One year to go: GDPR Brexit Expectations
Blog: Laurence Lawson
Data transfers to the United Kingdom
With negotiations well underway, and around a year until the UK officially leaves the EU, we look at what will happen to data transfers to the British Isles. Will your business be affected
In June 2016, to the surprise of most of the world, the United Kingdom voted in a referendum to leave the European Union, ending a relationship which began in 1972. This desire to leave was formally enacted by Prime Minister Theresa May at the end of March 2017 through Article 50, meaning that the UK’s current last day of EU membership is pencilled in for the 30th of March 2019.
Part of the reasoning for this vote to leave is due to many British citizens believing that EU laws are restricting their lives and go too far. The UK government have confirmed that they’ll incorporate some EU laws into national legislation, and scrap a whole heap of others.
With that in mind, many have wondered what will happen to one of the most discussed EU laws of recent years, the General Data Protection Regulation (GDPR).
For those who are unaware, the EU is seeking to overhaul data protection law in the EU through the GDPR, providing blanket protection for all EU citizens across the current 28 member states. The GDPR will increase the rights of individuals, bringing with it large fines and penalties for companies which can’t comply with the law.
The original timeline
The GDPR is due to come into force in the EU on the 25th of May 2018, some 10 months before the expected end of the UK’s EU membership. As the GDPR is a regulation and becomes law instantly, this means that the GDPR will be valid in the UK during this time.
This is significant as the GDPR itself sets a very high standard for data protection and will have effects on UK law during this time; and all companies in the UK are expected to comply or face sanctions of up to 4% of annual turnover or €20 million (whichever is higher).
Therefore, it is imperative that British firms are compliant with this law by the 25th of May 2018; but it does seem that most of the larger firms are either compliant already, or have made public statements that they will be.
In terms of what will happen in April 2019 and beyond, there is much speculation as to what to expect. At the time of writing this post, the UK is in the process of passing a Data Protection law which attempts to mirror the GDPR. Although discussions around the law suggest a few key variations in terms of powers available to the government.
If all goes well, it is likely that the UK will be given “adequacy” status by the EU, meaning that the data protection standards offered by the UK are good enough for data transfers to continue as standard, without any issues. This would put the UK on the same level as Israel, Switzerland, and New Zealand to name a few.
However, this may not be as smooth as expected. Nations like South Korea have extensive data protection laws which are GDPR compatible, but negotiations regarding adequacy status seem to be as an impasse. Organisations seeking to conduct data transfers to South Korea will need to rely on other methods such as Model Clauses and “Binding Corporate Rules” to legally perform these transfers.
Some have also mentioned the potential of building a scheme similar to the EU-US Privacy Shield to allow transfers to happen to selected British-based firms, relying largely on self-certification and promises.
At this moment in time, data transfers to the UK can continue as normal until at least March 2019, and the hope is that the UK obtains “adequacy” status. With negotiations ongoing, and the UK’s Data Protection Law being hotly debated in Parliament, only time will tell what will happen.
If you’re keen to know more about the GDPR, Data Privacy, or have any questions about this topic, feel free to get in touch with us here at Deloitte using the links below.
Laurence is a privacy professional working within the Risk Advisory practice in Finland, having moved over to Helsinki from the UK in 2016. He possesses his LL.B from the UK and is currently writing his master’s thesis in Privacy law at the University of Helsinki.