Brexit – ICO statement

An ICO spokesperson said on 24 June 2016:

“The Data Protection Act remains the law of the land irrespective of the referendum result.

“If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.

“With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that would continue to be the case.

“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”


For our comment on Brexit, please see our earlier blog post here.

Brexit and the future of Data Protection

Nigel Miller
Nigel Miller

Having spent several years negotiating the new EU General Data Protection Regulation (GDPR), could it be that if the UK votes for Brexit on 23 June 2016 we will no longer need to be troubled with this mammoth piece of new legislation?

The GDPR will come into force across the EU on 25 May 2018. It represents a major upgrade to Data Protection laws, which are woefully out of date for the digital connected world.  While 2018 is a little time away, because of the substantive changes involved, businesses are starting now to consider what they need to do to make sure that they are compliant by 2018 at the latest.

So, the question is, if the UK is no longer a member of the EU, will the GDPR still be relevant?  In brief, the answer is YES.

First, from a timing viewpoint, while a vote for Brexit may be passed in June 2016, the UK’s actual exit from the EU will take place at least two years later.  This means that the UK will still actually be a member of the EU, although under notice of leaving, when the GDPR comes into force in May 2018.

While this first point may be short-lived, as the ICO has stated, “the UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU”.  Having been part of the lengthy process of negotiating the GDPR, it is highly unlikely that the UK would do a u-turn on their implementation. While there may be some who will argue that the UK could benefit from not being weighed down by this somewhat bloated and bureaucratic Regulation, and could opt for something more streamlined and flexible, there is unlikely to be much appetite to change things materially.

Furthermore, for the UK to trade with the EU, it will be essential for the UK to be regarded as a safe harbor to receive personal data from the EU. This in turns depends on the data protection laws of the UK being in line with those in the EU.  This is ironic given that the EU Data Protection Directive of 1995 was based in large measure on the original UK Data Protection Act of 1984.

Following a Brexit, the UK would be in the somewhat awkward position of having to ask the EU to make a formal ruling that the UK has “an adequate level of protection for personal data”. Such a ruling has been made in relation to countries such as Switzerland, Canada, New Zealand etc and would be required to enable EU-based businesses to transfer personal data to the UK, and to give confidence to EU-based consumers transacting with UK businesses.

While there are many unknowns about Brexit, not least (at the time of writing) whether we are in or out, since May 2016 when the GDPR was approved, the future as regards Data Protection laws looks pretty clear.

Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at