Many would argue that finding a Brexit option that is in the best interests of the U.K. is an oxymoron. Yet that is precisely the aim that the U.K. government has set out to achieve. The process of Brexit has officially started. In about two years from now, the U.K. will have ceased to be a member of the European Union. What seemed like an insanely improbable outcome barely some months ago is now an action plan with objectives and milestones. One of those objectives is to deliver a data protection framework that meets the policy goals of a 21st century democracy that seeks to play an influential role in the wider world.
What does that winning formula look like?
For starters, it should be remembered that the U.K. has always been a pioneer in data protection. The original Data Protection Act 1984 was one of the first laws to implement the principles of the Council of Europe Convention 108, and the Data Protection Act 1998 was one of the few European laws that managed to meet the deadline for implementation of the 1995 Directive. In 2008, the then Information Commissioner, Richard Thomas, single-handedly kick-started the reform of the EU data protection framework by openly questioning the suitability of the directive, and even today, the U.K. is actively participating in the proposed reform of the EU e-privacy law.
This is all to say that whatever Brexit leads to, the U.K. will never be too far away from the action on the ever evolving data protection legislative front.
This is all to say that whatever Brexit leads to, the U.K. will never be too far away from the action on the ever evolving data protection legislative front. The £350 million question is how close the post-Brexit data protection framework will be to the EU one. Logic suggests that U.K. data protection law will never be miles away from EU law but yet, the whole premise for Brexit rests on being independent from the legislative decisions made in Brussels and the judicial decisions made in Luxembourg. At this stage, the U.K. government has simply indicated that the GDPR will become U.K. law by May 2018, which is understandable given that the U.K. will not have left the EU by then.
But the U.K. government is also aware of the importance of ensuring the free flow of data from the EU if it is to fully benefit from the opportunities of the digital economy. How it will achieve that is open to debate but given that being part of the European Economic Area appears to have been abandoned altogether, the most obvious way forward will be to secure its status as a safe jurisdiction for personal data.
From a U.K. perspective, the best outcome would be to officially be deemed as 'adequate' – an unfortunate word which may even be seen as quite embarrassing by hardcore Brexiteers – without even having to apply to the European Commission for an adequacy decision. This is something that the government will probably be aiming for from day one as part of the overall Brexit deal, as otherwise the process to obtain adequacy is bound to be slow and painful.
A key practical question is what role the Information Commissioner's Office will end up playing in all of this.
Following the adoption of the GDPR, U.K.-headquartered multinationals were certainly hoping that the ICO would be a helpful lead authority in the context of the one-stop-shop arrangements. Now, those same companies face being directly accountable to a variety of EU data protection authorities and some are even considering moving their HQ to other Member States to secure the lead authority benefit.
While it will no doubt be challenging for the ICO to retain its position alongside the other EU data protection authorities, the U.K. regulator's seat at the European Data Protection Board should not be entirely ruled out.
Fortunately, this is something that the ICO is well aware of and judging by the actions of Elizabeth Denham since her appointment as Commissioner, for all practical purposes, the U.K. has one of the most robust, focused and credible privacy regulators on the planet. So while it will no doubt be challenging for the ICO to retain its position alongside the other EU data protection authorities, the U.K. regulator's seat at the European Data Protection Board should not be entirely ruled out.
When looking at Brexit and its consequences, it is difficult to escape the political implications of it all. It is somewhat counter-intuitive to think that the U.K. will be actively seeking to align itself with the EU's data protection framework at a time when it is preparing for its departure.
However, reconsidering what's best for the U.K., its businesses and its citizens is what the Brexit process is about and if the answer is that the best way to take back control is to be as involved in the dynamic European data protection world as possible, that will ultimately be the direction of travel.
photo credit: The Prime Minister's Office PM signs Article 50 letter via photopin (license)