Brexit? Yes? No? Maybe?Take the right precautions
The Brexit has been an ongoing topic in the news for months now and the planned date for its withdrawal, 31 October 2019, is slowly approaching. The fronts in the British parliament are hardened and it is questionable whether there will be a regulated Brexit or even a stay in the EU. It is therefore about time to deal with the consequences of an increasingly probable, unregulated Brexit.
Consequences of a hard Brexit
Uncertainty is growing among businesses and individuals affected by Britain’s withdrawal from the EU. This would also affect data protection.
The main problem is that after a hard Brexit the GDPR and all other regulations would lose their validity. The transfer of data, however, requires a legal basis. Great Britain would thus be classified as a “third country”. This would put them on an equal footing with third countries such as the USA. Experience with the Save Harbor Agreement, the US Privacy Shield or the CLOUD Act has shown that international data transfer is a very difficult construct.
Companies in the EU must therefore review all circumstances in which personal data is transferred or made available to companies in the United Kingdom and, if necessary, adapt it to applicable law. For example, a contract for contract data processing would no longer suffice as a legal basis after a hard Brexit. EU companies would then have to demand individual data protection guarantees from UK companies.
What is the EU going to do?
For now, well, probably nothing. Although there is the possibility of an adequacy decision under Article 45 of the GDPR, the EU will take no action until the end of March. This would certify a sufficient level of data protection in the UK and would eliminate the need for further authorisations.
What would happen if a controlled Brexit were to occur after all?
Should a regulated Brexit still occur, there is the possibility of follow-up agreements. According to BITCOM, European data protection would continue to apply until these agreements have been concluded. There would therefore be no data protection problems. However, as things seem right now, the prospects for this are not very likely. Appropriate precautions should therefore be taken.
Who is affected by Brexit?
The situation is particularly difficult for companies that have their registered office in Great Britain or if the parent company has its registered office there. But companies that transfer personal data there are also affected. According to a 2018 BITKOM survey, this applies to 14% of German companies.
But it also affects companies and institutions that use IT services from companies based in the United Kingdom, e.g. in the form of cloud solutions. Here, too, personal data is transmitted.
Obligation to provide information when transferring data to third countries
Not only is it necessary to adapt the contracts with British partners and service providers, but there is also an obligation to provide information. For legal reasons, the fact that data is transferred to third countries must also be recorded and published in the relevant places. However, companies should already do this now, regardless of whether it actually comes to a hard Brexit. The exchange of data with third countries must be noted in the following documents:
- Data protection agreement on your own website
- Information sheet on data processing
- Directory for order data processing
- Data protection impact assessments may also need to be carried out or reviewed
Possibilities of legally compliant data transmission with guarantees
In order to be able to carry out data transmission even after Brexit in accordance with the GDPR, appropriate guarantees must be created. There are the following possibilities:
Binding Corperate Rules
Binding Corporate Rules are considered a suitable guarantee for internal company data transfers to insecure third countries. Here it is assumed that the GDPR standards apply within the group of companies. When carrying out a joint activity, sales and cooperation partners as well as service providers outside the group may also be included. However, the introduction of binding corporate rules is a long and cost-intensive process and requires approval by the supervisory authorities.
http://www.privacy-regulation.eu/en/article-44-general-principle-for-transfers-GDPR.htm
EU standard contract clauses
A further and significantly shorter possibility to give data transmission a legal framework is the EU standard contractual clauses. These provide an adequate level of data protection for the recipient. In the case of the EU standard contractual clauses, the legal authorisation must always be reviewed in two stages. Firstly, the transfer of data must be permitted. Secondly, the data recipient must guarantee an adequate level of data protection.
http://www.privacy-regulation.eu/en/article-44-general-principle-for-transfers-GDPR.htm
Approved rules of conduct
According to the GDPR, it is also possible to introduce your own data protection standards through approved rules of conduct. This self-regulation is intended for industry associations and federations representing categories of data controllers or processors. It should be noted that although it is possible to implement stricter rules than legally required in one’s own code of conduct, the GDPR guidelines must not be undercut.
https://gdpr-info.eu/art-40-gdpr/
Individually negotiated contractual clauses or administrative arrangements
However, there is also the possibility of using individually negotiated contractual clauses or administrative agreements. Under the GDPR, in the absence of a decision under Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if it has provided appropriate safeguards and if the data subjects have appropriate rights and remedies at their disposal. Such safeguards include, for example, legally binding and enforceable documents between authorities or public bodies and binding internal data protection rules in accordance with Article 47 of the GDPR.
https://gdpr-info.eu/art-46-gdpr/
Exception: Datatransmission without warranty
But as the saying goes, exceptions confirm the rule. There are also exceptions for the transfer of data to third countries, in which the data may also be transferred without a suitable guarantee. According to Article 49 of the GDPR, the following conditions must be met:
- Explicit consent, taking the risks into account
- Data transmission necessary for contract fulfillment
- Transmission for the performance or conclusion of an interest in a contract concluded
- Public interest
- Assertion, exercise or defence of legal claims
- Protection of vital interests
- Transmission of data from registers to persons with a legitimate interest
- Details can be found here: https://gdpr-info.eu/art-49-gdpr/
Conclusion and recommendation
In the event of a hard Brexit, the burden on companies and institutions that transfer data to the UK or use services will increase, no matter what. But this is certainly not the end of business relations, as there are still some ways to meet data protection standards. Moreover, in the case of the UK, it is very likely that the third country rule will only apply for a limited period, as both the EU and the British should have an interest in removing any hurdles as quickly as possible.
The most important thing, however, is that you tackle the issue as quickly as possible. First, make sure if you are concerned at all. Don’t forget to check if there is an online service provider in the UK, such as a CRM or analysis service provider.
Secondly, check what measures are necessary to avoid endangering the legally compliant exchange of data and take precautions that can be implemented quickly in an emergency. This can also include separating from British service providers and resorting to providers from the EU. This eliminates any risk.
Finally, if you continue to use services from the United Kingdom, you should inform customers and users about the transfer of data to third countries. Do this now to be on the safe side.
Even if we do not hope so, but taking these into consideration, you are as well prepaperd as you can be!
These statements are without guarantee and claim to completeness. If you have any questions, please contact your data protection officer or lawyer of choice.
You care a lot about data protection? More about the topic can be found here: