A few weeks ago we brought you an article focused on privacy protection laws in the UK in relation to the Brexit vote. Many in the “out” campaign highlighted the need for free—–dom from cumbersome EU regulations, such as the General Data Protection Regulation (GDPR) expected to become effective in 2018. Now that the Brexit vote has passed, it’s time for an update. How are UK privacy laws likely to change as it looks at negotiating an exit from the EU? Legal regulation of personal data is one of the many ways we can protect our clients at ReputationDefender, so this is a serious issue for us.
Britain has two choices post Brexit
There are basically two options for Britain regarding data protection after Brexit. The first is to keep data regulation exactly the same as it is in the EU, including implementation of the GDPR which is allegedly the strictest policy of its kind. This would facilitate the transfer of personal data on EU individuals into and out of Britain and keep many of the data sharing privileges the UK holds as an EU member. However as we mentioned in the previous article, many companies will face challenges in updating their systems to become compliant before the new law goes into effect.
The UK’s other option is to devise its own data protection regulation bill and negotiate a data sharing policy with Brussels as it leaves the EU. As an EU member, Britain already did have a significant voice in drafting the regulation, but it was one of many influences and an independent legislation could look quite different. Brussels is unlikely to accept a policy that offers less protection, so it’s unclear at this point whether this would be an advantage. It would probably mean that UK based companies would face costly limitations when doing business with individuals covered under EU regulations.
Negotiating with Brussels
The problems associated with a separate policy could be ameliorated by a generous agreement with the EU, but there’s no precedent to support this. The US has already faced leg
al issues in relation to its surveillance programs under the EU’s current directive. The previous data sharing agreement, “safe harbor”, was struck down last year; a new agreement is in the works, but it could face further legal challenges. Any UK legislation is likely to encounter the same issues since many feel Britain’s GCHQ network is even more invasive than the NSA. As we mentioned previously, under the new GDPR, fines for non-compliance in relation to EU data will apply to companies regardless of where they are located, so British companies will need to understand the implications of the new policy whether or not it actually protects British citizens.