Imagine the following scenario: for any agent based in the European Union (EU), whether public or private, there is a ban on transferring personal data to the United Kingdom, except when there is an instrument of contractual regulation between the parties, i.e. when a derogation from the aforementioned and necessary regulatory instrument applies.
This scenario would constitute an obstacle from a regulatory, economic, commercial and political point of view, and from the point of view of guaranteeing the national security of the Member States. In addition, it would be virtually unworkable for stakeholders covered by the legal regime applicable to the processing of personal data in the EU.
The Brexit Agreement between the UK and the EU is a true antithesis of the above scenario, so it represents not only a historic milestone for this supra-state organization, but also a fundamental result for the political and commercial stability of the Old Continent.
Indeed, among the matters foreseen in the Agreement is the regulation of international transfers of personal data from the EU to the United Kingdom. In fact, Data Protection, as a fundamental right provided for in the Charter of Fundamental Rights of the European Union, is one of the points worthy of regulation.
The importance and regulatory complexity inherent to Data Protection is based, from the outset, on the need to exchange information with the United Kingdom for the purposes of security and prevention of criminal threats and on the obligation to comply with the EU's legal system regarding the processing of personal data.
In this context, it was essential to regulate the international transfer of personal data in the Agreement, which provides for the free movement of such data from the EU (and the EEA) to the United Kingdom for six months, until adequacy decisions are taken.
Without this transitional rule, we would be facing a putative scenario of non-compliance with the rules applicable to the transfer of personal data to the United Kingdom, since it would be virtually impossible for all stakeholders obliged to comply with the legal regime on data protection to apply the necessary legal mechanisms, other than transfer by means of a European Commission adequacy decision (non-existent to date) or the application of legally provided derogations.
That is, it would be virtually impossible for such stakeholders to develop and apply standard contractual clauses or binding rules applicable to companies (Binding Corporate Rules) to transfers of personal data to the United Kingdom. The reason for this statement lies, on the one hand, in the limited set of professionals qualified to draw up such standard contractual clauses and, on the other, in the limited resources of the control and supervisory authorities to approve binding rules applicable to companies.
It follows, therefore, that the transitional regime provides the necessary legal certainty for all stakeholders, allowing companies and public bodies in all sectors to continue to freely receive personal data from the EU (and the EEA), including competent authorities for the purpose of preventing, investigating, detecting or prosecuting criminal offenses or carrying out criminal sanctions.
Additionally, the transience and drafting of the rule announce the regulatory horizon, since the Agreement anticipates that the necessary adequacy decisions allowing a free flow of data will exist. In short, these are decisions that will qualify the United Kingdom as a territory that respects the guarantees of an adequate level of protection essentially equivalent to that guaranteed in the Union in terms of Data Protection. We anticipate that this scenario will occur, since the UK has a legal framework similar to that of the EU in the field of Data Protection.
As with the Brexit Agreement, the regulation of the processing of personal data, although transitory, constitutes a platform of fair and balanced understanding for what we hope will be the final solution to this regulatory problem.