Brexit is drawing closer. Companies should take action to ensure that compliance with data protection rules is guaranteed with the end of the transitional phase.
We recommend the following 7 to-dos (explained in more detail below):
The withdrawal agreement between the United Kingdom and the European Union provides for a transition period until 31 December 2020. After the end of this transition period, the United Kingdom becomes a third country in terms of data protection law. Under Art. 44 et seq. GDPR, data transfers to third countries are only permitted under certain additional conditions. It depends in particular on whether an adequate level of data protection is guaranteed in the third country.
The EU Commission may, for example, determine by way of an adequacy decision that an adequate level of protection exists in the third country. This has so far been done for Japan, Israel, partially for Canada and some other countries. The EU Commission is currently evaluating the level of data protection in the UK and whether an adequacy decision can be issued. At this stage, however, it is not possible to make any clear predictions as to whether and when an adequacy decision will be issued for the United Kingdom. There are indicators, however, that speak against a short-term adequacy decision in any case. For example, there is extensive data sharing between the US and the UK as part of the Five Eyes intelligence alliance. A decision of the ECJ (ruling dated 6.10.2020, C 623/17) also raises doubts about the level of data protection in the UK. The ECJ has ruled that the unwarranted storage and sharing of connection data for preventive purposes, as required by UK surveillance laws, is unlawful.
In the absence of an adequacy decision, alternative safeguards must be applied to guarantee an adequate level of data protection. Suitable safeguards include primarily standard data protection clauses, as well as Binding Corporate Rules, approved codes of conduct, approved certification mechanisms and individually negotiated contractual clauses. We assume that in most cases standard data protection clauses are suitable as a justification instrument. Please note, however, that in certain cases, such as transfers to a dependent branch in the UK, standard data protection clauses cannot be concluded.
The ECJ has already established in its Schrems II ruling that, in view of the considerable access powers of the security authorities in the USA, standard data protection clauses alone, without further safeguards, are generally not sufficient to ensure an adequate level of data protection. It is not inconceivable that this applies to a similar extent to the United Kingdom.
We recommend seven concrete to-dos to check whether and to what extent you need to take action. Regardless of Brexit, carry out these audit steps as a matter of course for all third-country processing operations; this follows from the Schrems II case law.
The to-dos are as follows:
At this point in time, the legal situation has not yet been clarified in many respects. In contrast to the USA after Schrems II, there is no ECJ ruling that makes comparably detailed and critical statements on the level of data protection in the UK. This also means that EU companies have more leeway in their argumentation. Potential data protection risks are significantly reduced by following the audit steps described above. However, do not underestimate the amount of time involved: the proposed solution requires significant resources, both from EU companies and from their internal or external advisors.
We would therefore like to provide you with other possible solutions that involve significantly less effort, but probably also entail somewhat higher data protection risks. Excluding all data protection risks related to Brexit would require stopping all UK-related data processing. Naturally, we do not consider this to be a pragmatic approach.
As an alternative pragmatic approach, we suggest that you at least conclude standard data protection clauses with your UK contractual partners without the further audit steps. This option would save a lot of time. However, should a data protection supervisory authority undertake an audit and determine that an adequate level of data protection is not given for the relevant data processing in the UK, we anticipate a risk of regulatory sanctions despite concluding the standard data protection clauses. Of course, it is entirely questionable whether authorities would actually initiate investigations on their own initiative in the first few months after the end of the transitional phase.
You could also wait and speculate that an adequacy decision is likely in the near future. However, this approach would result in even greater data protection risks. Without an adequacy decision or the conclusion of standard data protection clauses, the corresponding processing operations clearly qualify as unlawful due to the lack of a justification mechanism within the meaning of Art. 44 et seq. GDPR. Should an authority become aware of this, sanctions could follow.
Do you have questions about the trials and tribulations of Brexit? We would be pleased to assist you!
secjur GmbH is a modern and fast-growing legal tech company. Our four locations in Regensburg, Düsseldorf, Berlin and Hamburg have teams of lawyers, business economists and IT specialists working on holistic solutions for data protection and data security.