On 13 September 2018, the Department for Digital, Culture, Media & Sport published a technical notice on how the collection and use of personal data would change if the UK leaves the EU in March 2019 with no deal.
The technical notice is one of a series which sets out information to allow businesses and citizens to understand what they would need to do in a no deal scenario, so they can make informed plans and preparations. It sets out the actions UK organisations should take to enable the continued flow of personal data between the UK and the EU in the event that the UK leaves the EU in March 2019 with no agreement in place.
If the UK leaves the EU in March 2019 with no agreement in place regarding future arrangements for data protection, there would be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 would remain in place and the European Union (Withdrawal) Act 2018 would incorporate the General Data Protection Regulation into UK law to sit alongside it.
Personal data could continue to be sent from the UK to the EU, although the UK Government would keep this under review. The EU has an established mechanism to allow the free flow of personal data to countries outside the EU, namely an adequacy decision. However, the European Commission has stated that the decision on adequacy cannot be taken until the UK is a third country.
The legal framework governing transfers of personal data from organisations (or subsidiaries) established in the EU to organisations established in the UK would change on exit. The notice recommends that organisations proactively consider what action they may need to take to ensure the continued free flow of data with EU partners. For the majority of organisations the most relevant alternative legal basis would be standard contractual clauses.
The Information Commissioner's Office will remain the UK’s independent supervisory authority on data protection and the UK Government will continue to push for close co-operation and joined up enforcement action between the Commissioner’s office and EU data protection authorities.