Brexit and the Future of Data Protection


As we all reel in shock at today’s news, thoughts will inevitably turn to how our impending divorce from Europe will impact on the sphere of data protection. Our own data protection laws have of course been profoundly shaped by Europe. Until yesterday, many had assumed that Europe’s control over our data protection laws would in due course become even more intensive, as we journeyed into a world in which the EU Data Protection Regulation reigned supreme across Europe. However, the clocks have stopped. The Regulation is not to become law in the UK. The future of data protection law is therefore necessarily shrouded in mystery.

It will be many months (if not years) before we start to have an appreciation of how precisely Brexit will impact on domestic laws relating to data protection, and I for one am not going to indulge in any creative crystal ball gazing. However, here’s what we do know:

–          first, on the (possibly unsound) assumption that Brexit has not sounded the death knell for the entire European project, UK businesses which offer services into the EU, or whose data processing activities otherwise fall within the wide jurisdictional scope of EU data protection laws, will still need to have a complete understanding of the Regulation and how compliance with the Regulation is to be achieved;

–          second, again assuming the entire European Union does not crater following Brexit, when addressing its own data protection regime, the UK will have to have in mind the ramifications of the CJEU’s judgment in Schrems and, by extension, will have to ensure that our laws are formulated in a way that does not have a chilling effect on data sharing from Europe into the EU;

–          third, UK legislators will otherwise have to ponder carefully the extent to which the changes embodied in the Regulation are in any event consonant both with: (a) domestic appetites with respect to the protection of data privacy rights and also (b) developing principles relating to the application of Article 8 of the European Convention on Human Rights (On the latter point, our divorce from the EU does not per se break our legislative and jurisprudential ties with the European Convention on Human Rights, although who can now say with any confidence that that break does not itself lie in our near future?);

–          fourth, judgments such as the pivotal judgment of the Court of Appeal in Vidal-Hall v Google,  which rely heavily on European law principles, including the principles embodied in the European Charter of Fundamental Rights, will inevitably have to be revisited in a post-Brexit world.

11KBW, as the undoubted leader in the field of data protection rights, will in due course be holding events to address these issues, along with other information rights issues arising out of Brexit, including the impact on the regime governing access to environmental information. Those events will of course be advertised on this blog.

In the meantime, I leave you to ponder whether Caliban’s sweet reveries in the Tempest reflect the world to which we have all awakened this morning, or whether we are now living in an altogether darker ‘Isle’:

Be not afeard; the isle is full of noises, Sounds, and sweet airs, that give delight and hurt not. Sometimes a thousand twangling instruments Will hum about mine ears; and sometime voices That, if I then had waked after long sleep, Will make me sleep again; and then in dreaming, The clouds methought would open, and show riches Ready to drop upon me, that when I waked I cried to dream again.

Anya Proops QC