The General Data Protection Regulation (GDPR) is expected to come into force for EU member states in early 2018. It could be some time later that year that the UK finally severs its links with the EU.
So for UK citizens will the GDPR be a short-lived regulation that can largely be ignored? The answer is no and the reasons are fairly obvious; they are commercial, legal and moral.
Commercially, of course, UK and European businesses will continue to trade, whatever happens to the balance of that trade in the longer term. So, any UK-based organization that trades in the EU will have to comply with GDPR for at least the data stored about its EU-based customers; there is little point in having two regimes, so many businesses will comply with the GDPR anyway.
The big benefit of GDPR at a high level, regardless of any shortfalls in the detail, is a common regime for multi-national businesses to deal with. A UK government that designed a data protection regime wholly different from the GDPR would just see the UK descend the list as a target destination for foreign direct investment (FDI). This will be especially true for cloud service providers selecting a location to set up in Europe. In data protection, as in many other regulatory areas, it makes sense for the UK to have a common status with its neighbours.
These commercial necessities lead on to the legal ones. The UK Data Protection Act is already closely aligned with the existing EU Data Protection Directive. It seems unlikely that any future UK government would reduce the protections provided to the privacy of UK citizens. Whatever its faults, the EU has never been an evil empire set on undermining the rights of the individual; it has always sought to improve their protection.
In fact, the most likely scenario is that all existing laws passed down by the EU over the last 40-odd years will be embedded wholesale into the corpus of UK law, as scrapping them all overnight would leave UK business and citizens without much of the protection they have come to take for granted. This includes extant data protection laws.
This leads on to the moral reasons. Whether a UK citizen voted ‘remain’ or ‘leave’ in the June 2016 referendum and whatever their groans about EU law, few are going to turn round and say: ‘no I don’t want to be informed when my data is compromised’ or ‘I don’t want the right to be forgotten’. The GDPR is ultimately about protecting EU citizens and, as with human rights in general, when it comes to the crunch, the majority will recognise we are better off with these aspects of EU legislation than without them.
There is good news there too: become a victim of a privacy violation and ultimately you will still have the European Court of Human Rights (ECHR) to appeal to. Many do not realise that the UK, along with 47 other countries, is signed up to the ECHR separately to its EU membership. Asking UK citizens to ditch a final court of appeal should their own nation let them down may be a harder sell than ditching the EU itself.