Brexit and data protection, review contracts and service providers

Earlier this year, I already warned about Brexit and data protection in this article. However, that was before the UK’s final exit from the EU. As is known, the United Kingdom has left the European Union since February 1, 2020, which is why all EU laws apply in the United Kingdom only on the basis of a transitional phase at the current time. However, this will expire on Dec. 31, 2020. If no treaty is concluded between the European Union and the United Kingdom by that date, the country would be considered a third country for the purposes of many laws and treaties on January 1, 2021.

Key Facts

The United Kingdom left the EU on February 1, 2020; the transition phase ends on December 31, 2020.
In the absence of an agreement, the United Kingdom will be considered a third country from January 1, 2021.
It will be difficult to transfer personal data to the UK without EU Commission classification as a safe third country.
British companies no longer have to comply with GDPR rules from January 1, 2021, which has consequences under contract law.
If no agreement is reached, the transfer of payment data to UK providers would be prohibited.
Legal uncertainties could make providers liable if user data is not processed correctly.
Problems affect both new transmissions and archive data: timely discussion is important.

And this, of course, also affects data protection law.

Now, if one takes into account how the UK is currently in breach of treaty with the EU, it is not unlikely that no agreement will be in place on January 1, 2021.

Therefore, as of January 01, 2021, it will then hardly be possible to transfer personal data to the UK without violating European and German data protection regulations. For the exchange of data between German and British companies, this will result in stricter rules from this date, provided the EU Commission does not classify the United Kingdom as a safe third country by then. Such resolutions do exist, for example, for Switzerland or Japan. For a further decision, it would have to be ensured that the previous level of data protection can continue to be maintained. In view of the British government’s statements that it wants to establish its own and independent data protection rules, however, an EU decision seems at least highly questionable.

British companies are therefore no longer obliged to comply with the current binding data protection requirements of the GDPR from January 1, 2021, which also means that contracts with British service providers would have to be put to the test.

In addition to cloud services, providers of payment services are also particularly problematic. If no agreement is reached between the EU and the UK, the transmission of payment data to providers in the UK would be illegal. Whether this is still possible within the framework of the standard contractual clauses is difficult to answer conclusively in view of the statements just made by the British government that it wants to lower the level of data protection.

This is especially true since, in case of doubt, it could be difficult for as provider to guarantee the data subject rights of its own users or buyers without it being clear how contractual claims could be enforced in a situation without agreement and without codified commercial relations. Providers thus make themselves massively vulnerable to attack in case of doubt and could find themselves exposed to major claims for damages from data subjects if data subject rights cannot be fulfilled because the previous partners do not fulfill their obligations.

In view of the legal uncertainty, partners are unlikely to be able to effectively provide the guarantees required of data processors under Article 46 of the GDPR, even if these are set out in writing.

At present, hardly anyone can seriously judge whether an agreement will be reached and, if so, whether such an agreement will also include regulations on the handling of data privacy, or whether certain topics may be sidelined for a few more months in order to reach a fundamental agreement.

Since the problems apply not only to new transmissions but also to archival data, the issue should be addressed in a timely manner to avoid running into legal and technical problems at the end of the year.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.

Tags: Damages Data protection Law Judgments Laws Payment Privacy service Sicherheit Standard contractual clauses Verträge