
A-Z OF GDPR : BRIEFING PAPER – LIFE AFTER BREXIT

Background

We must all be very concerned about the implications of Brexit as the possibility of leaving the EU without a deal grows more likely by the day. One cannot be optimistic that a transition will permit the UK to go on exchanging personal data with the EU, and with the other countries the EU recognises as adequate, on the present GDPR terms; it may happen, but it cannot be assumed. The requirement is therefore to make, or at least prepare, the alterations to workflows and processing that will keep data transfers standardised and uninterrupted.

How matters might develop:

The Adequacy Decision

The existing mechanism that permits a non-EU country to exchange personal data on the same terms as an EU country is an Adequacy Decision.

This is a decision taken by the European Commission establishing that a third country provides, through its domestic law or its international commitments, a level of protection for personal data comparable to that in the European Union. As a result, personal data can flow safely from the European Economic Area (EEA) (the 28 EU Member States as well as Norway, Liechtenstein and Iceland) to such a third country without being subject to any further safeguards or authorisations.

UK’s Total Compliance

The UK has fully incorporated GDPR into UK legislation. For the moment it is difficult to see how the EU could deny, on strictly GDPR terms, an Adequacy Decision in line with the approvals already given to Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and, most recently, Japan.

We think it is fair to say that the UK Government (DCMS) is doing everything in its power to deliver as seamless a solution as possible. The points below are its own summary of the key issues on which it has taken action:

  • Preserve EU GDPR standards in domestic law
  • Transitionally recognise all EEA countries (including EU Member States) and Gibraltar as ‘adequate’ to allow data flows from the UK to Europe to continue
  • Preserve the effect of existing EU adequacy decisions on a transitional basis
  • Recognise EU Standard Contractual Clauses (SCCs) in UK law and give the ICO the power to issue new clauses
  • Recognise Binding Corporate Rules (BCRs) authorised before Exit day
  • Maintain the extraterritorial scope of the UK data protection framework
  • Oblige non-UK controllers who are subject to the UK data protection framework to appoint representatives in the UK if they are processing UK data on a large scale.

Held to Ransom

The decision, however, may have little or nothing to do with adequacy and a great deal to do with political negotiation, or horse trading, in which the EU could use the GDPR decision as one lever to prevail on a range of other issues, such as French fishing in UK waters or Spain's claim to Gibraltar.

The UK Government's stated view is: "In recognition of the unprecedented degree of alignment between the UK and EU's data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU." However, it is the EU, not the UK, that holds the decision-making power over flows in the other direction.

USA/EU/Switzerland – Privacy Shield

As regards GDPR and the USA, the EU Commission determined, as at 18th December 2018, that the Adequacy Decision of 12th July 2016 continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the Union to organisations in the United States. 3,858 companies have registered under the Privacy Shield arrangement and therefore enjoy the free flow of personal data from the Union under GDPR. The Privacy Shield is an EU instrument, so when the UK leaves the EU it will not, of itself, cover transfers from the UK and only limited protection will exist. It is up to the ICO to settle the forward arrangements with the US as quickly as possible, presumably on terms similar to those existing between the EU and the US. For the time being, present arrangements remain in place.

Going Forward

In these circumstances (a crash-out exit or a delayed Adequacy Decision), companies would be prudent to take the steps necessary to ensure continued seamless operation. The requirements governing transfers to countries outside the GDPR's protection are set out in Articles 46 and 47. Article 46 provides for "appropriate safeguards", which include both Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs) adopted by the Commission; Article 47 sets out the requirements a BCR must meet to be approved. (Article 28 concerns the contract between a controller and its processor, for which standard clauses may also be adopted, but the transfer SCCs are an Article 46 safeguard, not an Article 28 one.) DCMS has advised that provision will be made so that SCCs can continue to be used to export personal data from the UK (see the DCMS summary above).

Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs) are quite different and are used for different corporate requirements.

BCRs are meant specifically for companies within the same corporate group, so that personal data can be transferred strictly between group members even where some of them are located outside the EEA, in third countries that do not offer data subjects an adequate level of protection.

SCCs are meant to be used by data controllers who want to export personal data to recipients in third countries (outside the EEA, and outside the countries recognised as offering adequate protection to EU-resident data subjects); the exporter and the recipient agree and sign the clauses without alteration.

Both mechanisms exist to give the supervisory authorities sufficient proof that adequate safeguards are in place. Neither displaces the exporter's other data protection obligations, which continue to apply in full; each is simply a recognised means of satisfying the transfer requirement. In either case the requirements and undertakings are extensive, and sufficient time and resources should be set aside to ensure effective implementation, and reporting and monitoring thereafter.