Brexit and the Future of Data Protection – Anya Proops QC

1 07 2016

data_protection (1)So a week on from the Brexit referendum and it is clear that that there is no clear, carefully thought out strategy for extricating ourselves from the EU legal edifice. If you feel that this ‘make it up as we go along’ approach to the biggest legal and political challenge which our country has faced in decades is somewhat less than satisfactory, you will be pleased to learn you are not alone.

But if the path to Brexit is unclear you can at least assume that the journey will not be swift. Indeed, it seems likely that it will take at least two years and probably more before we part company with our EU brethren. Why does this matter, apart from the fact that it leaves our country in a protracted state of general confusion and uncertainty? Well for the readers of Inforrm it matters because there is at least one major piece of EU legislation which is due to take effect within the next two years, namely the EU General Data Protection Regulation.

The GDPR is due to become law automatically in the UK on 25 May 2018. Whilst it may be that technically the UK could agree an exit from the EU prior to that date, it seems most unlikely that we will arrive at that state of affairs. Indeed, with the current vacillations over even commencing the Article 50 exit process and the fact that that process itself envisages that there will be a minimum two year period before a Member State can leave the EU, it seems that Brexit is unlikely to occur any time prior to late 2018, early 2019.

But if the GDPR is to become part of our law, how long will it remain so? Of course none of us have any definitive answers to this particular question. That said, there are certainly good reasons for supposing that the provisions embodied in the GDPR will remain subsumed within our domestic laws for some years to come. Those reasons include not least that:

(a) post-Brexit, incumbent governments are likely to have more important legislative and administrative fish to fry than tackling the GDPR;

(b) a heavy tinkering with the GDPR principles may well threaten our ability to secure a finding of ‘adequacy’ when it comes to cross-border data transfers from the EU, with the inevitable knock on effect on cross-border EU/UK commerce;

(c) the EU may well require compliance with the GDPR as one of the pre-conditions for participation in the single market (as per the Norwegian model) and

(d) there may well in any event be no public appetite within the UK to reduce the levels of protection for personal data embodied in the GDPR.

Of course there is the point that, even if we retain the GDPR provisions post-Brexit (through some form of automatic domestic legislative incorporation), our courts will be free to apply those provisions free from the shackles of CJEU jurisprudence. In that sense there will be an important departure. However, even there, the question we have to ask ourselves is whether our domestic courts will continue to be influenced by the European approach to data protection, either because they consider that that approach closely chimes with a modern, universal approach to data privacy or because they are conscious of the ‘adequacy’ issue. Notably, the ICO itself appears to take the view that there should be no seismic divergence of approach to data protection in the post-Brexit world – see his news release here.

Of course, all this is to say nothing of the fact that some elements of the GDPR in any event require domestic implementation. This is the case not least with respect to those data protection rights which may conflict with the fundamental right to free expression. What this means is that, whatever the future holds in terms of applicability of GDPR principles, the relevant incumbent government will not be able to avoid engaging in at least some active legislative debate around the data protection regime.

The good news is that all of these issues are to be canvassed and no doubt debated at length at 11KBW’s forthcoming all day conference on the GDPR – see details here.

This post originally appeared on the Panopticon Blog and is reproduced with permission and thanks


Actions

Information

3 responses

1 07 2016
Brexit and the Future of Data Protection | LSE Media Policy Project

[…] article is reposted from Inforrm’s blog with permission and […]

1 07 2016
David Radlett

Unfortunately, perhaps, the GDPR is probably not at the top of many people’s lists of things to worry about. Article 50 process does not envisage a minimum two-year period – “3. The Treaties shall cease to apply to the State in question from the date of entry into force of the withdrawal agreement or, failing that, two years after the notification referred to in paragraph 2” unless there is agreement to extend. If anything, it is a maximum period as upon its expiry an exiting state is free to go.

1 07 2016
‘Brexit and the Future of Data Protection’ | Private Law Theory - Obligations, property, legal theory

[…] “So a week on from the Brexit referendum and it is clear that that there is no clear, carefully thought out strategy for extricating ourselves from the EU legal edifice. If you feel that this ‘make it up as we go along’ approach to the biggest legal and political challenge which our country has faced in decades is somewhat less than satisfactory, you will be pleased to learn you are not alone …” (more) […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: