Although U.K. voters have decided to leave the European Union (EU), a British exit, or “Brexit,” will take at least two years to go into effect. When the U.K. does eventually leave the union, the flow of EU personal data to the U.K. will no longer be lawful unless the U.K. is assessed as having an adequate level of data protection by the European Commission (EC).
This is a complicated and sensitive issue, as U.S. authorities and businesses discovered last year when the EU declared the EU-U.S. Safe Harbor scheme invalid. The U.K. does not want to participate in the kind of tortuous negotiations the U.S. endured when developing the Safe Harbor scheme’s successor agreement, the EU-U.S. Privacy Shield.
So the burning question in this area is this: Would the U.K.’s data protection regime receive an adequacy endorsement from the European Commission?
The U.K.’s current data protection position would at the moment likely obtain a favorable EC assessment. After all, the U.K. has transposed the EU Data Protection Directive 95/46 into U.K. law; therefore, the U.K.’s domestic data protection laws now match the standards required by the EU.
However, the General Data Protection Regulation (GDPR)—set to become law across all EU member states on May 25, 2018—casts a long shadow on the U.K.’s data protection position. In particular, the timing of the GDPR could prove problematic for the U.K.
Read the full blog article here.