Brexit and the GDPR – How would Brexit affect the transfer of personal data to Britain?
February 5, 2019
Recently, there has been turmoil around Brexit, and at this moment there is uncertainty about whether Brexit will be realized and on what terms it will be executed. Based on the latest information, Great Britain’s withdrawal from the EU will take effect on March 29, 2019. If the EU and Britain reach a consensus on the withdrawal agreement, Britain would comply with EU legislation and would be part of the single market for the agreed transition period, i.e. until the end of 2020. However, the transition period can’t start if a withdrawal agreement is not reached before March 29, 2019. In that case, the application of EU legislation would end in Britain immediately on March 30, 2019, and Britain would be a non-EU country.
Securing the post-Brexit transfer of personal data
Brexit’s impact on data protection and the problems related to the transfer of personal data have been recognized during the Brexit negotiations. Data protection has been considered an especially important issue in the negotiations between the EU and the UK. It is in the interests of both the EU and Britain to ensure that the flow of data remains smooth in the future, and the parties are committed to ensuring high-level personal data protection post-Brexit as well. Britain currently complies with the General Data Protection Regulation (GDPR) that took effect last May. Additionally, the national Data Protection Act 2018 supplementing the GDPR is in effect in Britain.
After Brexit is realized, Great Britain will be a non-EU country, and the obligations related to the transfer of data outside the EU must be observed. According to the GDPR, personal data can be transferred to non-EU countries if the country in question guarantees what the European Commission considers an adequate level of data protection, or if certain other prerequisites are met. The original Brexit agreement draft outlined that after the transition period Great Britain would continue applying the GDPR rules until the EU gives a decision that Britain’s data protection legislation guarantees adequate protection for processing personal data. In that case, the transfer of personal data between Britain and the EU wouldn’t require additional obligations compared to the current situation. However, in recent weeks we have seen an increased likelihood of the scenario in which Britain would leave the EU without an agreement.
Brexit can increase the obligations for data transfer
If the European Commission doesn’t give a decision on data protection adequacy concerning the UK, post-Brexit personal data transfers to Britain must comply with the other GDPR requirements for the transfer. In that case, one of the mechanisms for transferring personal data to non-EU countries would be, e.g., an individual’s explicit consent. Secondly, personal data can be transferred to non-EU countries if there are grounds for exemption set by the law. Additionally, it would be possible to transfer personal data under an agreement that uses standard contractual clauses confirmed by the European Commission. Similar clauses must already be used when transferring personal data to non-EU countries for which the Commission has not issued a decision on the adequacy of data protection.
In practice, for the majority of organizations the standard contractual clauses are the most relevant alternative for ensuring compliance with the GDPR when transferring personal data from the EU to third countries.
When organizations are preparing for Brexit, especially for the scenario of Brexit without an agreement, data protection issues should also be considered. If a company currently transfers personal data to the UK, it is advisable to review current contracts with UK-based partners and prepare to negotiate how to ensure a legal basis for those transfers in the post-Brexit world as well.