Update on GDPR and Brexit – Divergence on Data Protection Likely?

Coronavirus Crisis, Brexit Talks Stall

The Coronavirus crisis and the enormous economic and social havoc it caused has, quite rightly, attracted all of the public’s attention over the last few months. Our world has changed and, with it, the problems that once preoccupied us. It would therefore come as a rather unwelcome reminder to most that Brexit – and, in particular, talks on reaching a trade deal before expiry of the ‘transition phase’ on 31st December 2021 – is yet to be properly resolved. The fourth round of talks between the UK and European Union over a post-Brexit trade deal take place this week, ahead of a crucial EU summit later in June to decide whether an extension to the transition phase should be granted. 

 

By all accounts, these talks have achieved little thus far. Clearly, practical limitations have played their part. While there had been attempts to remotely conduct the negotiations throughout the pandemic, these have been hampered not only by the difficulties of holding such complex discussions via video conferencing but also by the fact that some of the key figures involved – not least the chief negotiator of either side and British Prime Minister Boris Johnson – had themselves tested positive for the virus. Despite these problems, the British Government appears adamant that there will be no extension to the transition phase and remains “optimistic” that a trade deal will be signed before the end of the year.

Michel Barnier, Chief Brexit Negotiator

In setting out his Government’s position for the free trade negotiations, Boris Johnson has taken a decisively bullish tone and rejected the close alignment of British rules with European regulations in the future. The British side has also been adamant that they will refuse to allow for the jurisdiction of the European Court of Justice, which acts as the final arbiter of disputes concerning EU laws and promotes regulatory harmonization among the member states. Johnson’s Government, of course, sees this as one of the ultimate ‘prizes’ of the Brexit project – the ‘taking back control’ of the UK’s rulemaking sovereignty and the prospect of entering into new trade agreements with other countries outside the European block. However, as is frequently pointed out by critics, by breaking away from the rules that govern trade across the European block’s 27 Member States, the UK risks becoming a far less attractive destination for businesses looking to operate throughout the EU – particularly so for Israel-based companies looking to access the European market.

UK data protection rules might differ to the EU's GDPR

In a previous article, I discussed how Britain’s exit from the European Union will likely impact the role of the UK’s Information Commissioner’s Office as a Lead Supervisory Authority under the GDPR’s “one stop shop” mechanism. A further issue which has not received sufficient public scrutiny is regulatory divergence between the UK and EU on GDPR-related issues. In other words, what if the UK’s version of the GDPR quickly becomes a different creature than the EU’s GDPR regime, as harmonised across all 27 Member States?

 

The UK government has sought to allay the fears of British businesses with data heavy operations in the post-Brexit era by adopting the GDPR into UK domestic law, through enactment of the Data Protection Act 2018. British government ministers have argued that this, coupled with the fact that the (European) GDPR will continue to remain legally enforceable in the UK until the end of the transition period, means that there will be no divergence – or disruption – between the UK and EU data protection regimes. This, however, flies in the face of legal and political realities.

 

Clearly, the initial absorption of the text of the GDPR into the UK’s domestic legislation does not take into account future legal developments of the legislation in the UK or EU – either by judges (through their interpretation of the law) or by amendments to the legislation itself. By rejecting the supremacy of the EU’s rulemaking organs, the UK has essentially ensured that its own GDPR regime will soon begin to appear different from the EU-wide version. This is even before one takes into account the fact that the UK’s version of the GDPR will now be ultimately interpreted by British judges, who are not bound to follow any of the opinions or precedents of their European colleagues in the ECJ. 

Ireland set to benefit from GDPR divergence

Ireland, which has long been the preferred entry point to the European market for multinationals, is now emerging as one of the principle beneficiaries of investment from international companies operating in heavily regulated industries such as fintech, banking, pharmaceuticals and medical devices. The companies operating in these fields are particularly vulnerable to disparities between UK and EU regulations and they simply cannot afford to speculate on the outcome of the UK/EU trade agreement negotiations. For them, any outcome which creates different regulatory regimes for complex goods and services between the UK and EU will leave them exposed and, potentially, cut off from either market. It is for this reason that we have seen some key London-based Israeli companies explore setting up regulation-focused operations in Ireland – not least Payoneer, which opened a new office in Dublin last month, having obtained an e-money license from the Central Bank of Ireland. 

For a consultation to discuss your company’s GDPR requirements, please contact us 

Adv. Mattan Lass

Managing director of Ireland Israel Business, Mattan is triple-qualified as a Solicitor in Ireland and England & Wales, as well as an Attorney (Israel).

Adv. Mattan Lass with a blue circle behind him