Greetings from London!
Today, Friday, 29 March 2019, was supposed to be a momentous day in European history. At 11:00 p.m. Greenwich Mean Time, the U.K. was due to leave the EU. That date and time had been inscribed in U.K. legislation since last summer. It was to be the culmination of two years of tough negotiations and the end result of the referendum on the U.K.’s membership of the EU held in 2016.
Yet on Wednesday, the U.K. Parliament passed a statutory instrument (a form of secondary legislation) extending the U.K.’s membership of the EU to either 12 April or 22 May. Whichever of these dates ends up being the exit date will depend on whether Parliament votes in favor of the withdrawal agreement and political declaration that the U.K. government and the European Council agreed on 25 Nov. 2018. If Parliament does not vote for the deal, then the U.K. will leave the EU on a “no-deal” basis 12 April. If it does, then the U.K. will depart 22 May and, pursuant to the withdrawal agreement, a status quo transition period will kick in until at least 31 Dec. 2020 (extendable for a further one or two years).
The U.K. government, which negotiated the deal, failed in its first two so-called “meaningful votes” to get the deal through Parliament. While Prime Minister Theresa May has offered to resign on the condition that Parliament backs the deal in a third meaningful vote, members of Parliament remain divided over a number of issues, particularly the “backstop” mechanism to prevent a hard border between the Republic of Ireland in the EU and Northern Ireland in the U.K.
What does all this mean for privacy professionals? The European Data Protection Board’s information note on data transfers in the event of a no-deal Brexit still stands. If the U.K. leaves 12 April on a no-deal basis, then it will assume third-country status. Therefore, appropriate data transfer instruments, such as standard data protection clauses or binding corporate rules, must be implemented to enable the transfer of personal data from the European Economic Area to the U.K.
If, on the other hand, the deal is approved and the U.K. leaves 22 May, data may continue to be transferred to the U.K. during the transition period, in accordance with current practice. The U.K. government and the European Commission want to conclude an adequacy agreement during the transition period, which will enable the free flow of personal data to continue — although the U.K.’s domestic implementation of data protection laws will be heavily scrutinized during this process.
The position for organizations in the U.K. is more certain. The government will legislate for the free flow of personal data to continue from the U.K. to the EEA, as well as to countries that the European Commission has already determined to be adequate. Furthermore, several jurisdictions outside the EEA — including Argentina, Israel, Switzerland and the Faroe Islands (the full list is contained in guidance from the Information Commissioner’s Office on a no-deal Brexit) — have declared that data may continue to flow from their territories to the U.K. Under the Privacy Shield agreement, organizations based in the U.S. will need to update their commitments to include the U.K., and FAQs from the U.S. government should be reviewed.
What can we expect in the coming weeks as the new exit dates approach? On Wednesday, Parliament held indicative votes on alternative approaches to Brexit, including leaving with no deal, joining a customs union, implementing an EEA-style arrangement, and holding a confirmatory public vote on the deal — which has been the subject of recent large-scale public campaigns. However, none of these options gained a majority in Parliament, which means that reaching an agreement on the deal remains the government’s priority. Amid this uncertainty, organizations should make contingency plans for data transfers if needed and continue to check guidance from relevant regulators.