Brexit: possible consequences on data protection

On June 24th 2016, the United Kingdom voted for its withdrawal from the European Union (EU).

Under article 50 of the Lisbon Treaty, the United Kingdom (UK) will have to serve notice of its intention to exit the EU to the European Commission. The UK will then have a two-year period to negotiate its exit with the European Commission. At the end of this transition and negotiation period, the UK will no longer be subject to the European treaties.

Beyond the political and economic uncertainties of such an event, the UK's exit raises numerous legal questions, including questions regarding data protection.

In the UK, the current data protection regulation results from the Data Protection Act adopted in 1998 pursuant to the 1995 directive 95/46/CE. This directive is intended to be replaced by the regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation - GDPR) that will come into force on May 25th 2018.

In all likelihood, the GDPR will apply to the UK, if only for a short period of time, until its effective withdrawal from the EU, unless the negotiation period for the UK's exit ends before the GDPR enters into force.

As of the date of its effective exit, what will then be the regulation applicable to the transfer of personal data between the UK and EU member states? The answer to this question will essentially depend on the form of cooperation that will be established between the EU and the UK.

The UK could become a member of the European Free Trade Association (EFTA) like Norway, Iceland or Liechtenstein. In this case, the UK would be part of the European Economic Area (EEA). The UK would then benefit from free trade agreements and would be part of the European single market. However, the UK would have to apply certain European regulations and legal provisions such as the GDPR. Currently, members of the EFTA have all implemented the provisions of the directive related to data protection in their local laws and will have to comply with the GDPR once it enters into force. Should this solution be adopted, the UK would have to amend its data protection legislation to comply with the GDPR.

The UK could also be recognized by the European Commission as a state offering an adequate level of protection, as is currently the case for Switzerland pursuant to a specific bilateral economic agreement and for other states such as Andorra, Argentina, Australia, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey and Uruguay.

Finally, the UK could negotiate a specific agreement with the European Commission regarding the transfer of personal data, similar to the Privacy Shield negotiated with the US. Nevertheless, this solution presents some risks as well as legal uncertainty, as the US found out when the Safe Harbor was invalidated in October 2015.

Alternatively, except in case of legal exceptions to the principle of transfer, companies will have to apply Binding Corporate Rules (BCR) previously approved by the competent data protection authority (the CNIL in France) or will have to use the standard contractual clauses set by the European Commission.

Behring – Anne-Solène Gay – Juris Initiative – GDPR – Brexit – data protection – EEA – EFTA – BCR – Standard contractual clauses – Adequate level of protection – Privacy Shield – Safe Harbor – Data Protection Act – Directive 95/46/CE – Regulation 2016/679







