Brexit and GDPR
The United Kingdom officially left the European Union on January 31, 2020. What about the General Data Protection Regulation (GDPR)? Nominet published a clarifying note (theukdomain.uk, 2020-02-20).
The .UK Registry wisely points out at the outset that the United Kingdom and the European Union have entered a transition period that maintains the status quo while new negotiations on post-Brexit relations are underway. In the meantime, the GDPR and the Data Protection Act 2018 (the UK law on the protection of personal data which transposed the GDPR into the UK legal order) will continue to apply normally. The transition period should, in principle, extend until December 31, 2020. The Commission clarified as follows:
“During its EU membership, private and public bodies in the United Kingdom received personal data from companies and administrations in other Member States.
The Withdrawal Agreement provides that, after the end of the transition period, the United Kingdom has to continue applying the EU data protection rules to this ‘stock of personal data’, until the Commission has established, by way of a formal, so-called adequacy decision, that the personal data protection regime of the United Kingdom provides data protection safeguards which are “essentially equivalent” to those in the EU.
The formal adequacy decision by the Commission has to be preceded by an assessment of the data protection regime applicable in the United Kingdom. In the case where the adequacy decision was annulled or repealed, the United Kingdom shall ensure that data received will be subject to ‘essentially equivalent’ standard of protection to that under the EU data protection rules” (European Commission, Questions and Answers on the United Kingdom’s withdrawal from the European Union on 31 January 2020, 2020-01-24).
No official information is provided as to the possible duration of the evaluation procedure.
According to Nominet, the provisions of the GDPR have been transposed into British law and should not be repealed. In any event, since the United Kingdom is now a third country, companies must comply with the provisions relating to cross-border transfers of personal data.