The UK government has made it clear that it will try to reach an agreement to match the EU, but the process can only begin when the UK leaves the bloc. Robert Bond, partner of Bristows LLP and chairman of the DPN, adds: « British companies that are multinationals will be affected, as will pure British organisations that transfer personal data from the EU to the UK. However, multinational companies that have already approved binding business rules (BCRs) may not be affected, as a BCR focuses more on the group approach to managing personal data, including data transfers. Some multinationals have also entered into a framework agreement that contains standard EU contractual clauses and, in this regard, such an agreement could well survive Brexit, since the company, called a data exporter, was simply changing the UK to a data importer. But that would not be the case if the United Kingdom, as an exporter, had been signed on standard contractual clauses and on the basis of contracts. Under the agreement, a transitional period is in effect until 31 December 2020, during which current EU rules will continue to be applied by the UK and can begin negotiations on the way forward (the option to extend the transition period has been removed from the most recent version). After this transition period, if no agreement, agreement or trade agreement is reached between the UK and the EU, the UK will leave the country in a non-agreement scenario and become a `third country`. As the CSO has already pointed out, UK organisations and organisations that carry out UK activities that receive personal data from the EU must, in such a scenario, ensure that they have additional legal controls, such as standard contractual clauses or binding business rules, to ensure compliance with the RGPD. The RGPD and EU fines continue to be imposed on third countries when dealing with personal data of EU citizens. After years of turmoil, the UK finally seems to have an agreement defining how it will leave the European Union (EU).
Prime Minister Boris Johnson`s withdrawal deal shares many similarities to the withdrawal agreement put forward by his predecessor Theresa May, particularly with regard to data protection requirements. If the UK leaves the EU in March 2019 without a data protection and data transmission agreement, the UK government has stressed that there will be no immediate change to UK data protection standards. The reason is that the Data Protection Act would remain in force in 2018, and that the EU Withdrawal Act would include the RGPD in UK legislation to sit next to it. As far as Brexit is concerned, this means that the UK could use CSSs if a data transfer agreement is not formalised as part of a negotiated exit. If a negotiated exit does not contain a provision for data transfers or if a non-agreement scenario is achieved, the UK must wait an indeterminate period before reaching an adequacy agreement, creating an even greater need for mechanisms such as SCCs. However, the data protection shield, like its predecessor, the safe harbor agreement, was cancelled by the ECJ because the United States does not adequately protect personal data within the meaning of the RGPD. The development of the 2018 CCA was an important part of this commitment. As soon as the UK leaves the EU, it is granted `third country` status, a classification that requires countries to maintain strong data legislation offering protection equivalent to that of the EU.
This Sovin, called the Adequacy Agreement, aims to ensure that data belonging to people within the EU is protected when it is transferred to a country outside their jurisdiction. This mechanism remains valid for British companies that send data to the U.S. under the Privacy Shield agreement (and U.S. organizations that receive