作者：金杜律师事务所 King & Wood Mallesons
The debate about Brexit would be incomplete without considering the data protection and privacy implications.
Many UK businesses feel constrained by European data protection laws, which restrict the way in which they can handle personal data. However, it’s a key issue for many voters, who value their privacy in an increasingly digital world.
So what would happen on data protection if Britain were to exit Europe? First of all, data protection laws in the UK would still exist in some form or another. The UK’s Data Protection Act has been in force since 1998 and that would continue to be in force unless and until the Government were to change those laws. The position is a little bit more questionable in terms of future laws that are being developed at a future level. At the moment, there has been much debate concerning a new general data protection regulation which will have direct force on the member states of the European Union. If Britain were to exit the EU then that regulation would not have force in the UK and, therefore, there would be a question mark as to how the British Government and British businesses would need to deal with those changes in law. On the one hand, British businesses would still need to comply with the general data protection regulation on many levels. This is because the jurisdictional scope of that new regulation would apply to any businesses that are processing the personal data of European citizens. So Britain exiting Europe would not actually remove the red tape that British businesses would need to comply with. Britain would effectively have to make a choice as to how it would like to deal with Europe in the future. It could adopt an approach similar to that of Switzerland, which tries to ensure that it has equivalent data protection laws in place to match those in force in other European member states. What that means is that Switzerland can enjoy data transfers between European member states and itself, without the need for additional agreements at an international level or between European and Swiss businesses.
However, if the UK Government were not to agree with the higher level of protection that would be imposed by the general data protection regulation at an EU level then it might seek to take more of an approach akin to that of the United States, where various laws are in place, which have much lower standards of protection than in the EU, but in which the US Government has agreed to put in place certain protections to allow more easy cross-border transfers of data from Europe to the United States.
It is true that Britain would enjoy a higher degree of control over its own data protection laws. The effect of that, however, could cut both ways. First of all, it would be much easier for the Government to pass new surveillance laws which it is always seeking to do to obtain more access to personal data on users of mobile phones, regarding individuals’ website activities and so forth. However, any of those new surveillance laws would not be subject to challenge by the Europe Court of Justice and, therefore, in many ways, individuals may lose some of the rights of privacy that they have enjoyed to date.
In conclusion, if Britain were to exit the European Union, Britain would obtain more control over its own privacy laws. However, British businesses would still need to comply with the red tape that is imposed by European standards concerning data protection and Britain would lose its seat at the table in determining what those standards would be in the future.