We've voted to leave: what now for information governance?
The result of the referendum last Thursday will have major implications in many areas of law, and none more so than information governance.
Most of the laws in this area are derived from European legislation, and there must now be uncertainty about whether the new General Data Protection Regulation will ever be fully implemented in the UK. As I write, it is becoming painfully clear that our government has no real plan for delivering the result of the referendum and enabling the UK to leave the EU. In any case, there are likely to be lengthy and difficult negotiations with our (soon to be former) European partners about what laws the EU requires us to keep as a price for continuing access to the single market, if indeed that's the desired outcome.
In short, no-one really knows how this will play out and what the future holds. I've set out below some of my thoughts on what may happen in the area of information governance.
The effect on existing laws
The Data Protection Act 1998, the Privacy and Electronic Communications Regulations 2003, the Re-use of Public Sector Information Regulations 2015, the Environmental Information Regulations 2004 – all of these are examples of UK laws derived from EU directives. For primary legislation, such as the DPA, leaving the EU will have no immediate effect: an Act of Parliament stays in force until Parliament repeals or amends it. For secondary legislation, such as the EIRs, the situation is more complicated. These were made under powers conferred by section 2(2) of the European Communities Act 1972, which is the statute that gives effect to our membership of the EU in domestic law. Some in the 'leave' campaign have argued for the repeal of the ECA, but this is unlikely to happen any time soon, and even then Parliament would have to decide what to do with the regulations made under it. The regulations will therefore remain UK law for the foreseeable future.
However, the whole thrust of the leave campaign was for the UK to 'take control' of its own laws, and many on the political right have long argued that EU legislation imposes too many burdens on UK enterprises. It is possible that some of our existing information governance regulations will be in the firing line when the fundamental review of EU-inspired legislation that will inevitably follow takes place. At this stage we just don't know when this might happen or what the consequences will be.
A further consideration is that our information governance laws are heavily influenced by judicial decisions at a European level, and the domestic courts have taken into account EU directives and the case law of the Court of Justice of the EU in reaching their own decisions. For instance, the Google Spain case (C-131/12), which established the so-called right to be forgotten by requiring search engines to de-list certain results on request, is a decision of the Court of Justice of the EU. As and when the UK leaves the EU, the status of that body of case law in the domestic courts becomes unclear, and parties will no longer be able to rely on previous decisions with the same confidence. We may see an increase in data protection litigation as a result.
What about the GDPR?
The EU's flagship new data protection law, the General Data Protection Regulation, was adopted earlier this year. As a regulation rather than a directive it needs no implementing UK legislation, and it applies directly in all EU member states from 25 May 2018. But will the UK still be a member in 2018? Will the GDPR apply to UK-based data controllers? Whilst we don't yet know the answers to these questions, it does now seem less likely that the GDPR will apply in the UK from that date. A pro-leave government is very unlikely to welcome a new EU law, imposing what it will see as greater burdens on organisations, coming into force during the period in which it is negotiating to leave the EU.
Nevertheless, there are good reasons to believe that UK organisations will need to comply with the GDPR, or at least something like it, from May 2018. Firstly, the GDPR has broad territorial scope (Article 3(2)): controllers and processors established outside the EU that offer goods or services to individuals in the EU, or monitor their behaviour there, are caught by it regardless of where they are based, so many UK organisations will still need to prepare to comply with it. Secondly, if the UK were to retain its access to the single market as a member of the European Economic Area but outside the EU, as Norway currently is, then the GDPR would in all likelihood be incorporated into the EEA Agreement and we would need to comply with it on that basis. And thirdly, even outside the EEA, the UK would need an 'adequacy' decision from the European Commission, meaning domestic law giving an equivalent level of protection to personal data, if personal data is to continue to flow freely from the EU to UK organisations.
The ICO has issued a short statement on the implications of the referendum. It says:
"If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove 'adequacy' - in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018."
As with so many other areas of law, the implications of our vote last Thursday may take some time to become clear. We will continue to keep you updated on developments as they occur.