This site would like to set some non-essential temporary cookies. Some cookies we use are essential to make our site work.
Others such as Google Analytics help us to improve the site or provide additional but non-essential features to you.
No behavioural or tracking cookies are used.
To change your consent settings, read about the cookies we set and your privacy, please see our Privacy Policy

Digital Business Lawyer

Seeing through the fog after the UKís vote to leave the EU

This article was originally published in Volume: 18 Issue: 7 (July 2016)

In light of the United Kingdom choosing to leave the EU on the 24 June 2016, this transition will undoubtedly impact data protection. Francis Aldhouse, Former Deputy Information Commissioner and Ruth Boardman, Co-head of International Data Protection Practice at Bird & Bird, discuss the potential implications of Brexit, providing detail on a range of issues facing e-commerce businesses in the UK.

So it is decided. The UK has voted to leave the EU. In one way or another, the UK’s relationship with the EU is to change. David Cameron has suggested that a new Prime Minister should start the withdrawal process by notice to the Council under Article 50 of the Treaty on the EU (‘TEU’). The EU’s Council of Ministers then has to adopt guidelines for the negotiations to settle the arrangements for separation and the future relationship between the UK and the EU. The EU Commission’s (‘EC’) role is critical in this process even though it might not be leading the negotiations. The policy which it recommends to the Council will set the tone of the negotiation. The Council does not have to accept the EC’s recommendations, but it is unlikely to reject them out of hand. Who would the UK prefer as the Council’s negotiator, France, Poland or the EC?

How long will all this take?

Article 50.3 TEU says that: ‘The Treaties shall cease to apply to the State in question from the date of entry into force of the withdrawal agreement or, failing that, two years after the notification referred to in paragraph 2, unless the EU Council, in agreement with the Member State concerned, unanimously decides to extend this period.’ Some Brexiters argue for a lengthy complex negotiation outside the Article 50 scheme; others seek a clean break; various EU voices have called for strict adherence to Article 50. In the absence of unanimity, the two year time limit would apply. Nor must we overlook the role of the EU Parliament (‘EP’) in consenting to a withdrawal agreement. One can picture an unholy alliance in the EP opposed to an agreement with the UK for mixed and conflicting motives. In that case, the UK would be adrift with no agreed relationship with the EU.

What is the UK doing while this is taking place?

It is still a member of the EU and the Treaties continue to bind the UK until the two year notice period or other agreed period has expired. Article 50.4 provides that a withdrawing state cannot take part in the Council discussions on the withdrawal. However, during the notice period and whilst bound by the Treaties, the UK is presumably entitled to play a part in the Council’s decision-making. 

So will the General Data Protection Regulation apply?

In the normal course of events, the Data Protection Act 1998 (‘DPA’) would have been overridden in May 2018 by the GDPR. When the UK is no longer an EU Member State and no longer bound by the Treaty obligations, all EU Regulations will be of no effect. This could have such a destabilising effect on a whole range of matters that the UK Parliament would have to pass emergency temporary legislation to preserve the existing regulatory effect while the longer term disentangling took place. Perhaps, as an alternative solution, the Supreme Court might apply an imaginative interpretation of the rules on statutory interpretation. Either of these approaches could mean that the UK would follow the GDPR, even if the UK is not a Member State. If, by May 2018, the UK is still involved in long drawn out negotiations, then the GDPR would apply in any event until the date of eventual withdrawal.

Of course, businesses must also remember the extra-territorial reach of the GDPR. For businesses that provide goods or services to, or monitor, individuals who are in the EU, then the GDPR will apply to them on an extra-territorial basis, irrespective of the UK domestic situation.

What about e-Privacy?

Directive 95/46/EC was implemented by primary UK legislation. But what will happen to the e-Privacy legislation which was implemented by regulations made under the EU Communities Act 1972? Leave campaigners have been demanding the early repeal of the 1972 Act, but that does not undo anything previously done under that Act. Section 16.1 of the Interpretation Act 1978 gives the answer: ‘16 General savings.

(1) Without prejudice to section 15, where an Act repeals an enactment, the repeal does not, unless the contrary intention appears, -

(a) revive anything not in force or existing at the time at which the repeal takes effect;

(b) affect the previous operation of the enactment repealed or anything duly done or suffered under that enactment.’

