How will personal data be transferred to the UK post Brexit?

Government pushes for UK to become a whitelisted country to legalise transfers of personal data from EU post Brexit.  

The Department for Exiting the European Union has published a “future partnership paper” outlining its suggestion that the UK become a whitelisted country for the purposes of transferring personal data to the UK from the EU after Brexit.

Both current data protection laws and the General Data Protection Regulation (GDPR) (see our previous blogs on GDPR here) strictly regulate the transfer of personal data outside of the European Economic Area (EEA), only permitting such transfers under limited legal bases.

Under the current law, and under the GDPR, personal data can be transferred from the EEA to countries which have been deemed by the European Commission (Commission) to provide an adequate level of protection in relation to the processing of personal data. These so-called “whitelisted” countries tend to be those which have adopted data protection regimes similar to that of the EU, for example Argentina and Switzerland.

In order to maintain the free flow of personal data between the EU and the UK, the UK government is hoping that the Commission will adopt an adequacy decision in respect of the UK in order to legalise the transfer of personal data across the Channel. Given the UK’s commitment to implementing the extensive provisions of the GDPR (see our blog on the Data Protection Bill here) and enforcing it via the Information Commissioner’s Office, the UK will effectively provide the same level of data protection as any member state, even post Brexit.

The UK is also asking the EU to acknowledge its level of protection of personal data by allowing the ICO to maintain an influence over data protection policy at an EU level. Allowing a whitelisted country’s regulator to influence EU data protection policy is not commonplace and no doubt such a suggestion will be one of the many cards played in the ongoing Brexit negotiations.

The UK government favours an adequacy decision, as it is the broadest means of legalising data transfers. However, the future partnership paper acknowledges that there are other fallback options available if an adequacy decision is not adopted. Such alternatives include a partial adequacy decision such as the US Privacy Shield, and other organisation-to-organisation mechanisms, such as Binding Corporate Rules or Model Clauses.

WAB Comment

The adoption of an adequacy decision would ensure the continuation of the flow of data between the UK and EEA post Brexit. This would be a crucial element in securing the continued growth of the digital market both in the UK and the EEA, especially given the uncertainty over model clauses created by the recent Schrems II referral to the Court of Justice of the European Union (see our previous blog post here).

The Commission is currently considering Japan and South Korea’s suitability for becoming whitelisted and it remains to be seen whether the UK will have to join the back of the queue, if considered an eligible candidate for whitelisting by the Commission.

Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.
