Businesses in the UK should be preparing now for the looming prospect of personal data transfers from the EU becoming unlawful in a matter of months, which could cause major headaches for any company importing information from the continent, whether that’s HR files, customer details or advertising data.
In a new blog post, the Information Commissioner Elizabeth Denham warned UK businesses to “take sensible precautions for any eventuality”, despite the seemingly encouraging terms of the trade deal that was agreed between the UK and the EU following the country’s departure from the bloc.
The eleventh-hour Trade and Cooperation Agreement (TCA) that was reached last month contains a provision that allows personal data to continue to flow unimpeded from the EU to the UK until a longer-term deal is achieved on the issue. If no agreement has been found by the end of June, however, UK businesses will have to resort to new mechanisms, often in the form of complex data protection contracts, to be able to legally import and process the personal information of EU citizens.
With practically all industries currently exchanging data with the European bloc, all eyes will be on the outcome of the negotiations. Three quarters of the UK’s international data flows are with the EU, affecting fields such as tourism or financial services, but also healthcare or banking.
Until Brexit happened, the UK was subject to the EU’s General Data Protection Regulation (GDPR), meaning that the country’s data privacy laws were aligned with the bloc’s standards. Now that the UK has left the EU, however, it is up to European regulators to decide whether the country’s data privacy laws are stringent enough to protect the personal information of EU citizens.
This is called an adequacy decision, and despite many years of negotiations, it was not achieved before the UK left the bloc. Instead, a six-month transition period was granted, which allows transfers of personal data to keep flowing to the UK without restrictions, while the EU continues to weigh whether or not to concede adequacy.
“This is very welcome news and was the best possible outcome for UK organisations given the risks and impacts of no adequacy,” wrote Denham. But although the EU has committed to consider “promptly” the UK’s adequacy decision, the information commissioner warned against complacency. “Of course, there is no guarantee that the EU will grant the UK an adequacy decision,” she said.
The government, for its part, has been striking a more reassuring tone. Before the Trade and Cooperation Agreement was finalized, official guidance stated that the government was “confident” that adequacy would be achieved before the Brexit deadline; now that the deadline has passed, officials have said that they “see no reason” why the UK should not be awarded adequacy before the end of June.
In a recent webinar, experts from data privacy consultancy Securys noted that the ICO’s more reserved position was reflective of a seemingly “significant risk” of the UK not securing adequacy, and, in line with the information commissioner, urged businesses to start implementing alternative mechanisms for data transfers now.
Securys founder Ben Rapp told ZDNet that with many terms of the relationship between the EU and the UK still to be defined, adequacy might be a useful tool for the bloc to hold on to in order to increase its negotiating power.
“This is all speculation, of course, but you’ve got to ask yourself why this is taking so long,” said Rapp. “Brexit was voted four years ago, and it seems extraordinary that it’s taking so long for the Commission to grant adequacy to a former member state.”
“You have to assume that there are other motivations at work, and one of them could be that adequacy is a useful lever in negotiations,” he continued.
According to Rapp, the adequacy decision could be used to sharpen the debate on a proposed future deal on financial services, for instance, for which a Memorandum of Understanding is due to be agreed by March 2021. With data constituting a core part of financial services, the rules surrounding the processing of EU citizens’ personal information are likely to be at the heart of negotiations.
Others have suggested that the UK’s mass surveillance programs could also get in the way of an adequacy decision being reached, meaning that the government would be required to change some of its laws to comply with EU rules.
Playing it by ear, therefore, is unlikely to be a successful strategy for businesses that currently process European data. “International agreements are the crucial foundations to so much of the digital innovation we take for granted,” said Denham in her latest blog post – and the fragility of those agreements should not be underestimated.
Denham encouraged businesses to implement safeguards now in order to ensure that data continues to flow even without an adequacy deal. The ICO’s latest guidance can be consulted on the organization’s website.