After years of negotiation, the UK and the EU have finally signed their long-awaited trade deal on Brexit, but that is not to say that every sticking point has been resolved – and among the issues that are yet to be agreed on, is the transfer of personal data from the continent to the UK.
As the country left the European bloc, so did the UK exit the realm of the EU's general data protection regulation (GDPR), within which personal data can flow freely from one member state to the next. To allow UK organizations to keep managing the personal information of EU citizens, therefore, new mechanisms need to be set up to regulate data flows.
Instead, the Brexit deal establishes that when it comes to the transfer of personal data, the UK will not be considered a third country just yet. The personal information of EU citizens will continue to be sent freely to the UK, until an agreement on the question is reached.
SEE: IT Data Center Green Energy Policy (TechRepublic Premium)
Such an agreement would see EU regulators recognizing that UK laws provide a level of data protection that matches the GDPR, and granting the country a special status called adequacy.
If a deal on data flows isn't achieved in the next six months, however, the bridging period will come to an end, and the UK will have to resort to alternative mechanisms to make sure that organizations in the country can still legally process personal information from the EU.
For Ben Rapp, the founder of data privacy consultancy Securys, the Brexit deal does little to advance the issue of data transfers. "It's not really an outcome," he tells ZDNet. "It's just another transition period. The can got kicked down the road for another six months. Nothing in the agreement determines the direction of travel – it's just more time in which to decide what that direction of travel will be."
The UK's regulation, in its current form, is aligned with the GDPR; and the Brexit deal establishes that any changes brought to the country's data protection regime in the next six months will require the agreement of the EU, without which the transition period will end.
"Right now, the UK's data protection law is the GDPR, so the EU has determined that so long as the rules don't change, they'll give themselves a bit more time to make a decision," says Rapp. "The price for a temporary transition is that the UK agrees not to use any of its new powers to make up its own rules."
Without the new bridging period, or an adequacy decision from the EU, UK organizations would have faced significant administrative hurdles from the first day of Brexit. Every single transfer of information such as names, IP addresses, HR details, or even delivery details, would have required examining, and in most cases, it would have been necessary to put in place specific contracts called Standard Contractual Clauses (SCCs).
SCCs have to be signed by both the sender and the receiver of data in a contract covering the specifics of the data to be transferred, and place significant technical and legal obligations on the receiver. The cost of implementing appropriate data transfer mechanisms like SCCs at a company-wide scale is high: recent reports estimate that the overall cost to UK businesses could reach £1.6 billion ($2.1 billion).
Three-quarters of the UK's international data flows are with the EU. From healthcare to financial services, through tourism and banking, there is practically no industry that would not have been affected by an abrupt end to the free flow of data between the EU and the UK.
This looming threat has now been pushed back by six months. Because the Data Protection Act and the GDPR cover the same grounds, however, it is widely hoped that the EU will grant the UK adequacy before the end of the transition period, sparing organizations the cost and effort of implementing alternative contracts like SCCs.
A government spokesperson said: "We are committed to high data protection standards and the UK is a global leader in protecting people's personal data. We see no reason why we should not be awarded adequacy given we have an existing data protection framework that is equivalent to the EU's."
According to Rapp, however, counting on adequacy might be over-optimistic. The UK's Data Protection Act effectively sits next to a controversial surveillance law called the Investigatory Powers Act (IPA), which grants the government rights to collect and retain certain citizen data in ways that the EU recently ruled was unlawful.
Similar government snooping laws in the US recently caused European courts to strike down personal data transfers across the Atlantic in a ruling called Schrems II. "The reason the US lost adequacy was mass surveillance programs, and the IPA looks very similar," says Rapp. "So, on the face of it, the UK shouldn't get adequacy, because the US didn't."
"The other choice is for the government to accept that the IPA is not compatible with EU law, and that if we want adequacy, we need to change something to make it more compatible with the EU's charter of fundamental rights," he continues.
Rapp, for his part, isn't confident that any amendments will be made to the IPA, and recommends that businesses keep working with a no-adequacy scenario in mind, even at the end of the six-month transition period. The UK government, in fact, has officially advised organizations that transfer personal data to put in place alternative transfer mechanisms during the next six months, as "a sensible precaution" to safeguard against any interruption to the free flow of information from the EU.
In the short term, most businesses will likely welcome the extension of the transition period, which will provide many with the time that they lacked to prevent a data disaster that they often hadn't seen coming. "This is basically more time to get their houses in order," says Rapp, "but we should run under the assumption that we will be doing SCCs."