Brexit and Data Protection: Secure Your Data Transfers!
Transition period will not be extended
The transitional period for the UK's withdrawal from the European Union is not extended and thus ends on 31 December 2020. No use has been made of the consensual extension of the transitional period that is possible under the withdrawal agreement. We assume that there will also be no or only a very limited free trade agreement by 31 December 2020 - this would thus result in a "No Deal Brexit".
Both European and British companies in all sectors and of all sizes will be faced with major challenges. In the area of data protection law, companies must quickly take precautions to ensure that data transfers between the EU and the UK remain possible even after the end of the transition phase starting 1 January 2021.
The British view on data transfer
On 31 December 2020, EU law (with some exceptions) will be fully incorporated into UK national law. This also applies to the GDPR, which will be incorporated verbatim into national law ("UK-GDPR"), excluding certain articles on cooperation with other European authorities and adapting to the British situation. Hence, for the time being, no changes in the content of data protection law are evident.
The EU view on data transfer
However, as of 31 December 2020, Great Britain is to be treated as a third country from a European perspective. After that date, personal data may only be transferred to Great Britain if an adequate level of data protection is ensured for the transfer, as set out in Articles 44 et seq. GDPR. In principle, the parties involved are seeking an "adequacy decision" which would in principle permit data transfers from the EU to the United Kingdom in accordance with Article 45 GDPR. However, the wording of such an adequacy decision before the end of the transitional phase is by no means certain. For one thing, other countries (e.g. South Korea) have been lining up for a long time, and they would be highly dissatisfied with the UK's preference in terms of timing. On the other hand, despite an almost identical legal situation as regards data protection, there is a realistic possibility that a decision on adequacy will not be taken (at least not for the time being). The far-reaching surveillance laws - in particular the British Investigatory Powers Act 2016 - and the considerable powers of the secret services in the UK give rise to considerable concerns about the adequacy decision.
Need for action: Securing data transfer and making necessary adjustments
For this reason, controllers responsible within the EU should prepare for the Brexit without a quick decision on adequacy. Rather, they should ensure that data transfers only take place with appropriate guarantees. Should no adequacy decision have been reached by the end of the year, it is recommended to conclude the standard contractual clauses published by the EU Commission with data recipients in the UK for data transfers via the channel.
In addition, there is a need for further adjustment both in terms of documentation requirements (e.g. updating the data protection statement and the list of processing activities) and internal organisational issues (e.g. double reporting of data protection incidents, insofar as European and UK data subjects are affected).
Controllers responsible should address the implementation of these measures as soon as possible, with a view to implementing them before the turn of the year. As of the beginning of next year, supervisory measures are imminent.
Dr Axel von Walter
Lawyer, Licensed Specialist for Copyright and Media Law, Licensed Specialist for Information Technology Law