Brexit - will the UK deliver the GDPR and do we need an "adequacy decision"?
June 15, 2017
Now that the General Election is done and we're through purdah, we can return to the issue of Brexit. A big question for data protection is will the GDPR apply in the UK after Brexit?
The best answer, taking account of the political, economic, social and legal issues, is yes, it will apply, for many reasons. The most obvious ones are:
- The GDPR will automatically come into force next May, nearly a year before the expiry of the two year Article 50 Brexit negotiation window, and none of the major political parties have argued for the UK to pull back from that position. In fact, the clearest political statements are supportive of GDPR post-Brexit. Without an overriding political will to pull back, the GDPR must continue to have effect. However, a legal mechanism will be needed to achieve this outcome. The mechanism will be found in the solution to the "cliff edge" dilemma.
- To avoid a cliff edge at the end of the Article 50 period the Government will need a practical legal mechanism to manage the transition from the sovereignty of EU law to the sovereignty of UK law. The previous Government identified "The Great Repeal Bill" as that mechanism. Whether we get that, or something else, remains to be seen, but the substantive result of managing the cliff edge will be the same - the GDPR should remain in force after Brexit. The Great Repeal Bill identified an obvious solution, namely a UK law saying that all EU laws will continue to have effect post-Brexit until they are repealed.
- The UK is a Parliamentary democracy and an advanced economy, subject to the Rule of Law. These characteristics make adherence to data protection inevitable (hence why data protection laws are being adopted all over the world). The UK has one of the world's strongest legal and regulatory environments for personal data (see the latest PwC Enforcement Tracker for some perspectives). The UK regulator, the ICO, is one of the world's best resourced, most skilful and most active data protection regulators, while our domestic courts are consistently supportive of data protection and privacy rights. The UK is undoubtedly a global leader in this field. Our leadership is not dependant on being in or out of the EU.
- Plainly, it is in the UK's economic interest to be strong on data protection, as this reduces the barriers to world trade.
- Plainly, it is also in the UK's social interest to provide the highest protections for data protection rights. Again, no major political party is arguing for the erosion of UK citizen (i.e., voter) data protection rights relative to those of other citizens in the EU.
Therefore, GDPR seems inevitable in post-Brexit UK, albeit there are choices on the legal mechanisms to deliver it. I would not be surprised if the UK adopted a "GDPR Act", perhaps by way of amendment to the Data Protection Act, because there is certainly going to have to be a mechanism to deal with the DPA and the many pieces of secondary legislation that support it: this might nudge the balance of the argument towards a combination of a Great Repeal Bill plus GDPR Act.
Another big question is whether the UK will require an "adequacy decision" from the EU in order to maintain data flows to our shores. As a matter of law, an adequacy decision will not be required. Most countries in the world cope quite happily without one (there are around 11 adequacy decisions): there are other mechanisms that can be used to maintain the flow of personal data from Europe to the UK (eg, BCR, approved "model contracts", individual consents and ad hoc B2C contracts). Of course, an adequacy decision would be beneficial, particularly because it would remove any doubts and misconceptions; because everyone recognises that business thrives on certainty; and because it would reduce administrative burdens - but in a legal sense the UK will be fine without one.
If you're interested in understanding more of the issues, you might want to watch this video of proceedings before the House of Lords Home Affairs EU Sub-Committee, where the GDPR issues arising from Brexit were examined in some detail: