Brexit & the Future of Data Protection Revisited

So five days on from the Brexit referendum and it is clear that that there is no clear, carefully thought out strategy for extricating ourselves from the EU legal edifice. If you feel that this ‘make it up as we go along’ approach to the biggest legal and political challenge which our country has faced in decades is somewhat less than satisfactory, you will be pleased to learn you are not alone.

But if the path to Brexit is unclear you can at least assume that the journey will not be swift. Indeed, it seems likely that it will take at least two years and probably more before we part company with our EU brethren. Why does this matter, apart from the fact that it leaves our country in a protracted state of general confusion and uncertainty? Well for the readers of this blog it matters because there is at least one major piece of EU legislation which is due to take effect within the next two years, namely the EU General Data Protection Regulation.

The GDPR is due to become law automatically in the UK on 25 May 2018. Whilst it may be that technically the UK could agree an exit from the EU prior to that date, it seems most unlikely that we will arrive at that state of affairs. Indeed, with the current vacillations over even commencing the Article 50 exit process and the fact that that process itself envisages that there will be a minimum two year period before a Member State can leave the EU, it seems that Brexit is unlikely to occur any time prior to late 2018, early 2019.

But if the GDPR is to become part of our law, how long will it remain so? Of course none of us have any definitive answers to this particular question. That said, there are certainly good reasons for supposing that the provisions embodied in the GDPR will remain subsumed within our domestic laws for some years to come. Those reasons include not least that: (a) post-Brexit, incumbent governments are likely to have more important legislative and administrative fish to fry than tackling the GDPR; (b) a heavy tinkering with the GDPR principles may well threaten our ability to secure a finding of ‘adequacy’ when it comes to cross-border data transfers from the EU, with the inevitable knock on effect on cross-border EU/UK commerce; (c) the EU may well require compliance with the GDPR as one of the pre-conditions for participation in the single market (as per the Norwegian model) and (d) there may well in any event be no public appetite within the UK to reduce the levels of protection for personal data embodied in the GDPR.

Of course there is the point that, even if we retain the GDPR provisions post-Brexit (through some form of automatic domestic legislative incorporation), our courts will be free to apply those provisions free from the shackles of CJEU jurisprudence. In that sense there will be an important departure. However, even there, the question we have to ask ourselves is whether our domestic courts will continue to be influenced by the European approach to data protection, either because they consider that that approach closely chimes with a modern, universal approach to data privacy or because they are conscious of the ‘adequacy’ issue. Notably, the ICO itself appears to take the view that there should be no seismic divergence of approach to data protection in the post-Brexit world – see his news release here.

Of course, all this is to say nothing of the fact that some elements of the GDPR in any event require domestic implementation. This is the case not least with respect to those data protection rights which may conflict with the fundamental right to free expression. What this means is that, whatever the future holds in terms of applicability of GDPR principles, the relevant incumbent government will not be able to avoid engaging in at least some active legislative debate around the data protection regime.

The good news is that all of these issues are to be canvassed and no doubt debated at length at 11KBW’s forthcoming all day conference on the GDPR – see details here.

Anya Proops QC