January 22, 2018

The Notice reminds stakeholders that all EU law will cease to apply to the UK from 30 March 2019 as a result of the EU referendum in the UK. The UK will therefore then become a “third country”. The Notice is to remind all stakeholders processing personal data of the legal repercussions that need to be considered when this happens.

The Notice explains that, subject to any transitional arrangement that may be contained in a possible withdrawal agreement, as of the withdrawal date, EU rules for the transfer of personal data to third countries will apply to the UK. Aside from an “adequacy decision”, which allows the free flow of personal data from the EU without the EU data exporter having to implement any additional safeguards or being subject to further conditions, the EU’s data protection rules (both under the current Data Protection Directive (95/46/EC) and under the new General Data Protection Regulation (2016/679/EU) allow a transfer if the controller or processor has provided “appropriate safeguards”. These safeguards may be provided for by:

• standard data protection clauses: the Commission has adopted three sets of model clauses which are available on the Commission’s website;
• binding corporate rules: legally binding data protection rules approved by the competent data protection authority which apply within a corporate group;
• approved Codes of Conduct together with binding and enforceable commitments of the controller or processor in the third country; and
• approved certification mechanisms together with binding and enforceable commitments of the controller or processor in the third country.

In the absence of an “adequacy decision” or of “appropriate safeguards” a transfer or a set of transfers may take place on the basis of “derogations”, which allow transfers in specific cases, such as where there is consent, for the performance of a contract, for the exercise of legal claims or for important reasons of public interest.

The GDPR has simplified the use of these tools. Transfers based on approved standard data protection clauses or on binding corporate rules will not be subject to a further, specific authorisation from a supervisory authority. In addition, the GDPR has, subject to further conditions, introduced codes of conduct and certification mechanisms as new tools for the transfer of personal data.

The Notice reminds readers that preparing for the withdrawal is not just a matter for EU and national authorities, but also for private parties. As regards the implementation of the GDPR, and in particular the new tools for transfers to third countries (e.g. approved Codes of Conduct and approved certification mechanisms entailing binding commitments by the controllers and processors receiving the data in the third country), the Commission says it is working with interested parties and data protection authorities to make the best use of these new instruments. Further, the Commission has set up a stakeholder group comprised of industry, civil society and academics, which will discuss this topic. To read the Notice in full click here.