Well, I guess this comes as no big surprise. In its “Notice to stakeholders: withdrawal of the United Kingdom and EU rules in the field of data protection”, the EU today declared that the United Kingdom post-Brexit will not meet the adequacy requirements with regard to the transfer of personal data from the EU to the UK.
As it currently stands, when Brexit happens in March 2019, in order to transfer personal data to the UK, organisations within the EU will have to do so using one of the following mechanisms:
- Standard data protection clauses: the Commission has adopted three sets of model clauses which are available on the Commission’s website;
- Binding corporate rules: legally binding data protection rules approved by the competent data protection authority which apply within a corporate group;
- Approved Codes of Conduct together with binding and enforceable commitments of the controller or processor in the third country;
- Approved certification mechanisms together with binding and enforceable commitments of the controller or processor in the third country.
In other words, the free flow of personal data from the EU to the UK will have to be done under different conditions than today.
This will have major implications for many businesses within the EU using UK-based companies to process data should this issue not be addressed appropriately between now and when the UK leaves the EU.
I wrote about this issue last year for the Irish Independent and highlighted many of the issues that have arisen today.
I also gave a presentation on the same topic last year. That presentation is available below.