The United Kingdom will become a third country following Brexit

Many had expected it and the European Commission has now created provisional clarity through an announcement on January 9, 2018: Brexit will mean that the United Kingdom will be considered a third country under data protection law as from March 30, 2019. Consequently, data transfers to the United Kingdom can no longer benefit from the freedoms of the European Union Single Market. On the contrary, companies will have to ensure that data transfers to the United Kingdom satisfy the requirements of Artt. 44 et seq. GDPR.

Unless the European Commission passes an adequacy decision, for example within the framework of a Brexit agreement between the United Kingdom and the European Union, companies exchanging personal data with the United Kingdom will therefore have to use the standard contractual clauses for this, or resort to other derogations such as consent.

Accordingly, the fact that the United Kingdom is implementing the GDPR is not, by itself, sufficient for an appropriate level of protection for personal data in the United Kingdom that would simplify the transfer of data.

Companies that exchange personal data with the United Kingdom, whether in the context of group relationships or service relationships, for example with IT providers, should therefore follow the Brexit negotiations very closely and take precautions against the absence of an adequacy decision from the European Commission on March 30, 2019.