When the U.K. withdrew from the European Union (EU), its General Data Protection Regulation (GDPR) status was one of many headaches for regulators to figure out. After drawn-out negotiations over points such as requiring opt-in or opt-out models, lawmakers had settled mainly on a GDPR-like solution called the Data Protection and Digital Information Bill.
The European Commission previously granted the U.K. adequacy status to allow personal data to pass freely between the U.K. and the EU, which will last until June 27, 2025. The European Commission will likely begin to review this in 2024, at which time it will decide whether to extend the adequacy decision for the U.K. for a further maximum period of up to another four years. If the U.K. does not receive such an extension, the current adequacy status will expire on June 27, 2025. U.K. businesses that formerly operated easily across the EU have understandably watched this space anxiously.
However, U.K .Secretary of State for Digital, Culture, Media, and Sport, Michelle Donelan, announced in a speech earlier this month that the government intends to replace the U.K. GDPR with another data protection law with less “red tape.” This announcement, which did not come with firm policy outlines, has put U.K. businesses back at square one for planning any technical or procedural updates needed to ensure seamless data transfers between the U.K. and the EU when the current adequacy status eventually expires.