As we get closer to the January 31st deadline for the UK to sort of kind of leave the EU, the bill that the PM’s side so carefully drafted may or may not hold together.
Over the last two days, the House of Lords voted against Johnson 5 times, forcing the bill back to the House of Commons, which will likely try to undo the changes. What the House of Lords does after that is not clear. Read the details of the changes here.
What is in the bill with regard to security and privacy is this:
1. After the 31st, the UK will enter a transition period lasting until the end of this year during which time the EU and UK will negotiate about what happens on January 1, 2021.
2. Apparently there is no option to extend this 11-month negotiating period and if the EU and UK can’t agree, the UK will leave in a so-called “hard exit” where the UK becomes a third country with whatever agreements might have been created during the next 11 months.
3. In the meantime, UK companies will need to continue to follow GDPR.
4. Companies will also need to comply with the UK Data Protection Act of 2019.
5. As a result of 3 and 4, data can continue to flow between the EU and UK for the next 11 months.
6. The UK will try to negotiate an “adequacy decision” meaning that the EU says that the UK’s data protection laws are adequate so that data can flow permanently. Historically, these determinations have taken way longer than 11 months, so that doesn’t seem likely.
7. Alternatively they could write and approve a Privacy Shield-type law like the US has with the EU. While this could be done more quickly, the courts may strike down the US Privacy Shield law this year, so I am not sure what this means.
8. If 6 or 7 doesn’t happen then companies will need to figure out a different solution such as Binding Corporate Rules, but those are both complex and not easy to get approved.
9. In the case of moving data between the UK and US, Privacy Shield still works, at least in the short term, but it will need some changes.
10. The UK says that it plans to keep complying with GDPR long term (because they do want to be able to facilitate commerce between the EU and UK).
Bottom line, things are moving forward, but there is still a lot of uncertainty. Some information for this post came from CSO Online.