GDPR: Directives, Regulations, Brexit and Equivalence

As I mentioned in my previous post, the General Data Protection Regulation (GDPR) is new European data protection legislation that comes into effect on May 25th 2018. Because it’s significantly different from existing European and UK data protection requirements, achieving compliance with GDPR will require major changes to both administrative and IT systems. It will apply to almost every organisation that processes personal data of anyone located in the EU.

One of the major changes is that this regulation replaces a previous directive. That’s important.

Directives and Regulations

An EU Directive is an instruction to each member state to enact local legislation to implement the provisions of the Directive. Each member state can adopt its own attitude to the legislation provided the provisions of the Directive are covered. This has led to what’s sometimes referred to as “gold plating” where a member state enacts local legislation that’s more extensive, or includes greater penalties, than those required by the Directive. It also means that the rules are likely to vary from one state to another – so any firm trying to do business across Europe will have to be aware of the nuances and differences in the local legislation between member states.

This is the current state (March 2017) of data protection in Europe. It’s specified in a Directive of 1995, which was effectively implemented in the UK by the 1998 Data Protection Act (DPA). In some areas, such as the appointment of a Data Protection Officer, the DPA went further than the Directive required.

The new legislation, the General Data Protection Regulation is, as you can see by its name, a Regulation. This means it is legally enforceable in all member states without requiring local legislation. It also means the provisions, and penalties, will be consistent across all member states. Despite this there is still scope for variation both in some local regulations* and in how rigidly the Regulation is enforced, as enforcement is the responsibility of a local regulator or supervisory authority. In the UK this is the Information Commissioner’s Office (ICO).

A Regulation may be seen as beneficial since it means organisations trading or offering services across multiple member states need implement only one data protection regime to ensure compliance everywhere. The European Commission believes this will result in a substantial saving to European businesses compared to the current somewhat heterogenous regulatory environment. It hasn’t, though, accounted for any expense involved in actually complying with the new legislation

*On April 12th the UK government published a “call for views” asking for input on how they should deal with the areas within the GDPR regulation which are flexible, or from which the UK could derogate. Responses required by 9th May, so not long then!

Brexit

UK Prime Minister Theresa May has now triggered Article 50 – the means by which the UK will leave the EU. Article 50 provides for a 2-year negotiation period prior to the departure of the member state (this can be extended by mutual, unanimous agreement – unlikely but possible). So the earliest the UK will leave the EU will be March 2019. The GDPR comes into force on May 25th 2018, so it will be in force for at least 10 months before the UK’s earliest possible EU exit. Current press speculation suggests there may be as much as a 3-year “transition” period after the UK actually leaves the EU, during which time all EU rules, and freedoms, may continue to apply.

But whatever happens during or after Brexit, UK organisations will be required to implement GDPR; this was confirmed by the UK Secretary of State for Culture, Media and Sport, Karen Bradley, in oral evidence to a Parliamentary Select Committee in October 2016. (Source)

Once the UK leaves the European Union, whether GDPR directly applies in the UK will depend on the UK’s continuing relationship with the EU. If, unlikely though it seems, we remain part of the single market, or become members of the European Economic Area (EEA), then GDPR will continue to apply directly. If we’re not members of either of these, much will depend on the provisions of the “great repeal bill” which will be brought before Parliament to undo existing EU legislation, and replace it with equivalent UK legislation.

The ICO has confirmed that it will work with government to provide advice on the continuing application of the GDPR, or any replacement legislation, after Brexit.

Equivalence and Adequacy

One of the important provisions of GDPR is that it applies to all organisations that store or process personal data of individuals in the European Union, irrespective of where the company is legally registered, based or operates. This means any organisation that wants to do business with, or provide services to, EU residents (and remember places like Gibraltar, French Guiana and the Azores are part of the EU) will need to comply with GDPR. So any UK business or other organisation wanting to continue to use European Union residents’ personal data must comply. The penalty for failure to comply is a fine of up to €20m or 4% of global annual revenues, whichever is the greater. For comparison, the maximum fine under the DPA is £500,000.

Many firms multinational firms are looking at GDPR as the “Global Data Protection Regulation” as its provisions are equivalent to, or better than, any current regime elsewhere, so complying with GDPR would enable a multinational firm to process personal data for any individual anywhere in the world, under a single data protection regime.

European law includes the idea of “equivalence”; the concept that a local law enacted in a non-EU territory has provisions that make it effectively the same as the equivalent European law. The judgement on equivalence is made solely by the European Commission; if it considers the local law equivalent then it’ll issue an “adequacy decision” to that effect. Post Brexit it’s highly likely that the UK will enact effectively the same legislation as GDPR, and seek an adequacy decision to enable the continued free flow of personal data between the UK and the EU. And further it would not make sense to have two different privacy regimes, one for the EU (and likely the rest of the world) and a weaker one for the UK, so it’s very likely that the UK data protection legislation following Brexit will be directly equivalent to GDPR.

Conclusion

GDPR is an EU Regulation, meaning it is law in all member states of the EU, including the UK. It is already law; it will come into effect in the UK in May 2018, and therefore it will be in force long before the UK leaves the EU.

In order for UK businesses to continue to do business with EU citizens post Brexit, and because GDPR is increasingly being seen as the Global standard in data privacy and data protection, it’s highly likely that the UK will either adopt GDPR in its entirety or enact equivalent legislation. It’ll then seek an adequacy decision from the European Commission. The ICO will be providing the government advice on how to best achieve this outcome.

Further Reading

If you’d like to find out more about the major provisions of GDPR, some suggestions for the first steps to take on the path to conformance, and some links to further sources of information, please request a copy of our White Paper – GDPR: an overview.