In August 2017, prior to the publishing of the draft Data Protection Bill, the UK Government was already inviting the EC to grant the UK an “adequacy decision” (i.e. a decision taken by the EC to determine whether a third country ensures an adequate level of protection based on its domestic law, or on the international commitments it has entered into) to allow for the transfer of personal data from the EU to the UK without additional measures. The UK Government expressed itself as follows:
“The UK’s data protection law will fully implement the most up-to-date EU framework, and this will remain the case at the point of the UK’s withdrawal from the EU. On this basis, the Government believes it would be in the interest of both the UK and EU to agree early in the process to mutually recognise each other’s data protection frameworks as a basis for the continued free flows of data between the EU (and other EU adequate countries) and UK from the point of exit until such time as new and more permanent arrangements come into force.”
At the moment, the discussions around this potential data-flow deal have not yet started. It is thus unsure whether they will be completed prior to the date of withdrawal (taking into account for instance that it took nearly three years for the EU to reach a data transfer deal with the U.S. and that Japan’s pending data agreement with the EU is expected to take 18 months).
Brexit should in principle not cause major issues within the context of the subject at case as the EC is, according to the main stakeholders, likely to adopt such an adequacy decision. For UK-based companies: keep in mind that the GDPR will in any case apply to UK-based companies that process personal data of EU data subjects where the processing is related to the offering of goods or services to individuals in the EU or to the monitoring of their behaviour in the EU.