Although the UK electorate has voted for the country to leave the EU, any uncoupling from the EU’s regulatory environment is likely to take considerable time.
One of the many issues yet to be agreed is what is going to happen about consumer data protection, specifically what’s going to happen about the General Data Protection Regulation (GDPR).
This piece of EU legislation comes into effect at the start of 2018. As the UK’s status in the EU is likely to still be in flux at this time, it’s unclear how UK businesses will be bound by these rules.
It’s generally thought that it might take around 2 years for the UK to leave the EU. Voters who thought that EU legislation would immediately cease to apply in Britain after exit are likely to be extremely disappointed.
Many of the rules and laws introduced during the UK’s membership of the EU will need to be considered on an individual basis if they are to be overturned. Even if there were the political willpower to undertake this massive task, it would take a great deal of time to implement in parliament.
What this means is that General Data Protection Regulation (GDPR) is likely to apply to UK businesses from early 2018 and for an indeterminate period thereafter.
It’s also the case that UK businesses will be expected to be compliant with EU regulations if the country is to trade with that market. This may mean the UK is best advised to comply with the GDPR and other regulations in order to participate economically.
Organisations based in the UK will need to comply with GDPR as it applies to their customers in EU member states. As the EU is the world’s biggest economy, it would be inadvisable not to meet the requirements for doing business in that territory.
Complying with GDPR is also advisable for international organisations anyway as the influence of the EU as a key world market means this level of protection is likely to become a common standard outside the EU.
Countries such as Canada are already working alongside the EU when it comes to data regulation in order to facilitate trade. Opting out of the data regulation environment it promotes would also threaten foreign investment in the UK; another reason to retain it post-Brexit.
GDPR may be a safe bet
In fact, it’s highly unlikely that any government of the UK is going to reduce consumer protection, making it likely that GDPR standards and other existing data protection laws are likely to be retained once they are implemented in 2018.
Even though there is turbulence and uncertainty ahead, any future government of the UK is very unlikely to scrap those parts of EU law embedded already in UK law. If there is to be change to UK laws that originated from the EU, it’s likely to be on a case-by-case basis and will be slow to implement.
For this reason, businesses can probably expect no change before the deadline for GDPR standards coming into force, and it’s unlikely to be repealed in the UK thereafter. However, UK-based businesses that regularly transfer customer data across borders are advised to keep an eye on the situation as it unfolds.
Many voters don’t seem to be aware of it, the Brexit does not affect Britain’s relationship with the Europe Court of Human Rights (ECHR).
Although Tory party leadership candidate Theresa May, so far looking like a serious contender to head her party, opposes Britain being subject to this court, she has admitted there is not enough political support in parliament to do anything about this.
This means that any consumer who feels that their data protection rights have been compromised can take their case to the Europe Court of Human Rights (ECHR). As the UK is subject to this court’s decisions, what happens in the UK will be influenced by what the ECHR decides.
One possibility for the UK is to join the European Free Trade Association (EFTA), joining countries such as Norway and Iceland. Membership of EFTA would mean the UK remains in the European Economic Area (EEA), which is effectively an area of free movement of personal data.
Within all member states of the EEA, data can be transferred freely because all participants have equal regulations for data transfer. This effectively means the data isn’t being transferred across borders.
An option outside EFTA
If the UK doesn’t join EFTA, the country could seek to follow countries such as Israel and Canada and gain the approval of the European Commission that the UK’s data protection laws are deemed adequate. This would have the same effect as membership of EFTA insofar as personal data could be transferred between these states freely.
The UK has a history of implementing the provisions of the Data Protection Directive slightly differently from the other EU member states. Coupled with the high probability that the UK will not be allowed an easy or painless exit from the EU, it’s by no means certain that the European Commission will take an accommodating view of judging whether its data protection legislation is adequate.
This is another reason why complying with the EU’s own standards i.e. the GPDR may be the best choice for the country. This would make it hard to for the EC to reject the UK’s data protection laws no matter how hostile the Brexit negotiations are.
The only thing that’s certain is that businesses are facing a long period of uncertainty thanks to unprecedented situation the UK has landed itself in. There are likely to be additional complications if various parts of the UK seek different positions within or without the EU.
There have even been rumours that the London mayor is negotiating for the city to remain in the single market whilst the rest of England departs.
It seems as if anything can happen in the immediate future: a situation of uncertainty that does not help businesses make critical decisions.