Apparently the Brexit result has caused some IT leaders to look at repatriating data to the UK to “comply with data protection laws and especially GDPR”. But wait a minute – this seems to be more about a lack of understanding of data protection laws. Again.
Earlier this year I wrote about emotional knee-jerk reactionism being used as a substitute for proper data protection advice and this looks like more of the same. Maybe Trinity was right all along: déjà vu means there is a glitch in the matrix and they have changed something. And here that change is (or will be) Brexit. It's worth a look in more detail to help you decide what you need to do.
GDPR will come into force in UK before Brexit
Until Brexit, data transfers can still happen. The General Data Protection Regulation won’t change that. It becomes enforceable in May 2018. Unless the UK waives the two year exit negotiation period and pulls out of the EU before then, it will still be part of the EU. In fact, the UK government is having trouble even issuing notice under Article 50 to start the whole exit process off.
Even when the government starts the exit process, immediate withdrawal is unlikely and a government spokesman has confirmed that the UK will “opt-in” to GDPR. That statement doesn’t really add anything. It is long settled law that EU Regulations such as GDPR don’t require the UK to implement them by an Act of Parliament nor do they require the UK to “opt-in” to them once they have been approved by the EU national governments and EU Parliament (despite what this particular cabinet minister might hope). So GDPR will pass into UK law before Brexit. Until Brexit happens, data protection law will still be harmonised with the EU. CONCLUSION: data transfers can still occur before GDPR as they do now. After GDPR everyone in the UK will have no choice to be compliant, so data transfers can continue. You can repatriate your data to the UK if it fits with your business case or makes you feel safer, but the law doesn't require it.
By now, we've all heard that “Brexit means Brexit”. In truth, this is no more than a vacuous holding statement repeated by the Prime Minister to provide comfort to Leave voters, while reminding Remain voters of the outcome of the referendum. In the meantime, the UK government is trying to work out exactly what Brexit means.
Naturally, it is important to plan ahead and two years is not a long time to do this. The lack of clarity from the UK government isn’t helping either. There are a number of different Brexit scenarios. The rest of this article is not going to attempt to explain them all, nor to get into a debate about whether Brexit is a good or bad thing. That is better covered elsewhere. We will simply examine how a few scenarios will affect data protection.
This might be where the UK leaves the EU but stays in the Single Market or the European Economic Area. The data protection laws extend to the EEA so if the UK were to stay in the EEA it would have to continue to comply.
The UK government has expressed a strong desire to curtail the freedom of movement of workers. This has been countered by the adamant insistence from the rest of the EU members that without free movement, the UK cannot partake in the Single Market or EEA. Soft Brexit seems unlikely for anything other than a transitional deal while the UK sorts itself out. CONCLUSION: during any continued UK membership of EEA / Single Market, data transfers will still happen. Repatriation of data not required.
This is where the UK leaves the EU and falls back onto WTO trade agreements without a favourable deal with the EU. In that situation, the UK would fall outside the data transfer safe zone – that is, the EEA – within which all countries adhere to the same standards of data protection. In that case, the European Commission would evaluate the UK’s laws to see whether personal data is protected to the same standard as inside the EEA.
The Prime Minister has said she will issue a Great Repeal Bill which preserves most EU laws as at Brexit to avoid having to rewrite lots of laws all at once. It is unlikely that the UK will immediately cancel compliance with GDPR. Remember the UK was a founding nation of the European Convention on Human Rights which sets out the basis of data protection law through Article 8 which provides a right to respect for one's "private and family life”. Even though the UK has said it will adopt its own Human Rights Act, this right is likely to stay in some form. Besides, the UK government will probably be too busy negotiating trade deals. In that case, the Commission will likely conclude that UK law provides adequate data protection and data can continue to flow to and from the UK. This is what happens with Canada, Switzerland, Israel and other countries.
Having said that, the far reaching snooping powers under the new Investigatory Powers Act might undermine that compliance, even if we keep our data protection laws. This is similar to what caused EU/US Safe Harbour to be invalidated, although the US didn’t (and still doesn’t) have all encompassing data protection laws like in the UK. Data transfers are too important to abandon so, in that case, the UK would likely negotiate its own Privacy Shield as fast as bureaucracy allows. CONCLUSION: data transfers will still happen but under a UK Privacy Shield. Repatriation if you feel safer. But that would mean your data could be accessed by the UK government under its snooping powers. Maybe it would be better leaving it abroad.
Of course, the other outcome is that we never leave the EU. This is not what the Leave voters want. But before Brexit, maybe even before we issue notice to leave there are numerous important events in the rest of the EU. There’s the Italian referendum and the Austrian re-run election in December. Next year the French and Germans are having general elections. This might lead to a completely changed EU without so much top-down regulation, harmonisation or political integration. Or, of course, it could lead to the disintegration of the EU. Maybe the UK will pass Russian-style data protection laws forcing UK businesses to keep UK data inside the UK. Isn’t NHS England rumoured to have that kind of restriction in place already? CONCLUSION: Nobody really knows what would happen to data transfers in these unlikely scenarios but maybe then repatriation would be best. ®