For global pharmaceutical and medical device companies handling personal data in the European Union (EU) or engaged in transatlantic data transfers, some of the many questions created by the Brexit vote include what its impact will be on the United Kingdom’s (UK) data protection laws.
These questions also arise in the context of the EU’s General Data Protection Regulation (GDPR), due to come into force in May 2018, which coincides with the period during which the UK will be negotiating its EU exit, and the impending agreement by the EU to the Privacy Shield. The GDPR is designed to strengthen and harmonise data protection within the EU and the Privacy Shield is meant to replace the now invalid EU-US Safe Harbor Framework. Given this, it is important for manufacturers to consider the following:
How will personal data be regulated under UK law?
If the UK exits the EU before the GDPR comes into force, it will not be without a data protection law. The UK’s own Data Protection Act 1998 (DPA) is currently the law of the land and would remain so. Even now, the UK’s Information Commissioner’s Office interprets the DPA in a manner that is consistent with some of the GDPR requirements, such as privacy by design and accountability through the use of privacy impact assessments. Compliance with the DPA therefore provides a degree of compliance with the GDPR.
What will the UK-EU relationship look like with respect to data protection?
Given that the GDPR may come into force in the UK and EU before the UK’s negotiation period to leave the EU is complete, the UK should not find it difficult to achieve the ‘adequate’ data protection status necessary to maintain current trade and commercial relationships with the EU. It may be that the UK adopts much of the GDPR into its law, either as an update to the DPA, or as a new legislative measure.
How will Brexit affect data transfers?
Brexit will not affect the Privacy Shield agreement itself, and it should not change UK policy in relation to the Privacy Shield. Since the DPA permits UK data controllers to make their own adequacy determination for transferring data outside the UK and the European Economic Area (EEA), it may be that the UK’s Information Commissioner’s Office deems certification to the Privacy Shield by US companies adequate even if the UK is outside the EU. Such a stance would not be unprecedented: other countries, such as Israel, took a similar position in relation to the US-EU Safe Harbor Framework before it was ruled invalid by the CJEU. If that is the case, then transfers of data to the US on the basis of certification to the Privacy Shield could be deemed per se adequate by the UK.
In addition, the UK remains a member of the Council of Europe and a party to Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data. The Convention provisions relating to transborder data flows permit the transfer of data between Convention 108 members, which include not only the EU member states, but a total of 50 countries, including Turkey, Russia, and Ukraine, among others.
To learn more about Brexit’s potential impact on the United Kingdom’s (UK) data protection laws, and about how Brexit could provide an unexpected opportunity for the UK to become a data haven, please read our recent Client Alert, “Data Protection in a Post-Brexit Landscape.”