Dutch and Belgian companies exchanging personal data with companies in the United Kingdom (UK) are facing an uncertain future. The UK Government’s plans to amend existing privacy legislation could have implications for the transfer of personal data to the UK. This is the opinion of privacy expert Anne Zwierstra, consultant at the information security and privacy company Hodari in Warmond.
The Government of London is working on amendments to existing legislation based on the General Data Protection Regulation (GDPR). The plan is, among other things, to make privacy legislation less cumbersome: All forms of administrative burdens and unnecessary paperwork must disappear.
The so-called Data Reform Bill would make it easier for UK companies and scientific institutions to disclose personal data. The rules for research are simplified. Smart data schemes are also being considered, with which SMEs and private individuals can better manage their personal data.
“A similar situation may arise as now with the United States”
But for companies from EU member states, the change in existing legislation can have counterproductive consequences, Zwierstra believes. The administrative burden will increase if Dutch and Belgian companies exchanging personal data with the United Kingdom have to carry out additional checks.
Until now, that was not the case. When Britain left the EU, this country no longer fell under the GDPR. This prompted the EU to scrutinize the British version. The deviations were so small that the EU issued a so-called adequacy decision for the UK.
On loose screws
But that may change, warns Zwierstra. “Although there is still a great deal of uncertainty about the implications of the data reform bill, the current adequacy decision may be questioned.” In the absence of such a decision, it will be more difficult to send personal data to the UK and carry out processing there. “Then a similar situation could arise as it is now with the United States.”
This will depend on the final content of the new UK legislation. At the moment, the changes do not seem to be that bad, based on the current, limited information. But as the changes continue, a period of uncertainty ensues.
According to Alex van der Wolk, specialist in data protection and IT law at the international law firm Morrison and Foerster in Brussels, it is not only uncertain what will happen, but also when. An uncertain situation can arise for a long time.
‘The key is the extent to which there is pressure on the decision on adequacy,’ says Van der Wolk. The European Commission regularly evaluates whether the UK remains close to the GDPR in terms of privacy legislation. The current decision expires at the end of June 2025, unless the European Commission renews it.
Judgment of the European Commission
“You can’t just transfer data to the UK without a decision on adequacy”
According to the British Government, the new proposal to amend the law does not jeopardize the decision on adequacy. But the European Commission may think otherwise. Van der Wolk expects the data reform proposal to enter into force around the summer of 2023.
The European Commission must then assess whether the adjustments are in fact sufficiently in line with the GDPR, as the UK states. The question is when the Commission will do so. She can wait until the end of June 2025, when the decision on adequacy automatically expires. But the Commission can also see reason to make its judgment in the British adjustments. ‘ If that judgment is subsequently positive, the current situation will continue, allowing personal data to be exported to the UK.
It will be difficult for the companies involved if the Commission needs more time after June 2025. ‘Then there is nothing left’, says Van der Wolk. If there is no decision on adequacy, you can not just transfer data to the UK. »In addition, separate model contracts are needed. That means extra administrative burden. ‘