With the decision of the EU leaders to postpone Brexit, the future relationship between the EU and the UK is still up in the air and the risk of the UK leaving the EU without a deal is still a very possible outcome. The question remains: how will EU based companies and organizations who are active in the UK (or deal with UK companies in their business relationships) have to adapt?
With regards to the transfer of personal data, the European Data Protection Board (EDPB) has now clarified in its Information Note of 12 February 2019 on data transfers under the General Data Protection Regulation (GDPR) in the event of a no-deal Brexit (“Guidance1”), if (and how) personal data can still flow freely between the European Economic Area (EEA) and the UK.
Should the UK leave the EU without a deal, the UK will become a so called “third country” to the EU. In this case, according to the Guidance, if personal data is being transferred to the UK, five steps need to be taken for EU companies and organizations to remain ‘compliant’ under the provisions of the GDPR.
Similarly, in the event of a no-deal Brexit, the EDPB considered to what extent EEA companies and organizations will still be allowed to freely receive personal data from the UK.
According to the EDPB, the UK government has stated that in case of a ‘no deal’ situation, it is the intention to enable data to flow from the UK to EEA countries without any additional measures. The question on how this will be done in practice is currently still left open (and will hopefully be clarified in the coming weeks).
1. European Data Protection Board, Information note on data transfers under the GDPR in the event of a no-deal Brexit, 12 February 2019, (link).