On June 23, 2016, the UK held a referendum to decide on its continued membership in the European Union. The outcome was a decision for the UK to withdraw from the European Union. Despite the result, data protection standards are unlikely to be affected.
The full details of how and when the UK will negotiate its exit from the EU are still unclear. The process for withdrawal will be a long one, and unless there is an agreement to the contrary, it will take a minimum of 2 years. The next step is for the UK to serve notice of its intention to exit the EU using the formal legal procedure set out in Article 50 of the Treaty on European Union. As yet, no notice has been served, and one is unlikely to be served until a new UK prime minister is in place, widely expected to be in October 2016.
From a data protection perspective, any change will not be immediate. Regardless of the referendum result, the incoming EU General Data Protection Regulation (“GDPR”) will become law on May 25, 2018, meaning that the UK will almost certainly experience life under the GDPR. Businesses will therefore need to continue to prepare for, and start to comply with, the GDPR despite the UK’s withdrawal from the EU. Other EU Member States must also comply with the GDPR beginning May 25, 2018.
Given that businesses will want to trade in the EU, once the UK formally leaves the EU, it is highly likely that the UK would seek to put in place a legal framework that reflects the GDPR. In particular, it appears that the UK would seek recognition as an “adequate” jurisdiction in order to allow the free flow of data from the EU to the UK. This has been confirmed by the UK’s Information Commissioner’s Office (“ICO”) in its statement issued on June 24, 2016. The ICO highlighted that “the Data Protection Act remains the law of the land irrespective of the referendum result.” “If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”
The GDPR (or a UK equivalent) will be the prevailing data protection standard in the UK, and companies should continue their GDPR preparation as before. In due course, and subject to the outcome of the UK’s exit negotiations, companies will need to review and make adjustments to their compliance programs, including relevant data transfer mechanisms, to reflect the fact that the UK will have a separate (albeit similar) data protection law to the EU.