In the great pall of uncertainty which seems to have enveloped all predictions in the last fortnight, there’s one prediction that I feel it is safe to make: the new EU General Data Protection Regulation (GDPR) will be law in the UK. Well … for a bit at least.
It’s essential to be ‘adequate’
I expect the GDPR to be law in the UK from at least May until October 2018 and something substantially similar will be law from then on.
Following the UK’s departure from the EU, all EU-facing companies will still need to comply with GDPR. All companies in the UK will also have to comply with whatever the UK law is at that point, which we expect will be similar to the GDPR, although there may be some changes. The UK will want to ensure it is considered ‘adequate’ by the EU to ensure data can continue to be transferred easily between the UK and EU.
Fundamentally though, I expect the UK to adopt the principles of the GDPR because the need for privacy and data protection addressed by the GDPR will continue to be major issues.
Our advice to businesses is to continue to prepare for the GDPR, but to watch developments closely. Ultimately any changes to the GDPR in the UK may be of a similar size to the margins for manoeuvre already granted to member countries under the GDPR, so the impact of Brexit may be minimal.
We don’t foresee Brexit impacting the demand for privacy-enhancing technology solutions. If anything, we see it creating new opportunities to employ leading privacy engineering principles to accommodate a potentially more intricate regulatory landscape.
Privitar’s key recommendations
- Continue preparing for GDPR: businesses will need to be GDPR compliant come May 2018
- Monitor: We would also recommend following any statements from the new Information Commissioner, Elizabeth Denham, on the approach she intends to take. If she does suggest that the ICO deviate from the GDPR, it will be worth considering the following:
- Does she believe these changes will still allow for adequacy?
- If she intends to change specific requirements in the GDPR, then does she intend to enforce those requirements whilst the GDPR is in effect in the UK?
GDPR and Brexit ‘ 5 additional thoughts
Will we leave the EU? The EEA? If so when? What would the UK want to change about the GDPR? And will that be possible? All these questions remain to be answered, and until they are there will continue to be a great deal of uncertainty in this space. This post therefore comes with the caveat that there are a number of assumptions in the analysis below which may prove to be inaccurate.
1) GDPR will likely be UK law for at least 6 months, probably longer.
The GDPR comes into effect in May 2018. Based on David Cameron’s statements, we don’t think that Article 50 will be triggered until after the Conservative leadership election which means October of this year at the earliest (And Theresa May has indicated that if she wins, it won’t be until 2017, although Angela Leadsom says she would act immediately), and there are some credible commentators suggesting that the UK may have a second referendum or not leave at all, with Ladbrokes and Paddy Power putting the odds of the UK still being in the EU by 2020 as about 1 in 4.
Before exploring potential timelines, it is worth identifying what is meant by ‘leaving’. If the UK leaves the EU, but remains in the European Economic Area (EEA), then it will keep the same trade terms and regulations as the EU, meaning that negotiations would be much simpler but the UK would keep the GDPR. If the UK leaves the EEA then we will need to pass equivalent laws. Some we may want to transfer without substantial changes, but others we may alter. There are 80,000 pages of relevant EU legislation which will need to be reviewed and considered. A great amount of time will also be needed for negotiation, both of new treaties between the UK and the EU, and to cover transitional issues. Based on this we think the two-year maximum for Article 50 is likely to be needed in its entirety, so we doubt the UK will be ready to leave the EU before Autumn 2018. That means we expect that the GDPR will be enforceable in the UK for at least 6 months, from May-October 2018.
2) Regardless what the post-Brexit situation is, European facing companies will still have to comply with GDPR
Should the UK leave the EEA, Article 3 of the GDPR states that the GDPR will still apply to processing of personal data where the data subjects are in the EU. So for companies with customers in the EU, Brexit should make little difference to their compliance plans.
