June 24, 2016
The Data Protection Regulation (Regulation (EU) 2016/679) will come into force across the EU on 25 May 2018, but how will this impact businesses following the UK’s referendum to leave the EU?
While in the long term much will depend on the overall agreement ultimately reached between the UK and the EU, we believe that UK companies, particularly those doing business across the EU as well as those transferring data outside of the EU should operate on the basis that the UK will ultimately adopt part or all of the Data Protection Regulation in order to benefit from the free flow of data within the single European data market. Furthermore, whilst the UK has voted to the leave the EU, its official departure will likely not happen until after the Regulation comes into force. At that time, the Regulation will apply in the UK without the need for implementing legislation (subject to UK-EU negotiations). Moreover, Article 3 of the Regulation provides for extra-territorial effect meaning that the Regulation will apply to businesses based outside of the EU where: (a) goods or services, irrespective of whether a payment is required, are offered to individuals located within the EU; or (b) monitoring of EU individual’s behaviour takes place as far as their behaviour occurs within the EU. Finally, personal data from the EU may only be transferred to jurisdictions which protect that data as per EU standards. As such, we would advise UK businesses to continue reviewing their internal data processing and to aim to be compliant with the Data Protection Regulation by May 2018.