A ‘no deal’ Brexit is looking like a real possibility the closer we get to March 29th. So what would a ‘no deal’ Brexit mean for data protection?
Summary of the situation:
On June 23rd 2016, a referendum was held to decide whether the UK should leave or remain in the European Union. The Leave camp took the victory and won by 51.9% to 48.1%.
Thus, the Brexit process was triggered on March 29th 2017, giving the UK a two-year window to agree on separation terms. However, the UK still has a chance to curb Brexit, by deciding to stay in the EU at any time up to the deadline of March 29th 2019, thanks to a European court ruling.
With less than a month left to go, the probability that Brexit will occur is very likely, whether there is a deal or ‘no deal’ in place.
Today
There is currently free movement of data between the United Kingdom and the European Union, but that might not be the case for much longer. Or is that so?
According to the British government, data transfers from the UK to the EU will remain in the existing practice, even after Brexit, due to the UK Data Protection Act 2018. The DPA 2018 mirrors GDPR to the point that we shouldn’t expect a big shift in the conditions in place, as it is designed to allow a free flow of data into the EU.
Here are a few more facts from Elizabeth Denham – UK Information Commissioner:
⁃ In a ‘no deal’ situation the UK Government has already made clear its intention to enable data to flow from the UK to EEA countries without any additional measures. But transfers of personal data from the EEA to the UK will be affected.”
⁃ Don’t presume you are covered by the structure of your company. In the case of ‘no deal’, UK companies transferring personal information to and from companies and organisations based in the EEA will be required by law to put additional measures in place. You will need to assess whether you need to take action.
⁃ ‘Adequacy’ is the term given to countries outside the EU that have data protection measures that are deemed essentially equivalent to European standards. Companies and organisations operating within countries with adequacy agreements enjoy an uninterrupted flow of personal data with the EU. But an assessment of adequacy can only take place once the UK has left the EU. These assessments and negotiations have usually taken many months. Although it is the ambition of the UK and EU to eventually establish an adequacy agreement, it won’t happen yet. Until an adequacy decision is in place, businesses will need a specific legal transfer arrangement in place for transfers of personal data from the EEA to the UK, such as standard contractual clauses.
As Brexit is soon approaching, at Aphaia we are here to help with any related aspect.