After Brexit, the UK government intends to allow data to flow from the UK to EU countries. However, transfers of personal data from the EU to the UK will be affected. Moving forward, any transfers of personal data from an EU country into the UK will need an additional safeguard implemented around this transfer.
The simplest of these would be for the UK to be recognised as an “adequate” country in terms of its Data Protection laws by the European Data Protection Board. Initial thinking was that this was unlikely to happen before the UK left the EU.
However, the European Commission’s Task Force for Relations with the UK recently presented to the Council Working Party (Article 50) on initial discussions on the future relationship with the UK and adequacy decisions.
This presentation detailed plans for the European Commission to start assessing the UK’s Data Protection standards as soon as possible after Brexit at the end of January, endeavouring to adopt decisions by the end of 2020 if the applicable conditions are met. At the same time, the UK will take steps to ensure comparable transfers of personal data to the EU.
This is good news for businesses who currently store data in the EU, or routinely share personal data from the EU into the UK. If an adequacy decision is reached within this timescale, this will ensure that these flows can continue without additional measures (such as standard contractual clauses) being implemented (recognising that these may still be needed for transfers from the UK to other non-adequate countries).