The UK government has warned UK firms to assume that their trading partners in the rest of the EEA will be unable to send them any personal data from 29 March 2019, unless they enter into formal written agreements generally required for sending data to non-EEA countries or some other basis for transfer listed below.
While the EU might eventually decide to allow the free flow of personal data from the EEA to the UK, if satisfied that the UK's level of personal data protection is equivalent to EU's, the process for reaching an "adequacy decision" cannot begin until after Brexit.
In these circumstances, it's likely that trading partners will be waiting on UK firms to do the necessary work. So the UK government recommends that UK firms should be proactive in making contact on this issue. Of course, EEA firms who are themselves dependent on reaching new arrangements might not wish to wait!
It follows that any revised personal data sharing agreements would need to be under the law of an EEA member state, rather than the UK. As explained elsewhere, switching from English to Irish law and courts is an easy choice to make.
The alternatives to having the explicit consent of each individual whose personal data is to be transferred (or perhaps relying on one of the processing rights under the General Data Protection Regulation), are:
- A legally binding and enforceable instrument between public authorities or bodies;
- Binding corporate rules;
- Standard model data protection clauses adopted by the Commission;
- Standard data protection clauses adopted by an EEA supervisory authority and approved by the Commission;
- An code of conduct approved by an EEA supervisory authority, together with binding and enforceable commitments of the receiver outside the EEA;
- Certification under an approved EEA certification mechanism together with binding and enforceable commitments of the receiver outside the EEA;
- Contractual clauses authorised by an EEA supervisory authority
- Administrative arrangements between public authorities or bodies which include enforceable and effective rights for the individuals whose personal data is transferred, and which have been authorised by an EEA supervisory authority.
Please note that the UK government has said in its 'no deal preparation notice' that it proposes to allow the free flow of personal data from the UK to the EU27, but does not mention Norway, Liechtenstein or Iceland in relation to that proposal.
The UK government has warned UK firms to assume that their trading partners in the rest of the EEA will be unable to send them any personal data from 29 March 2019