Dutch companies that exchange personal data with companies in the United Kingdom (UK) face an uncertain future. The UK Government’s plans to change the existing Privacy Act may have implications for the transfer of personal data to the UK. This is the view of Anne Swirestra, a privacy expert and consultant at Hodari, an information security and privacy firm based in Warmond.
The Government of London is amending the existing law on the basis of the Public Data Protection Regulation (GDPR). The plan is, among other things, to complicate privacy law: all kinds of administrative burdens and unnecessary paperwork must disappear.
The so-called Data Reform Bill would make it easier for British companies and scientific institutes to publish personal data. The rules related to research have been simplified. SMEs and smart data plans where private individuals can better manage their personal data are also being considered.
“A situation similar to what exists now in the United States”
But with regard to the Dutch business community, Swirestra thinks that the amendment of the existing law may have adverse effects. The administrative burden increases if Dutch companies exchanging personal data with the UK have to undergo further testing.
Until now, that was not the case. When the UK left the EU, that country did not fall within the GDPR range. This prompted the EU to explore the UK version. The EU was called a sufficient decision for the UK because the deviations were so small.
On loose screws
But that could change, Zwierstra warns. “There is still a lot of uncertainty about the implications of the data reform bill, and the current adequate outcome may be in question.” In the absence of such a decision it would be very difficult to send personal data to the UK and carry out processing operations there. “Then a situation like the one the United States has now could happen.”
It depends on the final content of the new UK law. At the moment, the changes are not so bad based on current, limited information. But as the changes continue, a period of uncertainty develops.
According to Alex van der Volk, an expert in data protection and information technology law at Morrison and Forster, an international law firm based in Brussels, it is only uncertain what will happen. An uncertain situation can occur for a long time.
Van der Volk says, ‘What matters is how much pressure there is on the desired outcome’. The European Commission periodically assesses whether the UK is close to GDPR in terms of privacy law. Until the European Commission renews it, the current decision will expire at the end of June 2025.
Judgment of the European Commission
“You can not transfer data to the UK without a sufficient result”
According to the British government, the new proposal to amend the law will not affect the decision enough. But the European Commission may think differently. Van der Volk expects the data reform bill to go into effect in the summer of 2023.
The European Commission, as a British government, must determine whether the adjustment is adequate in line with GDPR. The question is when the Commission will do it. He can wait until the end of June 2025, when sufficient results will automatically expire. But the Commission can also see the reason for presenting its verdict on British reforms. ‘ If the verdict is positive then the current situation where personal data is exported to the UK will continue.
It would be difficult for the companies involved if the commission needed more time after June 2025. ‘Then there’s nothing left,’ says Van der Volk. If there are not enough results, you simply cannot transfer the data to the UK. ‘For that, separate model contracts are needed. That is an additional administrative burden. ‘