Further to our previous OnPoint “No Deal” Brexit and its Implications for Data Protection, the European Commission has given an update on its “no deal” Brexit contingency planning in a communication published on November 13, 2018. The Commission states that in the case of a “no deal” Brexit, “the adoption of an adequacy decision in favour of the UK is not part of the Commission’s contingency planning.” This means businesses will need to rely on alternative bases for transferring personal data from the EU to the UK unless and until an adequacy decision in respect of the UK is adopted.
Why is the European Commission not adopting an adequacy decision as part of its contingency plan?
The communication from the Commission points to the fact that there is a “broad toolbox for data transfers to third countries” (including safeguards and derogations) contained within the General Data Protection Regulation (EU) 2016/679 (the “GDPR”) which allow businesses to transfer personal data out of the EU. The Commission highlights that some of the derogations can be relied upon even in the absence of appropriate safeguards, such as if the data subject gives explicit consent, when the transfer of personal data is necessary for the performance of a contract or for important reasons of public interest.
The Commission’s contingency plans in case of no deal being reached will generally be temporary in nature and, as businesses in the EU already transfer personal data to "non-adequate" countries in reliance on the safeguards and derogations set out in the GDPR, the Commission seemingly does not feel it is necessary to adopt an adequacy decision in respect of the UK as part of its contingency plans.
What does this mean for businesses?
As it is unclear if and when an adequacy decision will be made in favour of the UK, businesses will have to rely on alternative bases to transfer personal data from the EU to the UK. These bases are discussed in our previous OnPoint.
Businesses should, therefore, be considering their options for the transfer of personal data now to ensure that they remain compliant with the GDPR, in the scenario that the UK leaves the EU without securing a deal.