Preparing for UK’s withdrawal from the EU causes confusion in many ways and no wonder. The political situation of Brexit is still unclear. The European Commission has announced that the UK’s withdrawal should be prepared for by taking into account all possible scenarios.
Even though mutual understanding of the withdrawal agreement would not be reached by March 29th 2019, the UK is likely to leave the EU in any case, which means starting from March 30th, the UK will be a so-called third country.
What does Brexit mean from the perspective of transferring personal data and what actions does it require in practice?
EU membership secures the free movement of personal data between the EU member countries and EFTA/EEA countries. Transferring data outside the European Economic Area is allowed only if adequate level of data protection is guaranteed in the third country or additional safeguards in accordance with the GDPR are followed in the transfer of personal data. If the UK withdraws from the EU without a withdrawal agreement, the transfer mechanisms in chapter five of the GDPR are applied.
Here are the concrete steps, with which you can prepare for the arrival of Brexit:
1. Option 1. The UK withdraws from the EU March 29th, 2019 without a withdrawal agreement
· Map all the data flows in your company, in which data is transferred to the UK. Consider in particular if the transfer of data continues after March 29th.
· If the transfer continues after March 29th, consider a suitable mechanism of transfer for your company. If needed, consult Fondia’s experts. In principle, we recommend using the European Commission’s standard contractual clauses.
2. Option 2. Withdrawal agreement is entered into force by March 29th, 2019
· If the agreement is reached by March 29th, a transition period begins. EU legislation (including the GDPR) is applicable law until the end of the transition period i.e. until December 31st, 2020. Personal data can be transferred to the UK safely during the transition period as before.
· After the transition period, EU legislation is not applied. In this case it is possible that the European Commission decides on the adequate level of data protection in the UK by the end of the transition period, in which case the transfer of personal data to the UK is secured. The schedule on behalf of the Commission is unclear and we have experience that the decision-making stretches. For example, for Israel the decision-making process took 42 months. For this reason, companies should prepare for applying other safeguards, such as the Commission’s standard contractual clauses.
The UK has prepared excellently for the arrival of Brexit with regard to the GDPR and transferring personal data. The UK is one of the few member countries, which got their own national Data Protection Act into effect simultaneously with the GDPR in May 2018.
Moreover, even if the withdrawal agreement is not achieved, the Commission’s adequacy decision may come into effect later on. We do not recommend reckoning on the possible decision-making, since the decision-making process can stretch and there is no information on the schedule at this point.