Why the UK's vote to leave the EU will have little effect on its data protection rules

The UK now faces a long, drawn-out process to quit the EU, at the end of which many of the rules "leave" campaigners sought to escape will remain in place

With the haircut that the sterling-euro exchange rate has taken in the wake of the U.K.'s vote to leave the European Union, the U.K. has suddenly become a low-cost country for companies wishing to host or process the personal information of EU citizens.

EU businesses will need to weigh that price cut against the regulatory uncertainty Thursday's vote introduced -- but it turns out that's surprisingly small, at least in the short to medium term.

As for U.K. businesses hoping for more relaxed data protection rules in the wake of the referendum vote, they will have to wait -- perhaps for a very long while.

That's because many of the rules that the 51.9 percent who voted to leave the EU hoped to escape are, in fact, firmly part of U.K. law, and will only go away if the U.K. parliament votes to repeal them.

And it can't do that until it has negotiated its exit from the EU, which is a matter of international treaty and not the will of the people.

The first question, then, is when will the U.K. officially leave the EU?

That will depend on when the U.K. government informs the other member states of its intention to leave by invoking Article 50 of the Lisbon Treaty. The UK will cease to be bound by the EU treaties two years after that date -- sooner in the unlikely event that all parties reach an agreement on an exit settlement before then.

However, U.K. Prime Minister David Cameron is in no hurry to invoke Article 50. On Friday morning he announced that he will resign and make way for a new leader of the ruling Conservative Party before the party's annual conference in October. Invoking Article 50, he said, would be a task for his successor.

That means the U.K. is likely to remain part of the EU until October 2018 -- or longer, if Cameron's successor is in no rush to invoke Article 50.

That means U.K. businesses and citizens will still be subject to EU laws for some years to come.

Those laws come in two forms: directives, and regulations. In the field of data protection, there's one of each to pay attention to.

The most significant -- for now -- is the 1995 Data Protection Directive.

Directives are proposed by the European Commission (the members of which are nominated by the EU member states), then amended by the European Council (composed of the heads of the EU member governments or their ministers) and the European Parliament (directly elected by EU citizens) until all three parties reach a compromise. Then, the parliaments of each member state transpose the directives into their own national law, adapting it where necessary to fit their own legal systems and circumstances. In this way, the Data Protection Directive took effect in 1998.

One of its key provisions, for businesses at least, is that EU citizens' personal information may only be processed in countries offering a level of data protection at least equal to that afforded by EU law.

Since the U.K.'s data protection regime will remain unchanged, for now, U.K. businesses can still process data for EU companies and citizens, and U.K. citizens will have the same protections if their data is exported to, say, the U.S.

Protection of EU citizens' data in the U.S. has itself been called into question since the October 2015 decision by the Court of Justice of the EU to overturn the legal instrument providing that protection, the so-called Safe Harbor Agreement. EU and U.S. officials are still negotiating the details of its replacement, Privacy Shield, which will also cover the U.K. until it formally leaves the EU.

The other EU data protection law of relevance to the U.K. is the General Data Protection Regulation (GDPR), voted in April 2016. This introduces harsher fines for companies breaching the rules -- up to 4 percent of worldwide revenue -- and seeks to harmonize those rules, eliminating national differences allowed under the Data Protection Directive.

Regulations begin life in the same way as directives, as compromise texts agreed upon by the Commission, Council and Parliament. After that, though, there's no time-consuming transposition into national laws: Regulations are directly applicable, and automatically enter effect after two years.

At first sight, that would suggest that U.K. citizens will benefit from, and U.K. businesses will be subject to, the effects of the GDPR from April 2018 through at least October 2018.

That, though, is without considering the exemptions from EU home affairs and justice legislation negotiated by the U.K., Ireland and Denmark. The exemptions mean the GDPR will apply only partially in the U.K up until October 2018.

But what then? Well, one of the innovations of the GDPR is that the rules applicable depend on the location of the data subject, so companies in the U.K. will still have to comply with it when processing EU citizens' data.

U.K. businesses might even choose voluntarily to follow EU data protection rules at all times, in order to hang on to their U.K. customers.

"It would make no sense at all for U.K. regulations to be any less stringent. Poor safeguards against loss, theft and misuse of data would ultimately cost U.K. business, as consumers and brands put their data elsewhere," said Richard Lack, EMEA director of sales at Gigya, which provides a visitor tracking and identification service for websites.

Following the EU data protection rules would be a good thing for U.K. businesses in other respects, according to Javvad Malik, security advocate at AlienVault, a security threat management company.

"Many Infosec professionals seem to view the legislation in a positive light, believing that stipulations such as 'data protection by design' will make the data held by their organizations more secure," he said of the GDPR.

Until October 2018, then, and even beyond, it seems unlikely that much will change, in the field of data protection at least.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Peter Sayer

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?