The effect of Brexit on UK data protection law is just one of a multitude of questions raised by the UK’s decision to leave the European Union (EU).
However, the implications of Brexit for UK data protection law may not be as great as they initially appear.
Data Protection Act 1998
At present, the Data Protection Act 1998 is the framework for UK-wide data protection law. However, data protection law was, even before Brexit, due to see a dramatic overhaul in the coming years. The General Data Protection Regulation (GDPR), which has direct effect in all member states, is due to come into force in May 2018. At this point in time, it seems likely that the UK will still be part of the EU when the GDPR takes effect. That being so, the UK will still be bound by the terms of the GDPR and must ensure compliance with its terms.
General Data Protection Regulation (GDPR)
The GDPR will replace the Data Protection Act and will significantly expand the reach of data protection law, increasing the penalties for failure to comply and making it more difficult for organisations to contact individuals or use personal data for marketing. The GDPR will also expand the category of persons liable for a breach of the GDPR from data controllers to include those handling data on behalf of a data controller.
While the UK is likely to be subject to the GDPR for a period of time, on Brexit, the GDPR will cease to have direct effect in the UK. When that happens, the UK would be free to revert to a Data Protection Act equivalent or abandon data protection laws entirely. However, it seems very unlikely that will happen. While the GDPR ceases to have direct effect on Brexit, UK businesses which trade or have interests in the EU will still be affected by its terms and will still need to ensure compliance.
While the UK may not be legally bound by the GDPR after Brexit, it is likely that there will be significant business pressure to ensure that similar, if not identical, provisions are put in place to ensure that there is as little disruption as possible in trade and the exchange of information with the rest of Europe. It would, of course, be open to the UK to continue to implement GDPR after Brexit.
Whether or not the UK secures membership of the European Economic Area may also have some bearing on the nature of data protection law following Brexit. While there are still many unanswered questions, it seems certain that the UK will need some form of data protection law in order to allow effective trade with other countries and the EU in particular. There will be significant changes to data protection law over the coming years, but these will not initially be a result of Brexit, and the changes which take place after the UK leaves the EU may not be as great as initially feared.