The UK Information Commissioner's Office (ICO) has made clear (19th April) that "the UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU."
The brief statement from the ICO goes on to say that:
"The UK has a history of providing legal protection to consumers around their personal data. Our data protection laws precede EU legislation by more than a decade, and go beyond the current requirements set out by the EU, for instance with the power given to the ICO to issue fines. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and is also central to the sharing of data that international trade relies on."
The latter point, in particular, is one of enormous significance, especially with the ongoing uncertainty around data exports following the invalidation of the EU-US Safe Harbor framework in 2015. So, how could the various permutations play out given the impending EU Referendum?
First and foremost, if the UK stays in the EU then the proposed changes to the UK's data protection framework will proceed and we will see an adoption of the EU General Data Protection Regulation (GDPR). The GDPR would apply to all data controllers (and also to data processors) operating in the UK, as well as to those based outside of the EU that target UK-based data subjects.
If, however, the Referendum vote swings in the other direction with the UK voting to leave the EU, then the situation becomes far from clear. The range of options that are available in relation to the future of UK data privacy laws becomes far more uncertain.
A case for light touch data privacy laws?
It is possible that a Brexit event may allow the UK to treat this as a fresh opportunity to review law-making in this area, with a possible move to a lighter touch regime than the one under the GDPR. This would inevitably mean shunning the complete adoption of the GDPR. What would follow, and how much 'lighter' such a new privacy regime could be, is something no amount of gazing into the crystal ball can answer now.
Reality hits home?
The UK as a 'data protection haven' (in the sense of a 'tax haven') may be appealing to some, but the reality is likely to be more prosaic. Should the UK vote to leave Europe, then we believe that only a casual glance at the crystal ball is required. Why? Because in all reality it is difficult to see how the UK could avoid implementing privacy laws that are substantially similar and, arguably, at least equivalent to the GDPR.
Geographically, the UK may be separated from the European mainland, but in terms of its global positioning and the vast number of multinational businesses based in the UK, the international picture cannot be ignored when it comes to understanding what type of data privacy laws we will need to have in place. For example, exporting (often also referred to as 'transferring') personal data from Europe to countries outside of the EEA is subject to restrictions. The EU views local data privacy laws as important to establish that an adequate regime of data privacy law exists in the recipient country and also that robust solutions exist to legitimise such exports, for example, by using Binding Corporate Rules and Model Clauses. There has been significant disruption around the need to establish valid solutions for US data flows because of concerns in this regard.
In the event of the UK leaving Europe, and against the uncertainty of not knowing whether we would join the EEA and what the future relationship with Europe would look like, it is almost inevitable that the European Commission would be pushed to consider whether the UK provides for a data protection regime which is 'adequate' i.e. provides an equivalent level of data protection to the EU. A Commission-issued adequacy decision (of the type already issued for a select number of countries) would allow for the free movement of personal data to the UK from Europe without the need for taking further steps to put tools of legitimisation in place. The Commission would, of course, need to consider the robustness of the data protection law regime in the UK before making such a decision and this, in itself, would create a level of uncertainty.
Putting aside the difficult task of predicting the exact shape of a future UK data protection law, if judged by previous actions of the Commission, it is as clear as day that a lighter touch data protection regime in the UK would not impress the Commission enough for it to grant the UK an adequacy finding.
Add to the equation that the UK and the Commission have a history of not seeing eye to eye regarding the UK's ability to implement data protection laws to the standards required by Europe and it becomes an even more uphill task for the UK to feel confident that a deal over adequacy could be struck in the short term.
There are parallels to be drawn here with the furore around the striking down of the adequacy decision which underpinned Safe Harbor. Recently, we saw the Article 29 Working Party (WP) provide a cautious response to the proposed replacement for Safe Harbor, the EU-US Privacy Shield, and this lack of endorsement has meant that the uncertainty around data exports between Europe and the US continues. It is difficult to see a resolution of that very soon, and certainly not in any way that will lay this issue to bed and provide certainty. It is not, however, difficult to see that the UK could fall into a similar situation of uncertainty should any 'arrangement' be sought to pave the way for an adequacy finding for the UK after Brexit. Of course, Model Clauses and Binding Corporate Rules remain viable options subject to further twists and turns of the data exports roller-coaster, but the range of options would most likely be considerably restricted under any data protection regime which did not mirror that of the GDPR.
The invalidation of Safe Harbor following the Schrems decision handed down by the Court of Justice of the European Union (CJEU) is likely to inform the approach of the Commission if it has to make an adequacy assessment of the UK's post-Brexit data protection regime. One of the key concerns of the CJEU in Schrems was the difficulty of assessing the proportionality and necessity of the access to EU personal data by US public authorities for national security and related purposes. The WP, when presenting its findings on the Privacy Shield, laboured the point that the assessment of adequate data protection in line with the requirements of EU law in this regard is not just a matter for the US but also applies to other countries, and this is not the first time that there have been rumblings that the UK is already pushing at the limits of what is permissible under EU data protection law in this area.
Whatever the outcome of the Referendum, and following the statement from the ICO, the UK will need to continue to 'box clever' and strike a balance between privacy laws that are robust yet also smart for its global positioning and encouraging growth in areas such as technology, big data, life sciences and medical research. Should the outcome be a vote to leave Europe, then the UK would have to tackle these uncertainties to ensure that data privacy obstacles do not become a barrier to trade and commerce, especially given the UK's major role as a hub, base and launch-pad for international business.
As to how the UK would strike that balance, less reliance on that crystal ball and more leadership in terms of the UK's positioning on the world privacy stage would be required. Anything less would be short-changing the UK and the businesses that wish to internationalise from and through the UK.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.