Post-Brexit, data transfers between the UK and EU will continue to be permitted without additional measures for the next four to six months.
The “bridging mechanism” will give the European Commission time to complete its adequacy assessment of the UK under the General Data Protection Regulation (GDPR) and Law Enforcement Directive.
Kicking it into the long grass
The UK has declared that the European Union and European Economic Area offer adequate protections for the flow of data coming from their nations, so this adequacy assessment period purely focuses on the flow of data from the UK to EU countries.
The transition will initially last four months from January 1, but can be extended another two months if neither the UK nor the EU object. Alternatively, the transition could end earlier if a UK adequacy decision is adopted by the European Commission.
Equally, if the UK makes a sudden unapproved change to its data protection framework, the transition period will be ended.
Should the European Commission propose a new UK adequacy assessment, it will then be reviewed by the European Data Protection Board, and have to be approved by member state representatives, before being issued as an adopting decision.
If an adequacy decision is not reached, the UK will be classed as a third country. If this happens, the transfer of personal data from organizations within the EU to other organizations in the UK will be subject to strict data transfer rules under GDPR.
It is not entirely clear what those restrictions would be, and could vary from organization to organization depending on how they operate. Companies wishing to legally transfer data would need to resort to alternative mechanisms, such as Standard Contractual Clauses.
A report by think-tank New Economics Foundation estimates the cost to UK businesses of a no adequacy decision to likely be between £1 billion and £1.6 billion.