With the Great Repeal Bill making its way through Parliament, Britain is slowly moving closer to cutting ties with the European Union. While it is still too early to tell what both sides of the split will look like in a few years' time, the preferred approach, as articulated by leading Government figures, suggests that the desire is to have a “European style economy”. This would mean a consistent regulatory approach, especially in areas where there is closer cooperation.
The Government's white paper asserts that the UK will look to the major equivalent data protection laws as part of the objective to retain its status as a leading player in the global technological landscape. This calls for a stable regulatory environment that balances the needs of consumers with those of businesses and fosters effective international data flows. Assuming negotiations proceed as the Government hopes, it appears that the data privacy landscape in the UK is unlikely to shift away from the EU regulatory model.
Although the UK has traditionally been on the less restrictive end of the spectrum in its approach to data protection, there does not seem to be any indication that it will reposition itself post-Brexit as a regulation-light safe haven for data-focused service providers.
The UK has a long-standing privacy tradition predating the EU, which traces its roots to the European Convention of Human Rights. British consumers are unlikely to tolerate a loss of their rights to privacy from big data corporations, particularly the more obvious manifestations of this such as unsolicited marketing (spam) and indiscriminate data sharing.
Regardless of Britain's data protection heritage, the government and the ICO (the UK privacy regulator) have already confirmed that the General Data Protection Regulation (GDPR), the EU's updated privacy framework, will apply to the UK just as it would to any other country in the EU when it takes effect in May 2018 (presumably before the negotiations triggered by Article 50 are complete).
Implementing this framework only to roll back the provisions a few years later may not be conducive to creating a business-friendly environment, which requires stable and predictable regulation. Whether in the form of the GDPR itself, or a local variant by another name, the provisions of the GDPR are likely to continue to apply to the UK long after its EU membership has ended.
UK companies are therefore unlikely to benefit from any significant deregulation in this field post-Brexit. Any UK company looking to sell into one of the biggest markets in the world will also be caught by the extraterritoriality provisions of EU law, as the updated regulation explicitly applies to anyone processing the data of EU residents. For online service providers looking to offer a coherent user experience across the world, adopting a different compliance regime for domestic users and those in the EEA is unlikely to be an option.
However, while the rules are likely to be equivalent, the UK may have more flexibility in how to interpret and enforce them than if the UK remained in the EU. The ICO will be less influenced and constrained by the approach of some of the more strict regulators in the EU. This is likely to allow the ICO to develop a more business-friendly and risk-based approach in its role as the UK privacy regulator.
There is no doubt that this approach will be welcomed by businesses in the UK, but it comes at a price for those operating on a pan-European basis. The EU's data protection standards are already some of the most restrictive in the world, but there is evidence to suggest that, without Britain, the EU could trend towards an even stricter regime.
The UK has been praised by some Silicon Valley giants as adopting a “common sense” approach to drafting regulation, and for being a tempering influence on some of the more stringent requirements. Without its presence at the negotiating table, it is possible that future EU data protection law and guidance, and any international frameworks looking to emulate the EU model, may reflect the more restrictive approaches of some Member States' national data protection authorities.
Contributed by Kolvin Stone, partner, and Alex Sobolev, associate, Orrick's Cyber-security & Data Privacy Practice
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.