If the UK leaves the EU in a “No-Deal Brexit”, the UK will drop to “3rd country status” with no adequacy decision awarded.
Under the GDPR, personal data can only be transferred to third countries in compliance with the conditions for cross-border data transfers set out in Chapter V (Articles 44 to 50, GDPR).
Appropriate safeguards are required to enable transfers of personal data from the EU and EEA member states. These safeguards relate to what is known as an adequacy decision. An adequacy decision permits a cross-border data transfer outside the EU, or onward transfer from or to a party outside the EU, without further authorisation from a national supervisory authority (Article 45(1), GDPR).
Some 3rd countries, in the eyes of the EU, have been awarded an adequacy decision that permits cross-border data transfer outside of the UK or onward data transfer from a party outside the EU without any further authorisation from a national supervisory body (Article 45(1), GDPR). (For example, Ireland, an EU member state, has a data supervisory body known as the Data Protection Commission.)
Currently, 11 countries have been awarded an adequacy decision, which took a considerable amount of time to achieve. Examples include Norway, Iceland, Israel and, more recently, Japan. The UK will just be starting this process, which in the case of a “No-Deal Brexit” can only start after the UK’s departure. Once the UK becomes a third country, the procedure takes 28 months on average, and an adequacy decision can be revoked at any time. In data protection terms, an “inadequate” “third country” is, for example, Egypt or Nigeria. Therefore, the UK will be grouped with these 3rd countries.
GDPR is still of vital importance to 3rd countries as GDPR does not only apply to EU companies but also to all non-EU companies (including post-Brexit UK companies) that wish to trade with the EU. However, they lose the benefits the GDPR offers to EU companies.
Under the GDPR (Art. 3(1) GDPR), UK organisations will no longer be located within the EU, although they will still be subject to GDPR in most of their data operations.
This is the case when the UK organisation (1) offers goods or services to individuals located in the EU in a “targeted” way, or (2) “monitors the behaviour” of EU individuals (Article 3(2) GDPR). A primary example of this would be any online transaction with an individual from the EU.
After a “No-Deal Brexit”, any UK company that falls within any of the points below is required to be fully GDPR compliant, as specified by the EU.
(1) Targeted Way
Below are some of the factors that would suggest that goods or services are “targeted” to the EU / EU member state and also at EU individuals:
-The EU / EU member state is stated by name regarding the goods or service offered
-Search engine advertisement / social media advertisement targeted at consumers / audience in the EU
-The international nature of the activity, such as certain tourist activities, for example the use of an app by a tourist within the EU
-Dedicated contact details provided to be reached from an EU country
-Use by a controller / processor established within a third country of top-level domain names specific to an EU member state, such as .de (Germany) and .fr (France), or .eu (EU in general)
-Travel instructions from one or more EU Member States to the place where the service is provided
-The mention of an international clientele composed of customers domiciled in various EU member states, in particular by presentation of accounts written by such customers
-Third-country use of a language or a currency of an EU member state
-The data controller offers the delivery of goods in EU Member States
(2) Monitor the Behaviour
The GDPR must also be applied if the third country “monitors the behaviour” of individuals located in the EU, particularly if the individuals can access websites or apps that implement:
-Behavioural advertising - Facebook ads retargeting / Google Ads remarketing
-Geo-localisation tracking, in particular for marketing purposes
-Offering personalised diet and health analytics services online
-Access by a non-EU-based entity to CCTV images that are captured in the EU
-Market surveys and other behavioural studies based on individual profiles
-Monitoring or regular reporting on an individual’s health status