The European Commission confirmed that the UK will be considered a 'third country' from the point that Brexit takes effect for the purposes of data transfers.
Unless EU and UK officials agree on transitional arrangements in the interim, businesses will no longer be able to automatically transfer personal data to the UK from 30 March 2019 and be sure that those arrangements comply with EU data protection laws, according to the note.
"Subject to any transitional arrangement that may be contained in a possible withdrawal agreement, as of the withdrawal date, the EU rules for transfer of personal data to third countries apply," the Commission said in its notice to stakeholders.
One way in which personal data could continue to flow freely between the EU and UK post-Brexit is if the European Commission designates the UK's data protection framework as providing for adequate protection of personal data. To issue a so-called 'adequacy decision', the Commission would have to be satisfied that the UK's data protection standards are essentially equivalent to those that apply within the EU.
In its note, the Commission said that, alternatively, businesses will be able to transfer personal data between the EU and UK post-Brexit if "adequate safeguards" are in place for those arrangements. It set out the type of mechanisms for data transfers that businesses might rely on under the forthcoming General Data Protection Regulation (GDPR), which will apply from 25 May this year.
"These safeguards may be provided for by: standard data protection clauses: the Commission has adopted three sets of model clauses which are available on the Commission’s website; binding corporate rules: legally binding data protection rules approved by the competent data protection authority which apply within a corporate group; approved codes of conduct together with binding and enforceable commitments of the controller or processor in the third country; approved certification mechanisms together with binding and enforceable commitments of the controller or processor in the third country," the Commission said.
Other legal conditions for transferring personal data from the EU to third countries could also underpin such transfers post-Brexit, it said.
"In the absence of an 'adequacy decision' or of 'appropriate safeguards' a transfer or a set of transfers may take place on the basis of so-called 'derogations': they allow transfers in specific cases, such as based on consent, for the performance of a contract, for the exercise of legal claims or for important reasons of public interest," the Commission said.