Brexit: Data protection and cyber security law implications

24 June 2016

James Mullock, Simon Shooter

Even though the UK has voted to leave the European Union (EU), UK organisations are likely to face a data protection and cyber security law landscape heavily influenced by EU laws for the foreseeable future.

The cornerstone of the UK’s current regulatory regime (the Data Protection Act (DPA)), is based on laws written in 1995, when Google was 3 years from incorporation, Mark Zuckerberg was 11 and cloud computing was in its infancy as compared to today. It is long overdue a significant refresh.

A date for that refresh is already diarised for Friday 25th May 2018 – when the General Data Protection Regulation (GDPR) will come into force across the European Union. The UK will also very likely shortly be committed to implementing the so-called Cyber Directive – the Network & Information Security (NIS) Directive – along with other EU Member States, most likely by Spring 2018. A new directive for the police and criminal justice sector has also been finalised and must be passed into EU Member State law by 6th May 2018.

So what are the data protection and cyber security law consequences for the UK, now that it has voted to leave the EU?

Interesting timing

The first point to note is that the GDPR is due to apply less than two years from the UK’s likely departure from the EU. That's significant because it means that the UK will almost certainly experience life under the GDPR given the rules which will regulate its exit from the EU. Under Article 50 of the Lisbon Treaty, the UK will have to serve notice of its intention to exit the EU and negotiate a withdrawal agreement. Unless there is unanimous agreement to the contrary, the earliest that any withdrawal agreement will take effect under Article 50 seems likely to be two years from service of notice of the UK's desire to Brexit. In reality it may take considerably longer.

So unless withdrawal arrangements can now be negotiated and unanimously agreed in less than the two year period mentioned in Article 50, the GDPR will apply in the UK on 25th May 2018.

The GDPR's 'long arm' approach to jurisdiction

The second point to note is that even if the overlap between the UK's EU membership and the application of the GDPR in the UK were to be short lived, any UK business which trades in the EU will have to comply with the GDPR despite any Brexit taking effect.

That's because the GDPR's many obligations will apply to organisations located anywhere in the world which process EU citizen’s personal data in connection with their offer of goods or services, or their "monitoring" activities (defined to pick up many online behavioural marketing activities). Also, any UK business which has a group company or staff operating within the EU will have to comply with the GDPR's provisions. Likewise the amendments to the e-Privacy Directive when they are finalised in due course.

The UK's post-Brexit options and 'adequacy'

In light of the Brexit vote on 23 June, the most obvious options for the UK for interacting and trading with the EU are particularly interesting when looked at through a data protection law lens:

The European Free Trade Association (EFTA) model: often referred to as the Norwegian model, if it takes this route, the UK will remain a party to the European Economic Area (EEA) Agreement. It will therefore benefit from free trade arrangements and be included in the EU single market but will have to commit to comply with certain fundamental EU rules and restrictions. For Norway, Iceland and Lichtenstein (the existing non-EU members of the EEA) this currently means that they have each implemented the Data Protection Directive and the e-Privacy Directive into their respective local laws. It seems unlikely that the UK will be able to avoid accepting the GDPR as is if this option is adopted.

The Swiss model: Switzerland is not a member of the EEA, but is a member of the EFTA. It accesses the EU single market via a regularly updated bilateral agreement. Switzerland has its own data protection laws which look and feel very similar to the laws of an EU Member State which has implemented the Data Protection Directive. Indeed, Switzerland's laws have been recognised as "adequate" by the European Commission (EC) – i.e. adequately protective of the rights of EU citizens thereby enabling transfers of personal data from EU data controllers to Swiss based importers to legitimately take place. It remains to be seen whether, when and how Switzerland will update its current data protection laws to mirror the GDPR to ensure that its 'adequacy' decision is not revoked by the EC after the GDPR comes into force, although the Swiss government has already indicated its intention to seek to retain its adequacy status after May 2018. The U.K. would face the same decision in relation to GDPR adoption were it to adopt a Swiss style relationship with the EU.

