Impact of Brexit on EU Data Protection Law (Term Paper Sample)

IMPACT OF BREXIT ON EU DATA PROTECTION LAW
Student’s Name
Institution
Instructor’s Name
Course Name
Due Date
Introduction
On 23rd June 2016, the UK voted to exit the European Union (EU). Consequently, the General Justice and Consumers Directorate (GJCD) of the European Commission published a notice on 9 January 2018 detailing the implications of Britain’s exit (Brexit) from the EU1. The announcement confirmed that after March 30, 2019, the date the UK is to leave the EU officially, the UK would become a third country2 and the EU rules regarding the transfer of personal data to third countries would henceforth apply. However, before the planned departure date, the EU data protection laws will continue to apply in addition to existing domestic laws. The laws protect personal data and set regulations for the collection and use of such data by organizations. The requirements include the UK Data Protection Act 20183 (DPA), the Police and Criminal Justice Directive, the Network and Information Security Directive (NISD), and the Privacy and Electronic Communications Regulations 2003 (PECR). The DPA is the major source of legislation in Britain. The DPA implements the Data Protection Directive4 (Directive 95/46/EC) and establishes regulations for the definitions of personal data, data processing, sensitive personal data, consent and rights of data subjects, notification and registration requirements, collection and marketing of data, and sanctions for non-compliance.
[‘Notice to stakeholders: withdrawal of the United Kingdom and EU rules in the field of data protection’ (European Commission 09 January 2018)2 Decision on Alternative Set of Standard Contractual Clauses for the Transfer of Personal Data to Third Countries (2004/915/EC)3 Data Protection Act 20184 The Data Protection Directive 1995]
The transfer of personal data outside the boundaries of the EU and the data processing by data controllers outside the European Economic Area (EEA)5 but using equipment based in the UK are also governed by the Data Protection Directive (DP Directive). On 4 May 2016, the EU approved changes to the DP Directive and passed a new law referred to as the General Data Protection Regulation6 (GDPR). The new law seeks to strengthen the rights of data subjects as well streamline the rules with a view to harmonize data protection standards across the EU and make it easier to do business across EU markets. The GDPR directly applies to member states without the need for member states to pass additional implementation regulation. Once the UK leaves the EU, the UK will become a third country and the GDPR will no longer apply.
The exit of Britain from the EU will have many implications on data protection laws, particularly for multinational organizations and companies that rely on the transfers of personal data between the EU and the UK. The UK’s Prime Minister, Theresa May, negotiated a withdrawal deal from the EU but the UK parliament rejected the agreement. Therefore, no withdrawal agreement has been reached to date. Although negotiations are still ongoing, it remains uncertain when and how the UK will exit the EU. Upon Brexit, the GDPR will no longer have direct applicability to the UK, but the GJCD has confirmed that the GDPR will continue to have an impact on UK organizations that receive data from the EU member states.
[5 Agreement on the European Economic Area (August 2016) <‘Notice to stakeholders: withdrawal of the United Kingdom and EU rules in the field of data protection’ (European Commission 09 January 2018)>6 General Data Protection Regulations 20167 GDPR Article 38 Data Protection Directive 1995]
Article 3 of the GDPR7 states that organizations in third countries that process personal data of subjects within the boundaries of the EU are required to comply with its provisions. Therefore, despite the intended purpose of Brexit, businesses in the UK will not be completely free from the EU data protection laws. Thus, it is essential that companies that operate on a cross-border basis evaluate the risks Brexit poses to the current international data transfer rules and implement safeguards that will ensure the uninterrupted flow of data between the UK and EU after Brexit. This paper seeks to evaluate the implications of Brexit on data protection laws and its impact on organizations in the UK and EU. It also evaluates the GDPR obligations that will apply after the UK’s departure from the EU and what the British government could do to relieve some of those obligations.
The EU Data Protection Framework
Data in the EU, including the UK, is ubiquitous. Unlike in the United States (US) where industry-specific rules apply to different sectors, the EU data protection law applies consistent rules across all types of personal data. The law is primarily based on the 1995 Data Protection Directive8 (the Directive). The Directive was implemented into UK national legislation by the Data Protection Act 1998. The Directive establishes the legal framework for data protection in the UK. It establishes vital protections for the processing of personal data10 with the aim of protecting the interests of data subjects within the boundaries of the EU. The protections include the requirements that; (a) Legal basis be established before the processing of personal data. Whether data is being processed for the performance of a contract with a subject or for the processor’s legitimate interests, the data subjects must consent to the processing of such personal data. (b) Personal data must be collected for legal purposes and processed fairly. (c) The data must be accurate, and subjects have the right to access the data for correction purposes, and (d) Personal data of EU subjects can only leave the EU boundaries if the EU is satisfied that the receiving country has adequate legal protections for the data. The Directive also subjects sensitive personal data to greater protection under the rules. Sensitive personal data includes information about the ethnic or racial origin of the subject, their political affiliations or opinions, sexual life, religious beliefs, and union memberships.
Central to the EU data protection law is the EU’s Charter of Fundamental Rights and Freedoms. Article 8 of the Charter9 grants individuals the right to protection of their personal data. It also states that personal data must be fairly processed for the purposes specified and the subjects must give consent for the processing of their data unless the law provides another legitimate basis. It also established an independent authority to control compliance with the laid down rules. The 2008 Council Framework Decision10 further protects data processing in criminal cases, particularly those relating to police and judicial proceedings. The Framework Decision was incorporated into UK law by the 2014 Criminal Justice and Data Protection11 (Protocol No. 36) Regulations.
[9 Article 8 Charter of Fundamental Rights of the European Union 2000/C 364/0110 Council Framework Decision 2008/977/JHA 3 11 Council Framework Decision 2014/3141. 11]
Since the 1995 Directive was implemented before the commercialization of the internet and many technological developments in existence today, the way data is collected, stored, accessed and used has significantly changed. To align the data protection law with the technological changes, the EU proposed a new legislative data protection framework in January 201212. The Commission a new law, the General Data Protection Regulation13 that would come into force in May 2018. It also issued the Police and Criminal Justice Directive or the Law Enforcement Directive14 “to protect the fundamental rights and freedoms of people whose personal data is processed to prevent, investigate, detect or prosecute a criminal offense”.
The General Data Protection Regulation (GDPR)
The General Data Protection Regulation 2016/679 was adopted by the EU in May 2016 and would become effective across all EU member states from 25 May 2018. The GDPR is a regulation that governs the processing of personal data by organizations, and the movement of personal data within and outside the EU. It had direct applicability, and EU member states would not need to enact enabling legislation. The Regulation establishes the responsibilities of data controllers and data processors15. It also outlines the rights of individuals whose personal data is being processed16.
[12 Council Framework Decision, COM (2012) 10 final, 25 January 2012, p313 General Data Protection Regulations 201614 Council Framework Decision , COM (2012) 10 final, 25 January 201215 GDPR Article 2816 EU website (2018) Protection of personal data used by police and criminal justice authorities]
Among the fundamental changes that were introduced by the GDPR was the broadening of the scope for compliance by more organizations, to include data processors that were previously not governed by the DP Directive.
It applies to data processors and data controllers not established in the EU but who process personal data for subjects within the EU if such processing activities are related to (a) the provision of goods and services or (b) behavior monitoring so long as the behavior takes place within the boundaries of the EU. It also introduced data protection by design and default by requiring that safeguards for data protection be incorporated into systems during development. The GDPR established the European Data Protection Board17 mandated to resolve disputes between supervisory authorities and ensure consistent compliance with the Regulation. The EDPB will replace the current Committee established by Article...