"No Deal” Brexit: No Data Protection Adequacy Decision For The UK in Commission’s Contingency Plan

Dechert LLP

Dechert LLP

Further to our previous OnPoint “No Deal” Brexit and its Implications for Data Protection, the European Commission has given an update on its “no deal” Brexit contingency planning in a communication published on November 13, 2018. The Commission states that in the case of a “no deal” Brexit, “the adoption of an adequacy decision in favour of the UK is not part of the Commission’s contingency planning.” This means businesses will need to rely on alternative bases for transferring personal data from the EU to the UK unless and until an adequacy decision in respect of the UK is adopted.

Why is the European Commission not adopting an adequacy decision as part of its contingency plan?

The communication from the Commission points to the fact that there is a “broad toolbox for data transfers to third countries” (including safeguards and derogations) contained within the General Data Protection Regulation (EU) 2016/679 (the “GDPR”) which allow businesses to transfer personal data out of the EU. The Commission highlights that some of the derogations can be relied upon even in the absence of appropriate safeguards, such as if the data subject gives explicit consent, when the transfer of personal data is necessary for the performance of a contract or for important reasons of public interest.

The Commission’s contingency plans in case of no deal being reached will generally be temporary in nature and, as businesses in the EU already transfer personal data to "non-adequate" countries in reliance on the safeguards and derogations set out in the GDPR, the Commission seemingly does not feel it is necessary to adopt an adequacy decision in respect of the UK as part of its contingency plans.

What does this mean for businesses?

As it is unclear if and when an adequacy decision will be made in favour of the UK, businesses will have to rely on alternative bases to transfer personal data from the EU to the UK. These bases are discussed in our previous OnPoint.

Businesses should, therefore, be considering their options for the transfer of personal data now to ensure that they remain compliant with the GDPR, in the scenario that the UK leaves the EU without securing a deal.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising

Written by:

Dechert LLP

Dechert LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.