With Brexit, Great Britain also left the scope of the GDPR. In terms of data protection law, the UK will be considered an insecure third country by the summer of 2021 at the latest. The European Union Commission wants to avoid this if possible.
The unpleasant, often overlooked, consequences of Brexit include the impact on data protection. Because with Great Britain leaving the Union, the European Union’s General Data Protection Regulation (GDPR) has also lost its validity in the United Kingdom. This means that since January 2021, it has become completely illegal to transfer personal data from the European Union to Great Britain, to store it there or to process it.
Legal until summer 2021
The immediate intervention of overzealous data protection authorities continues to block the transitional agreement that was passed simultaneously with the Brexit agreement and provides a six-month grace period for cross-border data flows until mid-2021.
The fact that the General Data Protection Regulation (GDPR) in Great Britain validates with Brexit is due to its legal structure. The General Data Protection Regulation is one of the regulations of the European Union that came into effect immediately in all member states when it entered into force.
For comparison: the EU Consumer Rights Directive, on the other hand, is a directive. It gives all member states a deadline within which they must adapt their national laws so that EU requirements are met. For online retailers dealing with UK customers, this means that consumer rights in the European Union will continue to apply in the UK even after Brexit, as they have been included in UK law books.
The United Kingdom becomes a “third country”
This does not apply to the GDPR. It lost jurisdiction in Great Britain with Brexit, and the old British data protection laws previously enforced were automatically back in effect. From an EU perspective, this makes the UK a “third country” without an adequate level of data protection.
Both sides definitely want to avoid this situation which is already happening as of August 2021. The British side has already reacted and declared that data transfer to the EU is essentially harmless. What is still missing from the EU is the so-called “fitness decision”. It will indicate that the country has a level of data protection that does not necessarily comply with the GDPR, but still gives EU citizens adequate protection against search and misuse. For example, the European Union Parliament took such a decision with respect to Japan.
There are two types of drafts
Regarding Great Britain as well, the European Union Commission is working very hard to get such a convenient decision on the rails. It has already prepared two drafts and submitted them to the relevant committees. However, the situation in Great Britain poses similar problems as it does in the United States, where transferring data from the European Union is currently not legally possible. For example, a 2016 law gives GCHQ far-reaching powers to discover data. GHCQ working closely with the US National Security Agency does not make things any better.
Concern before the European Court of Justice
Thus, the European Parliament’s convenience decision to protect data in the UK by the European Court of Justice could still be waived – just like the Safe Harbor and the Privacy Shield, the two data protection agreements that the European Union has so far negotiated with the USA. Internet activist Max Schreams filed a lawsuit, and the European Court of Justice came to the conclusion that the level of data protection in the United States is insufficient. Schrems had already announced that he would carefully study a similar agreement with the British.