Brexit: EU Data Transfers to UK Can Continue - For NowEuropean Officials Promise Final Ruling on EU Data Transfers to UK Within 6 Months
Information security and privacy professionals who are responsible for safeguarding personal information have been left in limbo as the U.K. exits the European Union. But the transfer of Europeans’ data from EU member nations to the U.K. can continue unimpeded for six months until the EU makes a final ruling on the issue.
As a result of Brexit, companies will no longer be able to transfer Europeans’ data to the U.K. unless the EU determines that the U.K.’s data protection rules are as robust as its own. But many observers are optimistic that the EU will make a favorable ruling.
The Brexit deal, finalized Dec. 28, 2020, includes a clause that allows data transfers from Europe to the U.K. to continue for six more months during which time the EU can make a ruling.
Many security experts are confident that EU officials will determine the U.K. rules eventually will be found “adequate” to provide protection of the privacy of EU citizens’ data. That’s because the current U.K. privacy law, the Data Protection Act 2018, or DPA 2018, complies with the EU General Data Protection Regulation.
“There should be little doubt that, so long as the U.K. behaves itself by not changing data protection laws in the next few months, the European Commission will grant the U.K. ‘equivalence’ status, and it will remain 'business as usual' from a data protection perspective,” says Dai Davis, GDPR adviser and partner at the law firm Percy Crow Davis & Co.
Be Prepared for Worst
Under a worst-case scenario, however, if the EU rules that U.K. privacy protections are inadequate, data processors could find themselves playing by separate rules for the U.K. and the EU, often needing to comply with both.
That’s why the U.K. Information Commissioner’s Office and the U.K. government recommend being prepared for dealing with the challenges posed if the EU rules against allowing its member nations to continue to transfer Europeans’ data to the U.K.
The official government advice states: “As a sensible precaution, before and during the bridging mechanism, it is recommended that you work with EU/European Economic Area organizations who transfer personal data to you to put in place alternative transfer mechanisms to safeguard against any interruption to the free flow of EU-to-U.K. personal data. For most organizations, the most relevant of these will be Standard Contractual Clauses.”
In a blog, Kristy Gouldsmith, data protection lawyer at Sapphire Data Protection Consultants, says that if there is no agreement, organizations based in the U.K. that handle EU citizens’ data will need to appoint a representative based in a country in the European Economic Area.
U.K. Information Commissioner Elizabeth Denham said: “We will be updating the ICO guidance on our website to reflect the extended provisions and ensure businesses know what happens next.”
Each EU country has its own privacy regulator, which operates independently. And those regulators – even if the EU approves continued data transfers to the U.K. - could decide not to abide by the deal.
The courts could also come into play. A privacy advocate could lodge a complaint against an EU ruling on data transfers, for example, by objecting to the level of access to EU citizens’ data by Britain's Secret Intelligence Service, aka MI6. Austrian activist Max Schrems objected to transfers of European data to the U.S. resulting in Privacy Shield regulations being invalidated.