This is part of Out-Law's series of news and insights from Pinsent Masons experts on the impact of the UK's EU referendum.
Baroness Neville-Rolfe, the UK minister responsible for data protection, acknowledged that the UK's decision to leave the EU means that "for a period the future will be more uncertain" and that it is not certain if the General Data Protection Regulation (GDPR) will apply in the UK.
"We do not know how closely the UK will be involved with the EU system in future," Neville-Rolfe said in a speech at the Privacy Laws & Business annual conference on data protection. "On one hand if the UK remains within the single market EU rules on data might continue to apply fully in the UK. On other scenarios we will need to replace all EU rules with national ones. Currently it seems unlikely we will know the answer to these questions before the withdrawal negotiations get under way."
"Until recently my main focus in matters digital was on the impact of the EU Data Protection Regulation. As matters stood and perhaps still stand, it was expected to take effect in the UK by 25 May 2018… All of us … need to consider carefully what might be done either to replace it if and when it ceases to have effect or, instead, if in the event it never comes into force. As I have pointed out the future might take several different forms and we need to identify as quickly as possible how best to react to whatever path is eventually chosen," she said.
"One thing we can say with reasonable confidence is that if any country wishes to share data with EU member states, or for it to handle EU citizens’ data, they will need to be assessed as providing an adequate level of data protection," Neville-Rolfe said. "This will be a major consideration in the UK’s negotiations going forward."
The minister said the UK government will "maintain close contact with the Information Commissioner’s Office during this transitional period". She said the watchdog has "an important role in helping to guide organisations who are already working hard to prepare for implementation of the Regulation".
Christopher Graham, who recently left his role as information commissioner, said late last month that UK data protection laws need to be updated regardless of whether that happens via the GDPR coming into force in the country.
UK-based organisations that offer goods or services to EU-resident individuals, or whose processing activities are related to such offering, will be directly subject to the GDPR regardless of whether the Regulation is in force in the UK, said data protection law expert Kuan Hon of Pinsent Masons, the law firm behind Out-Law.com. Organisations may well wish to continue with their preparations for GDPR compliance, notwithstanding the current Brexit uncertainties, she said.
In her speech Neville-Rolfe also admitted that there is uncertainty on what impact the vote for Brexit will have on the EU-US Privacy Shield from a UK perspective. The Privacy Shield is a proposed new framework intended to help organisations transfer personal data from the EU to the US in a way which accords with EU data protection law requirements.
The minister said: "I should mention the negotiations to agree a renewed ‘Safe Harbor’ agreement by means of the new EU-US Privacy Shield. Again it is not quite clear how this will affect the UK, but we will need a satisfactory understanding with the US of the rules to be applied."
Neville-Rolfe said it is expected that officials in the Article 31 Committee, which is scrutinising the Privacy Shield proposals, hope to "come to a swift conclusion on the text in the upcoming weeks".
Bruno Gencarelli, head of the European Commission's data protection unit, said the Committee could vote on the Privacy Shield as early as later this week and, if approved, the framework could even be ratified in a final adequacy decision of the Commission next week, according to a report by Privacy Laws & Business.
"If the UK leaves the EU, in order for it to be found 'adequate' so that personal data may be transferred to the UK from EU member states, its data protection laws must be 'essentially equivalent' to the GDPR," Hon of Pinsent Masons said.
"The GDPR also catches 'onward transfers' from the first recipient country, for example from the UK to the US. If the Privacy Shield is approved for transfers from the EU to certain US organisations, and the UK agrees separately with the US arrangements identical or at least equivalent to the Privacy Shield, then that is one way to regularise such onward transfers to the US, which would simplify matters for UK organisations that transfer EU personal data to the US, for example by using US processors. So there is an incentive for the UK to agree a parallel Privacy Shield directly with the US even if the UK leaves the EU," she said.