In the wake of the EU-UK trade deal, businesses in the UK that serve EU consumers are watching closely to see how data flows will be impacted.
While there is no guarantee that data will continue to flow as freely as it had when the UK was still part of the EU, both sides appear to be on the same page when it comes to establishing an agreement that recognises the UK’s GDPR (General Data Protection Regulations) as being adequately in line with the EU’s GDPR in providing protection for personal data.
Since the UK is now officially considered a third country under the EU GDPR, after the trade deal came into effect on 1 January 2021, proper adequacy status must be established for personal data to flow unimpeded from the EU to the UK.
A ‘bridging period’ of up-to-six months has been put in place to allow the EU to enable data transfers while the EU completes its adequacy assessment.
If an agreement is not reached then the UK will need to introduce additional safeguards.
These might include entering into EU standard contractual clauses and establishing Binding Corporate Rules; although exemptions may apply in certain cases, for example if a data subject provides appropriate authorization for the transfer of his or her personal data.
If proper adequacy status is granted to the UK within the ‘bridging period’, data transfers will be permitted to continue flowing freely without the need to introduce additional safeguards.
It is if an adequacy agreement is not established that issues will arise for UK businesses serving EU consumers, as they will need to comply with both the UK and EU GDPR.
Compliance with one set of data protection laws is complicated and costly enough, but being required to adhere to multiple sets of stringent regulations will likely become a headache for any affected organisation.
The good news, however, is that information commissioner, Elizabeth Denham, seems optimistic that a positive outcome for businesses can be achieved.
Denham concluded, following the announcement of a trade deal, that “this is the best possible outcome for UK organisations processing personal data from the EU,” adding that “this means that organisations can be confident in the free flow of personal data from 1 January, without having to make any changes to their data protection practices.”
However, her office issued a recommendation that organisations still prepare contingencies and “alternative transfer mechanisms” should an adequacy agreement not be reached, as a “sensible precaution”.
What happens from now until the end of June will determine whether or not applicable UK businesses will need to adhere to two different data protection regimes. A lot will ultimately depend on how the UK government plays its cards and decides to proceed.
If UK government officials attempt to make changes to existing UK data protection regulations in a way that is unequal to the protections afforded by the EU’s GDPR – essentially to dilute it – an adequacy decision by the EU is unlikely.
As the government is essentially keeping UK GDPR under review, and could change the name of the game at any moment, adequacy is still anything but a sure bet.
But an adequacy decision would be in the best interests of all parties involved. It would allow UK businesses to focus solely on a singular data protection regime, retain the existing streamlined nature of data flow between the EU and UK, and avoid having to jump through hoops and navigate red tape to make it happen.
UK businesses are hoping for the best, but preparing for a less favourable outcome.
