At the beginning of March this year, I wrote a paper on the legal mechanics of Brexit. (You can find it here if you are interested.) One of the things it discusses is how the UK – or in some cases England and Wales, and (separately) Scotland – would go about retaining or replacing EU-derived law if the UK left the EU.
On 19th April 2016 the Information Commissioner’s Office put out this statement:-
“The UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU.
The UK has a history of providing legal protection to consumers around their personal data. Our data protection laws precede EU legislation by more than a decade, and go beyond the current requirements set out by the EU, for instance with the power given to the ICO to issue fines. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and is also central to the sharing of data that international trade relies on.”
Data protection is an interesting example of how Brexit might affect our law, and throws up the sort of questions which would apply across the legal board in the event of a “leave” vote.
Much of our data protection law, though derived from EU instruments, is embodied in primary legislation, the Data Protection Act 1998 – so that the repeal of section 2 of the European Communities Act 1972 (if that happened) would not in itself result in the repeal of our data protection framework. The same is not true in many other fields, which are governed by statutory instruments made under section 2 of the ECA 1972, rather than primary legislation.
But the DPA is currently to be to understood in the light of EU-derived principles and caselaw. If we left the EU, and kept the DPA, would those principles and the caselaw have grown domestic roots and continue to shape the interpretation of the DPA?
Another question. To what extent would leaving the EU allow the UK to reconsider what sort of data protection regime it wanted? Principles of privacy are separately embodied in Article 8 of the ECHR, which will remain enforceable under the Human Rights Act 1998, regardless of the outcome of the vote on 23rd June. And if a significant information protection gap were left as a result of the re-shaping of our data protection law post-Brexit, common law or equity might step in.
This leaves out of account questions of what (if any) information protection arrangements the EU might be looking for from the UK in bilateral trade and security arrangements. But that is a political question.
Peter Oldham QC