After the House of Commons rejected the text of the treaty negotiated between the European Commission and the British Government on the withdrawal of Great Britain from the European Union (https://ec.europa.eu/commission/sites/beta-political/files/draft_withdrawal_agreement_0.pdf), a „hard brexit“ – the dissolution of the relationship without a divorce contract – has become more likely. This also has serious implications for data protection and the companies subject to it.
In its statement issued more than a year ago (http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=611943), the European Commission had already pointed out the serious consequences for data protection resulting from the departure of Great Britain. The Commission pointed out that after the Brexit, Great Britain would become a „third country“ to which the corresponding rules of the European General Data Protection Regulation (GDPR) for data transfer to countries outside the EU would apply (Art. 44 ff GDPR).
While the cross border transfer of personal data between the member states of the European Union is permissible without restrictions under data protection law, an adequate level of data protection must be demonstrated if the data are to be transferred to third countries. The GDPR provides various instruments for this purpose.
The silver bullet would be a so-called „adequacy decision“ of the Commission (Art. 45 GDPR). On the base of such decision a transfer shall not require any specific authorisation. But it would be an unrealistic presumption such a decision can be implemented in the short term, as it is not only a question of assessing the data protection law as amended last year, but also the entire legal system, including the highly controversial Investigations Powers Act (IPA), which grants the British security authorities comprehensive powers over personal data.
Appropriate safeguards to demonstrate the adequacy of data protection at the recipient (Art. 46 GDPR) are „standard data protection clauses“, approved binding corporate rules (BCR), approved codes of conduct (CoC) and certification mechanisms.
However, until recently, it looked as if companies could take their time looking for alternatives. The text of the agreement negotiated between the Commission and the British government provides in Art. 70 ff that the GDPR (with the exception of the provisions of the seventh section governing supervisory cooperation) should continue to apply in Great Britain for the planned transitional period of two years. It was also agreed that an adequacy decision should be prepared within the transitional period.
Now that the text of the agreement is out of date, there is an urgent need for action by companies exchanging personal data between the EU 27 and business partners in the UK. By the end of March 2019, they must fulfill the requirements of the GDPR for third country transfers by means of one of the above-mentioned instruments or by means of individual contractual arrangements and, if necessary, corresponding authorisation from the competent supervisory authorities. Otherwise, the corresponding transfer transactions would be illegal.
It is to be hoped that the European data protection supervisory authorities will assist the companies in an advisory capacity in this difficult matter.
Translated with www.DeepL.com/Translator