While many of the big Brexit issues got settled in a last-minute deal between Europe and the U.K. late last year, there were plenty of important matters that got kicked down the road. One of those is the question of personal data, an omission that has made some enterprises nervous as they wonder whether big changes will be required.
After weeks of silence, the European Commission has officially begun the administrative process to reach an agreement with the U.K. on personal data transfers. The hope on both sides is that some accommodation can be made that will allow companies to avoid spending billions of dollars to comply with otherwise tangled regulations.
“Ensuring free and safe flow of personal data is crucial for businesses and citizens on both sides of the Channel,” the EC’s vice president for values and transparency Věra Jourová said in a statement. “The U.K. has left the EU, but not the European privacy family.”
The first step in this process is a series of draft documents outlining the details of the process, which must determine whether U.K. laws match Europe’s General Data Protection Regulation (GDPR). Technically, businesses and residents of the U.K. are no longer governed by GDPR, but the U.K. has made no moves so far to change the rules it adopted to align itself with GDPR several years ago.
The official EC request is being made to the European Data Protection Board (EDPB) as well as a committee representing EU member states. If these two groups give the thumbs up, the EC could move to adopt what is known as “adequacy decisions” that would effectively allow data transfers to continue.
For its part, the U.K. government has already approved such data transfers from its side. However, critics have worried that some data surveillance procedures in the U.K. might be cause for the E.U. to refuse to reciprocate.
The costs of such a move would be enormous. A report last fall suggested that U.K. businesses could be forced to spend $2.14 billion on compliance measures for data transfers with Europe if no deal had been reached.
Advocates had hoped such a deal would be part of the larger Brexit deal and have grown anxious as they awaited word from the EU, which granted a 6-month waiver. The move to start the review gives a generally positive review to U.K. data laws, which suggests a final data transfer agreement could come well within that 6-month window.
Still, some uncertainly will continue to linger. Any such adequacy agreements are only good for 4 years. They could be renewed, but that means the U.K. would be severely limited in terms of any changes it might wish to make to weaken its data rules.
And of course, issues of sovereignty were what kick-started the whole Brexit movement in the first place.
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact.
Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:
- up-to-date information on the subjects of interest to you
- our newsletters
- gated thought-leader content and discounted access to our prized events, such as Transform
- networking features, and more