EU Exit and the Impact on Data Protection

The UK is currently scheduled to hold a referendum on continuing EU membership in 2017 and the continuing rise of Euro-scepticism in the UK political landscape suggests that the outcome of such a vote is far from certain.

With the widespread acknowledgement of the increasing value of the digital economy, and the central role played by personal data in driving that value, it is therefore surprising to note that a parliamentary research paper published in July 2013, looking at the impact of a UK exit from the EU, gave data protection issues barely half a page out of a total of more than a hundred.

The situation is of course complicated by the current negotiations for a new Data Protection Regulation, but this seems to make examination of the issues more important not less.  I have therefore decided to write this article to attempt to stimulate increased examination of the issue.

UK Law

The UK Data Protection Act, while based on an EU Directive, is local law, and therefore leaving the EU would not force a particular change in the short term.  We could continue to use the Act, even though most experts agree it needs updating.

However, if we wanted complete autonomy, we would at the very least need to change some provisions relating to the transfer of data overseas. Currently much rests on decisions about the ‘adequacy’ of the law of other countries to protect personal data, and these adequacy decisions are made at EU level. We could continue to follow those rulings if we were outside the EU, but of course we could have no influence on them, so it would make more sense for us to set up our own processes for deciding where it was safe to allow data to go. This in itself could be a fairly hefty regulatory burden.

The EU Data Trade

Perhaps the biggest issue, however, will be the fact that, regardless of our independence, the UK will still need to be able to conduct data trade with EU countries and in particular import personal data from the rest of Europe. This means it would have to be recognised by the EU as providing a level of protection equivalent to that of the EU member states.

On the surface of it right now this may seem like it should be automatic, given that our current law comes from an EU Directive.  However, the UK law is subtly different, some would say more permissive than in the other major economies, and we also have a more relaxed approach to enforcement.

While we are in the EU such differences can be overlooked, but the moment we step outside – it would be perfectly possible for political attitudes to harden against such differences.  This leads to the possibility that in leaving the EU, we may have to end up adopting data protection practices more clearly harmonised with the remaining states, in order to continue our trade with them.

Enter the Data Protection Regulation

Things start to look more uncertain when taking into account the Data Protection Regulation.  Although both the changes in law that it will bring about, and the timings of those changes are unpredictable, it is likely the impact will be very significant.

Current expectations are that the text of the Regulation will be finalised and put into effect in 2015, with enforcement of the new requirements starting in 2017 – i.e. around the time that the referendum will be held.

It is also reasonable to assume that if the vote results in an exit – that in itself will take some reasonable amount of time – taking us into 2018 at the earliest before the UK becomes ‘independent’.

As the effect of the Regulation is direct, this means that the current Data Protection Act will almost certainly need to be repealed, although an Act to deal with the use of personal data within the criminal justice system will have to be in place by then (this is outside the scope of the Regulation).

That means independence will require the UK to write a new piece of data protection legislation, pretty much from scratch. And once again, if we want to continue to trade with the EU in personal data, we will need both to make sure that such legislation offers similar protections to the EU Regulation, and to get approval from the EU in the form of an adequacy decision. This would likely take a considerable amount of time and effort, and is by no means assured.

UK companies could even end up having to comply with two sets of laws – the UK and the EU.  Also extremely costly.

Investment Deterrent

Another issue to consider would be the potential impact it would have on foreign companies considering investing in the UK.

Multinational companies have expressed direct support for the principle in the Data Protection Regulation that will provide them with a single set of rules to work with across Europe. Having one set of rules rather than 28 slightly different ones will make their lives easier.

A UK exit would mean any companies thinking of moving into Europe will have one more reason not to consider the UK as their base of operation.  The additional burdens would of course be most significant in the technology sector – where the UK has been most keen to attract such investment.

 

Conclusions

All of this of course is quite speculative and I have deliberately not delved into too much detail at this point in time.

The simple fact is that no country has ever attempted to leave the EU before, so there is no precedent to draw on.  Our EU partners could make it easy or difficult for us to leave and still retain access to their markets – and the market for data is no different.

However, in a world of global data, legal borders are like a blockage in the river – either it is overwhelmed or the water finds another route round.  If the UK moves to isolate itself from its biggest trading market – the risk of losing out due to a divergence in data protection laws seems greater than any probable advantage it might bring.