24 June 2016

The Future of UK Data Protection Laws after Brexit: Some Initial Thoughts

As UK (and the rest of the world) reels from the results of the UK referendum and we find ourselves living in a world where the dystopian Faragist (yes I know he is not the only one!) rhetoric reflects the current thinking of many in the UK, we face important and serious questions about our future laws, policies, social norms and the like in the UK.

For many UK data protection lawyers, the challenge ahead is to ensure that we remain important and relevant voices both with the context of the implementation, interpretation and enforcement of the General Data Protection Regulation and the reform of UK data protection laws.

Since the Brexit outcome, the  UK ICO has said that the UK will rely on "adequacy" decisions from the press release it seems to be more than the usual "essential adequacy". But this could just be down to poor drafting!

However, I doubt this will be effective given that adequacy decisions and similar mechanisms are under attack at EU level. Only BCRs  are not under attack although who knows for how long? And BCRs are not appropriate in all cases. Since the UK ICO release, Jan Phillip Albrecht has since noted on Twitter that the an "adequacy decision" may not be sufficient given surveillance concerns. The UK will need to develop and implement effective data transfer mechanisms, which are line with the robust requirements of the GDPR and protect the fundamental rights and freedoms of individuals. UK data protection lawyers will play key roles in ensuring that we have the relevant data transfer mechanisms in place which will support UK/EU data transfers, promote the growth of the data-driven economy and protect the fundamental rights and freedoms of individuals. 

This also bring us to the second task at hand for UK data protection lawyers. How will the UK amend its data protection laws in the aftermath of Brexit? Will the principles of the European Convention of Human Rights still apply in the UK? If so, how will they be reflected in the new laws? What is the status of decades of European jurisprudence which have impacted on how we have interpreted our national data protection laws? To what extent will and should the new the UK data protection laws include provisions which reflect the new realities since Google Spain and Schrems cases (and others!) to enable UK/EU data transfers.

These are some of the inital questions which UK data protection lawyers and policy- makers need to address once we have all recovered from the shock of Brexit. Anya Croops QC of 11KBW has also published interesting insights on the upcoming data protection challenges in the UK.

We need to ensure that the data-driven economy and digital innovation in the UK does not suffer because UK data protection laws cut us off from the rest of the world. This is not a small task and we all need to put our thinking hats on...fast!