The Effect of Brexit on Data Protection Law

As the debate on “Brexit” intensifies ahead of next week’s referendum on the UK’s membership of the European Union, I was struck by former Prime Minister John Major’s recent description of how, following a UK vote to leave, our NHS would be about as safe in the hands of a Tory party led by Boris Johnson and Michael Gove as “a pet hamster with a hungry python”.

As a lawyer this does not surprise me at all. I am glad that Mr Major is speaking out against the right wing of the Conservative party and their ideological agenda to strip fundamental rights and protections from UK citizens. In the legal sector we have seen the Tories take a slash-and-burn approach to Legal Aid, under the false pretenses of austerity, strip away the recoverability of legal expense insurance from victims of police misconduct, weaken the rights of workers to sue their employers for workplace injuries, introduce an “Investigatory Powers Bill” widely decried as a “Snooper’s Charter” and threaten to remove one of our fundamental rights under English Common Law – entitlement to damages for personal injury – in cases involving road traffic accidents, on the basis of bogus statistics produced by the motor insurance industry, which every year pours millions of pounds of funding into Tory party coffers.

Protection of highly sensitive and personal information about ourselves could also be at threat, if we are left at the mercy of a right wing Conservative government without the shield of EU Law.

Did you know, for example, that the UK’s Data Protection Act 1988 does not include any legal obligation to report personal data breaches to either the Information Commissioner’s Office (ICO) or the people whose privacy has been invaded (such as the 157,000 customers of TalkTalk Telecom whose details, including thousands of people’s bank details, were hacked last year in a cyber attack)?

This situation is set to be rectified by the incoming EU General Data Protection Regulation (adopted 27 April 2016 and coming into force with full effect in 2018), which requires data controllers – whether public sector organisations or private companies such as TalkTalk – to notify their national supervisory authority (in the UK, the ICO) of personal data breaches within 72 hours, at the latest, of the company becoming aware of the breach, whether it was caused by a hostile external ‘hack’ or by an internal act, deliberate or accidental.

Furthermore, the Regulation goes further than previous legislation in that it also applies to organisations based outside the European Union if they process personal data of EU citizens.

This new law’s status as a Regulation means that it comes directly into effect in all Member States of the EU, without the time delay and costs of each individual national government having to enact separate legislation in their own domestic parliament.

Surely this is a perfect example of how the lawmakers of Brussels, often derided as obfuscating bureaucrats, are legislating in the interests of us all, protecting the rights of individual citizens in this age of the ‘information revolution’.

Likewise, the new EU Regulation will give UK citizens a further right which our own domestic law does not currently afford us – namely to be directly notified (over and above the company’s notification to the ICO) if a serious breach of our personal data, likely to put us at risk of financial loss or identity theft, occurs.

The EU Regulation will also significantly increase the financial penalties companies face for allowing data protection breaches to occur – thereby sharpening the incentive to make sure they don’t. Currently the maximum fine allowed under the DPA is £500,000. Under the new law this will be increased to a maximum of 4% of annual global turnover or 20 million euros.

Article 82 of the Regulation also contains a right for an individual to sue for compensation from the controller or processor of the data for damage suffered as a result.

Article 17 enshrines the right to request erasure of your personal data held by a third party – what is sometimes known as the “right to be forgotten”. This can apply in a variety of situations, for example where the data is no longer necessary for the purpose for which it was gathered, where the subject has withdrawn consent for the data to be held, or where the data was unlawfully processed.

Without the protection of this EU law, we would have to fall back upon the frankly inadequate and outdated Data Protection Act – enacted in 1988 in an era when the ‘online’ world simply did not exist.

Don’t rely on a Tory government, in the absence of the EU watchdog, to do anything to rectify this situation – quite the opposite.

Given the Tory government’s track record over the last 6 years on civil rights and access to justice, I personally don’t believe we’ll see the much trumpeted “British Bill of Rights”, or if we do, find much that is palatable therein, following a vote for Brexit; more likely we will find ourselves presented with a hungry python’s shopping list.