Brexit and data protection

24 June 2016 by Adrienn Toth

As the world contemplates the ramifications of the EU referendum, we’ve speculated as to how Brexit might change the way our clients handle data transfers in litigation and investigations.

What legislative regime would govern the UK?

The UK currently operates under the Data Protection Act 1998, which was enacted to bring British law in line with the EU Data Protection Directive (DPD). Since Britain has voted to leave the EU it is likely that the Data Protection Act 1998 will remain unchanged at least during the transition period.

For businesses operating solely within the UK, this means business as usual. However, things become complicated when a business needs to transfer data to or from another European country.

The EU is currently in the midst of replacing the General Data Protection Directive with the General Data Protection Regulation (GDPR) and had Britain voted to remain, British businesses would have had to comply with this new, tougher legislation which includes:

  • Increased fines, up to 4% of the annual global turnover
  • A “Privacy by design” provision requiring that data protection is designed into business services. Companies will need to ensure they are adopting measures to protect data right from the start of a client engagement.
  • Explicit consent being obtained for the collection and processing of data.
  • The appointment of an independent Data Protection Officer.
  • A “Right to be forgotten". A client has the right to request the erasing of personal data. Companies will need to take steps to understand how they can comply with such a request.
  • A prohibition on data being transferred outside the EU without approval from the relevant supervisory body.

However, Brexit is not simply a case of “in” or “out” and much of the potential consequences of leaving depend on whether or not Britain becomes part of the European Economic Area (EEA) or completely severs ties.

If Britain becomes part of the EEA, this would afford Britain the same status as other European countries such as Norway and Iceland. This would mean it would be designated a ‘safe area’ under the GDPR.  In business terms, this would make data transfers somewhat easier, assuming the EU found the UK’s safeguards to be appropriate.  However, this would mean that the UK would still be subject to the DPD and from May 2018, the GDPR, when transferring data across borders to comply with legal obligations in other countries.

An EU-UK Privacy Shield?

If the UK does not become part of the EEA, the UK would probably have to negotiate an agreement similar to the EU-US Privacy Shield in order for UK companies to continue to transfer data between the UK and countries in the EU.

In this scenario it is likely the Article 29 Working Party would suggest similar terms to the US:

  • An ombudsman to handle complaints from EU citizens about the UK security services accessing their data.
  • UK Security services / the Home Office to provide written commitments that Europeans’ personal data will not be subject to mass surveillance.
  • An annual review or audit to check the new system is working properly.

The Upshot

Data protection legislation is changing regardless of the outcome of the referendum and British businesses need to be prepared for these changes. Until the UK finalises its data protection regime and comes to an agreement with the EU, companies need to think carefully about the risks of transferring data across European borders. However, business does not have to come to standstill; law firms and companies can rely on Kroll Ontrack’s mobile ediscovery solution and network of European offices and data centres to continue to process and transfer data in Europe in a compliant and cost-effective manner. We have always catered for the data protection needs of our clients as they take all laws and regulations into consideration.