Read our Update: UK Data Privacy Laws in a Post-Brexit World
As the June 23 referendum on Britain’s membership in the European Union looms, the potential that Britain will exit the European Union (“Brexit”) raises data privacy issues.
Being part of the European Union has meant that UK businesses are subject to numerous data protection laws. The UK has enacted most of its domestic data protection laws, such as the Data Protection Act 1998 (DPA), to implement European Directives. If a “Brexit” occurred, existing domestic legislation would remain unless and until changed by the UK government. This means that businesses in the United Kingdom would continue to be subject to the DPA. The Information Commissioner’s Office would also remain as the UK data protection authority with regulatory powers to conduct investigations into breaches of the DPA and issue penalties for noncompliance.
Any UK business that offers goods or services to European consumers or which has a website that is accessible in Europe will, in addition to the DPA, also need to comply with European data protection laws such as the new General Data Protection Regulation (GDPR).
Most UK businesses are almost certainly going to need to transfer personal data to Europe and to other countries outside Europe such as the United States. Currently, whilst the United Kingdom remains part of the European Union, there are restrictions against transferring personal data (without consent from the individual) outside of Europe, other than to certain “adequate” countries such as Canada or Switzerland or if the business has a legally permissible mechanism such as model clauses or binding corporate rules in place. If the United Kingdom leaves the European Union, the UK government will need to decide if it will retain the same restrictions for cross-border transfers or adopt an alternative solution. If the proposed EU-US Privacy Shield is enacted, the UK government will need to decide if it will adopt a similar model for data transfers from the United Kingdom to the United States if the current restriction on such data transfers is retained. Additionally, the United Kingdom is likely to apply to the European Commission for a decision of “adequacy” that would allow European countries to transfer personal data to the United Kingdom. This will, of course, depend on whether the UK government has passed laws that differ to the current DPA and whether the European Commission views the standard of “adequacy” as having been raised after the GDPR becomes effective.
Data security is becoming increasingly important for businesses. Similarly, privacy is becoming increasingly important for individuals globally. It therefore seems unlikely that any government would wish to repeal the DPA and pass weaker data protection laws in the United Kingdom, thereby undermining consumer confidence in UK businesses and potentially exposing them to increased data security breaches.
Morgan Lewis will be watching this space and will update our clients as events unfold.
Morgan Lewis has set up a dedicated Brexit Resource Center to provide up-to-date news and industry contacts to answer any questions you may have about the implications for your business in the event of a Brexit.
For more than three decades, Morgan Lewis has represented companies and institutions doing business in the United Kingdom and globally. Our Brexit team of lawyers have been advising clients on a variety of legal issues in the run up to the decision and are assessing the complex short- and long-term implications of the June 23 vote. Our Brexit Resource Centre will continue to provide guidance on the legal and business implications of the United Kingdom’s decision to leave the union. To view this alert and others, and to gain immediate access to our most recent guidance on Brexit, please visit the Brexit Resource Centre. In addition, please feel free to speak to your usual contact at Morgan Lewis or to contact any one of the Brexit Team via Brexit@morganlewis.com.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers: