Brexit vs. data protection: What’s in store for the economy?
Brexit is here: As of January 1, 2021, the United Kingdom is no longer a member of the European Union. The exit agreement between London and Brussels is a fact. But there are still open points, for example, how the data protection of personal data is to be regulated in the future. The British efforts to dissociate themselves from the dependencies of European legislation also affect the GDPR.
Since no new regulation has yet been formulated, but all parties involved want to avoid an unregulated legal situation, a four-month transition period came into force at the beginning of the year. Until April 30, 2021, the partnership agreement guarantees all EU-based companies data security for personal data transferred to the UK for processing. At the end of the four-month period, it will be automatically extended for another two months, unless a party objects to this extension.
Brexit vs data protection: these are the possible scenarios
Scenario 1 – Business as usual: Everything goes well, the EU and the UK agree on the protection of personal data at a level in line with the GDPR. If the agreement is reached before the end of the automatic deadline extension, data transfer between the EU and the UK can continue seamlessly. Legal certainty for German companies would be guaranteed.
Scenario 2 – Absolute worst case: One party objects to the automatic deadline extension without previous agreement on the future data protection regulations. The result is an unregulated exit from the EU on April 30. In this case, personal data transfers across the English Channel could only take place on the basis of the third country regulation (see Chapter V of the GDPR), which contains particularly strict requirements. In an extreme case, German companies would have to have all future personal data transfers approved by their competent data protection officer. Either an adequacy decision would have to be in place (Art. 45 GDPR) or the data processor based in the UK would have to be able to demonstrate appropriate safeguards in order to continue processing personal data from the EU. Appropriate safeguards are understood to be any enforceable and effective remedies under Article 46 of the GDPR.
Brexit is complete and the British are going their own way as of now. We are still friends, but friendship alone does not guarantee long-term legal certainty. A promise is good as long as both parties feel committed to it and pursue similar goals. However, bilateral treaties are volatile and usually come with an expiration date. Far too often, they are misused as a pawn by political actors and do not last longer than a legislative period.
If you want to be on the safe side, use the remaining transition period to complete the move of your data to European servers.
This article was published in April 2019 and updated in January 2021.