MHC Tech Law: Post-Brexit, what’s the potential fallout for data protection?

4 Jul 2016

Mason Hayes & Curran takes a look at what Brexit means in the context of technology, data protection and privacy.

The result in the recent Brexit referendum has undoubtedly come to many as a shock. The Leave vote has triggered a period of uncertainty and there is a significant absence of clarity on the next steps.

Questions are already circling as to how the UK’s decision to leave the EU will impact it and the many stakeholders across the key sectors of the UK economy.

Existing UK rules

Future Human

One of the main aspects of the EU and the Single Market is the harmonisation of national laws. Currently, the regulation and protection of personal data in the UK is primarily governed by the Data Protection Act 1998. These rules, like their Irish equivalent, derive from EU law.

In the wake of the Brexit vote, the Information Commissioner’s Office (ICO) – the UK’s regulator and the counterpart of the Irish Data Protection Commissioner (DPC) – issued a statement regarding the ongoing status of the 1998 Act. In its statement, the ICO made clear that the 1998 Act will remain law post-Brexit.

Incoming changes

Despite the fact that the EU-derived 1998 Act will continue to apply, UK and EU paths in respect of data protection may possibly be on course to diverge.

On 25 May 2018, the General Data Protection Regulation (GDPR) will come into force. Unlike its predecessor – the Data Protection Directive – the GDPR will apply directly to all EU member states. In other words, for the most part, member states will not require national measures to transpose the GDPR. The GDPR also represents a significant toughening of EU data protection rules.

With the UK out of the EU picture, the GDPR will not apply to it. This in turn raises questions as to what form the UK’s future data protection rules will take.

What are the UK’s options?

It is possible that certain quarters of the UK may seek to use Brexit as an opportunity to repeal or significantly amend the 1998 Act. The UK may consider taking advantage of Brexit to loosen data protection standards, and to not adopt the GDPR, thereby placing UK businesses at a competitive advantage, essentially having less red tape compared to companies located in other EU member states.

However, on balance, it is most likely that the UK will end up having to retain EU data protection law and, potentially, also including the high standards contained in the GDPR. This was recognised in a recent statement by the ICO, which said, “With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens.”

The GDPR is a “text with EEA relevance” so, if the UK wants to join the European Economic Area, it will need to adopt the GDPR.

‘An optimist could view Brexit as heralding an era of flexibility and the possibility for the UK. The unavoidable reality, however, is that the UK is likely to be significantly more constrained in its options, particularly if it hopes to remain a hub of financial and IT activity’

Alternatively, if the UK goes another route, including the most flexible ‘WTO’ approach, UK businesses that deal with other EU countries will still need to comply with the GDPR. This stems from the regulation’s expansive scope, as the GDPR will apply to companies based outside the EU that offer goods or services to individuals located in the EU.

Finally, if the UK seeks an EU Commission adequacy decision to get over the data transfer issues as discussed below, it will need to comply with the GDPR. Despite the onerous GDPR compliance burden, the UK might still find itself deprived of some of the key advantages of the GDPR – namely, an ability for multinational companies with significant operations in the UK to avail of the ‘one-stop-shop’ mechanism from the UK.

Data transfers

With the UK rescinding its EU membership, serious issues are likely to arise with respect to the free flow of data between the EU and the UK.

Coupled with the harmonisation of laws across the EU is the notion of “free movement”. Here, meaning the free movement of data within the EU.

Conversely, however, Irish and EU data protection law prohibits transfers of personal data to countries that do not provide an “adequate” level of protection for personal data. Only a handful of countries are recognised as meeting this standard. Canada, New Zealand and Israel are among them, as well as EEA members, like Norway.

Transferring data to destinations other than these countries requires the EU party to rely on exceptions to the general prohibition, such as by using the EU Commission-approved Standard Contractual Clauses.

However, international data transfers are a fraught area at present. The Irish Data Protection Commissioner recently commenced proceedings in the Irish High Court seeking a referral to the CJEU and a declaration that the Standard Contractual Clauses are themselves in breach of the EU Charter, at least where used for transfers to the US. The results of litigation of this sort may make it more challenging to address data transfers between the EU and the UK, which in turn may present real challenges to UK trade.

Adequate protection

As indicated above, the list of countries deemed to provide an “adequate” level of protection for personal data is short. If the UK does not join the EEA, it may ask the Commission to issue a decision finding that UK law is adequate for the purposes of international data transfers.

This could give rise to four sets of difficulties:

  • First, such an adequacy decision could only be forthcoming if UK law was “essentially equivalent” to EU data protection law. This means that the UK would have to adopt the GDPR (see further above) while being deprived of some of its benefits.
  • Second, it is far from clear that there would be a political will to issue such an adequacy decision, which must be approved by member state representatives via a qualified majority vote.
  • Third, certain MEPs have already come out and said that they will campaign against the UK getting an adequacy decision as a result of its national security laws and online surveillance practices.
  • Fourth, we know from the recent CJEU decision in the Schrems case that data protection authorities (DPAs) in member states will still be able to block exports to countries despite them benefitting from an adequacy decision.

What does this all mean?

Generally speaking, it is likely to be business as usual for at least the coming 12 to 18 months. The UK’s exit period is expected to take up to two years, ending a few months after the GDPR comes into force.

This tacks another pressing issue onto the UK’s already lengthy list of negotiation points. An optimist could view Brexit as heralding an era of flexibility and the possibility for the UK to leverage data protection laws to its competitive advantage. The unavoidable reality, however, is that the UK is likely to be significantly more constrained in its options, particularly if it hopes to remain a hub of financial and IT activity.

In many respects, the Leave vote can be seen as playing to Ireland’s advantage in respect of data protection. Barring Malta, he Republic will soon be the only English-speaking nation armed with all the EU benefits of free movement of goods, services, workers, capital and personal data. Under the GPDR, Ireland will also have the benefit of the ‘one-stop-shop’ mechanism.

This somewhat reduces the risks of re-regulation of the same set of data processing activities by multiple EU DPAs. It will mean that businesses can structure themselves so as to only be subject to the supervision of a single data protection authority, such as the Irish DPC. This will be a significant advantage to multinational business under the GDPR but will not be available to businesses with their ‘main establishment’ in the UK as the concept is defined in the GDPR.

The content of this article is provided for information purposes only and does not constitute legal or other advice. 

Tech Law is a weekly series brought to you by Irish law firm Mason Hayes & Curran, whose legal tech team advises the world’s top social media organisations and emerging start-ups. Check out for more.

Want stories like this and more direct to your inbox? Sign up for Tech Trends, Silicon Republic’s weekly digest of need-to-know tech news.

Brexit image via Shutterstock