The Brexit Withdrawal Agreement negotiated between the European Union and the United Kingdom envisaged that, during the transitional period, the United Kingdom would have been treated under data protection legislation in the same way as the countries of the European Economic Area. This would have allowed a transfer of personal data from the European Union to the United Kingdom without additional measures to ensure adequate levels of data protection. Subsequently, an adequacy decision on the level of data protection of the United Kingdom was supposed to be issued during the transitional period.
However, with the British Parliament's rejection of the Brexit Withdrawal Agreement on 01/15/2019, it is now becoming more and more likely that these transitional arrangements will never be applied. This means that, when Brexit comes into effect on 03/29/2019, the United Kingdom will become a third country within the meaning of Art. 44-49 GDPR. For a transfer of personal data to be lawful, in addition to the general permissibility of the processing itself, either the consent of the data subjects must be obtained for this transfer, or other measures must be taken in accordance with Art. 44-49 GDPR which ensure an adequate level of data protection. Otherwise, the transfer of personal data from the European Union to the United Kingdom would be unlawful.
This is true even though the United Kingdom has transposed the GDPR into national law and will continue to do so after Brexit becomes effective. In fact, the same data protection legislation applies as within the European Union. However, the European Commission has already clarified on 11/13/2018 that in the case of a No-Deal Brexit, the United Kingdom will still be regarded as an unsafe third country from 03/30/2019 until a decision on adequacy is issued. Before that can happen, the regular procedure for reaching an adequacy decision, which would qualify the United Kingdom as a secure third country and thus facilitate a transfer without further action, must first be completed. According to experience so far, such a procedure takes from several months to more than one year.
Need for action for companies
This means that companies that transfer personal data to the United Kingdom need to take action. For example, a transfer occurs if they have subsidiaries or branches that need to work with personal data from the European Union (access to IT systems located within the European Union is already sufficient to be deemed a transfer of personal data). The use of IT providers whose systems are hosted in the UK is also sufficient to trigger the requirement to act. Otherwise, companies risk that these transfers of personal data are impermissible, which may result in fines of up to EUR 20 million or 4 percent of worldwide annual turnover. No transitional periods apply.
The only practicable means to secure the data transfer is the use of the so-called standard contractual clauses. Standard contractual clauses are contractual arrangements between the controller in the European Union and the recipient of the personal data in the unsafe third country, here the United Kingdom, which are intended to ensure an adequate level of data protection. The European Commission has stated in decisions that this is the case when using these standard contractual clauses. They exist for the transfer of personal data from controller to controller as well as from controller to processor.
We recommend that the companies concerned act proactively, approach the data-receiving companies in the United Kingdom and urge them to agree to the conclusion of the standard contractual clauses. This could be done under the condition precedent of a No-Deal Brexit.
On the other hand, companies that wish to transfer data from the United Kingdom to the European Union can continue to do so, according to currently available information. The UK regulator has already said so in statements. Unfortunately, this does not apply to the reverse direction.