This article summarises a number of unanswered questions in data protection and cyber security legislation brought on by Brexit.
The "in-out" Referendum on the question of the UK's membership of the EU has resulted in a majority of voters (on a turnout of approximately 72%) preferring the UK to leave the EU. The vote was 51.9% in favour of leaving, with 48.1% voting to remain.
Under the terms of Article 50 of the Treaty on European Union, which governs the process, the UK must first inform the European Council of its intention to leave the EU. This notification triggers the two-year period specified by the Treaty for the negotiation of the terms of a Member State's withdrawal.
In the sphere of data protection, the referendum results leaves a number of questions unanswered about whether and when organisations in the UK will have to comply with the requirements in the upcoming General Data Protection Regulation ("GDPR").
The GDPR is due to come into force on 25 May 2018. If the UK does not actually exit from Europe until, say, November 2018 (because of the two year negotiation period under Article 50), that would leave organisations with the difficult scenario of having to comply with the GDPR for a short period of time before potentially having then to move to comply with a new UK law.
However, when putting in place any new UK data protection law post-Brexit, it is in practice unlikely that the UK will want or be able to stray far from the principles of data protection set out in the GDPR. Depending upon the form of Brexit undertaken, the UK may be required to adopt certain EU laws anyway, including data protection laws. Also, the UK Government will want to ensure that the transfer of data to and from the UK is not restricted, as this could have a negative effect on UK business. The GDPR includes a provision prohibiting the transfer of personal data outside of the EEA unless adequate protections are in place. If the UK were no longer part of the EEA, to avoid administratively burdensome measures to overcome this prohibition, the Government would be likely to seek an "adequacy decision" from the European Commission, declaring that the UK is "adequate" for data protection purposes. However, this is likely to only be possible if the UK has in place data protection regulation that is essentially equivalent to the GDPR.
In relation to specific cyber security legislation, the timing of the Network and Information Security Directive (the "NIS Directive") may also have an impact on the UK's implementation and compliance with such legislation. As described above, Member States have until 9 May 2018 to transpose the NIS Directive into national law, and until 9 November 2018 to identify operators of essential services who will be subject to some of the requirements of the Directive. This timing could be similar to the timing of the UK's exit from the EU, meaning that the UK Government may take the decision not to implement the NIS Directive into national law at all. However, given that the Government has already taken steps in anticipation of the NIS Directive (such as the new National Cyber Security Centre), and the importance of international cooperation on cyber security issues, we would anticipate that something similar might be implemented instead.
The contents of this publication, current at the date of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2019