On 13 September 2018, the UK Government published a series of technical notes setting out the implications in various sectors and areas of a ‘no deal’ scenario (i.e. a scenario in which the UK leaves the EU without an agreement), including a note specifically covering data protection. The note sets out the actions UK organisations should take to enable the continued flow of personal data between the UK and the EU in the event that the UK leaves the EU in March 2019 with no agreement in place.
Transferring data from the UK to the EU
Even in the event of a ‘no deal’ scenario, the technical note confirms that there should not be any impact on the transfer of personal data from the UK to the EU and beyond. A combination of the UK Data Protection Act 2018 and the EU Withdrawal Act would incorporate the GDPR into UK law. As such, the provisions currently found in Chapter V of the GDPR, which prohibit the transfer of personal data outside of the EEA without adequate safeguards in place, would remain. UK entities would therefore continue to be able to freely send personal data from the UK to the EU, and would continue to need to satisfy an appropriate legal basis to legitimise the transfer of personal data beyond European borders.
The technical note further confirms that, “in recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU”. However, there is a potential sting in the tail as the technical note provides that the UK will keep this under review – once the UK data protection regime is no longer required to mirror the GDPR, it would in theory be possible for the UK Government to amend the UK rules to provide that, for example, no personal data could be transferred outside of the UK without additional safeguards in place – meaning that this could potentially change in the future.