Brexit and law firm data

16 September 2016

Posted by Derek Fitzpatrick, General Manager – EMEA, at Legal Futures Associate Clio

Fitzpatrick: UK will need data protection laws to a GDPR-level standard

The people have spoken and the UK will be leaving the EU. But what effect will this have on existing legislation?

The potentially far-reaching fallout was discussed by Philip Kolvin QC, head of Cornerstone Barristers, who wrote in Local Government Lawyer: “The Brexit debate has been emotive and political. The consequences for our legal system have barely figured in it but EU inspired or mandated legislation is part of the bedrock of societal protection.

“I speak of health and safety, town and country planning, ecological protection, freedom of information, data protection, competition, discrimination, public procurement, indeed the very concept of proportionality which governs much of our regulatory system. Ahead of us lie profoundly significant legal questions. Are these protections to be thrown on the bonfire of laws? If not, which are to survive and which are to be replaced, and if so by what?”

As the bonfire awaits, I thought this would be a good opportunity to take a look at one of the areas most relevant to legal professionals: data protection.

Issues around data residency and the obligations of data controllers are increasingly important for legal professionals when providing comprehensive advice to clients. Data privacy in the UK is controlled by the Data Protection Act 1998 (DPA). The DPA states that personally identifiable information must be stored either on a server located within the European Economic Area (EEA) or on a server outside the EEA, and the latter only if that server and the country where it resides provide sufficient protection for the privacy and security of the data.

Following the Schrems decision by the European Court of Justice in October 2015, it is advisable that EU data continue to be stored in EEA locales. The DPA also requires a certain level of security for the data storage from both data controllers and data processors.

In 1995, when the DPA was developed, Mark Zuckerberg was 11 and cloud computing was still a wild notion embraced by few. To address this, a replacement for the current legislation has already been scheduled for 2018.

The General Data Protection Regulation (GDPR) will ensure much stricter levels of data protection and will apply to all EU member states. Due to the time scales involved, it will be a minimum of two years before the UK can officially leave, meaning there will almost certainly be overlap and the GDPR will apply to British firms for a certain period.

In this respect, the most common-sense approach would appear to be for the UK to adopt GDPR. Also, any UK business which has a group company or staff operating with the EU will have to comply with the GDPR’s provisions.

The Information Commissioner’s Office was quick to issue a statement following the release of the referendum result in which it was clear that the DPA will remain law post-Brexit and that the UK will have to legislate equivalent GDPR regulations, even if it exits the EU.

If the UK decides not to upgrade its data protection laws to a GDPR-level standard, the question will inevitably arise soon after the GDPR’s 25 May introduction of whether the UK laws offer an ‘adequate’ level of data protection. The answer will almost certainly be that they do not, and the UK would no longer be considered by the EU to be a ‘safe country’ for Europe to transfer data into, much like the position the United States currently occupies.

So for the time being, legal professionals would be well advised to maintain their close adherence to the DPA, keep a close eye on all developments and announcements regarding the imminent launch of the GDPR, and then align their firm’s internal data protection procedures to them.

For more information on the issues and obligations your firm can face as a data holder, check out Clio’s new guide, Data residency – Issues and obligations for European law firms.
