Information governance after Brexit: what the future holds
Once the shock of the unexpected result of the referendum had sunk in, information governance professionals turned their thoughts to how Brexit would affect the future shape of our laws in this area.
Top of everyone's list was what would happen to the forthcoming General Data Protection Regulation, a brand new law due to come into force across all EU member states in 2018. But questions were also raised about the future of other information governance laws, many of which are derived from the EU. In our last article, back in June, we said that there were no clear answers to these questions. Are we any closer now to mapping out the possible future of information governance law in the UK?
Well, the future still remains uncertain. We know very little about what sort of Brexit the government wants, still less about what it may achieve in the tough exit negotiations that are still to come. But things are becoming a little clearer. The government's announcement that Article 50 will be triggered by the end of March 2017 has given us the start of a definite timetable. And the announcement of a 'Great Repeal Bill' to incorporate existing EU law into UK law on the exit date provides some reassurance that existing legislation will continue, at least into the medium term.
For information governance, we can now be fairly certain of two things:
1. The GDPR will come into force in the UK on 25 May 2018, and controllers and processors in the UK will need to comply with it.
The GDPR represents a significant change to existing data protection law and will require organisations to invest considerable time and effort to ensure that their processing of personal data complies with the new rules. May 2018 is approaching fast, and so organisations that were waiting for more clarity before taking action should now step up their preparations.
2. There will be no wholesale changes to information governance obligations on the date of the UK leaving the EU.
A key reason for the uncertainty since the referendum has been that so much legislation in this area derives from the EU. For instance, the Environmental Information Regulations, the Re-use of Public Sector Information Regulations and the Privacy and Electronic Communications Regulations are all derived from EU directives and made under powers given to ministers by the European Communities Act 1972. The government's 'Great Repeal Bill' will repeal the ECA 1972 but, rather than letting secondary legislation made under it fall away, the Bill will incorporate into UK law all those laws that Parliament chooses to keep.
We still have no details of the 'Great Repeal Bill' and what EU laws may be retained or discarded. But given the sheer volume of EU law over the past 40 years and the tight timescales envisaged under the Article 50 procedure, it is safe to assume that the majority of EU laws will be incorporated into UK law on exit from the EU. The government may want to include some headline-friendly repeals in its 'Great Repeal Bill', but these are unlikely to include the majority of the technical and (dare I say it) somewhat dry rules surrounding information governance. In addition, any changes to the GDPR will have implications for cross-border data flows and will need careful thought. It is unlikely that there will be time for such detailed scrutiny in what are sure to be a very busy few years to come.
Of course, there are still plenty of things we don't know. The GDPR, for instance, provides for various derogations by member states. How will these be implemented in the UK? How will the consistency mechanism and the European Data Protection Board work when the UK is no longer a member of the EU? Will the UK implement the parallel Directive on processing in the police and criminal justice field (which is also required by May 2018)? What will be the Information Commissioner's approach to regulation? Will this change after Brexit?
As for the longer term, once the UK has actually left the EU, all bets are off. Assuming that the UK is not required to comply with aspects of EU information governance law as part of any new trade agreement with the EU (which is a very big assumption), it will be a matter for Parliament and/or the government of the day to decide whether to amend or repeal legislation in this area. No longer restrained by the requirements of the underlying EU directives and CJEU decisions, the UK government may wish to adopt a more business-friendly approach and reduce some of the perceived burdens of information governance law. But any changes won't be made in a vacuum, and the UK will still need to ensure an equivalent level of protection to the GDPR in order to allow data to flow freely between the UK and the EU. This is a point that was stressed by the new Information Commissioner, Elizabeth Denham, in a recent speech.
So we may not see any radical changes for some time yet.