How will Brexit affect or help England?

How Brexit will affect data protection

The agreement between the European Union and the United Kingdom was a kind of Christmas miracle: it was concluded on December 24, 2020, a few days before the deadline on December 31. The trade agreement made it possible to avoid a hard Brexit at the last minute. Across 1,246 pages, the agreement covers not only the movement of goods but also areas such as air and road transport and social security, and it also regulates data protection.

If there had been no rules for exporting data across the English Channel, Great Britain would have become a so-called third country overnight. The transmission of personal data would then only have been possible under very strict conditions. The restrictions would have had a catastrophic impact on data traffic.

According to a study by the industry associations Digitaleurope and techUK, six out of ten European companies transfer data to the United Kingdom. They now have a short window in which to settle how personal data will be handled in future. If they fail to do this, a lot is at stake, not only for businesses but also for EU citizens.

Six-month deadline

According to the EU Commission, the aim of the Brexit Treaty is "to facilitate digital trade by removing unjustified obstacles. At the same time, it is intended to guarantee high standards for the protection of personal data".

The agreement stipulates that the UK will not be classified as an unsafe third country for a transitional period. The prerequisite is that the British adhere to their national data protection regulations based on the GDPR for this period. A deviation would only be permitted with the consent of the EU.

Data traffic can therefore continue to flow unchanged until the end of April. This transition period can then be extended by another two months. The EU Commission must agree a so-called adequacy decision with the United Kingdom by the end of June at the latest. The negotiations on this should begin immediately.

Controversial special regulation

However, well-known British law professors are of the opinion that EU law does not allow special arrangements such as the one in the Brexit Treaty. In addition, they say the agreement contradicts the GDPR, which regulates data exports outside the EU. The United Kingdom formally left the EU on January 1, 2021 and is no longer a member state. Against this, it is argued, for example, that the agreement is an international treaty that takes precedence over EU law.

The conference of the local data protection supervisory authorities apparently has no problem with the agreed special arrangement. In a press release at the end of December, it expressly welcomed the "preliminary legal certainty for data transfers to the United Kingdom". The agreement would prevent the "previously feared serious legal uncertainties". The British data protection authority ICO praised the contract as "the best possible regulation for UK organizations that process personal data from the EU".

Safe third countries

When the deadline set by the agreement expires at the end of June, two scenarios are possible. Either the two parties, who have so far been very divided, agree on the adequacy decision, or, if there is no agreement, the hard data protection Brexit follows with a delay.

Essentially, data protection law in this country divides the world into three areas. The transfer of personal information within the EU, where the GDPR applies uniformly, is legally unproblematic. The second category comprises safe third countries, to which transfers are possible and permitted without restriction. "Safe" states are those for which the European Commission has confirmed a level of data protection that corresponds to European requirements. These currently include, for example, Argentina, Canada (commercial organizations only), Israel, New Zealand, Switzerland and, for some time now, Japan.

The United Kingdom could also be classified in this second category from summer 2021. According to the responsible EU Commission, the relevant negotiations have already been underway for a few months. However, experts doubt that the necessary agreement can be reached in such a short period of time. The negotiations with Japan lasted much longer.

In terms of content, there are also doubts that a level of data protection comparable to that in the EU can actually be assumed in the UK. Above all, the strong role played by the secret services is viewed critically. These are closely networked with the American services and are also part of the "Five Eyes" community. In addition to the USA and Great Britain, Australia, Canada and New Zealand also belong to this elite group of surveillance-friendly states. At least in the case of the last two countries mentioned, this did not stand in the way of recognition as a safe third country.

Unsafe third countries

All other countries are classified as unsafe third countries whose national law does not guarantee adequate protection of the data of European citizens. If no agreement is reached by the end of June, Great Britain would also fall into this category, which already includes China, India, Russia and the USA. Passing on information to these countries is not strictly prohibited. However, there are some legal hurdles that need to be cleared before the first transfer.

The strict regulations of Art. 44 ff. GDPR apply to such states. The conclusion of so-called standard data protection clauses (standard contractual clauses, SCCs) is particularly relevant in practice. These are contractual clauses formulated by the EU Commission that are concluded between the company exporting the data and the recipient in the third country.

The idea behind this is that those involved undertake in writing to uphold the EU's high data protection standards. These clauses regulate, for example, the obligations of those involved, liability or participation in arbitration proceedings. In practice, it is important that the template wording is adopted unchanged. However, the EU Commission is currently working on reformulating the clauses, which will probably be ready in early 2021.

In addition, according to the case law of the ECJ, additional technical and organizational protective measures must usually be taken, in particular to protect EU citizens from overly casual access by foreign secret services. These protective measures include, for example, the anonymization and encryption of data.

A data transfer to a third country can also be legitimized by the consent of the respective data subject. The requirements for that consent to be voluntary must be observed. Another difficulty in practice is the requirement that the data subject must be explicitly informed about the planned processing of his data before giving his consent, and that his consent can be revoked at any time. In this case, the information about him must be deleted immediately.

Prepare for an emergency

IT companies are well advised to take the impending dangers seriously and to use the delay to prepare thoroughly for the possible "data protection Brexit". This means first of all analyzing their own dependency on UK companies and looking for possible alternatives.

For important and indispensable partners, for example in the field of IT, human resources or finance, it is advisable to plan in good time for a scenario without an adequacy decision. For this purpose, standard data protection clauses in particular will be the means of choice. Those who have this prepared by the end of June can switch over quickly in the middle of the year if the emergency arises. This also includes defining and preparing additional technical and organizational measures to protect EU citizens' data.