On January 9, 2018, the EU Commission announced that the United Kingdom (UK) would be treated as a third country within the meaning of the GDPR after its withdrawal from the EU on March 30, 2019. Even though the UK, currently still an EU Member State, has already taken steps to implement the GDPR, it will not automatically be granted safe third country status when it withdraws from the EU. One reason is that EU primary and secondary law, and thus the GDPR, will cease to apply in the UK after the withdrawal date. In addition, there will not be an automatic adequacy decision by the European Commission pursuant to Art. 45 GDPR on the level of data protection in the UK. Such a decision will be necessary, however, in order to transfer data to a third country without taking additional legal steps.
What are the consequences for companies?
In the absence of an adequacy decision by the European Commission, companies transferring personal data to the UK after the withdrawal date must take the same legal steps as for data transfers to the United States or China. In this context, the EU standard contractual clauses (referred to as standard data protection clauses as of May 25, 2018) and binding corporate rules (BCR) will play an important role. In its notice, the European Commission also mentioned other mechanisms, such as approved certification mechanisms or approved Codes of Conduct, that could serve as a basis for data transfers to the UK.
Companies that are transferring data to entities in the UK must closely monitor the Brexit negotiations and review which GDPR instruments are appropriate for them in terms of the legal basis for data transfer. Even though it will take more than a year until Britain’s withdrawal from the EU, certain measures – such as BCR implementation – require a lead time that should not be underestimated.