skip to main content

Brexit means Brexit?

  • Alex Hazell

    Alex Hazell

Created at August 12th, 2016

Brexit means Brexit?

Seconds after David Dimbleby announced the referendum result I posted on social media that we can now relook at the EU data protection reforms.

After all, brexit in its most likely form will mean the UK no longer has to follow European law. I was surprised therefore when many privacy pundits started to write that brexit would make little or no difference to the impact of the General Data Protection Regulation on the UK.

The cynic in me thought the last thing the burgeoning GDPR monetisation industry wanted was for their clients’ spending plans to be put on hold whilst the “brexit effect” was worked through. But were vested interests really at play here?

Brexit impact on GDPR in the UK

I understood their argument that the GDPR says it applies to companies outside the EU that monitor and process personal data on EU citizens such as companies in a post-brexit UK, or even Nauru for that matter. This cross border point would not apply to UK personal data however which, the privacy pundits concluded, still needed to be subject to the same GDPR privacy regime to ensure consistency and adequacy across Europe.

This is where their argument faltered for me.

  1. First of all there are a lot of derogations in the GDPR that water down harmonisation anyway; in other words there will still be lots of differences between countries.
  2. Secondly, under the current Data Protection Directive we are all very used to operating where different countries have varying standards of data protection so we could continue to do so with differences between the UK and EU.
  3. Thirdly, the US is a good example of where two different privacy regimes can be made to work side by side: the Privacy Shield for EU data and US law for US data; if that approach can work in the US why not in the UK too?
  4. Fourthly, in a post-hard-brexit world the GDPR would not be directly applicable in the UK, but a mirror statute would not guarantee adequacy which would look at surrounding issues that might eat into privacy protection such as surveillance law – or lack thereof – and actual practice on the ground.

The flip side is that countries with existing adequacy determinations (such as Argentina and Canada) have not mirrored the current Data Protection Directive in their domestic laws so adequacy must be achievable based on a different take of the overarching EU privacy principles. We should therefore jump on this opportunity to revisit the data protection reforms with both feet to ensure a high standard of data protection is balanced with the right to business use.

Some think that privacy reform is not important enough to be high up the brexit negotiators’ priority list. I vehemently disagree as the continued success of the digital economy depends on workable information rights’ law. Revisiting the GDPR is also in people’s interests so they don’t end up with laws which are unworkable, not enforced and don’t protect them anyway.

As well as getting creative with our statute, we should also make the most of not being fettered by EU court decisions not to mention the EDPB* consistency mechanism driven by privacy regulator fundamentalists about whom I wrote in my previous IAB blog:

What is needed therefore, is a brexit mind-set change within the privacy community. We should join forces with our famously pragmatic regulator to help her propose alternative, workable positions which further business whilst sticking to the spirit of the data protection reforms. If for the sake of a quick buck we advocate for more of the same, then that is what we are likely to get.

*Powerful new group of EU regulators that decides what the GDPR means.