As the UK ploughs towards a no-deal Brexit, the question on data protection after October 31 is somewhat murky. In fact, it could be a chaotic mud slide that will sink UK digital companies and data centers.
Under the current agreement, that Boris Johnston is determined to tear up, GDPR would apply to the UK once it leaves the EU. The UK was actually one of the key contributors to the creation of GDPR laws. The plan was to be incorporate GDPR into UK domestic law as part of the Withdrawal Agreement, and have it function alongside the Data Protection Act 2018.
In the event of a no-deal, the UK government says it would permit data to flow from the UK to countries in the European Economic Area (EEA). That doesn’t mean that the EU will extend the same courtesy to the flow of data from the EEA to the UK. In fact, under the terms of the GDPR, it cannot. The UK will be labeled a ‘third country’ and the data traffic between it and the EU will be treated like any other third country.
As a nation, the UK's data and information practices will need to be assessed by the EU before it can be granted “adequacy” status which ensures data on or pertaining to EU citizens could be held by UK-based organizations.
Adequacy could take many months, if not a year or more, to achieve so the EU may place strictures on information about its citizens being held in the UK. That will have significant effects of data businesses that currently use UK data centers or in-house data repositories.
The use of unregulated surveillance in the UK by private companies could put another spanner in the adequacy application. Under GDPR, companies that wish to use facial recognition systems need to have a good reason to do so. Vague claims of “security” won’t cut it.
The EU has long been unhappy with the UK’s Investigatory Powers Act, which may prove to be an inadequacy. The EU could use the issue to pressure the UK into dropping or significantly amending the Act.
The Information Commissioner's Office (ICO), the UK regulator responsible for data protection enforcement, has issued advice to organizations that rely on EEA data transfers, explaining that alternative transfer mechanisms may be required in the event of a no-deal Brexit. The European Data Protection Board has published similar advice to European organizations.