Data protection and Brexit / transfer of personal data to the UK

the problem

The United Kingdom of Great Britain is a third country within the meaning of the General Data Protection Regulation (GDPR) after Britain’s exit from the European Union on 01.01. If personal data is sent to Great Britain, it must be demonstrated that the data is also secure in the receiving country. According to the GDPR, several tools for establishing security are permitted.

1. The adequacy of the European Union Commission decision

A suitability decision is a decision made by the European Commission under Article 45 of the General Data Protection Act (GDPR) which specifies that a third country such as the United Kingdom provides an adequate level of protection for personal data. This decision means that personal data can be transferred from European Union member states and European Economic Area member states to this third country without any other requirements.

There is currently no adequate decision by the European Commission of Great Britain.

2. Data Protection Agreement / TCA Transitional Regulations

On December 24, 2020, the European Union and the United Kingdom agreed a Trade and Cooperation Agreement. The so-called TCA has transitional regulations on pages 406-408 for the transfer of personal data between the European Union and Great Britain. This transitional regulation will be effective until June 30, 2021 at the latest.

It should be noted that the Transitional Regulation stipulates that Great Britain may neither change its data protection laws nor take any measures that would effectively alter the current level of data protection.

This is problematic in several respects. The TCA Data Protection Agreement expires on the day this change takes effect in Great Britain. Certainly, any change in the law represents less risk due to the formal requirements of the action, and on the other hand, the actions taken by the government and their impact on data protection, cannot be controlled for those affected.

If the British government acts at the expense of the level of data protection, then data transfers from the European Union to the United Kingdom will necessarily become cross-border transfers to an insecure third country within the meaning of Article 44 et seq. Of GDP.

Unabhängig vom Handeln der britischen Regierung gelten ab dem 01.07.2021 Datenübermittlungen aus der EU nach Großbritannien als grenzüberschreitende Übermittlungen in ein unsicheres Drittland im Sinne der Art. 44 ff. DSGVO, wenn bis dahin kein Angemessenheitsbeschluss der EU-Kommission vorliegt oder ein dauerhaftes Datenschutzabkommen unterzeichnet is.

3. EU-Standardvertragsklauseln / SCCs

If there is neither an adequacy decision nor a data protection agreement, it is possible to secure the level of data protection through mutual contracts. To this end, the European Union has established standard contractual clauses or so-called SCCs. With the conclusion of these standard contractual clauses of the European Union, the transfer between the contracting parties is usually without consent.

For companies that conduct regular business operations with partners in Great Britain, it is thus logical to clarify the uncertainty in the current situation through their own agreements with the partner in question.

After the Schrems II decision of the European Court of Justice, the European Union’s standard contractual clauses are no longer in force without restrictions. Therefore, the European Union Commission adapted the Specialized Advisory Committees in November 2020 and issued new drafts. However, these have not yet been accepted.

The solution:

Until the EU Commission issues a suitability decision, the EU’s Standard Contractual Clauses remain a viable way to plan for compliance with the General Data Protection Regulation (GDPR) when transferring personal data with Great Britain. But due to the European Court of Justice ruling, caution is advised here until new drafts are approved.

If you do regular business with partners in the UK, take action. Our legal office specializes in data protection law and supports you in structuring your business operations with UK partners in a legally secure manner.