Brexit and Data Transfers to the UK (June 2016)

The decision whether or not Great Britain will remain in the European Union (EU) has been made by a 51.9 % majority of votes as British citizens decided to leave the EU. While the conditions and timing of the actual Brexit are yet to be negotiated, it cannot be excluded that a potential Brexit could under some scenarios impact data transfers between the EU and the UK.

As an EU Member State, Great Britain benefits from harmonized trading rules across the EU and the European Economic Area (EEA), where adequate legislative has been adopted as well. Data protection is currently harmonized by the Data Protection Directive 95/46/EC (Directive) which ensures the free flow of data between EU/EEA Member States. Personal data must not be transferred to countries outside of the EEA unless such “third” countries provide an adequate level of data protection.

If the UK leaves the EU but remains a party to the EEA Agreement, it may continue to benefit from the free movement of data between the EU and the rest of EEA, similarly as other EEA Member States, Norway, Iceland and Lichtenstein, do.

In less than two years, on May 25, 2018, a new EU regulation on data protection – the General Data Protection Regulation (GDPR) – will come into force. Even if Great Britain is no longer an EU member by that time (which is highly unlikely) and if it remains a party to the EEA Agreement, it will likely be also bound by the GDPR because the EEA is currently in the process of adopting the GDPR. The free movement of data between the EU and the EEA countries will continue even after Brexit takes effect.

That being said, the current EU rules on data transfers are under discussion and challenged on many fronts; it thus cannot be excluded that more restrictive rules on data transfers outside the EU will be applied in the future.

Should Great Britain leave the EEA as well, the benefit of the free flow of data guaranteed by the Directive (and the GDPR) would be lost. The European Commission would then need to assess whether the UK laws provide an adequate level of protection comparable to the EU requirements. That may force Great Britain to adopt the GDPR or similarly protective legislation on the national level. In the event that no such adequacy decision is adopted, Great Britain would be considered a third party for the purposes of data transfers and data transfers would need to be based on other mechanisms, such as the EU standard contractual clauses.

In addition to the EU/EEA legal framework outlined above, Great Britain is a party to the Council of Europe’s Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention). This Convention, which pre-dates the Directive, stipulates that a party to the Convention is not entitled, for the sole purpose of the protection of privacy, prohibit data transfers to another party. This should, in theory, guarantee a free movement of personal data between the Convention countries (the Czech Republic has also ratified the Convention, as did all EU/EEA Member States plus a few other, predominantly European, countries). However, Great Britain has made declarations to the Convention, excluding some categories of automated personal data files such as accounts and transaction records from its scope. Such declarations might be considered as falling short of the new data protection standards introduced by the GDPR. In the absence of a specific Commission adequacy decision declaring Great Britain a country affording an adequate protection to personal data, the legality of data transfers from the EU to post-Brexit Britain would remain questionable.