GDPR and ‘no-deal’ Brexit

04 Feb 2019

There is still no clarity about the conditions under which the United Kingdom will leave the EU, and time is running out. With regard to the AVG, the British government announced some time ago that the GDPR will, following the Brexit, be converted into British law. For a long time, it has been the expectation that agreements on the continuous flow of personal data between the UK and the EU would be part of the Brexit deal. But what if that deal does not come about?

Philip Nabben

The British government has already announced that it will allow the flow of personal data from the UK to EU countries, but the UK government does not control the flow of EU personal data to the UK. Strictly speaking, personal data can following the Brexit not simply be transferred from EU countries to the UK without further additional agreements because after the Brexit, the UK no longer falls under the scope of the GDPR and the UK has not (yet) been included on the list of the European Union of countries with an adequate level of protection (a list to which Japan has, by the way, very recently been added.

The British privacy watchdog ICO has published an online  '6-step plan' for UK businesses to help them understand the consequences of a 'no-deal' Brexit and for these businesses to take measures if necessary. For the sake of security, there will be companies considering to make use of the EU Standard Contractual Clauses between their Dutch entities and those in the UK, in order to make the exchange of personal data GDPR-compliant even in the upcoming uncertain times. This is a relatively cheap and fast method.

The Dutch Data Protection Authority has not yet commented on the (post) Brexit (enforcement), but stated last December that it would do so 'early 2019'. The privacy team of BDA will of course monitor this closely and publish an update as soon as new developments take place.