Why the UK's vote to leave the EU will have little effect on its data protection rules

24.06.2016
With the haircut that the sterling-euro exchange rate has taken in the wake of the U.K.'s vote to leave the European Union, the U.K. has suddenly become a low-cost country for companies wishing to host or process the personal information of EU citizens.

EU businesses will need to weigh that price cut against the regulatory uncertainty Thursday's vote introduced -- but it turns out that's surprisingly small, at least in the short to medium term.

As for U.K. businesses hoping for more relaxed data protection rules in the wake of the referendum vote, they will have to wait -- perhaps for a very long while.

That's because many of the rules that the 51.9 percent who voted to leave the EU hoped to escape are, in fact, firmly part of U.K. law, and will only go away if the U.K. parliament votes to repeal them.

And it can't do that until it has negotiated its exit from the EU, which is a matter of international treaty and not the will of the people.

The first question, then, is when will the U.K. officially leave the EU

That will depend on when the U.K. government informs the other member states of its intention to leave by invoking Article 50 of the Lisbon Treaty. The UK will cease to be bound by the EU treaties two years after that date -- sooner in the unlikely event that all parties reach an agreement on an exit settlement before then.

However, U.K. Prime Minister David Cameron is in no hurry to invoke Article 50. On Friday morning he announced that he will resign and make way for a new leader of the ruling Conservative Party before the party's annual conference in October. Invoking Article 50, he said, would be a task for his successor.

That means the U.K. is likely to remain part of the EU until October 2018 -- or longer, if Cameron's successor is in no rush to invoke Article 50.

That means U.K. businesses and citizens will still be subject to EU laws for some years to come.

Those laws come in two forms: directives, and regulations. In the field of data protection, there's one of each to pay attention to.

The most significant -- for now -- is the 1995 Data Protection Directive.

Directives are proposed by the European Commission (the members of which are nominated by the EU member states), then amended by the European Council (composed of the heads of the EU member governments or their ministers) and the European Parliament (directly elected by EU citizens) until all three parties reach a compromise. Then, the parliaments of each member state transpose the directives into their own national law, adapting it where necessary to fit their own legal systems and circumstances. In this way, the Data Protection Directive took effect in 1998.

One of its key provisions, for businesses at least, is that EU citizens' personal information may only be processed in countries offering a level of data protection at least equal to that afforded by EU law.

Since the U.K.'s data protection regime will remain unchanged, for now, U.K. businesses can still process data for EU companies and citizens, and U.K. citizens will have the same protections if their data is exported to, say, the U.S.

Protection of EU citizens' data in the U.S. has itself been called into question since the October 2015 decision by the Court of Justice of the EU to overturn the legal instrument providing that protection, the so-called Safe Harbor Agreement. EU and U.S. officials are still negotiating the details of its replacement, Privacy Shield, which will also cover the U.K. until it formally leaves the EU.

The other EU data protection law of relevance to the U.K. is the General Data Protection Regulation (GDPR), voted in April 2016. This introduces harsher fines for companies breaching the rules -- up to 4 percent of worldwide revenue -- and seeks to harmonize those rules, eliminating national differences allowed under the Data Protection Directive.

Regulations begin life in the same way as directives, as compromise texts agreed upon by the Commission, Council and Parliament. After that, though, there's no time-consuming transposition into national laws: Regulations are directly applicable, and automatically enter effect after two years.

At first sight, that would suggest that U.K. citizens will benefit from, and U.K. businesses will be subject to, the effects of the GDPR from April 2018 through at least October 2018.

That, though, is without considering the exemptions from EU home affairs and justice legislation negotiated by the U.K., Ireland and Denmark. The exemptions mean the GDPR will apply only partially in the U.K up until October 2018.

But what then Well, one of the innovations of the GDPR is that the rules applicable depend on the location of the data subject, so companies in the U.K. will still have to comply with it when processing EU citizens' data.

U.K. businesses might even choose voluntarily to follow EU data protection rules at all times, in order to hang on to their U.K. customers.

"It would make no sense at all for U.K. regulations to be any less stringent. Poor safeguards against loss, theft and misuse of data would ultimately cost U.K. business, as consumers and brands put their data elsewhere," said Richard Lack, EMEA director of sales at Gigya, which provides a visitor tracking and identification service for websites.

Following the EU data protection rules would be a good thing for U.K. businesses in other respects, according to Javvad Malik, security advocate at AlienVault, a security threat management company.

"Many Infosec professionals seem to view the legislation in a positive light, believing that stipulations such as 'data protection by design' will make the data held by their organizations more secure," he said of the GDPR.

Until October 2018, then, and even beyond, it seems unlikely that much will change, in the field of data protection at least.

Peter Sayer