What will happen to data protection after Brexit in a ‘no deal’ scenario?
| Data protection after Brexit and cross border data transfer. From a UK perspective.
Despite differences yet to be resolved, the UK and the EU still have mutual interests in securing a negotiated outcome. Therefore, a situation in which the UK leaves the EU without agreement (‘no deal scenario’) seems unlikely.
That said, what if agreement is not reached before March 29, 2019?
We need to consider whether EU partner organisations can rely on GDPR derogations or standard contractual clauses for data transfers. And should they continue to comply with broader data protection obligations in the Data Protection Act 2018 and GDPR.
According to the Information Commissioner’s Office (ICO) website:
…there would be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it.
The legal framework governing transfers of personal data from organisations established in the EU to organisations established in the UK would undoubtedly change post Brexit.
Effect on Data Protection after Brexit in ‘no deal’ scenario
There would be no immediate changes if no agreement is in place for data protection after Brexit. The Data Protection Act 2018 would still be in place. And the EU Withdrawal Act would integrate the GDPR into UK law.
We would still be able to transfer individuals’ personal data from the UK to EU partners. After all, there is considerable synergy between UK and EU data protection rules. Therefore, the UK would continue to allow the free flow of personal data from the UK to the EU.
However, as with all legal frameworks, this would remain under constant review.
What UK organisations would need to do
If UK organisations wish to receive personal data from EU partners, they should consider helping EU partners to identify legal basis for such transfers. In most cases this would be standard contractual clauses. The Information Commissioner’s Office recommends that firms proactively consider what action is required to “ensure the continued free flow of data with EU partners”.
The UK Government is:
…committed to the highest standards of data protection and all organisations should continue to comply with their broader obligations under data protection law, including the GDPR (as incorporated into UK law).
Important: This article is provided for guidance purposes only. You should always consult a suitably qualified GDPR/data privacy practitioner.
Sources: Information Commissioner’s Office