
Brexit: EU Data Transfers to UK Can Continue - For Now

European Officials Promise Final Ruling on EU Data Transfers to UK Within 6 Months

Information security and privacy professionals who are responsible for safeguarding personal information have been left in limbo as the U.K. exits the European Union. But the transfer of Europeans’ data from EU member nations to the U.K. can continue unimpeded for six months until the EU makes a final ruling on the issue.


As a result of Brexit, companies will no longer be able to transfer Europeans’ data to the U.K. unless the EU determines that the U.K.’s data protection rules are as robust as its own. But many observers are optimistic that the EU will make a favorable ruling.

The Brexit deal, finalized Dec. 28, 2020, includes a clause that allows data transfers from Europe to the U.K. to continue for six more months, during which time the EU can make a ruling.

Many security experts are confident that EU officials will eventually find the U.K. rules “adequate” to protect the privacy of EU citizens’ data. That’s because the current U.K. privacy law, the Data Protection Act 2018, or DPA 2018, complies with the EU General Data Protection Regulation.

“There should be little doubt that, so long as the U.K. behaves itself by not changing data protection laws in the next few months, the European Commission will grant the U.K. ‘equivalence’ status, and it will remain 'business as usual' from a data protection perspective,” says Dai Davis, GDPR adviser and partner at the law firm Percy Crow Davis & Co.

Be Prepared for Worst

Under a worst-case scenario, however, if the EU rules that U.K. privacy protections are inadequate, data processors could find themselves playing by separate rules for the U.K. and the EU, often needing to comply with both.

That’s why the U.K. Information Commissioner’s Office and the U.K. government recommend being prepared for dealing with the challenges posed if the EU rules against allowing its member nations to continue to transfer Europeans’ data to the U.K.

The official government advice states: “As a sensible precaution, before and during the bridging mechanism, it is recommended that you work with EU/European Economic Area organizations who transfer personal data to you to put in place alternative transfer mechanisms to safeguard against any interruption to the free flow of EU-to-U.K. personal data. For most organizations, the most relevant of these will be Standard Contractual Clauses.”

In a blog, Kristy Gouldsmith, data protection lawyer at Sapphire Data Protection Consultants, says that if there is no agreement, organizations based in the U.K. that handle EU citizens’ data will need to appoint a representative based in a country in the European Economic Area.

U.K. Information Commissioner Elizabeth Denham said: “We will be updating the ICO guidance on our website to reflect the extended provisions and ensure businesses know what happens next.”

Other Possibilities

Each EU country has its own privacy regulator, which operates independently. And those regulators – even if the EU approves continued data transfers to the U.K. – could decide not to abide by the deal.

The courts could also come into play. A privacy advocate could lodge a complaint against an EU ruling on data transfers, for example, by objecting to the level of access to EU citizens’ data by Britain's Secret Intelligence Service, aka MI6. Austrian activist Max Schrems objected to transfers of European data to the U.S., resulting in Privacy Shield regulations being invalidated.

About the Author

Tony Morbin

Executive News Editor, EU

Morbin is a veteran cybersecurity and tech journalist, editor, publisher and presenter working exclusively in cybersecurity for the past decade – at ISMG, SC Magazine and IT Sec Guru. He previously covered computing, finance, risk, electronic payments, telecoms, broadband and computing, including at the Financial Times. Morbin spent seven years as an editor in the Middle East and worked on ventures covering Hong Kong and Ukraine.
