Brexit vote may have little effect on UK data protection rules
27 June 2016
With the haircut that the sterling-euro exchange rate has taken in the wake of the UK’s vote to leave the European Union, the UK has suddenly become a low-cost country for companies wishing to host or process the personal information of EU citizens.
EU businesses will need to weigh that price cut against the regulatory uncertainty the referendum vote introduced — but it turns out that is surprisingly small, at least in the short to medium term.
Wait a little
As for UK businesses hoping for more relaxed data protection rules in the wake of the referendum vote, they will have to wait — perhaps for a very long while.
That is because many of the rules that the 51.9% who voted to leave the EU hoped to escape are, in fact, firmly part of UK law, and will only go away if the UK parliament votes to repeal them. It cannot sensibly do that until the UK has negotiated its exit from the EU, which is a matter of international treaty rather than of the referendum result alone.
The first question, then, is when will the UK officially leave the EU?
That will depend on when the UK government informs the other member states of its intention to leave by invoking Article 50 of the Lisbon Treaty. The UK will cease to be bound by the EU treaties two years after that date — sooner in the unlikely event that all parties reach an agreement on an exit settlement before then.
However, UK Prime Minister David Cameron is in no hurry to invoke Article 50. On Friday morning after the vote, he announced that he will resign and make way for a new leader of the ruling Conservative Party before the party’s annual conference in October. Invoking Article 50, he said, would be a task for his successor. That means the UK is likely to remain part of the EU until October 2018 — or longer, if Cameron’s successor is in no rush to invoke Article 50. That means UK businesses and citizens will still be subject to EU laws for some years to come.
The European Commission, however, led by its president Jean-Claude Juncker, has insisted that the process begin as soon as possible.
Directives and regulations
Those laws come in two forms: directives, and regulations. In the field of data protection, there’s one of each to pay attention to.
The most significant — for now — is the 1995 Data Protection Directive.
Directives are proposed by the European Commission (the members of which are nominated by the EU member states), then amended by the Council of the European Union (composed of ministers from the member governments) and the European Parliament (directly elected by EU citizens) until all three parties reach a compromise. Then, the parliaments of each member state transpose the directives into their own national law, adapting them where necessary to fit their own legal systems and circumstances. In this way, the Data Protection Directive took effect across the EU in 1998; in the UK it was transposed as the Data Protection Act 1998.
One of its key provisions, for businesses at least, is that EU citizens’ personal information may only be transferred to countries outside the EU that offer an adequate level of data protection, broadly equivalent to that afforded by EU law.
Since the UK’s data protection regime will remain unchanged, for now, UK businesses can still process data for EU companies and citizens, and UK citizens will have the same protections if their data is exported to, say, the US.
Protection of EU citizens’ data in the US has itself been called into question since the October 2015 decision by the Court of Justice of the EU to overturn the legal instrument providing that protection, the so-called Safe Harbor Agreement. EU and US officials are still negotiating the details of its replacement, Privacy Shield, which will also cover the UK until it formally leaves the EU.
The other EU data protection law of relevance to the UK is the General Data Protection Regulation (GDPR), adopted in April 2016. This introduces harsher fines for companies breaching the rules — up to 4% of worldwide annual turnover — and seeks to harmonise those rules, eliminating the national differences allowed under the Data Protection Directive.
Regulations begin life in the same way as directives, as compromise texts agreed upon by the Commission, Council and Parliament. After that, though, there is no time-consuming transposition into national laws: regulations are directly applicable in every member state. The GDPR entered into force in May 2016 and, under its own terms, applies from 25 May 2018, two years later.
At first sight, that would suggest that UK citizens will benefit from, and UK businesses will be subject to, the effects of the GDPR from May 2018 through at least October 2018.
That, though, is without considering the exemptions from EU home affairs and justice legislation negotiated by the UK, Ireland and Denmark. The exemptions mean the GDPR will apply only partially in the UK up until October 2018.
But what then? Well, one of the innovations of the GDPR is that its reach depends on where the data subject is, not where the company is established: it applies to any organisation, inside or outside the EU, that offers goods or services to people in the EU or monitors their behaviour there. Companies in the UK will therefore still have to comply with it when processing EU citizens’ data, whatever UK law says at the time.
UK businesses might even choose voluntarily to follow EU data protection rules at all times, in order to hang on to their UK customers.
“It would make no sense at all for UK regulations to be any less stringent. Poor safeguards against loss, theft and misuse of data would ultimately cost UK business, as consumers and brands put their data elsewhere,” said Richard Lack, EMEA director of sales at Gigya, which provides a visitor tracking and identification service for web sites.
Following the EU data protection rules would be a good thing for UK businesses in other respects, according to Javvad Malik, security advocate at AlienVault, a security threat management company.
“Many Infosec professionals seem to view the legislation in a positive light, believing that stipulations such as ‘data protection by design’ will make the data held by their organisations more secure,” he said of the GDPR.
Until October 2018, then, and even beyond, it seems unlikely that much will change, in the field of data protection at least.
IDG News Service