The European Commission's Directorate-General for Justice and Consumers has issued a warning on the data protection ramifications of Brexit.
The document, entitled "Notice to stakeholders: withdrawal of the United Kingdom and EU rules in the field of data protection", warns that the United Kingdom will become a 'third country' as of the withdrawal date of 30 March 2019. The UK will then be subject to the same EU rules for the transfer of personal data as other third countries. Under both the current Directive 95/46/EC and the upcoming GDPR, which will replace it as of 25 May 2018, transfers to third countries are only allowed if the controller or processor has provided "appropriate safeguards". These may be provided by:
- Standard data protection clauses: these are standard contractual clauses which the Commission has decided provide adequate safeguards for data subjects. Under the current regime the Commission has issued two sets of standard contractual clauses: (1) for transfers from EU-based controllers to controllers outside of the EU; and (2) for transfers from EU-based controllers to processors established outside of the EU.
- Binding corporate rules: these are legally binding data protection rules applicable within a corporate group, approved by the competent data protection authority.
- Codes of Conduct: these codes of conduct are drafted by bodies representing controllers or processors. Under the GDPR, controllers or processors in third countries can demonstrate that they provide appropriate safeguards by adhering to approved codes of conduct and making a "binding and enforceable commitment" to comply with the GDPR and to respect data subjects' rights.
- Certification mechanisms: so far, certification marks and seals have only served as useful signals of privacy standards for consumers. However, they will receive formal recognition under the GDPR, under which certifications may be issued by an accredited certification body, the competent supervisory authority or the European Data Protection Board. As with codes of conduct, certified controllers and processors in third countries who make a "binding and enforceable commitment" to comply with the GDPR and respect data subjects' rights will be considered to provide appropriate safeguards.
If there are no appropriate safeguards, in exceptional cases, a transfer may take place on the basis of certain derogations. There is also the possibility that the EU will make a decision on the adequacy of personal data protection in the UK, as it has done in respect of certain transfers to Canada, New Zealand and Switzerland, which would allow the free flow of personal data to the UK by EU data exporters.
The Commission Notice concludes by noting that the Commission has established a stakeholder group comprised of industry, civil society and academic contributors, who will discuss the tools for transfers to third countries under the GDPR.