As the 23rd June referendum on Britain’s membership of the European Union looms, the possibility that Britain will exit the European Union (“Brexit”) raises data privacy issues.
Being part of the EU has meant that UK businesses are subject to numerous data protection laws. The UK has enacted most of its domestic data protection laws, such as the Data Protection Act 1998 (DPA), to implement European Directives. If a Brexit occurred, our existing domestic legislation would remain unless and until changed by the Government.
This means that businesses in the UK would continue to be subject to the DPA. The Information Commissioner’s Office would remain as our data protection authority with regulatory powers to conduct investigations into breaches of the DPA and issue penalties for non-compliance.
Any UK business which offers goods or services to European consumers or which has a website which is accessible in Europe will, in addition to complying with the DPA, need to comply with European data protection laws, such as the new General Data Protection Regulation (GDPR).
Most UK businesses are almost certainly going to need to transfer personal data to Europe and also to other countries outside Europe such as the US. Currently, while the UK remains part of Europe, there are restrictions against transferring personal data outside Europe without consent from the individual, other than to certain “adequate” countries such as Canada or Switzerland, or unless the business has in place a legally permissible mechanism, such as model clauses or binding corporate rules.
If the UK leaves Europe, the Government will need to decide if it will retain the same restrictions for cross-border transfers or adopt an alternative solution. If the proposed EU-US Privacy Shield is enacted, the UK will need to decide if it will adopt a similar model for data transfers from the UK to the US if the current restriction on such data transfers is retained.
Additionally, the UK is likely to apply to the European Commission for a decision of “adequacy” allowing European countries to transfer personal data to the UK. This will, of course, depend on whether the Government has passed laws which differ from the current DPA and whether the European Commission views the standard of “adequacy” as having been raised after the GDPR becomes effective.
Data security is becoming increasingly important for businesses. Similarly, privacy is becoming increasingly important for individuals globally. It therefore seems unlikely that any government would wish to repeal the DPA and pass weaker data protection laws in the UK, thereby undermining consumer confidence in UK businesses and potentially exposing UK businesses to increased data security breaches.