The Government of the United Kingdom has published guidance discussing the impact on UK data protection law if the UK leaves the EU without a deal on Brexit Day – March 29, 2019. At the outset, the EU’s GDPR will cease to apply in the UK on Brexit Day. Therefore, the UK plans that its EU (Withdrawal) Act of 2018 will include provisions that retain the GDPR in UK law.
In order to allow for seamless transfers of personal data from the UK to Europe, the UK will recognize the EU member states, Norway, Liechtenstein, Iceland and Gibraltar as ‘adequate’. Contrarily, allowing personal data from the EU to flow to the UK requires a formal EU driven procedure, which the UK cannot control.
In order to preserve the other permissible data flows into the UK as they currently exist under the GDPR, the UK will also recognize the same territories that the EU Commission has recognized as adequate for data flows: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the Privacy Shield certified organizations in the U.S. The UK will similarly recognize the EU’s Standard Contractual Clauses as well as Binding Corporate Rules that have already been approved prior to Brexit Day, so that UK organizations that transfer personal data on the basis of these EU recognized mechanisms, can continue to rely on them.
Finally, the UK’s version of the GDPR will require that non-UK organizations that are subject to the UK GDPR appoint a local UK representative, similar to the EU’s GDPR requirement for non-EU organizations to appoint an EU representative.
CLICK HERE to read the UK Government’s Guidance on the data protection implications of a ‘No Deal’ Brexit.