3) Adequacy is essential, but it doesn’t mean identical
After leaving the EU the UK Government (HMG) could make changes to data protection law. The ICO, in their press release following the referendum result, made it clear that they still feel that a change to the current law (from 1998) is necessary, so we shouldn’t expect a reversion to the current regulatory landscape. The question is will they keep the GDPR? And if not, what will change?
The important limitation on what may change is the necessity for ‘adequacy’. The stated intention of the GDPR was to help shape the single digital market. Making data protection law uniform across the bloc was intended to help the digital market to flourish. The ICO will want to support UK businesses to access this market, which means that they must be deemed as having ‘adequate’ data protection laws. Without an adequacy agreement companies have to use complex derogations which put them at a disadvantage.
So what constitutes adequacy? Currently only 11 countries are considered adequate including New Zealand and Israel. Which do not have the same data protection laws as the EU. Instead they respect the same rights and principles and have similar structures and safeguards in place to ensure these rights are upheld. This potentially means there is latitude for the UK to make changes, so long as they do not change anything which relates to the fundamental rights and principles of the GDPR. The European Court of Justice defined adequacy as being where a country was ‘essentially equivalent’, which is in turn interpreted by the Article 29 Working Group as:
‘The Court has underlined that the term ‘adequate level of protection’, although not requiring the third country to ensure a level of protection identical to that guaranteed in the EU legal order, must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union‘
The focus on rights and assurances of protection, not on the processes companies must go through to demonstrate compliance, differs from the GDPR. For instance, Article 30 specifies the information which must be held on processing activities. To me it would seem to be a stretch to argue that this stipulation related to a fundamental right, particularly if the Privacy Shield agreement between the EU and US is accepted, which would indicate a relatively wide interpretation of adequacy.
If the UK is able to make some changes, either minor or fundamental, would it? The GDPR was negotiated for nearly four years, during which time the UK, like other countries, made a number of compromises. At a recent panel discussion of Privacy issues I discussed this issue with a representative from the ICO, who explained that there are some aspects of the GDPR which they think could be improved. They suggested some of the processes which are imposed on companies are overly onerous, and they would prefer to focus more on the outcomes and rights being upheld, as opposed to exactly how a company demonstrates compliance. Our discussion centred on the potential consequences of the Right to be Forgotten and Subject Access Requests (SARs). We discussed how a removal of charging for SARs could lead to a surge in requests which would represent an unreasonable burden on businesses. This may be the type of thing I could imagine the ICO changing whilst maintaining adequacy, bringing back a fee to prevent unintended consequences.
4) The new Information Commissioner will be important
If the UK does make any changes, it will likely do so based on advice from the Information Commissioner’s Office, which brings in another element of uncertainty, as the current information commissioner departs and is being replaced by Elizabeth Denham this month. It will be well worth watching out for indications from her on the approach she intends to take.
5) Should the UK deviate substantially from the GDPR, new use cases could emerge for privacy-enhancing technology
The impact of Brexit on the GDPR in the UK is unlikely to affect the need for better data protection and privacy-enhancing software solutions, but if a regulatory gap does appear (which I think highly unlikely), with different requirements in the UK to the EU, we expect it would lead to faster and wider adoption of the techniques Privitar offers. Privitar’s software makes individuals unidentifiable within data sets. Recital 26 of the GDPR advises that data sets where the data subject is no longer identifiable are not to be considered as personal data and so are not within the remit of the GDPR. If the UK does choose to bring in regulations which differ significantly from the GDPR, then we would expect to see an increase in the usage of anonymisation software so companies could safely transfer anonymised data or provide access through privacy-preserving interfaces, without having to manage the regulatory gap. This could prove an effective way of reducing what could otherwise by a costly barrier.
In addition to his work at Privitar developing research, policy and strategy, he is also a fellow at the University of Cambridge Centre for Science and Policy. Before joining Privitar, Guy worked in various roles in the Civil Service, in Cabinet Office, the Department of Health and HMRC.