Earlier this month the European Commission's Directorate-General for Justice and Consumers (DGJUST) published its " Notice to Stakeholders: withdrawal of the United Kingdom from the Union and EU rules in the field of data protection". The notice should come as no surprise as it simply reiterates the applicability of the general European Union data protection law regime that restricts data transfers outside of the EU unless adequate safeguards are in place or the third country guarantees an adequate level of protection.
While the UK has indicated that it wishes to remain closely aligned with EU Data Protection law (it will, after all, at the point of withdrawal have implemented the General Data Protection Regulation ("GDPR")), the outcome of the Article 50 negotiation process and whether the terms of any withdrawal agreement will address data transfers between the UK and the remaining 27 EU member states) is uncertain. In those circumstances, the notice serves as a valuable reminder of the legal implications of Brexit on the ways organisations and businesses process personal data and to consider implementing one of the mechanisms available to them for the purposes of personal data flows to third countries.
The Border Cow and Data Transfers
The importance of EU-UK cross border data flows cannot be underestimated. Much like milk from the proverbial Irish border cow grazing in the south, that is processed in the north, only to end up on supermarket shelves south of the border, the flow of personal data between the EU and the UK is a complex web of transfers back and forth that is deeply engrained in the operations of many businesses and organisation that cannot be entangled at a moment's notice. According to the Frontier Economics independent report "The UK Digital Sectors after Brexit", three quarters of the UK's data transfers are with EU countries. Some of the world's largest technology companies such as Amazon, Microsoft and IBM, rely on data centres in the UK.
With an ever-increasing use of cloud storage and SaaS based applications, the day-to-day operations of many businesses and organisations rely on the free movement of data between the UK and the rest of the EU. For processors, data processing contracts will generally prohibit data transfers outside the European Economic Area ("EEA") with some data controllers (such as public bodies) restricting data transfers to within the EU. Given the broad legal definition of "transfer" (which...