The UK government in May 2018 has implemented the Data Protection Act (DPA) in accordance with some of the European General Data Protection Regulations (GDPR). However, with Brexit negotiations materialising and declarations that the UK will be leaving the EU Digital Single Market, there is uncertainty surrounding whether the UK's DPA will change, and subsequently how data will be handled between the UK and Europe. The UK government has requested that a co-operative relationship between the UK and the EU is achieved to ensure a free-flow of data. However, Brexit does have the potential to revise and reshape the protection regulations in the UK. Therefore, organisations need to consider and prepare for how the DPA will apply to the UK post-Brexit.
Which aspects of the DPA will potentially cause problems following Britain's exit from the EU?
The UK needs to have a free-flow of data between the EU and the UK for business, economic and security interests. However, the European GDPR may prevent this from happening, especially due to Article 45. The UK's exit from the EU will initiate its status as a third country, when referenced in EU law, and Article 45 specifies that the UK would have to achieve an adequacy arrangement to enjoy a transmission of data between the UK and the EU. This status as a third country will demand action from the UK government, to ensure that there is still a relationship of mutual co-operation between the UK and the EU. The transfer and protection of personal data between data controllers is essential, as data privacy and data protection are vital in terms of personal rights, as well as the digital economy.
The EU Commission has ten adequacy arrangements with third countries outside of the EU already, in line with the 1995 Directive. To achieve this adequacy arrangement, the UK would have to meet the EU Commission's expectations regarding the UK's own commitment to data protection and the effectiveness of its legal framework. The UK government has mostly aligned UK data protection law with the GDPR to try and ensure a smooth transition and to mitigate the risks to businesses.
However, if the UK is denied an adequacy arrangement then businesses would experience the repercussions, in the form of EU safeguards which would initiate added costs to businesses. Businesses which are reliant upon personal data capture, such as marketing, telecommunications and finance organisations, would suffer the most if this post-Brexit situation was to occur. These organisations are reliant on free-flowing channels of data between the UK and the EU, yet if there are economic obstacles then these organisations will experience detrimental effects.
Furthermore, the EU-US Privacy Shield has allowed the EU and the US free access to data; however, if the UK does not achieve an adequacy arrangement from the EU, the UK will not have access to data from the US. If this happens, the UK will have to confront economic and security challenges.
What has the UK data protection bill put into place to create a smooth transition out of the EU in 2019?
Whilst implementing the DPA, the UK government did so with the consideration that Britain is leaving the EU. Therefore, the UK bill factors in the differentiations between the European data regulations and the UK data regulations, and therefore the UK government apply the new standards to all UK data, not just areas which are under EU competence.
The UK government have expressed a desire for the continuation of the UK's Information Commissioner's Office (ICO) role, which would be used to ensure UK businesses are still represented in the EU, and to ensure that the UK are fairly represented in disputes. However, this attempt to streamline the process of communication between the UK and the EU has not yet been put into effect, and there is no guarantee that by 2019 the UK ICO will be given a role in the EU data regulation process.
Effects on Immigration in a post-Brexit UK:
Some commentators on the UK's DPA have suggested that Brexit could allow the UK government to establish discriminatory immigration laws. The UK government has implemented aspects of the EU's GDPR, such as allowing some organisations exemption from the DPA. For example, the Home Office is exempt from the DPA and have the legal right to reject data subject's access requests to their immigration documents. This has been particularly controversial because Brexit means that over 3 million EU citizens will have to register their residence, and this will be hard due to data subjects not being able to retrieve their personal data from the Home Office.
The uncertainty which surrounds Brexit has instigated an atmosphere of apprehension within the business sector, and therefore it is vital to gain a well-informed stance on the implications of a post-Brexit UK. Organisations and staff members need to be aware and prepared for the repercussions they might have to confront, if the UK government do not achieve an adequacy agreement post-Brexit.