Brexit ‘No Deal’ Guidance Notices Regarding Data Protection
On 12 October 2018, the UK Government published Brexit ‘no deal’ guidance notices setting out data protection policy for the post-Brexit period.
In the UK, the Data Protection Act 2018 and the General Data Protection Regulation (GDPR) provide a comprehensive data protection framework. Under GDPR rules, organizations are only permitted to transfer personal data outside the EU if there is a legal basis for doing so. Transfers of personal data within the EU are not restricted.
In the event of a ‘no deal’ Brexit:
- There would be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it.
- The legal framework governing transfers of personal data from organizations (or subsidiaries) established in the EU to organizations established in the UK would change on exit.
- The UK would, at the point of exit, continue to allow the free flow of personal data from the UK to the EU.
- The European Commission has stated that if it deems the UK’s level of personal data protection essentially equivalent to that of the EU, it would make an adequacy decision allowing the transfer of personal data to the UK without restrictions.
- If the European Commission does not make an adequacy decision regarding the UK at the point of exit, the alternative legal basis would be standard contractual clauses. These are model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when embedded in a contract.
More information is available on the UK Government’s website.