Never gonna give you up? The General Data Protection Regulation

In the current post-referendum/pre-Brexit world there is plenty of speculation on the future of data protection in the UK.

New relationship with Europe, new rules?

For some, lowering the Union Flag in Brussels, folding it neatly into a diplomatic bag and hurling it into the hold of the next flight back to London, will give us the power to do what we want. We will have the power to draft our own data protection laws. We will have the power to draft our own international data transfer arrangements. We will, in effect, be able to take back control of our data protection laws.

What’s to stop us, for example, entering into a more flexible framework like the new EU-US Privacy Shield? This would mean, post-Brexit, we’d be free to transfer personal data to and from the other 27 member states of the EU without the pettifogging red tape of its new data protection regime, the General Data Protection Regulation (GDPR), which applies from 25 May 2018.

We could devise our own flexible, light-touch regime.

Game, set and match to the UK!

On the other hand

Others say that the only way forward is full compliance with the GDPR, or as near to full compliance as is humanly possible. No ifs and no buts: if we want to continue trading with the rest of the EU in some form, there is no alternative.

The reality is that the UK’s room for manoeuvre is limited for many reasons; some of which have been overlooked in the fog of war since the vote to leave the EU. In the battle to understand where our ‘troops’ are placed, we seem to have forgotten that they are not all in Brussels. While we may be abandoning the Belgium capital—to what degree is yet to be determined - we still have a large battalion deployed some 300 miles down the road at the Council of Europe in Strasbourg. Brexit may well mean Brexit but, as the Prime Minister confirmed on the day she launched her bid to be Tory leader, there are no plans to stray from Strasbourg.

Many may have forgotten that the Council of Europe is not the same as the EU’s European Council or Council of the European Union. Things aren’t helped by all these European institutions having the same flag: the circle of twelve gold stars on an azure background. (Is it any wonder people get lost in this institutional maze? It is like the Houses of Parliament in the UK sitting alongside two independent bodies named the ‘Parliamentary House’ and the ‘Houses of UK Parliament’ with some or all of them passing laws on the same subject to varying degrees.)

So, putting aside this natural confusion, why does this matter?

Quite simply, the Council of Europe also has the power to legislate on data protection matters and, what’s more, has already done so.

Data – the weight of history

In simple terms, this means that the UK will not be taking back control of any data protection laws from Strasbourg. Indeed, a UK Privacy Shield is arguably a non-starter since it would be unlikely to comply with the Council of Europe’s rules on data protection: the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.

When this little-known legal instrument was ratified by the UK, on 26 August 1987, Rick Astley was at number 1 with his hit tune, ‘Never gonna give you up’. Perhaps this is now a prediction of the UK’s future relationship with the GDPR?

It is clear that the odds are currently stacked against a compelling UK alternative to the GDPR, particularly given that these new EU rules are based on parts of the convention. Any UK data law, if one is required depending on our future relationship with the EU, would likely need to borrow heavily from the GDPR.

So – the future of data protection in the UK is?

Perhaps, ultimately, we’ll see a slightly tweaked General Data Protection Act or ‘GDPA’?

Moreover, for a short—or not so short—period between 25 May 2018 and Brexit Day (I hesitate to use ‘B-Day’. I’ll let you work out why) the UK will still be a EU member state. Any UK organisation will be subject to fines of up to 4% of its worldwide annual turnover or €20 million, whichever is higher, for breaching the new data rules. Present this stark fact to any board member and watch the blood drain from their faces quicker than they can mumble ‘GDPR compliance’.

So, what to do?

The simple and most practical answer is to work on the basis that the GDPR will apply to the UK. Given that we don’t know when Brexit will take place and the form that it will take, the interim period during which time the GDPR is in force in the UK is likely to be longer than many people imagine. And that’s not forgetting that many organisations will still need to comply with the new regime anyway as they have operations in Europe.

Giving up the GDPR will be hard to do – adding a layer of meaning to Rick Astley’s number 1 single that nobody could have foreseen.

Relevant Articles
Area of Interest