Data Protection is not an area that people generally get especially excited about, but the rights contained in the Data Protection Act 1998 (“the DPA”) are important. They enable individuals to find out (mostly) what information companies and organisations hold about them, where they got it from, what they do with it, who they give it to and what it says. They also enable people to take a degree of control over what companies and organisations do with that information, including the ability to prevent a company from using their information for marketing purposes, to force it to correct inaccurate information and to force it to stop “processing” their information where the processing causes substantial damage or distress that is unwarranted.
The DPA implements an EU Directive into domestic law. Data Protection law in the UK has its roots in European law. However, it’s not just the DPA that has its roots in European law; the connected Privacy and Electronic Communications Regulations 2003 (the full name of which is actually the Privacy and Electronic Communications (EC Directive) Regulations 2003) also implement European law into domestic law. These Regulations relate to the use of personal data and are the regulatory regime that governs the use of electronic communications (such as E-mail, phone and text) to market directly to individuals. These are the regulations which help deal with those annoying and unsolicited PPI and accident claims telephone calls.
In 2018 the Directive that underpins the DPA is being replaced with a new EU Regulation on Data Protection and the Directive underpinning the 2003 Regulations is currently being reviewed in light of the new EU Data Protection Regulation (the European Commission is consulting on this issue until 5 July 2016).
The DPA replaced the Data Protection Act 1984. The 1984 Act was introduced to give protection to individuals in relation to the automatic processing of their personal data and was based upon the Council of Europe’s (the same Council of Europe behind the European Convention on Human Rights and Fundamental Freedoms) 1981 Convention for the protection of individuals with regard to automatic processing of personal data.
Now that there has been a brief account of the history of Data Protection law in the United Kingdom, it is possible to turn to the main purpose of this article: to consider Data Protection in the context of the EU Referendum.
If the UK votes to remain in the European Union then in May 2018 the United Kingdom will have to comply with the General Data Protection Regulation (which, being a Regulation, will have direct effect regardless of whether the UK Parliament enacts a new Data Protection Act or not) together with the associated Directives; including whatever eventually replaces the 2002 e-Privacy Directive. The associated Directives, together with some of the fudges in the new Regulation, will likely mean that there will be a new Data Protection Act to replace the current Act (probably towards the end of 2017).
If the UK votes to leave the European Union what happens is a bit more uncertain. A vote to leave the EU will not mean that there is a complete end to the UK’s relationship with the EU, and that will have an impact on Data Protection.
The first thing to note is that a vote to leave will not mean an instantaneous split. There currently isn’t really a process for an EU Member State to leave the Union so some time will be spent working out how that happens and there will inevitably be a time spent negotiating a new relationship with the EU; whether that is inside of or outside of the EEA. It seems quite likely that we will still be in the EU come May 2018, which might mean that the GDPR will automatically apply – but that is entirely dependent upon what happens in terms of negotiations between the vote to leave and May 2018.
If the United Kingdom simply becomes part of the EEA then the result, insofar as Data Protection is concerned, will be identical to a vote to remain; the GDPR applies to the EEA countries (presently being Iceland, Liechtenstein and Norway) as well as to EU Member States.
If the United Kingdom leaves the EU and doesn’t join the EEA there will be a bit more freedom in respect of Data Protection. However, the requirement for Data Controllers within EU Member States not to transfer personal data to a country outside of the EU/EEA, unless there is an adequate level of protection for personal data, will mean that we will continue to have some form of Data Protection law.
It is possible that the UK could meet the adequate level of protection requirement with rights that are substantially lower than those afforded by the GDPR (when it enters into force) and so the UK’s Data Protection law will not necessarily be all that similar to the GDPR – especially if the government of the day is one that favours light-touch regulation and a lack of “red tape”. That means that even if the UK is forced to comply with the GDPR initially, Data Protection law in the UK could change dramatically to something that affords much less protection than the GDPR. What the law will look like, though, will depend not only upon the ideals of the government of the day, but also upon what they think would be politically acceptable; over the last 30 or so years people have become much more wary about what governments, public agencies and businesses do with their personal data; so while the political will might be to substantially lower the level of protection afforded to individuals’ personal data, the public will might not let them go quite as far as they wish!
In short, the future of Data Protection law in the UK will be very much influenced by the result of the Referendum and the eventual relationship with the EU in the event of a vote to leave.