By Richard Nicholas and Lauren Webb – data protection lawyers at Browne Jacobson LLP
Now that the UK is outside the European Union – will that mean less red tape for SMEs when it comes to processing personal data? Here’s why you shouldn’t hold your breath.
What law applies?
You’re probably aware of two pieces of legislation that currently apply to the processing of personal data:
- The General Data Protection Regulation (GDPR), as a regulation, applies directly to all member states of the European Union (EU).
- The UK Data Protection Act 2018, currently in force, also incorporates the GDPR and deals with the derogations specific to the UK.
Since Brexit, the GDPR no longer directly and automatically applies to the UK, although the Data Protection Act 2018 and the Withdrawal Act mean that its provisions will continue to have effect via UK legislation.
In its guidance the Information Commissioner’s Office (ICO) has confirmed that a new UK version of the GDPR (removing references to Europe) will be incorporated into UK law. The UK will therefore have a law in place that is similar to the GDPR but tailored to the UK (the UK GDPR).
No more EU legislation?
Not quite. The EU version of the GDPR will continue to apply to UK-based controllers and processors that either:
- offer goods or services to individuals in the EU; or
- monitor the behaviour of individuals in the EU.
Will UK businesses supplying goods and services to EU customers have to comply with TWO versions of the GDPR?
Yes, but they’re likely to be very similar – so that’s not the problem. What is often more important, however, is how the law is interpreted by the regulator.
Guidance from the regulator
Pre-Brexit, the ICO would take into account the guidance of an EU body, the European Data Protection Board (EDPB), when drafting its own guidance and making decisions. The ICO had a seat on this board, and the EDPB would ensure a consistent approach throughout the member states of the European Union, including the UK.
From next year, however, the ICO will no longer sit on the EDPB. There is therefore a chance that the two bodies’ guidance will diverge, resulting in different interpretations of the law in the UK compared to the EU.
Differing Case Law
Alongside guidance from the regulator, case law will often determine how legislation applies to individual businesses. Pre-Brexit, UK cases would take into account decisions from the Court of Justice of the European Union (CJEU), as the final court of appeal, on how the legislation should be interpreted, the intention being that the legislation should be applied in a similar fashion across member states.
If, as is currently proposed, the UK Government does not accept the jurisdiction of the CJEU after Brexit, then there is again a good chance that UK data protection law, even though based on the GDPR, could be interpreted differently as a result of UK courts taking a different line from the CJEU.
What does this mean for UK businesses?
Organisations in the UK that operate in both the UK and the EU will be subject to both the EU and the UK versions of the GDPR and must comply with both going forward. That should not be too much of a stretch as long as the laws remain similar. If, however, guidance and case law lead to different interpretations of those laws, organisations could find themselves in the difficult position of having to comply with different, and possibly conflicting, rules when handling personal data from EU and UK customers.