Well, it’s finally happened : Brexit has taken place, the transition period has ended, and a trade deal has been struck between the UK and the EU. As a result, we now have concrete answers about the nature of the new relationship between the two parties, including laws around data transference.
Er actually no, sorry, that’s a lie
As nice as it would have been if the deal had brought clarity on this and many other matters, the issue of data flows is still unresolved. The good news is that both sides appear to be on the same page as far as wanting an agreement that recognises the UK’s data protection laws as being equivalent to the EU’s GDPR.
Under the GDPR, the UK must now, like any other third country, prove its data protection laws are sufficiently robust to allow data to continue to flow freely, as it did previously.
While we wait for the EU to make its judgement about the UK’s standards, a “bridging period” of 6 months has been put in place. Assuming an agreement is reached within that time, data flows will remain seamless. In the event of no agreement however, issues will arise for businesses serving both EU and UK customers, as they will need to comply with both the UK and EU’s data laws.
Needless to say, being required to adhere to multiple sets of stringent regulations would be a nightmare for businesses. So far, indications are good that recognition will be given, although it all depends on what happens from now until the end of June. And obviously, any move by the UK side to dilute their standards below the EU’s will ruin its chances of obtaining adequacy.
Given that the UK government has previously explicitly stated it wants to diverge from the GDPR, a deal is by no means certain. It would however be in the best interests of all involved, so let’s hope that, for once at least, sanity prevails.