The consequence of Section 16(1) would seem to be that not only would the e-Privacy Regulations remain in force, but so would the offences created by them and the powers of the Commissioner and the courts in relation to them.

What if the UK becomes a member of the EEA instead?

This analysis has so far assumed complete withdrawal of the UK from the EU in two years or shortly thereafter. However, there is certainly a parliamentary majority for remaining part of the single market - presumably as a member of the EEA. This is difficult to reconcile with the objectives which have come to the fore during campaigning, which have placed control over immigration and sovereignty as key reasons for exit. 

If the UK were to become a member of the EEA, however, then the GDPR would come into effect and continue to apply as part of the acquis communautaire, acceptance of which has so far been seen as an essential condition of EEA membership. The 1972 Act might be repealed as a face-saving gesture, but it would have to be replaced by something similar to authorise subordinate legislation necessary to comply with EEA obligations. 

Whether some different third way relationship with the EU might be negotiated is highly speculative.

What about data transfers?

UK businesses will also need to be able to receive data from the EU, for example - so that data about EU employees can be accessed by UK headquartered parents; so that data about EU consumers can be accessed by UK service providers; and so that the UK technology industry can continue to offer solutions to EU customers, which involve EU data being hosted in the UK. If the UK were to become a member of the EEA, then data transfers from most EU Member States could continue. (This may not be the case everywhere: French law, for example, differentiates between transfers to the EU and EEA).

If the UK does not become a member of the EEA, then, as the Directive and the GDPR restrict transfers of data to third countries, a way of legitimising the flows of data to the UK would have to be found. This could be the case if the UK were to amend the Data Protection Act, so as to bring it up to GDPR standards - in which case, perhaps the EU would accept that existing UK legislation would be the basis for an adequacy finding. The recent European Court of Justice decision over safe harbor suggests that it would be a difficult moment to seek such a decision, especially given UK governments’ desires to maintain widespread rights of access to communications data for national security and law enforcement purposes. Jan Philipp Albrecht, the MEP who was the rapporteur for the GDPR, tweeted that in his view UK surveillance programs would rule out a favourable adequacy decision.

Absent such an adequacy finding, standard contractual clauses, binding corporate rules and all the other trappings of transborder data flow management must be relied upon. Standard contractual clauses and binding corporate rules require the importing organisation to offer EU-equivalent protections for personal data. Although, at the moment, these require protections which meet the standards of the Directive, the GDPR provides for current adequacy methods to be reassessed. Such reassessment will inevitably result in changes to standard contractual clauses and to binding corporate rules, so that they meet the higher standards of the GDPR. 

What does this mean for UK organisations? 

If you are an entirely domestic UK organisation with no EU trading or other links, your only concern will be working out which data protection laws will apply after the UK withdraws from the EU. This could just be the current regime of the DPA and e-Privacy Regulations. As set out above, a more extensive regime could end up applying - either because the UK becomes a member of the EEA, or because UK law has to adapt to provide a better basis for an adequacy decision. 

If, however, you have EU connections which require you to process EU data, either as a data controller or a processor, then the GDPR will certainly be relevant: 1) directly, on a long arm basis; or 2) because, in order to receive data from EU based organisations, you will need to have GDPR-compliant systems, policies and procedures.

So what should organisations do and when?

The greatest difficulty in seeing through the current fog arises from the different interests and motives not only of the domestic UK groups, but also of the EC and all the other Member States. Prediction is far too difficult. For the moment, organisations with no EU customers, may feel that watching and waiting is the best advice. For anyone else, continue to plan on the basis that the GDPR will apply to you either because the UK will be part of the EEA or, if you are processing EU data, because it will apply on a long-arm basis and because you will be required either by standard contractual clauses or some other instrument to give that personal data ‘adequate protection’ as defined in the GDPR. Let us hope the fog quickly clears.


Francis Aldhouse CBE, Consultant

Ruth Boardman Co-head International Data Protection Practice

Bird & Bird, London

Search Publication Archives

Our publication archives contain all of our articles, dating back to 1999.
Canít find what you are looking for?
Try an Advanced Search

Log in to digital business lawyer
Subscribe to digital business lawyer
Register for a Free Trial to digital business lawyer
E-Law Alerts
digital business lawyer Pricing

Social Media

Follow digital business lawyer on Twitterdigital business lawyer on LinkedIndigital business lawyer RSS Feed