EU issues Brexit "warning" to companies about data protection

The European Commission has just issued a notice to EU companies on data protection after Brexit, warning them that, unless a ratified withdrawal agreement sets another date or unanimous agreement is reached between the EU and the UK, all primary and secondary EU law will cease to apply to the UK from 30 March 2019.

As a result, the UK will become a 'third country' for the purposes of EU data protection rules, and all companies processing personal data need to consider how to ensure continued, compliant transfer of personal data to the UK. 

Under the current regime, transfer of data to a third country may take place based on one of the following instruments only:

  • An "adequacy decision", which allows the free flow of personal data from the EU without the EU data exporter having to implement any additional safeguards.

  • "Appropriate safeguards" provided by the controller or processor. Such safeguards may be provided for by:
    - Three sets of standard data protection clauses adopted by the Commission
    - Adoption of binding corporate rules, which are approved by the competent data protection authority and which apply within a corporate group
    - Approved Codes of Conduct together with binding and enforceable commitments of the controller or processor in the third country
    - Approved certification mechanisms together with binding and enforceable commitments of the controller or processor in the third country.

  • So-called "derogations", which allow transfers in specific cases, such as based on consent, for the performance of a contract, for the exercise of legal claims, or for important reasons of public interest.

Read the EU Commission Notice of 9 January 2018.