Post-Brexit – What's The Potential Fallout For Data Protection?

Author:Mr Philip Nolan, Oisin Tobin and Jevan Neilan
Profession:Mason Hayes & Curran

The result in the recent Brexit referendum creates questions on how the UK's decision to leave the EU will impact stakeholders across the key sectors of the UK economy.

We take a look at what Brexit means for technology, data protection and privacy.

Existing UK rules

One of the main aspects of the EU and the Single Market is the harmonisation of national laws. Currently, the regulation and protection of personal data in the UK is primarily governed by the Data Protection Act 1998. These rules, like their Irish equivalent, derive from EU law. In the wake of the Brexit vote, the Information Commissioner's Office ("ICO") - the UK's regulator and the counterpart of the Irish Data Protection Commissioner - issued a statement regarding the on-going status of the 1998 Act. In its statement, the ICO made clear that the 1998 Act will remain law post-Brexit.

Incoming Changes

Despite the fact that the EU-derived 1998 Act will continue to apply, UK and EU paths in respect of data protection may possibly be on course to diverge. On 25 May 2018, the General Data Protection Regulation ("GDPR") will come into force. Unlike its predecessor - the Data Protection Directive - the GDPR will apply directly to all EU member states. In other words, for the most part, Member States will not require national measures to transpose the GDPR. The GDPR also represents a significant toughening of EU data protection rules. With the UK out of the EU picture, the GDPR will not apply to it. This in turn raises questions as to what form the UK's future data protection rules will take.

What are the UK's options?

It is possible that certain quarters of the UK may seek to use Brexit as an opportunity to repeal or significantly amend the 1998 Act. The UK may consider taking advantage of Brexit to loosen data protection standards, and to not adopt the GDPR, thereby placing UK businesses at a competitive advantage, essentially having less red tape compared to companies located in other EU Member States. However, on balance, it is most likely that the UK will end up having to retain EU data protection law, and potentially also including the high standards contained in the GDPR. This was recognised in a recent statement by the ICO:

"With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens."

The GDPR is a "text with EEA relevance" so...

To continue reading