We were worried this was going to happen. So much so that we flagged it in our October newsletter.
This is section 25 of the European Commission’s current draft contingency plan for a no-deal Brexit:
25. In the case of a no deal scenario, as of the withdrawal date, the transfer of personal data to the United Kingdom will become subject to the rules on international transfers in application of the General Data Protection Regulation (EU) 2016/679, Directive (EU) 2016/680 for the law enforcement sector and Regulation (EC) 45/2001 for the institutions and bodies of the European Union.
The General Data Protection Regulation, Directive 2016/680 and Regulation 45/2001 contain a broad toolbox for data transfers to third countries. This includes in particular the so-called ‘appropriate safeguards’ (e.g. the Commission’s approved Standard Contractual Clauses, Binding Corporate Rules, administrative arrangements) that can be used both by the private sector and public authorities.
In addition, the three legislative acts mentioned above contain a number of derogations for specific situations that allow data transfers even in the absence of appropriate safeguards, for instance if the data subject provides explicit consent, for the performance of a contract, for exercise of legal claims or for important reasons of public interest. These are the same tools that are used with most countries in the world for which no adequacy decision exists. In view of the options available under the legislative acts mentioned, the adoption of an adequacy decision is not part of the Commission’s contingency planning.
Full document here
In case you’re not fluent in Eurocrat-ese, the short version of this is that transfers of data to the UK in the event of a no-deal Brexit will require a great deal of additional paperwork. Most importantly, it will mean that most existing processing of EU citizen data by UK firms will need to be revisited, as it almost certainly doesn’t comply with the provisions for third-country transfers.
While it will by no means make it impossible for EU firms to outsource processing to the UK and use UK-based data-driven services, it will create a significant competitive disadvantage, particularly in more risk-averse sectors like those dealing with sensitive information. It’s also going to increase costs for UK companies seeking to offer services directly to EU consumers.
To give you an idea, we’ll be in the same category as Argentina, Armenia, Azerbaijan, Belarus, Burkina Faso, Cabo Verde, Georgia, Liechtenstein, Mauritius, Mexico, Moldova, Monaco, Morocco, Russia, San Marino, Senegal, Tunisia, Ukraine, and Vatican City.
That’s the list of signatories to Convention 108 who are not members of the EU and who don’t have an adequacy agreement.
This is not good.