This article aims to demonstrate why and how the new General Data Protection Regulation (GDPR) is likely to apply to the United Kingdom before Brexit. This first post argues that the GDPR will become applicable to the UK before the Brexit procedure is completed, and explains what form the implementation of the GDPR could take in the UK in the highly uncertain context triggered by Brexit. A second post will set out how the GDPR rules will continue to apply to the United Kingdom even after Brexit.
The purpose of this post is to set out legal arguments in order to demonstrate why and how the General Data Protection Regulation (hereinafter GDPR) rules will apply to the UK, in one way or another. In her speech on 17th January, Theresa May said that the European Communities Act Repeal Bill “will convert the ‘acquis’, the body of existing EU law, into British law”. In other words, the application of the GDPR rules after Brexit is closely linked with the question of whether or not the GDPR will apply before Brexit. Thus, this first post will point out how the GDPR will apply before Brexit and a second one will examine how the GDPR rules will apply after Brexit.*
The application of the GDPR before the Brexit
In earlier posts, Peter Oliver presented the legal context of Brexit, such as the withdrawal procedure, the UK’s future relationship with the EU, the judgment of the High Court of England and Wales, and the ruling of the Supreme Court, which make it clear that an Act of Parliament is required before Brexit is formally triggered. The present post will focus on the impact of the highly uncertain context of Brexit on data protection. This has been taken into account in the White Paper on Brexit, which refers to the importance of “the stability of the data transfer for many sectors from financial services, to tech, to energy companies” (point 8.38).
The impact of the highly uncertain Brexit’s context on data protection
Nature abhors a vacuum, and so do the stakeholders in data protection. The GDPR has the virtue of existing, at least. The GDPR was adopted on the 26th of April 2016, after four years of negotiations. It is a monster text of 99 articles, part of a package designed as a comprehensive reform of the EU legal framework that must be linked with “the second wave of global privacy law”. This reform is based on three pillars:
- The reinforcement of the rights of the data subject,
- The reinforcement of the obligations of the data controller and processor under the principle of accountability and
- The reinforcement of the regulation of data protection through Data Protection Authorities (this includes a harmonisation of their status, competences and powers, including an increase in sanctions of up to €20 million or 4% of the company’s global annual turnover).
The GDPR provides a legal framework on which the actors can rely in the highly uncertain context of Brexit:
- Uncertainty of the content of the future relations between the UK and the EU: the Norway model, the Swiss model, the WTO model, the Canadian model and a sui generis scenario have all been on the table. Their impact on data protection has been well described by Dr. Karen McCullagh. According to Theresa May’s speech on 17th January, the UK will become a third country and will try to negotiate special free trade with European markets. The creation of a “truly Global Britain”, as expressed by the PM Theresa May, could lead the UK to consider that the GDPR is not the only solution after Brexit. The UK may opt for a data protection regime more closely aligned with those of its Commonwealth partners or other allies. Only time will tell.
- Uncertainty of the timing: will Theresa May trigger Article 50 by March 2017 so that the negotiations can start? The House of Commons voted in favour of the EU Notification of Withdrawal Bill by 494 to 122 on the 8th February. This Bill is currently under discussion in the House of Lords. But even if the Bill is passed on time by the UK, it is not certain that UK-EU negotiations will be complete by the end of March 2019.
- Uncertainty on whether notice given under Article 50 can be revoked or not. As House of Commons Briefing Paper No. 7884 of 30th January outlines, this issue has not been ruled on by the courts and is still debated. It could be that this will need a request to the ECJ in litigation currently contemplated before the Irish Court. This is not only a theoretical issue. The latest polls demonstrate that the public will not accept a Brexit that leaves them worse off.
Under such circumstances, the GDPR is likely to be applicable to the UK before it has formally left the EU.
The nature of postponed application of the GDPR under article 99
Article 99 GDPR deals with the entry into force and application of the GDPR. It provides:
1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
2. It shall apply from 25 May 2018.
What does it mean exactly?
- Firstly, the GDPR is an incomplete Regulation because it needs to be implemented by Member States. It is essential to underline here that the GDPR will not imply a great repeal of European national data protection laws. The GDPR contains provisions called “opening clauses”, which allow the Member States to adopt their own legal data protection provisions. Thus, European national data protection laws will be maintained after the GDPR. The GDPR is an illustration of the porous boundaries between a Regulation and a Directive.
- Secondly, the GDPR has had immediate effects since its entry into force on the 25th May 2016:
  - Controllers and processors have to bring all their current processing into conformity with the GDPR because no transitional regime has been provided (see Recital 171). This means that all their processing has to be compliant by 25 May 2018. They will no longer have to declare their data processing but will have to be able to demonstrate that they comply with the GDPR.
  - Furthermore, the Member States have to take measures for the implementation of the GDPR.
- Thirdly, the GDPR will have direct effect on the 25 March 2018. Article 99 recalls that the GDPR “shall be binding in its entirety and directly applicable in all Member States”.
The UK’s options before Brexit
The UK has two options regarding the GDPR before Brexit. Both will inevitably have an impact on data protection after Brexit.
- The UK can request not to implement the GDPR. This first solution would need an amendment of the GDPR or should be part of the future negotiation, as suggested by Christopher Kuner and other authors. It is most unlikely to happen. Governments will have “more important legislative initiatives to tackle”.
- The UK can implement the GDPR. This second solution will make the GDPR rules part of the “acquis”. Technically, implementing the GDPR in the UK in this context should make use of the possibility of implementing the GDPR with repetitive content, i.e. incorporating elements of this Regulation into the UK Data Protection Act. This should not amount to a transformation of the GDPR into national law before Brexit. This possibility is provided by Recital 8 “where this Regulation provides for specifications or restrictions of rules by Member State Law” and “when it is necessary for the coherence and making the national provisions comprehensible to the persons to whom they apply”. Furthermore, the UK should use the possibility of declaratory referrals to the GDPR in the UK Data Protection Act.
One could also argue that the private sector is faced with two choices:
- Hosting data processing in the EU rather than in the UK and fully implementing the GDPR. Some US companies had already done that after the invalidation of the Safe Harbour. The media have already mentioned the shift of staff or establishments from the UK to European countries by companies such as HSBC or Lloyds, for instance.
- Staying in the UK, but as we have mentioned, this will likely lead to an implementation of the GDPR before Brexit.
Our next post will explain how the rules of the GDPR will also apply after Brexit. Just to give a flavour of it, it is interesting to underline that “The UK first introduced data protection legislation in 1984 [was a] response to pressure from the business community, which voiced concerns that the UK would lose cross border trade in personal data if it remained a ‘data haven’”, as Dr. Karen McCullagh said (p. 6).
* These posts are adapted from a presentation made at the Computers, Privacy and Data Protection Conference 2017 in a roundtable called “Data protection after Brexit”. An academic paper will be available later in the Université Paris-Dauphine institutional repository. I will very much welcome and value comments and suggested readings you consider relevant at: olivia.tambou@dauphine.fr
To be continued next week
Olivia Tambou, Associate professor at the Université Paris-Dauphine, PSL Research University, Editor of Blogdroiteuropeen