Data protection: UK soon to be an insecure third country?

Brexit is likely to keep lawyers, authorities and courts busy for a long time to come. Just recently in this article I pointed out the potential problems with the Ltd. as a legal form. Perhaps a much more relevant problem could be data protection.

This problem particularly affects clients of mine who use providers in the UK, for example to display advertising in apps, to obtain statistical information from games, or to offer payment services. This generally leads to personal data being transferred to the UK or providers from the US being granted access to their own data, even after the disorderly Brexit that is now becoming increasingly likely. This could affect some very relevant middleware vendors.

However, this is not without problems, because according to the GDPR, all countries outside the European Union or outside associated countries, are to be considered third countries. After a disorderly Brexit, at least for a transitional period, this will also affect the United Kingdom. This means that personal data may no longer be transferred to the UK without further ado. Something else could only apply if, just in time for Brexit, there is a so-called adequacy decision by the EU that declares the UK a safe third country. Whether this will happen is difficult to predict. The EU is likely to be preoccupied with other problems for the time being. Incidentally, such a resolution is also necessary from a purely formal point of view, even though the new data protection law has of course also been introduced in the United Kingdom, where I do not wish to dispute the fact that there is a thoroughly adequate level of data protection. However, it remains to be seen whether this will continue to be the case after a Brexit, which is indeed taking place because people there would like to emancipate themselves from strict EU dictates.

Of course, there are also other possible exceptions, such as a separate contract with the provider to comply with European data protection (but including regular review!), or the necessity, because services are performed in the UK.

Not sufficient, on the other hand, is the exclusive information of customers or players within the framework of a data protection statement in which a hidden reference is made to a data protection transfer. All that would be sufficient is a clear explanation and information within the framework of a user registration, for example, with direct confirmation by the customer. Existing customers would also have to be informed about the problem and required consents would have to be obtained.

Of course, I can’t see into the future either, so I don’t know what else will happen in the next 2 months. However, the risk is there and data protection authorities are becoming very active with regard to fines. Everyone should therefore check their apps, online stores and third-party providers carefully, check data protection declarations, terms and conditions and contracts, and take precautions if in doubt. Better now than just before the end. Of course, a conversation with me or a colleague can’t hurt either!

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.