The 'go it alone' model: the UK might now seek to strike deals with the EU independently or via collective organisations, such as the WTO (i.e. following the approach currently adopted by countries such as Canada and the USA.) If it does so then, on the face of it (and as with the Swiss model), it will have free rein to choose the form of data protection laws which it introduces to update the DPA. However, recent history tells us that, when it comes to the question of data transfers, EU regulators and courts take an extremely dim view of countries which do not adopt EU-strength data protection laws. The current stand-off with the USA in respect of the now invalid Safe Harbor data sharing arrangement is a case in point. The UK economy, in particular its financial services sector, relies on an ability for data to be freely transferred to and from the UK.

If the UK were to decide to not upgrade its data protection laws to a GDPR level standard, the question will inevitably arise soon after the GDPR's 25th May 2018 introduction whether the UK laws offer data protection 'adequacy'. The answer will almost certainly be that they do not. That will put the UK in the position of having to adopt either EU strength data protection laws (to join countries such as Canada as benefiting from an adequacy decision), or an EC approved data transfer mechanism (as the USA is currently seeking to do via the EU-US Privacy Shield) if it wants to avoid inconveniencing UK businesses, by forcing them to adopt other adequacy mechanisms, such as the EC's standard contractual clauses, every time they receive data from the EU. Historic criticism of the UK's security services in the context of the revelations made by Edward Snowden will very likely be raised by the EC as well as EU based data protection regulators in the context of any future discussion regarding UK 'adequacy'.

Looking at each of these options it seems likely that either the GDPR or a law that looks very like it will be required in the UK after Brexit takes effect.

The impact of the Brexit vote upon the ICO

Those familiar with EU data protection regulation will be aware that the Article 29 Working Party (A29WP), whose members include representatives from each EU Member State's regulatory authority, regularly issue important opinion papers on key data protection issues.

In the run up to application of the GDPR commencing on 25th May 2018, the A29WP will publish hugely significant opinions and guidance which will, to a large extent, shape interpretation of the GDPR. The GDPR will then replace the A29WP with the 'European Data Protection Board' (EDPB), which is set to play a very significant role in data protection compliance as a body central to the formation of guidance, approval of codes of practice and certification schemes and, crucially, as the appellant board for GDPR disputes. Like the A29WP, the EDPB will be comprised of regulators from each EU Member State (among others).

In relation to both the A29WP opinions and EDPB activities, the ICO's voice would appear to be increasingly redundant in the aftermath of the Brexit vote. In relation to the EDPB, unless an exception can be negotiated (and is that really feasible?) it seems that the often comparitively liberal voice of the ICO will lose its seat at the top regulatory table once the UK exits the EU. 

The large number of UK businesses which are likely to fall under the jurisdiction of the GDPR could find themselves in the position of being subject to guidance and/or being judged by a body which does not include their own national regulatory body.

It will be interesting to see the extent to which the ICO's voice is valued within the A29WP discussions on significant data protection policy issues between now and Brexit taking effect, whether those issues relate to the GDPR or to other important topics, such as the future of the EU-US Privacy Shield.
A word about the NIS Directive

Once Brexit takes effect (presumably at some point after June 2018) the UK will no longer be obliged to implement EU Directives into its national law. This may include the NIS Directive, although on its current legislative timetable the NIS Directive seems likely to be required to be implemented in to Member State law before any Brexit takes effect – perhaps in the UK as the Cybersecurity Act 2017 or 2018.

The sense in a decision to not adopt the NIS Directive or a near clone of it into UK legislation would be questionable. It is hard to identify much of the directive that doesn’t make plain common sense. Clearly its provisions that address a pan-European approach to minimum capacity building and planning requirements, exchange of information, cooperation and common security requirements will need to be reconsidered, but the obvious benefits of commonality of approach to the global threat of cybersecurity will be a spur to find ways to voluntarily lock into the EU adopted NIS Directive regime.

Although the nation has now voted for Brexit, the UK will no doubt wish to continue to trade with the EU, therefore closely comparable data protection and cyber security laws in many areas will be necessary to avoid barriers to trade.

We intend to update our guidance in this area as the data protection and cyber security law implications become clearer.