The UK Government has issued guidance explaining the probable data protection consequences of the UK leaving the EU without mutual agreement with the EU authorities on March 29, 2019. The UK Government views this “no-deal” scenario unlikely but underscores its responsibility “to prepare for all eventualities”.
The guidance explains that upon Brexit, the EU General Data Protection Regulation (GDPR) will automatically cease to apply as law in the UK. In the interest of stability and continuity, the UK government plans to enact an omnibus EU Withdrawal Act, that among other issues, will fully re-adopt the GDPR, verbatim, as national law within the UK.
The guidance goes on to explain that organizations will not necessarily be able to seamlessly transfer personal data from the EU to the UK because the EU’s GDPR does not automatically permit personal data transfers from the EU to non-EU countries. Following the UK’s EU Withdrawal Act, the European Commission will very likely deem the UK’s personal data protection regime equivalent to that of the EU, clearing the path to an EU adequacy decision allowing the transfer of personal data to the UK without restrictions. Yet the EU has made it clear that the process for an adequacy decision cannot be launched before Brexit and experience tells us that the adequacy finding process can take time.
Therefore, there would likely be an indeterminate period of time beginning March 29 up until the EU will have made an adequacy decision, during which data transfers from the EU to the UK will need to rely on an alternative legal basis, such as standard contractual clauses (“Model Clauses”). These are data protection clauses that have been approved by the EU and enable the free flow of personal data from an EU organization to a non-EU organization.
The guidance indicates that closer to the Brexit date the UK’s privacy regulator (the Information Commissioner’s Office – ICO) will produce additional guidance on this issue.
CLICK HERE to read the UK government’s guidance.