law.
However, I doubt that determining data protection and privacy law in an age of GB outside of EU will be at the top of the “to do” list for government so I should imagine that we will be in a state of flux for some time not knowing whether to begin working towards GDPR compliance or not. Over the last few months I have come across the view that the GDPR is simply too tough and that a Brexit would be a great idea to alleviate the United Kingdom of such burdensome legislation and it is possible that GDPR is seen as unnecessary Euro regulation for British data controllers and not implemented. And to be honest concepts such as the European Data Protection Board having jurisdiction over our own ICO, and the consistency mechanism within GDPR represent much of what the Brexiteers voted against – which means that we may end up with one of a range of possibilities in the middle ground.
Stick with DPA
One such middle-ground outcome may be that we stick with the existing DPA – we don’t scrap it and we either leave it “as is” or make some adjustments to improve it. The problem for UK data controllers is that there are already infraction proceedings brought by the European Commission against the United Kingdom for the incorrect application of the Directive into the DPA – so not to put too fine a point on it – the UK’s DPA is already considered not fit for purpose against the Directive by the Europeans and we know that it is far from fit for purpose against the Regulation. In short the UK outside of the EU would be classified as a third country with inadequate levels of protection by reason of its domestic law in regard to the protection of personal data.
For the large number of organisations who do not process any data of EU citizens the lack of an adequacy decision is largely irrelevant but for those organisations who do process the personal data of EU citizens, the 3rd Article of the Regulation sets its territorial scope to include the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the provision of goods or services or the monitoring of their behaviour. So in order to continue to process such data they are likely to have to comply with the Regulation and appoint a representative in the Union etc. etc. Therefore controllers in this position would appear to be advised to continue with their plans for compliance migration so that they can continue processing personal data within the scope of the Regulation and be able to demonstrate that they have adequate controls in place.
Two-Tier DP
Which nicely leads to yet another outcome in which we end up with a two-tier data protection compliance landscape: those organisations who are working to GDPR and those who are working to DPA or DPA2. I guess that this scenario could be compared to the US whereby State/Federal law dictates the domestic compliance and Privacy Shield/Safe Harbour/BCRs/Model Clauses etc. is adopted in the cases where compliance with the Directive is required. In this two-tier scenario a growing organisation wishing to expand into Europe would have a significant uplift in their compliance burden. In the next few months there will be a plethora of advice and guidance emanating from a variety of sources clarifying areas of uncertainty within the Regulation etc. and in the first year or so of its operation there may be a more lenient view of non-compliance in respect of regulatory action. But if we as a nation are not officially signed up to GDPR could our regulator justify spending time and money helping UK controllers to understand and implement the GDPR? A UK controller coming to the GDPR party late may well find themselves unable to benefit from the European guidance and any honeymoon period. They may also find themselves pretty much on their own without the benefit of working with other organisations and industry bodies which undoubtedly would have occurred had we voted to stay in and were continuing to work as a continent towards GDPR compliance. A two-tier system might put UK organisations at a disadvantage and increase their compliance risk.
I may have written a simplistic overview here but I am sure mine and everyone else’s thoughts will mature over time. I also know that there are other factors to consider: PECR are also based on a Directive and of equal importance we should also consider that privacy legislation is positioned as enabling a fundamental human right derived from Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms: the right to privacy. Readers will note that the UK has somewhat thrown its position on human and citizens’ rights up in the air too with talk of a British Bill of Rights.
Philip Brining
24th June 2016