On 29 March 2019, MPs in the UK rejected the government’s Withdrawal Agreement with a vote of 344 to 286, a margin of 58. This means the UK has missed an EU deadline to delay Brexit to 22 May and faces a new deadline of 12 April to come up with a way forward or leave without a deal. The EU is planning an emergency summit on 10 April to discuss its next move.
So what does this mean for data privacy? If the UK were to leave the EU today i.e. with no deal, all EU laws within the UK will cease to apply in the UK and the UK will become effectively a third country under the GDPR. For further information, please see Section II (Withdrawal Agreement not ratified by the Exit Date – Implications on Data flows from the EEA to the U.K.) of the International Data Transfers in the Limbo of Brexit. As can be seen in International Data Transfers in the Limbo of Brexit alert, the fundamental impact Brexit will have, from a data privacy perspective, is in relation to transfers of personal data from a country in the EU to the UK. To combat this impact, additional measures will be necessary in order to lawfully transfer the personal data.
While the outcome of Brexit is still unknown, even with the date so close, it is essential that organisations transferring personal data prepare themselves for the possibility of the UK leaving the EU without a deal. That means identifying the processing of data which will be affected, determining the appropriate safeguard needed to lawfully transfer the personal data and implementing said safeguard. Should the UK find itself on 12 April to be leaving the EU with a Withdrawal Agreement in place (and therefore the transfer safeguards may not be necessary), we do not believe this preparatory work will have been a waste of time or resource as the risk of leaving the EU without these measures in place can be said to be higher.