Why the UK's vote to leave the EU will have little effect on its data protection rules

The UK now faces a long, drawn-out process to quit the EU, at the end of which many of the rules "leave" campaigners sought to escape will remain in place

With the haircut that the sterling-euro exchange rate has taken in the wake of the U.K.'s vote to leave the European Union, the U.K. has suddenly become a low-cost country for companies wishing to host or process the personal information of EU citizens.

EU businesses will need to weigh that price cut against the regulatory uncertainty Thursday's vote introduced -- but it turns out that's surprisingly small, at least in the short to medium term.

As for U.K. businesses hoping for more relaxed data protection rules in the wake of the referendum vote, they will have to wait -- perhaps for a very long while.

That's because many of the rules that the 51.9 percent who voted to leave the EU hoped to escape are, in fact, firmly part of U.K. law, and will only go away if the U.K. parliament votes to repeal them.

And it can't do that until it has negotiated its exit from the EU, which is a matter of international treaty and not the will of the people.

The first question, then, is when will the U.K. officially leave the EU?

That will depend on when the U.K. government informs the other member states of its intention to leave by invoking Article 50 of the Lisbon Treaty. The UK will cease to be bound by the EU treaties two years after that date -- sooner in the unlikely event that all parties reach an agreement on an exit settlement before then.

However, U.K. Prime Minister David Cameron is in no hurry to invoke Article 50. On Friday morning he announced that he will resign and make way for a new leader of the ruling Conservative Party before the party's annual conference in October. Invoking Article 50, he said, would be a task for his successor.

That means the U.K. is likely to remain part of the EU until October 2018 -- or longer, if Cameron's successor is in no rush to invoke Article 50.

That means U.K. businesses and citizens will still be subject to EU laws for some years to come.

Those laws come in two forms: directives, and regulations. In the field of data protection, there's one of each to pay attention to.

The most significant -- for now -- is the 1995 Data Protection Directive.

Directives are proposed by the European Commission (the members of which are nominated by the EU member states), then amended by the European Council (composed of the heads of the EU member governments or their ministers) and the European Parliament (directly elected by EU citizens) until all three parties reach a compromise. Then, the parliaments of each member state transpose the directives into their own national law, adapting it where necessary to fit their own legal systems and circumstances. In this way, the Data Protection Directive took effect in 1998.

One of its key provisions, for businesses at least, is that EU citizens' personal information may only be processed in countries offering a level of data protection at least equal to that afforded by EU law.

Since the U.K.'s data protection regime will remain unchanged, for now, U.K. businesses can still process data for EU companies and citizens, and U.K. citizens will have the same protections if their data is exported to, say, the U.S.

Protection of EU citizens' data in the U.S. has itself been called into question since the October 2015 decision by the Court of Justice of the EU to overturn the legal instrument providing that protection, the so-called Safe Harbor Agreement. EU and U.S. officials are still negotiating the details of its replacement, Privacy Shield, which will also cover the U.K. until it formally leaves the EU.

The other EU data protection law of relevance to the U.K. is the General Data Protection Regulation (GDPR), voted in April 2016. This introduces harsher fines for companies breaching the rules -- up to 4 percent of worldwide revenue -- and seeks to harmonize those rules, eliminating national differences allowed under the Data Protection Directive.

Regulations begin life in the same way as directives, as compromise texts agreed upon by the Commission, Council and Parliament. After that, though, there's no time-consuming transposition into national laws: Regulations are directly applicable, and automatically enter effect after two years.

At first sight, that would suggest that U.K. citizens will benefit from, and U.K. businesses will be subject to, the effects of the GDPR from April 2018 through at least October 2018.

That, though, is without considering the exemptions from EU home affairs and justice legislation negotiated by the U.K., Ireland and Denmark. The exemptions mean the GDPR will apply only partially in the U.K up until October 2018.

But what then? Well, one of the innovations of the GDPR is that the rules applicable depend on the location of the data subject, so companies in the U.K. will still have to comply with it when processing EU citizens' data.

U.K. businesses might even choose voluntarily to follow EU data protection rules at all times, in order to hang on to their U.K. customers.

"It would make no sense at all for U.K. regulations to be any less stringent. Poor safeguards against loss, theft and misuse of data would ultimately cost U.K. business, as consumers and brands put their data elsewhere," said Richard Lack, EMEA director of sales at Gigya, which provides a visitor tracking and identification service for websites.

Following the EU data protection rules would be a good thing for U.K. businesses in other respects, according to Javvad Malik, security advocate at AlienVault, a security threat management company.

"Many Infosec professionals seem to view the legislation in a positive light, believing that stipulations such as 'data protection by design' will make the data held by their organizations more secure," he said of the GDPR.

Until October 2018, then, and even beyond, it seems unlikely that much will change, in the field of data protection at least.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Peter Sayer

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?