Earlier this year, I already warned about Brexit and data protection in this article. However, that was before the UK’s final exit from the EU. As is known, the United Kingdom has left the European Union since February 1, 2020, which is why all EU laws apply in the United Kingdom only on the basis of a transitional phase at the current time. However, this will expire on Dec. 31, 2020. If no treaty is concluded between the European Union and the United Kingdom by that date, the country would be considered a third country for the purposes of many laws and treaties on January 1, 2021.
And this, of course, also affects data protection law.
Now, if one takes into account how the UK is currently in breach of treaty with the EU, it is not unlikely that no agreement will be in place on January 1, 2021.
Therefore, as of January 01, 2021, it will then hardly be possible to transfer personal data to the UK without violating European and German data protection regulations. For the exchange of data between German and British companies, this will result in stricter rules from this date, provided the EU Commission does not classify the United Kingdom as a safe third country by then. Such resolutions do exist, for example, for Switzerland or Japan. For a further decision, it would have to be ensured that the previous level of data protection can continue to be maintained. In view of the British government’s statements that it wants to establish its own and independent data protection rules, however, an EU decision seems at least highly questionable.
British companies are therefore no longer obliged to comply with the current binding data protection requirements of the GDPR from January 1, 2021, which also means that contracts with British service providers would have to be put to the test.
In addition to cloud services, providers of payment services are also particularly problematic. If no agreement is reached between the EU and the UK, the transmission of payment data to providers in the UK would be illegal. Whether this is still possible within the framework of the standard contractual clauses is difficult to answer conclusively in view of the statements just made by the British government that it wants to lower the level of data protection.
This is especially true since, in case of doubt, it could be difficult for as provider to guarantee the data subject rights of its own users or buyers without it being clear how contractual claims could be enforced in a situation without agreement and without codified commercial relations. Providers thus make themselves massively vulnerable to attack in case of doubt and could find themselves exposed to major claims for damages from data subjects if data subject rights cannot be fulfilled because the previous partners do not fulfill their obligations.
In view of the legal uncertainty, partners are unlikely to be able to effectively provide the guarantees required of data processors under Article 46 of the GDPR, even if these are set out in writing.
At present, hardly anyone can seriously judge whether an agreement will be reached and, if so, whether such an agreement will also include regulations on the handling of data privacy, or whether certain topics may be sidelined for a few more months in order to reach a fundamental agreement.
Since the problems apply not only to new transmissions but also to archival data, the issue should be addressed in a timely manner to avoid running into legal and technical problems at the end of the year.