On February 20, 2019, the French data protection authority (the “CNIL”) published a set of questions and answers (“FAQs”) indicating the CNIL’s recommendations, and steps that organizations should take, to prepare for a no-deal Brexit. The CNIL’s FAQs build upon guidance the European Data Protection Board (“EDPB”) provided in its Information Note on Data Transfers under the GDPR in the Event of a No-Deal Brexit.
As matters stand, the United Kingdom is due to leave the European Union at 00.00 am CET on March 30, 2019. No transition deal has been agreed upon, leaving the prospect of a “no-deal Brexit” looming. The CNIL’s FAQs stress the need for organizations to implement data transfer mechanisms that are effective as of March 30, 2019, if they wish to continue transferring personal data from the European Economic Area (“EEA”) to the UK from that date. The FAQs also point out that, in the absence of adequate safeguards (e.g., standard contractual clauses and binding corporate rules) that could legitimize the data transfer, such a transfer could take place – by way of exception – on the basis of the derogations provided in Article 49 of the GDPR.
In addition to the CNIL’s FAQs and the EDPB’s Information Note, organizations should review the UK Information Commissioner’s Office’s guidance, on which we previously reported, regarding the consequences of a no-deal Brexit and the steps organizations should take to prepare.