The UK would no longer remain under the ambit of GDPR following the implementation of Brexit and may have to prove its adequacy in data protection to EU 27 countries before any data is transferred from the mainland to the UK.
In a recent blog post in which he talked about the impact of Brexit on the flow of data between the UK and the twenty-seven countries who are members of the European Union, Duncan Brown, Forcepoint’s Chief Security Strategist in EMEA, said that the UK would be treated like any other “third country” as per GDPR and that EU firms will not be able to move any data to firms located in the UK unless there are legal safeguards in place.
“Data received from the EU must comply with GDPR and it is illegal for an EU 27 firm to export data to a so-called “third country” without specific legal safeguards in place. Since post-Brexit UK will be a third country, UK companies will be subject to these safeguards,” Brown said.
Bilateral data-exchange agreement post-Brexit?
If a firm located in the EU region wishes to move data to a third country, there should be adequate evidence that the third country has similar data protection credentials and safeguards in place as in the EU. Post-Brexit, the UK will have to prove such adequacy in order to ensure unrestricted flow of data to-and-from the EU region.
According to Brown, one way to ensure unrestricted flow of data is to enter into a bilateral agreement with the EU similar to the EU-US Privacy Shield. The Privacy Shield was designed to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.
If the UK and EU 27 countries fail to agree to such a bilateral contract, then the UK will have to prove its adequacy based on its data protection credentials but the same could be delayed or complicated because of its “approach to citizen surveillance (via the Investigatory Powers Act 2016) and its intention to withdraw from the EU Charter of Fundamental Rights.”
“Our view is that companies should assume that GDPR, as implemented in the UK DPA, will persist for the foreseeable future, post-Brexit. Day-to-day compliance requirements will not change (much, or at all). However, for those companies engaged in receiving data transfers from the EU, additional focus must be given to the legal safeguards required.
“Companies may take a wait-and-see approach, but may wish to familiarise themselves with – at least — Standard Model Contract Clauses. Should a no-deal Brexit result occur, such firms would not be able to receive EU data transfers without a legal safeguard measure in place,” Brown added.
Cooperation with EU agencies post-Brexit a must
Earlier this year, academic group The UK In A Changing Europe warned that the UK’s ability to defend against cyber attacks in the future and to strengthen data security will be reliant on how it will cooperate with European agencies and data security authorities post-Brexit
In a paper titled ‘A Successful Brexit: Three Foreign and Security Policy Tests’, the group said that Brexit will be deemed to have a positive impact on security if it allows the UK to continue to shape European cyber security standards while gaining more room for manoeuvre in its own practices.
If the UK ends up losing full membership of Europol, the European Arrest Warrant System and other intelligence sharing arrangements, it would significantly reduce its ability to defend against trans-border terrorism, organised crime, and cyber attacks.
“The ability of the UK to counter cyber security threats is partly dependent on regular data exchange between UK authorities and private companies, including those based in the EU. These exchanges may be put at risk if the EU does not regard the UK as a safe recipient of sensitive personal data.
“The more the UK continues to be committed to EU cyber standards, the less significant will be the impact of Brexit in this area. If the UK diverges significantly in cyber security practice, it will not be possible to weigh any security benefits derived from this increase in national control against the costs – in terms of both security and market access – of lost influence in the EU,” the group added.