Personal data flows between the UK and the EU are subject to the current tumultuous Brexit negotiations. The effects of this uncertainty yield considerable implications for businesses, for which personal data flows are the life blood of internal and external processes.

As a result, several considerations have to be taken into account, both from the UK and the EU perspective. Indeed, as personal data flows both ways, the analysis of the possible consequences stemming from the different Brexit scenarios needs to take into account both UK to EU transfers and EU to UK transfers. 

As current negotiations draw to a close, several scenarios are possible. In this article we will examine the following three scenarios: a Deal Brexit (in its current negotiated form), a No deal Brexit (or “Hard Brexit”) or a postponement of the withdrawal date. We will hereafter analyse the impact that these scenarios would have on the data flows between the UK and the EU, and examine considerations on how organizations should react in order to avoid disruptions to their businesses.

EEA to UK personal data flows

Deal scenario

What will happen? 

Under the current draft of the Brexit deal[1], data will continue to flow freely from both ways during an extendable two years transition period. This period should allow ultimately to negotiate an adequacy decision, which should be approved by the end of 2020.[2] The adequacy decision will allow the free flow of personal data from the EEA to the UK for an unlimited duration and will be subject to periodic reviews.


What to do?

  • The General Data Protection Regulation (GDPR) will continue to apply to personal data transferred from the EEA and UK law will apply to data obtained in the UK.
  • In practice there will not be any noticeable change (“business as usual”).
  • Once the adequacy decision is adopted, it will be important to monitor if additional obligations arise from it.

No deal scenario

What will happen?

The free flow of personal data from the EU to the UK will stop, as the UK will be considered as any other third country. In order to re-establish the free flow of personal data, an adequacy decision from the European Commission will have to be negotiated and approved. However, in this case there won’t be a transition period as provided under the Deal scenario. The No deal scenario would imply as well the absence of any guarantees concerning when the adequacy decision will be taken, which is of significant importance. It should be noted that the last adequacy decision for Japan took two years to be negotiated and approved.


What to do?

  • Businesses will first have to assess the importance of personal data flows with the UK.
  • In case of non-repetitive transfers and covering a very limited amount of individuals, specific derogations exist that would permit the transfer of data, in accordance with Article 49 of the GDPR.
  • In case of repetitive and constant transfers, several options exist, namely:
    • Standard Contractual Clauses from the European Commission;
    • Ad-hoc standard contractual clauses;
    • Binding corporate rules;
    • Certifications;
    • Adherence to a code of conduct;

      Despite these available options, most of them require lengthy pre-approval by national data protection authorities or are not operational yet. Only the first option (Standard Contractual Clauses) is deployable in a short time span.
  • Finally, organizations should assess whether data transfer to the UK is necessary and irreplaceable for their business models. If this is not the case, necessary arrangements in order to stop the transfer of personal data to the UK should be made. 

Postponing the withdrawal date

What will happen?

A third possible option would be the extension of the withdrawal date of the UK from the EU. In this case the UK will still be part of the EU, therefore personal data transfers will continue undisturbed. An extension of deadline however depends on an approval by the 27 EU Member States and thus will not be automatic if no deal is reached by the 29th of March.


What to do?

  • In this respect, no actions will need to be taken immediately.
  • Depending on the length of the extension, this could allow businesses transferring data to the UK from the EEA to prepare the needed legal mechanisms to ensure compliant transfers in the future, in case of a no deal scenario.

UK to EEA personal data flows

What will happen?

In all three scenarios analysed above, the flow of data from the UK to the EEA will not be disrupted. Indeed, the UK have explicitly said that it would make the necessary arrangements to allow UK companies to freely transfer data to the EEA.[3]


What to do?

In this respect, no actions will need to be taken.


What´s next?

The EU27 leaders will meet on 21 March 2019, during the EU Summit, to discuss the latest developments on Brexit. Depending on the outcome of the discussions, the likelihood of one of the above scenarios playing out will increase or decrease.

[1] Article 72 of the Brexit Draft Agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community, as agreed at negotiators' level on 14th November 2018

[2] Political Declaration setting out the framework for the future relationship between the European Union and the United Kingdom, , as agreed at negotiators' level on the 22nd of November 2018

[3] Using personal data after Brexit -


Connect with us