US companies and policy makers will no doubt spend a good chunk of the day today considering the possible implications for them of yesterday’s UK vote for Brexit. Mark Carney, Governor of the Bank of England, has issued a statement to calm the markets. I will content myself with a much more modest statement to calm US companies who have been working hard to fill in the gap left by the demise of Safe Harbor and to prepare for the implementation of the GDPR in May 2018: Brexit will have very little, if any, impact on the UK’s approach to data protection laws, at least in the medium term (say the next five years or so).
Why is that? First and foremost, the UK has no interest in doing anything that would impede the flow of personal data between the UK and the rest of Europe. The GDPR, like the current laws under the Data Protection Directive, provides a pathway of least resistance for data transfers: If a country’s laws “ensure[ ] an adequate level of protection” for the personal data, the Commission can issue an adequacy decision to allow data transfers to that country (without the need for model clauses or BCRs). The most straightforward way for the UK to get an adequacy decision is to adopt and implement the GDPR (or at least all of the material parts of the GDPR) as part of its national legislation.
Second, of all the things that the UK will need to negotiate with the EU over the coming years, any quibbles that the UK may have about data protection legislation are likely to be low on the list, far behind passporting of banking services and new immigration arrangements. The UK did have some concerns about the GDPR, as communicated by the ICO in its initial comments on the Commission’s early draft of the GDPR. However, none of them were deal-breakers for the UK.
Third, as a practical matter, UK companies that are part of international corporate groups with a European presence would probably not make it a priority to push hard for UK legislation that eases their burden under UK law, while they still have to comply, in effect, with the GDPR with respect to their European operations (both the operations of their European affiliates and the UK companies’ own sales into Europe).
Looking past the medium term, how might the UK’s approach change later on, once the key Brexit negotiations are finished? The ICO did say a couple of weeks ago at a conference that it would consider other approaches, such as the data protection frameworks used in New Zealand or Australia, that meet EU adequacy requirements. However, all of those existing frameworks will need to be reviewed again against the GDPR in order to keep their adequacy decisions in place, so those legal frameworks may look a lot more like the GDPR within a couple of years.
So until the ICO tells us otherwise, US companies working on preparing for the implementation of the GDPR should continue with that work even if their primary EU activities are only in the UK. (And don’t forget that the actual exit is not taking place immediately.)