The United Kingdom (UK) left the European Union (EU) on 31 January and it entered a post-withdrawal transition period.
Statement from the UK Information Commissioner’s Office (ICO) (29 January 2020)
“During [the transition] period, which runs until the end of December 2020, it will be business as usual for data protection”. (Our emphasis)
“The GDPR will continue to apply”. (…)
The UK continues to be considered an EU Member state during the transition period
For (most) legal purposes the UK will continue to be considered as an EU Member State until the end of the transition period (31 December 2020). Withdrawal Agreement (WA) Article 127 6. states:
“Unless otherwise provided in this Agreement, during the transition period, any reference to Member States in the Union law applicable” (…), “shall be understood as including the United Kingdom”. (Our emphasis.)
The Withdrawal Agreement
The WA is an International Treaty. It is intended to be attended by legal consequences and to be enforceable. Title VII WA (Articles 70 to 74), specifically concerns Data and Information.
The effect of WA Article 71(1)(a) is that the rules of the GDPR continue to apply for personal data transfers between the European Economic Area (the EEA is the EU plus Iceland, Liechtenstein and Norway) and the UK as from 1 February 2019. Thereafter, WA Article 71(2) appears to assume that during the transition period a finding of ‘adequacy’ will be made in respect of the United Kingdom’s data protection regime.
‘Adequacy’ is important
The general rule (under Chapter V of the GDPR), is that controllers and processors cannot transfer personal data outside the EEA to ‘third-countries’ (such as the UK) unless adequate levels of data protection can be ensured. In the absence of a general finding of adequacy in respect of a third country contractual methods need to be used to enable such transfers.
ICO’s statement acknowledges the potential for uncertainty
“It is not yet known what the data protection landscape will look like at the end of the transition period and we recognise that businesses and organisations will have concerns about the flow of personal data in future”.
“We will continue to monitor the situation and update our external guidance accordingly”.
More information available from: ICO’s Brexit related guidance and resources