Brexit and Data Protection Law – if the UK becomes a third country without a deal
In the case of an unregulated hard Brexit, European Data Protection Law would also apply with full force: the United Kingdom would become, from one day to the next, a “normal” third country and would be treated as such under EU Data Protection Law. The transfer of personal data from the EU to the United Kingdom would then be legitimate only if, and as long as, specific conditions are met.
The EU General Data Protection Regulation (GDPR) establishes a uniform level of data protection throughout the European Union which allows free data exchange within the EU: Since the same Data Protection Law (in principle) equally applies in all EU Member States, personal data may be transferred within the Union across the internal frontiers without any special requirements or conditions, as they are equally well protected in all Member States via the GDPR.
Data transfer to third countries only under special conditions
As soon as the United Kingdom leaves the European Union, it will become a third country from one day to the next. Under the GDPR, personal data may be transferred to a third country only if specific conditions are met, as described below.
If Brexit is unregulated, i.e. without any special agreement between the Union and the Kingdom, the aforesaid also applies to the UK – immediately and directly, as of 29 March 2019 at 00:00 CET, without the grace period that was provided for in Art. 71 of the Draft Agreement of 14 November 2018, which was rejected by the House of Commons on 15 January 2019. It was planned therein that the GDPR should continue to apply to the UK until the end of 2020. For the time thereafter, a national UK Data Protection Law was to be established to provide essentially the same level of data protection in the UK as within the European Union.
What does that mean for companies established in the EU?
In terms of data protection, an unregulated Brexit particularly affects the “remainers” in the EU, namely, the EU-based companies that wish to exchange data with UK-based companies. The EU companies are then so-called “data exporters”, and they therefore have to set the stage for data transfer that is compliant with EU data protection law. If the requirements are not met, data must not be transferred to the third country. If data are transferred nevertheless, the EU-based companies are committing a data protection violation. It is therefore in the direct interest of EU-based companies to comply with the GDPR requirements for transfers to third countries.
The goal of special provisions of the GDPR for exporting data to third countries is the best possible protection of personal data and the persons to whom they relate in the third country. Data transfer to a third country is permitted only if
- the European Commission has decided, by means of an adequacy decision, that the third country ensures an adequate level of protection,
- or appropriate safeguards have been provided
- or the transfer can be justified by one of the derogations set forth in the GDPR.
Adequacy decision of the Commission
With regard to some third countries, the European Commission has confirmed that an adequate level of data protection exists in these countries. These include, inter alia, Canada, Japan, Switzerland and Israel. Personal data may be transferred to these countries without establishing additional safeguards.
With regard to the UK, however, there is no such decision, and it is unlikely that such a decision will be taken in the near future. In a notification of 14 November 2018, the Commission in this regard simply stated:
“(…) the adoption of an adequacy decision is not part of the Commission’s contingency planning.”
Providing “appropriate safeguards”
The export of data to third countries may take place if the data exporter provides “appropriate safeguards” to ensure an adequate level of data protection. In particular, this includes the use of the so-called “Model Clauses” which were previously approved by the Commission. These Model Clauses are currently still applicable in principle, in modified form, but are not unchallenged. In fact, they are currently under review in the context of proceedings pending before the European Court of Justice. It cannot be ruled out that these Clauses may suffer the same fate as the Safe Harbour Agreement, which was declared invalid by the ECJ.
“Appropriate safeguards” also include binding corporate rules (BCR) within groups of undertakings, which, however, must be approved beforehand by the supervisory authorities.
Derogations for specific situations
The GDPR provides a number of “derogations for specific situations” in which a transfer of data to a third country is permitted even without an adequacy decision and without “appropriate safeguards”. This includes, in particular, the case where the data subject has explicitly consented to the proposed transfer after having been informed of the possible risks of such transfers. Personal data, as another example, may also be transferred to a third country if this transfer is necessary for the performance of a contract concluded with the data subject or concluded in his/her interest.
Whether the data transfer is covered by one of the derogations must always be carefully examined on a case-by-case basis.
It is important to keep in mind that ensuring compliance of the third country transfer alone is not sufficient; in addition, the obligation to provide information must be fulfilled. The data subjects must be given information about the intention to transfer personal data to a third country and also about how the adequate level of data protection will be ensured.
What does that mean for UK-based companies?
The GDPR is European Union Law and applies directly in all EU Member States. One would think that the GDPR therefore has no relevance for UK-based companies after the UK’s withdrawal from the EU. But this is not the case: companies established in third countries are also fully subject to the rules of the GDPR if they offer goods or services to individuals in the Union and in this context process personal data of persons residing there. For example, a British online shop that offers and sells goods to the EU is subject, without restriction, to the rules of EU Data Protection Law. The same applies where the behaviour of individuals residing in the European Union is monitored from the third country (e.g. via web tracking).
For such UK companies, the unregulated Brexit therefore means that they are subject to the strict EU data protection regulations due to their activities in the EU, but (being companies in a third country) no longer benefit from the principle of the free transfer of data.
Do not forget assessment Stage 1
The question whether and under what conditions the transfer of data to a third country is compliant with the GDPR concerns Stage 2 of the assessment of whether the personal data may be transferred from one body to another. Irrespective of whether the recipient of the data is located inside or outside the EU, companies must first assess whether or not the data transfer to a third party is GDPR-compliant at all, which requires applying a specific legal basis.
In particular, EU-based companies that intend to transfer personal data to the United Kingdom must be prepared for an unregulated Brexit. It must always be assessed on which legal basis the transfer of personal data to the UK can take place as of the Brexit reference date, and appropriate measures must be taken to ensure an adequate level of data protection.