In a 9 January 2018 communiqué, the European Commission announced that starting 30 March 2019, the date on which the Brexit will enter into effect, the United Kingdom will be considered a non-EU country, or third country, under the new General Data Protection Regulation (the “GDPR”).
Thus, subject to any transitional arrangement that could be agreed upon between the United Kingdom and the European Union, the Commission points out that in the absence of an adequacy decision, a Commission decision recognizing that a State assures an adequate level of protection in light of the GDPR, transfers of personal data to the United Kingdom will only be possible of the data controller or the sub-contractor provides “appropriate safeguards”.
Under Article 46 of the GDPR, such safeguards are the use of standard data protection clauses, approved codes of conduct, binding corporate rules or approved certification mechanisms. In addition, the transfers will also be possible on the basis of derogations provided under Article 49 of the GDPR, for example when a concerned person has given his consent to the transfer, or when the transfer is necessary to the execution of a contract.
Nonetheless, the United Kingdom has already begun to incorporate the GDPR into its legislation. Moreover, the “Great Repeal Bill” that the British government intends to enact will undoubtedly allow it to maintain the GDPR standards at the conclusion of the Brexit. Given the legislative safeguards that the UK will enforce, it is unlikely that the European Commission would refuse to issue it an adequacy decision.