Data protection consequences of the United Kingdom’s withdrawal from the EU
In addition to enormous economic consequences, the withdrawal of the United Kingdom will in particular have data protection consequences.
If no political solution can be found by then, the so-called “Brexit” will become legally binding on the 29th March 2019 at 11:00 p.m. British time. As a non-member of the European Union and the European Economic Area, the United Kingdom will thus become a so-called “third country” within the meaning of Art. 44 of the General Data Protection Regulation (GDPR). Companies from the EU and the United Kingdom need to prepare for this “worst case scenario” now at the latest.
Impact on EU companies
From a data protection perspective, EU companies have to deal with the consequences of Brexit in so far as they transfer personal data of customers or employees to processors, group companies or third parties based in the United Kingdom. A huge number of providers processing personal data, in particular in the IT sector, are based in the United Kingdom.
As indicated above, the United Kingdom is likely to be classified as a so-called third country within the meaning of the GDPR from 30th March 2019, whether or not the requirements of the GDPR continue to apply there during a transitional period. In accordance with Art. 44 GDPR, the transfer of data to third countries is permitted only in compliance with the European level of data protection. While this compliance is presumed for EU member states and the European Economic Area, it must be positively established for third countries. This can be done by an adequacy decision of the EU Commission pursuant to Art. 45 (1) GDPR certifying that the respective state ensures a level of data protection that is in principle equivalent to that in Europe. If the Commission does not take this step, companies have to justify their transfer of personal data to the United Kingdom in other ways. This would be possible under the tight conditions of Art. 46 (1) GDPR, according to which the so-called “EU Standard Contractual Clauses” or “Binding Corporate Rules” would be worth considering first and foremost. Existing legal instruments regulating the transfer of personal data (data processing agreements or agreements pursuant to Art. 26 GDPR) need to be supplemented or replaced. Furthermore, the adaptation of data protection information texts is one of the mandatory tasks. Companies must inform their customers in a transparent way about data transfers to third countries; in case of a “no deal” Brexit, also about transfers to the United Kingdom. There is also a need for action regarding any new consent that may be required, information on the provision of information by data subjects, the mandatory records of processing activities, and a data protection impact assessment in the case of so-called high-risk data processing.
Impact on undertakings from the United Kingdom
In addition to the provisions of the UK Data Protection Act 2018 on international data transfer, British companies will still have to comply with the GDPR after the implementation of Brexit when processing personal data of EU citizens. In this respect, it is not necessary for companies to have an establishment in the EU, Art. 3 (1) GDPR. It is sufficient that companies offer goods or services to data subjects in the EU or monitor the behaviour of data subjects in the EU. If such a company does not have a registered office in the EU, it is necessary to designate a representative in the EU pursuant to Art. 27 GDPR.
Mirroring the obligations of EU companies, UK companies, contractors and other beneficiaries should also prepare for requests from their European business customers for appropriate agreements regarding data transfers to the UK.
In the context of the impending “no deal” Brexit scenario, both UK-based companies and European companies that transfer customer data in the course of their business activities should strive to implement all necessary measures to ensure an adequate level of data protection. The focus will be on the EU standard contractual clauses and the Binding Corporate Rules (BCR). Given that the implementation of these measures will take a considerable amount of time, a plan should be drawn up as soon as possible to ensure that the implementation is as structured and complete as possible.
We will be pleased to support you in coping with the challenges associated with Brexit in the field of data protection law.