All businesses – not just businesses in the digital sphere – are going to need to know how they will be affected by the UK (or some of the UK?) leaving the EU.
The timing is important to the effect, because the new EU Data Protection regime is due to come into effect on 25 May 2018. On the strict rules it seems that we’ll still be members of the EU but in the dying weeks of membership. Some of the changes – the need to have data protection officers, and the levels of fines – are ones which the UK government were already unhappy about. The UK may therefore look to scoot around those. Others, around levels of protection, are going to be essential for British businesses to be able to transfer data freely in its biggest export market. Depending on the route taken by government, we may be part of the European Economic Area, in which case we’ll, Norway-like, have to comply (and allow free movement of people, and contribute to the EU funds); or we’ll have to apply for an “Adequacy Decision” from the EU for our safeguards – a status some countries including Canada, Israel, Argentina and Switzerland have, but the US doesn’t. The EU will be more interested in working with the US than it’s difficult ex, we’d suspect.
Not much is clear, bit one thing is – there isn’t going to be a data free-for-all. As the Information Commissioner has made clear, although the forthcoming reforms to EU data protection laws may not apply directly to a post-Brexit UK when it is no longer a member of the EU, for the most part – effectively in all material respects - the data protection standards the UK will have to adopt are going to have to be "equivalent" to the EU’s new General Data Protection Regulations if the UK hopes to continue to trade either with, or as part of the single market from 2018.
Written by Paul Berwin of Berwins Solicitors.