The European Commission in Brussels published a notice to stakeholders on 9 January 2018, stating that the United Kingdom will be recognised as a “third country” in the field of data protection after its withdrawal from the EU, subject to any transitional arrangement. The notice sought to remind all stakeholders processing personal data of the legal repercussions this new status will bring, particularly “in view of the considerable uncertainties”.
It is unclear at this stage whether or not the Commission will decide that the UK is an “adequate jurisdiction” following its withdrawal from the EU. Aside from an “adequacy decision”, the EU’s data protection laws (currently Directive 95/46, although the General Data Protection Regulation 2016/679 or “GDPR” will apply from 25 May 2018) only permit a transfer of personal data to a third country if the controller or processor has provided “appropriate safeguards”.
The Commission explains that these safeguards may take the form of:
- Standard data protection clauses adopted by the Commission;
- Binding corporate rules approved by the competent data protection authority;
- Approved Codes of Conduct together with binding and enforceable commitments of the controller or processor in the third country; or
- Approved certification mechanisms together with binding and enforceable commitments of the controller or processor in the third country.
In the absence of an “adequacy decision” and “appropriate safeguards”, the Commission notes that transfers may instead take place on the basis of “derogations”. However, these would only apply for transfers in specific cases, such as those based on consent, required for the performance of a contract, or for important reasons of public interest.