The referendum vote in favour of Brexit means that, as we all know, in due course the UK (well, at least England and Wales) will probably no longer be members of the EU. This of course assumes that the Government (whoever that may be) heed the result of the poll, which it is not bound to do. The referendum is not binding, merely advisory. In order to start the formal divorce from the EU, the Government needs to commence what is known as the Article 50 process. Article 50 is part of the Lisbon treaty and is the mechanism by which a country leaves the EU. David Cameron did not trigger that process before he resigned so this leaves many questions unanswered. Those questions often stray way beyond employment law and into the outer reaches of constitutional law. Suffice to say that as at the time of writing there is plenty of uncertainty about whether the UK will even trigger the process at all, or if it does when that will happen. This uncertainty could drag on for several years.
In the meantime, what happens to our EU-based data protection laws in the immediate aftermath of the Brexit vote?
What do we already know?
We updated you in our April Newsletter Government reforms (1): Data protection – changing times… and our June Newsletter Government reforms (2): data protection changes – guidance on its way about the new General Data Protection Regulation (GDPR), which will replace the current EU Data Protection Directive and national data protection legislation.
The GDPR is due to apply to all EU member states from 25 May 2018.
In light of the Brexit vote, you might well wonder about the future of the GDPR and whether it will apply to the UK.
On the face of it, the answer ought to be simple: because we’re leaving the EU, the GDPR will never apply to the UK. However, if we’ve learnt one thing during the EU referendum, it’s that nothing on this subject is simple.
First of all, there remains a chance, of course, that we may not end up leaving the EU, at not least in the next 2 years (talk of a second referendum, years of negotiations, etc.) It’s possible that we may still be an EU member state by the time the GDPR comes into force and currently there is no exemption in its rules to say that we would not have to comply just because we might be heading towards leaving the EU on the date on which it comes into force.
Second, even assuming we do leave the EU, if we want to trade with the EU single market on equal terms the EU will almost certainly require us to meet EU data protection standards, meaning that we would in effect still have to comply with the GDPR. Indeed, the ICO has been clear throughout the referendum process that businesses should continue to make arrangements to comply with the GDPR, even in the event of a Brexit.
Therefore, despite the temptation to ‘down tools’ on preparing for GDPR, it would be wise to continue to get ready since, even if the GDPR does not ever directly apply to us, it is likely that we may end up having to comply with it anyway and no doubt the UK’s data protection laws will evolve to keep up with the GDPR too.
For further updates we recommend that you check the ICO’s website at https://ico.org.uk and watch this space for further developments…