Posted by Derek Fitzpatrick, General Manager – EMEA, at Legal Futures Associate Clio
The people have spoken and the UK will be leaving the EU. But what effect will this have on existing legislation?
The potentially far reaching fallout was discussed by Philip Kolvin QC, head of Cornerstone Barristers, who in Local Government Lawyer, wrote: “The Brexit debate has been emotive and political. The consequences for our legal system have barely figured in it but EU inspired or mandated legislation is part of the bedrock of societal protection.
“I speak of health and safety, town and country planning, ecological protection, freedom of information, data protection, competition, discrimination, public procurement, indeed the very concept of proportionality which governs much of our regulatory system. Ahead of us lie profoundly significant legal questions. Are these protections to be thrown on the bonfire of laws? If not, which are to survive and which are to be replaced, and if so by what?”
As the bonfire awaits, I thought this would be a good opportunity to take a look at one of the areas most relevant to legal professionals: data protection.
More than ever, issues around data residency and the obligations of data controllers are of increasing importance for legal professionals when providing comprehensive advice to clients. Data privacy in the UK is controlled by the Data Protection Act 1998 (DPA). The DPA states that personally identifiable information must be stored on a server located either within the European Economic Area (EEA) or on a server outside the EEA, only if that server and the country where it resides provides sufficient security for the privacy and security of the data.
Following the Schrems decision by the European Court of Justice in October 2015, it is advisable that EU data continue to be stored in EEA locales. The DPA also require a certain level of security for the data storage from both data controllers and data processors.
In 1995, when the DPA was developed, Mark Zuckerberg was 11 and cloud computing was still a wild notion embraced by few. To address this, a replacement for the current legislation has already been scheduled for 2018.
The General Data Protection Regulation (GDPR) will ensure much stricter levels of data protection and will apply to all EU member states. Due to the time scales involved, it will be a minimum of two years before the UK can officially leave, meaning there will almost certainly be overlap and the GDPR will apply to British firms for a certain period.
In this respect, the most common sense approach would appear to be for the UK to adopt GDPR. Also, any UK business which has a group company or staff operating with the EU will have to comply with the GDPR’s provisions.
The Information Commissioner’s Office was quick to issue a statement following the release of the referendum result in which it was clear that the DPA will remain law post-Brexit and that the UK will have to legislate equivalent GDPR regulations, even if it exits the EU.
If the UK decides not to upgrade its data protection laws to a GDPR-level standard, the question will inevitably rise soon after the GDPR’s 25 May introduction of whether the UK laws offer an ‘adequate’ level of data protection. The answer will almost certainly be that they do not and the UK would no longer be considered by the EU to be a ‘safe country’ for Europe to transfer data into, much like the position the United States currently occupies.
So for the time being, legal professionals would be well advised to keep to their close adherence to the DPA, keep a close eye on all developments and announcements regarding the imminent launch of the GDPR, and then align their firm’s internal data protection procedures to them.