What Does Brexit Mean for Your Data Protection?
On February 2, 2017, the UK Parliament voted overwhelmingly (498-114) to go ahead with the Brexit procedures, which Prime Minister Theresa May hopes to initiate by the end of March.
What this means is that Brexit is certain. Much less certain, however, is what happens to the data protection regulations that have come with being a member of the EU. Although procedures are set to begin this March, it will take two years until the UK is officially out of the EU.
EU Data Protection Standards
The European Union has introduced its data protection rules, known as the General Data Protection Regulation (GDPR), which entered into force on 24 May 2016. However, the GDPR won’t officially become law in member states until 6 May 2018, and in the EU until 25 May 2018.
What this means is that, although the UK will be well on its way out of the EU, there will be a period from May 2018 (when GDPR goes into effect) until March 2019 (when the UK finally exits) when the GDPR will apply to the UK.
The GDPR is an EU regulation that does not require legislation in the UK, so residents of the UK will automatically be covered by it. However, as it will stop being applicable when the UK finally exits the EU, it could leave many residents and businesses confused about exactly what can and cannot be done with their data and, from a business perspective, whether they will be allowed to handle EU data at all.
This also means that the UK will fall outside of the US-EU Privacy Shield agreement, meaning it will have to work on a similar agreement with the US on its own.
The UK will naturally seek to retain the regulation and US agreement in some form to ensure a smooth transition in 2019. However, this may not be so easy as it will require figuring out answers to difficult questions.
For example, if the UK is unable to secure an ‘adequacy decision’ from the EU, its businesses could be in trouble. An adequacy decision is a judgment from the EU that any UK Data Protection laws fully meet EU standards. This would mean that businesses can continue to be entrusted with EU citizens’ data, which is the only way that many businesses would be able to continue having EU citizens as customers.
However, if the EU doesn’t provide an adequacy decision, or doesn’t do so by March 2019, then there will be a rough break from the GDPR and businesses and individuals could suffer.
In that case, the UK would have to have an agreement with the EU similar to Privacy Shield, and one separately with the US. This could lead to more problems, such as predictably difficult negotiations with the EU (after leaving) and likely tough negotiations with the US, with the new administration leaning towards ‘America-first’ policies.
Without a GDPR-similar law or Privacy Shield agreement, many computing jobs could be put in danger. A ‘hard Brexit’ in terms of data protection could spell lots of trouble, or at least uncertainty, for many UK residents, not only for business purposes but also regarding what companies may be allowed to do with UK residents’ data.
How you can protect yourself
With the Investigatory Powers Act that was passed this year added to this uncertainty, it is best to take data protection into your own hands. One way to do that, which will at least keep your data private and secure, is to use a VPN like NordVPN. Not only does it help anonymize you on the Internet, it also encrypts all your Internet data so that no one can read it.
If you don’t need encryption and simply want to avoid being tracked by advertisers and your service provider, you can use a web proxy. However, make sure to choose a reliable provider as free proxies may be run by anyone, including hackers.
In case you specifically want to protect the content of your communications, you could consider switching to an encrypted email service such as ProtonMail, and a secure messaging service such as Signal.
Just remember: As always, the last line of defense in protecting your privacy is your vigilance. Good luck!