Information law analysis: Adam Rose, partner and head of data protection group, and Nina O'Sullivan, legal director at Mishcon de Reya LLP discuss personal data transfers between the UK and European Economic Area (EEA) post-Brexit.
What is the impact of Brexit on controller to processor data processing clauses involving transfers of personal data between the UK and EEA, and why is this an issue?
The UK is due to leave the EU on 30 March 2019, at which point it will become a third country, as any country other than the EU and European Free Trade Association EFTA-EEA Member States is classified as a ‘third country’.
The General Data Protection Regulation (EU) 2016/679 (GDPR) will apply across the EU from 25 May 2018 and (once duly incorporated into the European Economic Area Agreement and in force) across the EEA. Businesses established in the UK (and not elsewhere) will still, however, be required to comply with GDPR post-Brexit. The GDPR has extra-territorial effect outside the EEA/EU, such as processing of personal data of data subjects who are in the EU or EEA if they are offering goods or services to data subjects in the EEA/EU or monitoring their behaviour in the EEA/EU.
Read the full article here.