This is part of Out-Law's series of news and insights from Pinsent Masons experts on the impact of the UK's EU referendum.
While the EU's General Data Protection Regulation (GDPR), finalised last month, is scheduled to come into force on 25 May 2018, the uncertainty of the outcome of UK negotiations on the terms of its exit from the EU brings into question whether or for how long the Regulation will directly apply in the UK.
Data protection law specialist Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said that UK data protection laws will remain unchanged in the short term and that the GDPR will apply directly in the UK unless the UK government takes specific action in the area of data protection prior to the Regulation coming into force.
In a statement a spokesperson for the Information Commissioner's Office (ICO) in the UK confirmed that the Data Protection Act "remains the law of the land" at the moment. It said that UK data protection reforms are "necessary" and that the data protection framework in the UK would need to accord to the standards outlined in the GDPR if the UK wishes to "trade with the [EU] single market on equal terms" in the event that the Regulation does not "directly apply to the UK".
The ICO spokesperson said: "If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the single market on equal terms we would have to prove 'adequacy' - in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018."
"With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that would continue to be the case. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary," they said.
Dautlich said that if action is taken to prevent the GDPR applying directly in the UK, UK data protection laws would probably be changed to "reflect standards similar to GDPR after May 2018, to the extent that the UK wants to trade with the EU on equal terms, albeit there may be differences in relation to some of the mechanisms and provisions".
"The theme of mutual recognition of laws is central to the future shape of UK data protection legislation, as many other areas of law," Dautlich said. "The UK broadly has a choice of four possible models of relationship with the EU after formal notification is given to withdraw membership. The UK's data protection regime will be shaped by whichever model it negotiates. The existing Data Protection Act will be with us for some time to come, and precisely how GDPR is likely to be dealt with is difficult to assess until the new relationship model has been established following political manoeuvring."
"The Norwegian model (EEA model) provides for free movement of services as well as goods, and of EU nationals, between the UK and the rest of Europe," Dautlich said. "Norway complies with about three quarters of EU legislation but has very little influence over its content. Under this model, it would be unlikely that the UK would move significantly away from GDPR or the EU's Network and Information Security (NIS) Directive that has also been finalised in recent times."
"In terms of likelihood of this model applying, the view has been expressed that it might serve as a transitional model, given the volume of work involved for the UK government in negotiating the trading deals with the EU and with the rest of the world too. However, people favouring Brexit might be opposed to free movement of EU nationals between the UK and the rest of Europe continuing untouched, given the centrality of that issue to the referendum debate," he said.
Dautlich said that the Swiss model that the UK could adopt is similar to Norway's relationship with the EU, except that it provides for limited free movement of services and entails compliance with fewer elements of EU legislation. A long list of detailed trade agreements between the EU and UK would be needed if the UK wished to adopt the Swiss model, he said.
"The impact on data protection legislation would depend on the extent to which as trading partners the EU and UK wished to make the free flow of services, such as financial services, payment services, technology services, and of capital, as easy as possible," Dautlich said. "To the extent that they did, the impact on data protection legislation would also be likely to be smaller than otherwise would be the case. One might perhaps see, for example, that the UK information commissioner might be given more freedom of manoeuvre on enforcement."
Dautlich said the UK could also adopt a Canadian-style model relationship with the EU, an entirely bespoke arrangement, dubbed as such to reflect the free trade agreement negotiated between Canada and the EU over a seven-year period. The agreement is not yet in force.
"The Canadian model provides for a la carte access for UK goods and services through the EU," Dautlich said. "The length of time taken to negotiate the Canadian deal is a reflection of the number of goods and services that negotiation teams worked through. But what price would the UK have to pay for such a deal? Free movement of EU nationals into the UK, as would apply under the Norwegian and Swiss models, is currently expected to be a key EU negotiation point."
"Legal uncertainty over UK data protection legislation during the intervening period of negotiation would be highly likely but in practical terms one would expect services businesses in both the EU and UK that depended upon one another, and goods businesses that depended on free movement of large numbers of staff to and from the EU, to seek commitments from government to ensure free flow of personal data between the UK and the EU. This would mean the UK having to reassure the EU that its data protection laws were adequate, in line with EU requirements for data transfers from the EU outside of the EEA, which in practice would tend towards a GDPR-friendly legal framework," he said.
Dautlich said that the information commissioner's enforcement powers would be expected to reflect some independence from the position of EU data protection authorities under the Canadian model, as would be the case with the Swiss-style deal.
"As for CJEU case law, this of course remains to be decided too, but one could foresee that existing case law might be stipulated in relevant legislation to be persuasive, and that future CJEU case law would not be binding on UK courts," said Dautlich.
Failing successful negotiations, the World Trade Organisation model to govern UK trade with the EU would apply without the need for negotiation, which would see tariffs applied to that trade, Dautlich said. Under that deal there would be limited access between the EU and the UK for services, and no free movement of EU nationals into the UK or vice versa, he said.