GDPR and Brexit

By | Tuesday July 5th, 2016

Once the result of the Brexit referendum is put into concrete action, Great Britain will be subject to Chapter V of the Regulation, which defines the rules for data transfers outside the EU.

According to point 1 of Article 45, “A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.” That is, in the absence of other agreements, a Commission decision will be required to assess the adequacy of the level of protection in the UK.

On the other hand, the Regulation is currently in force in the UK, like many other EU measures, and it will remain in force until the UK is formally out of the EU. When this happens, the fate of Regulation 2016/679 will depend on the results of the negotiations held between the parties in the meantime. That is, it will depend on what the UK decides about the vast body of EU directives and regulations deriving from its European past in a variety of sectors, among which is Data Protection.

At this point, it is useful to underline that the very beginning of the Regulation reads as follows: “REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)”.

Using Google and Wikipedia, the meaning of EEA is easy to discover: “The European Economic Area (EEA) is the area in which the Agreement on the EEA provides for the free movement of persons, goods, services and capital within the internal market of the European Union (EU). The EEA was established on 1 January 1994 upon entry into force of the EEA Agreement. … Membership has grown to 31 states as of 2016: 28 EU member states, as well as three of the four member states of the EFTA (Iceland, Liechtenstein and Norway).”

So, there are some European states outside the EU that have a specific integration regime with the EU: for these states the Regulation applies as if they were EU members, and they therefore fall outside the provisions of Chapter V mentioned above.

This is one of the possible paths for future relations between the UK and the EU. In such a case, the only aspect that will change is the status of the UK when participating in the preparation and management of Regulations and Directives.

Certainly, the period between now and the point at which these aspects are completely defined will be marked by some uncertainty for those who, for instance, have invested in UK-based infrastructure to supply cloud or e-commerce services to the EU.


About Sergio Fumagalli

Vice President of Zeropiu Spa, a system integrator specialized in digital identity and data security with operations in Italy and in the Nordics. After serving as an MP in the Italian Parliament, I started a professional collaboration with the Italian Data Protection Authority and a professional activity on these topics. Co-author of “Privacy guida agli adempimenti”, IPSOA, 2004, 2005, a book on compliance with Italian law. Since 2008, member of the Oracle Community for Security - http://c4s.clusit.it/views/Homepage.html - and since 2014 member of the board of Clusit, a leading association on IT security in Italy. Between 2004 and 2012, member of the board of Webank Spa, the online bank of the Banca Popolare di Milano group.
