Brexit and data protection: What does it mean for you?

“The British people have voted to leave the EU and their will must be respected.  The will of the British people is an instruction that must be delivered.  There can be no doubt about the result.”  So said David Cameron this morning as he announced his intention to step down as Prime Minister, following the historic news overnight that the UK has voted to leave the European Union.

The effects of this decision will have many profound political, economic and social consequences, and it’s far too early to say precisely what these will be or how they will play out.  However, by way of some immediate reactions:

1. Keep calm and carry on:  It will take the UK at least two years to negotiate its exit from the European Union.  This isn’t going to be an overnight process and, during this interim period at least, the UK will remain fully subject to EU laws – including EU data protection laws.  In other words, the UK will continue to be subject to the same data protection regime as the rest of the EU for the immediate future – and possibly longer, depending on how long exit negotiations take.

2. Keep preparing for the GDPR:  Businesses still need to undertake their GDPR readiness preparations.  When it comes into effect, the GDPR will apply to every business – whether in the EU or not – that offers goods and services to EU citizens or that monitors EU citizens’ behaviour.  UK businesses selling into the EU will therefore still be subject to GDPR requirements, as will wider international businesses operating across the UK and the EU.  The UK’s leaving the EU won’t change this.

3. The UK could “do a Norway”:  Norway, Liechtenstein and Iceland are all members of the European Economic Area, but not the EU.  Being a member of the EEA means that they enjoy free trade with the EU, but on condition that they submit themselves to EU laws.  On exiting the EU, the UK may seek to remain within the EEA in order to continue enjoying free trade with the EU – and, if it does, it will necessarily be subject to the GDPR when it comes into effect.

4. But if it doesn’t…:  If the UK doesn’t stay part of the EEA, then it will in effect become a “third country” for data protection purposes – meaning that data transfers from the EEA to the UK could be restricted in the same way as data exports from the EEA to the US.  Or, more accurately, they’ll be restricted unless the EU Commission decides that the UK provides “adequate” protection for data it imports from the EEA, as is the case currently with countries like Canada and New Zealand.  Whether that happens will very likely depend on the next point…

5. The UK might adopt a “GDPR-lite”:  If the UK doesn’t stay part of the EEA (meaning it won’t become subject to the GDPR), then it will need to adopt new national data protection laws or continue its reliance on the Data Protection Act 1998.  It will need to tread very carefully if it follows this path – while it might be tempted to adopt more relaxed data protection rules than the GDPR to attract investment from countries like the US, if these rules aren’t “strict enough” then it also risks not achieving “adequacy” recognition by the EU, seriously impacting data flows between the UK and the EU.

It’s very early days right now, and there’s a lot to be worked out over the coming weeks, months and years – all we can do for now is offer our best guesses at the way things may develop.  One thing is certain though: things will inevitably change now, and the UK, Europe and the world will be watching every development with bated breath.