The General Data Protection Regulation (GDPR) becomes binding on all EU member states, including the UK, on Friday.
It aims to harmonise data protection laws across Europe, and shift power away from corporations and towards consumers, giving individuals greater control of the personal data held about them.
With over 70 per cent of all trade in services enabled by data flows, the UK is likely to suffer significant financial losses without an effective data protection framework which allows smooth data exchanges with the EU.
A number of non-EU nations have already secured “adequacy decisions”, allowing data transfers from the EU to third countries to carry on as normal after 25 May. However, for the time being it is not clear whether the UK will be able to secure its own adequacy decision in time for Brexit.
In the absence of an adequacy decision, any UK businesses with an interest in the EU need to ensure that they have appropriate safeguards in place, by applying for, and abiding by, individual arrangements. This is likely to increase costs and complexities, and there is a chance that these costs will be passed on to consumers.
The government should be doing everything it can to help businesses make this transition. But it may actually be making things harder.
In its report dated 21 March 2018, the Common’s Home Affairs Committee expressed serious concerns about the future of data flows post-Brexit. According to the Committee, the Investigatory Powers Act 2016 (IPA), also known as the Snooper’s Charter, is one of several reasons the UK could fall foul of the EU’s strict data protection standards after Brexit.
The IPA in its current form is at odds with EU case law. It requires web and phone companies to store everyone’s web browsing histories for 12 months and give the police, security services, and a whole range of other agencies unprecedented access to the communication data.
However, in the case of Watson, the European Court of Justice has stated that the UK government’s bulk retention of communications data is illegal. Furthermore, in April the High Court in London ruled that changes need to be made to some parts of the Snooper’s Charter by 1 November to bring it in line with EU law. It is, however, unclear whether the changes to the IPA will suffice in securing an adequacy decision.
If the UK decides to deviate from GDPR after Brexit, it could be highly damaging for UK businesses trading with the EU as they will be subject to two different sets of data protection regulations, putting them at a disadvantage against any company based in the EU.
An additional concern is that even if the UK manages to secure an adequacy decision, the EU can repeal its decision at any time if it believes that the UK no longer ensures an adequate level of data protection.
With the IPA, this will be an ongoing risk, and the uncertainty may contribute to pushing companies to move their operations outside the UK.
There are solutions to these problems, but they will require significant effort and compromise. And data protection is just one area of law. Right now, it does not seem like the government has properly considered the consequences and complexities of making this transition.