25.11.2020
Brexit will change Europe - not only in terms of trade in goods, but also in terms of data exchange. Transferring data within the EU is simple, but transferring data to countries outside the EU (which, from a data protection perspective, will in future include the UK) is only possible under certain conditions.
According to the 2020 European Strategy for Data, data is an essential resource for economic growth. The EU estimates that the data economy in 2025 will be worth 829 billion euros in the EU alone. As far as personal data is concerned, the provisions of the EU General Data Protection Regulation (EU GDPR) must be observed. Within the EU, these provide a high level of protection for the handling of data and are enforced, in particular, by means of heavy fines.
The EU GDPR would like its standard of protection to apply even when data is transferred abroad. Data controllers should not be able to evade their obligations by transferring data abroad. The EU GDPR therefore regulates transfers to so-called third countries, i.e. countries outside the EU. The key requirement here is that the level of protection of the EU GDPR is not undermined. This can be assumed in two cases, namely where an adequacy decision of the European Commission exists for the third country concerned or where appropriate safeguards ensure an adequate level of protection for the data processing.
If an adequacy decision existed, personal data could easily be transferred to the UK. However, at present, no such decision has been taken. It formed part of the negotiations during the transition phase, which have not been successful so far. The possibility of a decision to this effect being adopted in the future cannot be ruled out, but this is unlikely to happen before the end of the transitional period.
Appropriate safeguards are instruments of data transfer. Apart from certain narrowly defined exceptions, their implementation is indispensable for data export in compliance with the EU GDPR. These include:
The appropriate safeguards will mean, in particular, organisational obligations for entrepreneurs, such as amending contracts with their UK partners. However, this is not all; following a judgment of the Court of Justice of the European Union (CJEU) of July 2020, further obligations exist. The supervisory authorities have already announced that compliance with these obligations will be a future focus of their activities. Accordingly, data exporters must also check whether an adequate level of protection exists in the country of destination before each data transfer, and if necessary, take additional measures.
Entrepreneurs are thus faced with the challenge of having to examine the legal situation in the UK with regard to data protection in addition to implementing a suitable data transfer instrument. In the first instance, they should contact their UK counterparts and request information. In addition, the fact that the UK has incorporated the provisions of the EU GDPR into national law is also likely to be relevant. Although it does not therefore continue to apply directly, it continues to have effect, although the British legislator may amend the regulations at any time. Furthermore, whether and to what extent public authorities have access to data must also be considered; the existing powers in the U.S. were the reason for the CJEU judgment.
Entrepreneurs should prepare themselves for the coming legal situation. There is the risk of fines being imposed from the beginning of the new year at the latest. The supervisory authorities recommend five steps to avoid this:
EU GDPR compliance requires German and British companies to make considerable adjustments. The associated costs are estimated at approximately 1.8 billion euros. For the time being, British companies wishing to transfer data to Germany do not need to take any further steps in view of Brexit; however, they are faced with the legal uncertainty of future changes in the law. In view of the importance of economic relations between Germany and the United Kingdom, an adequacy decision would be welcome.
Dr Michael Rath
Partner
Cologne
michael.rath@luther-lawfirm.com
+49 221 9937 25795