In her first speech as the UK's new Information Commissioner, Elizabeth Denham gave few clues on how the Data Protection laws in the UK will eventually look post Brexit. The primary confusion arises because GDPR is already in force and must be active in the UK by May 2018 at the latest.
Prime Minister Theresa May announced Sunday that she would trigger Article 50 by March 2019, meaning that GDPR will be enforceable law within the UK for at least a year before the UK actually leaves the EU.
Recent debate within the UK has been over whether the government will seek a hard or soft Brexit. A soft Brexit would imply a continued free trading arrangement with Europe in exchange for some allegiance to EU principles. Primarily, those seem to be free movement of labor (immigration issues) and the continuing role of the European Court of Justice -- both of which were apparently ruled out by the Prime Minister on Sunday: "We are going to be a fully independent, sovereign country," she reportedly said at the Tory Party conference; "a country that is no longer part of a political union with supranational institutions that can override national parliaments and courts."
The pound immediately fell to a three-year low against the euro.
The UK is on course for a complete separation from Europe -- and that once again raises the question over implementation of GDPR: will it remain, in part, or will it be fully replaced? If replaced, by what? For the majority of US companies, this is an academic question. If they wish to trade with Europe they will need to be GDPR compliant regardless of what the UK does. But it is important for future or continued investment within the UK. For the UK, the task will be to become more business-friendly than the EU countries, while still providing privacy protection levels acceptable to the European Commission.
For her part, the UK ICO makes it clear that she thinks GDPR is the way forward for both UK and non-UK businesses. "The fact is," she said, "no matter what the future legal relationship between the UK and Europe, personal information will need to flow... the GDPR is a strong law, and once we are out of Europe, we will still need to be deemed adequate or essentially equivalent."
It was already clear before the Brexit vote, however, that the UK was only ever going to implement minimal GDPR. Despite GDPR being a Regulation (and therefore required 'as is' for all member countries), it nevertheless contains a large number of options. In January 2016, the HawkTalk privacy blog commented, "However, the devil for implementation is in the detail as Member States have flexibility to adapt more than 50 GDPR provisions. Thus, until these exceptions are expressed by UK national law, the precise GDPR implementation in the UK is up in the air. The Minister [Baroness Neville-Rolfe] said that with respect to such flexibility, the UK would take advantage of 'all possible legislative discretion' in order to minimize the burden on business."
This raises a warning flag. The consensus is that post-Brexit UK data protection laws are likely to be modeled on GDPR in order to maintain legal equivalence for the continuing free flow of business data. In a BBC Radio 4 interview on Friday, Denham commented, "there is some flexibility, but bottom line, I don't think that Brexit should mean Brexit when it comes to standards of data protection."
Tara Taubman-Bassirian, a French specialist in privacy, IP and copyright law working in London, told SecurityWeek that in the global economy, the UK is no longer an island, and the UK needs to trade with Europe. Her advice is that business should conform to the GDPR since most companies will need to trade with Europe.
But until the UK makes it very clear what will happen after the country leaves Europe, data protection and privacy plans will remain difficult. Even if it enforces GDPR and leaves it untouched on the statute books after Brexit, it may still not be enough. In 2010 the European Commission announced that it had "decided to refer the United Kingdom to the EU's Court of Justice for not fully implementing EU rules on the confidentiality of electronic communications such as e-mail or internet browsing."
More specifically, it said, "Current UK law authorizes interception of communications not only where the persons concerned have consented to interception but also when the person intercepting the communications has 'reasonable grounds for believing' that consent to do so has been given. These UK provisions do not comply with EU rules defining consent as 'freely given, specific and informed indication of a person's wishes'."
This concern can only be exacerbated by the UK's Investigatory Powers Bill, which is likely to become law in 2017. The IP Bill will allow bulk data collection by the authorities. Since a lot of EU/US traffic passes through the UK, there will be a strong possibility of European data also being collected. Even if the European Commission merely suspects that possibility, given its infraction procedure against the UK's implementation of the old Data Protection Directive, there must also be a strong possibility that it will not accept any UK implementation of the GDPR as 'adequate'.
The reality is that there is currently zero clarity coming from the UK over how it will comply with European data protection requirements. Both UK and US businesses are likely to be best served by seeking compliance with either the German or French implementation of GDPR rather than waiting to see what the UK may or may not do.