Earlier today, the European Union and the United Kingdom reached agreement on a revised customs plan for Brexit. If approved by the EU Member States, the European Parliament and the UK House of Commons, this deal would allow the United Kingdom to exit the European Union on 31 October 2019 in an orderly manner. But what does this Brexit deal mean for data protection?
In short: until at least the end of 2020, nothing will change. The Withdrawal Agreement foresees a transition period, that only applies in case of a deal, until that moment. If need be, a longer transition period can be agreed between the UK and the EU. During the transition period, both parties will continue with a series of negotiations between the EU and the UK, including on various economic issues and further free trade and customs arrangements.
From the revised political declaration, as published on 17 October 2019, it becomes clear that also data protection is one of the issues that falls within the transition period.
First of all, this means that during the transition period, the GDPR will continue to apply in full in the United Kingdom and all data flows can continue unhindered. The 14 months available will be used by the European Commission to make an adequacy assessment of the United Kingdom’s data protection regime. It is good to note that such an assessment goes beyond the mere application of the rules of GDPR, ePrivacy and the Police and Justice Data Protection Directive, but would also take into account other data protection related issues, like possible interference on the fundamental right to privacy and data protection by surveillance legislation.
Should the European Commission come to the conclusion that the United Kingdom indeed offers an adequate level of data protection, it will strive to ensure a legally binding adequacy decision can be taking before the end of the transition period. The European Data Protection Board would likely be invited to present their views as well, like it has done for the EU-Japan Adequacy decision earlier this year.
During the transition period, the United Kingdom will also have to make a decision on their future data exports. So far, the UK Government has indicated it seems no objection for data flows from the UK to the EU, but under the UK Data Protection Act 2018, there is a possibility to establish new rules for international data transfers. If that is the case, which is expected, also the UK will endeavor to reach a binding decision on future UK-EU data flows by the end of the transition period.
In case the political agreement will not be endorsed by the UK House of Commons, or if it fails to convince European leaders or the European Parliament, the UK Government has indicated it will aim for a no-deal Brexit on 31 October 2019. If that happens, no transition period will be put in place, and the UK will immediately become a third country.
For international data transfers to the UK, that means that one of the existing GDPR transfer mechanisms should be used immediately, including the Standard Contractual Clauses, Binding Corporate Rules or any other DPA approved adequate safeguards. Organisations already using Binding Corporate Rules should ensure their lead data protection authority is based in one of the EU27 Member States.