In summary, the UK’s post-Brexit business and legal landscape will ultimately depend largely on the nature of our continued relationship with the EU, and on the scope and type of changes we decide to make to our legislation.
What follows uses data protection and the GDPR as an example; however, the EU legislative framework applies equally to many areas of UK financial services law.
The data protection framework in the EU and UK is based on the Data Protection Directive. This is a common approach across many areas of UK business and employment law: EU Directives are transposed into member state legislation, whereas EU Regulations apply directly to member states without the need to enact them in domestic law (in the UK, for example, by an Act of Parliament).
Although member state regulation is based on this Data Protection Directive, domestic laws and, in particular, respective enforcement practice differ to some extent from one state to another.
A higher degree of harmonisation in EU data protection standards will be achieved by the upcoming General Data Protection Regulation (GDPR), which will most likely come into force in 2018. The GDPR will be directly applicable in all member states, and will introduce fines at a level similar to antitrust regulations in the EU. It will have a broad scope of application as it will also cover data processing outside the EU if such processing is related to the offering of goods or services to data subjects in the EU.
The transfer of personal data outside the EU is subject to additional requirements. In most cases, this is only allowed if the country where the recipient of the data is located is regarded as a ‘safe third country’ by the European Commission. This is where the UK is very likely to follow similar lines to those contained in the GDPR irrespective of no longer being in the EU post the Article 50 process.
An important question is whether, after Brexit, the UK would be classified as a ‘safe third country’ by the Commission, so as to permit EU personal data to be transmitted to the UK. If it were not, UK companies doing business in the EU would need to re-think their data protection compliance strategy.
Cross-border data flows to data processors in the UK that do not currently require a legal justification are likely to require a particular justification in the event of Brexit. Without such justification, changes to data flows will become necessary. This would be especially burdensome if the data processor plays a role as a data processing hub within a group structure with headquarters or subsidiaries in the EU.
This need to follow EU legislative expectations cuts across many areas of UK business, and even being outside the EU will require the UK to adopt acceptable levels of controls and safeguards to ensure our ongoing ability to trade with the EU and its member states. In short, economic and commercial drivers will dictate how much we follow EU legislation, rather than political considerations and the desire to be independent.
There are a number of possible models already in operation for non-EU countries.
What if, when the UK leaves the EU, it joins the European Free Trade Association and remains part of the European Economic Area (EEA)? (the Norwegian option)
The four freedoms as laid down in the Treaty on the Functioning of the European Union (ie the free movement of goods, services, persons and capital, as well as competition and state aid rules) are incorporated in the EEA Agreement. This means that:
- the Data Protection Directive applies throughout the EEA. Hence, nothing would change since the UK would still have to comply with this directive; and
- the upcoming GDPR would have an immediate effect on UK-based companies.
What if, when the UK leaves the EU, it does not adopt any form of free trade agreement? (the WTO option)
- The UK would be free to revise its data protection framework and deviate from EU standards.
- The upcoming GDPR would have no direct effect on the UK.
- Depending on future revisions to UK data protection law, the Commission would have to designate the UK as a ‘safe third country’. If it didn’t, data transfers to the UK would be subject to stricter requirements, like data transfers to the USA, for example.
The above would apply equally to all current and pending EU Directives and Regulations applicable to EU member states.
It will be a turbulent time on all fronts and things will only become clearer once the EU exit discussions start, probably after October when a new PM is elected.
Courtesy Mike Bradford. Director, Regulatory Strategies Ltd. – www.regulatorystrategies.co.uk