What are the consequences of a Brexit for the privacy and data protection obligations of your company?Back to articles
14 July, 2016
Can I still transfer data to the United Kingdom? And is it still possible to transfer data from the United Kingdom to the Netherlands and the rest of the EU?
Yes, as long as the United Kingdom (UK) is still formally a member of the EU the European privacy and data protection legal framework is still applicable to the UK. It is expected that it will take some years before the UK is formally not a member of the EU anymore. After the UK has formally left the EU, it will depend on the new relationship between the EU and the UK under what conditions data transfers can take place.
What about the privacy and data protection law in the future? Is the privacy and data protection law going to change in the UK in the upcoming years?
The new data protection law (the General Data Protection Regulation) which will be applicable from the 25th of May 2018 onwards in the EU, will probably not directly apply in the UK, assuming the UK will have left the EU by then, as EU Regulations are only directly applicable in the EU Member States. If the UK would like to continue to trade with the EU it has to make sure to have an equivalent/adequate level of privacy and data protection.
What if the UK is still formally part of the EU when the General Data Protection Regulation (GDPR) becomes applicable?
If the UK is still formally a Member State of the EU when the GDPR becomes applicable, it will be applicable there too and organisations need to comply with the GDPR, because a Regulation is directly applicable and does not need implementation in national law (as was the case with the current Directive 95/46/EC).
What will be the status of the UK when they are not an official member of the EU anymore?
The UK will formally be qualified as a third country and it is yet unclear whether they will become part of the EEA or not.
Will there still be equivalant privacy and data protection in the UK when the UK does not or only partly incooperate the General Data Protection Regulation?
When the UK decides to not or only partly adopt the GDPR, the European Commission can decide that the privacy and data protection legislation in the UK can be deemed adequate, so whether it provides enough safeguards to transfer data to the UK. If not deemed adequate, additional safeguards should be adopted when transferring personal data from the EU to the UK.
What does Brexit means for processing agreements with British processors (under the GDPR)?
Controllers that are bound by the GDPR need to ensure compliance with the law, including when contracting a processor to process data on their behalf. When contracting a processor in the UK, it should be assured that the requirements of the GDPR are met. Furthermore, many obligations of the GDPR will apply to organisations located anywhere in the world that process EU residents’ personal data when offering goods or services to them or monitoring them. British processors need to comply with these obligations when processing EU citizen’s personal data. When having long term contracts with processors in the UK it is important to assess and when necessary amend the contracts to be sure adequate privacy and data protection is part of them.
What does Brexit means for my Binding Corporate Rules?
Binding Corporate Rules (BCRs) allow companies to make intra-organisational transfers of personal data with adequate protection across borders. BCRs are mainly used outside the EU to ensure an adequate level of data protection. Transferring personal data through BCRs remain valid with the UK leaving the EU.
Would you like to know more about the possible privacy and data protection consequences of a Brexit for your company? Contact us!
Senior Public Affairs Consultant
Senior Legal Consultant
Considerati is your partner in a digital world. The legal team of Considerati supports technology and data driven companies as well as governments, with processing personal data responsibly and being compliant with the latest rules and legislation.
Considerati is the leading legal and public affairs consultancy for the digital domain in the Netherlands. We specialize in building trust in your organization and in the ecosystem in which your organization operates. This enables you to enhance the performance of your organization and to strengthen your license to operate in a challenging environment.
I’ve just returned from giving a guest lecture at Stanford to computer science students as part...
An amendment to the law on data breaches and the Dutch Data Protection Authority (DPA) reveals that...