Referendum: has the GDPR gone away?

A few hours after the result of Thursday's referendum on membership of the European Union, I gave a presentation on the significance of the EU's General Data Protection Regulation, due to come into force in May 2018. That might seem a waste of time, but my suggestion was that the referendum result might in fact make the GDPR more important to us.

If the UK remains part of the European Economic Area, then we still have to comply with all EU laws: situation unchanged. But if we leave the EEA as well as the EU, then two particular aspects of the GDPR become significant. First is that, according to Article 3(2), the Regulation applies to organisations outside the EU whenever they process personal data of "data subjects who are in the Union" in relation to "the offering of goods or services … to such data subjects in the Union". That clearly covers distance learning and other services we might offer remotely; it seems possible that it might also cover on-line recruitment of students into face-to-face courses delivered in the UK. In respect of those personal data, at least, the GDPR will still apply directly.

And so long as UK organisations wish to receive personal data from organisations located within the EU, there will also be a strong indirect incentive to comply. That's because, under Article 44, the sending organisations must ensure that what would then count as "exports from the EEA" will not undermine the level of protection that the Regulation guarantees for individuals. When transferring to another member state, it is presumed that such "adequate protection" is automatically provided by that member state's national law, but when transferring to a non-member state the presumption is that it does not.

Under the current Data Protection Directive a small number of non-EEA countries have obtained a declaration that their laws do provide adequate protection. In most cases this has required them to essentially implement the Directive in their own laws. The one country to try an alternative approach is the USA, whose Safe Harbor agreement was supposed to ensure adequate protection but was last year found by the European Court not to do so. A replacement Privacy Shield agreement is now being negotiated. If the UK did not obtain an adequacy declaration then organisations receiving personal data from Europe would need to provide both the protections that are the responsibility of the data controller/processor under current law, and those that are the responsibility of the state. The Regulation allows that to be done, as under the current Directive, through a contract incorporating model contract clauses. However following the Safe Harbor case it has been suggested that those clauses, too, need to be strengthened.

Far from going away, the GDPR could in future increase the requirements on us to protect personal data.

For more details, see articles by Bird & Bird, Phil Lee of FieldFisher and Amberhawk