Provisional legal certainty for data transfers to the United Kingdom – the draft Brexit agreement offers a four-month transition period from January 1, 2021 (DSK conference December 28, 2020)
–
(MSC) The conference of the independent data protection supervisory authorities of the federal and state governments (DSK) provided information on current events in a current press release dated December 28, 2020:
“According to this, transfers of personal data from the EU to the United Kingdom of Great Britain and Northern Ireland should not be regarded as transfers to a third country (Art. 44 GDPR) for a transitional period. This period begins with the entry into force of the agreement and ends when the EU Commission has made adequacy decisions concerning the United Kingdom in accordance with Art. 45 (3) GDPR and Art. 36 (3) Directive (EU) 2016/680, but no later than four Months. This end date can be extended by two months if none of the parties involved object ”. (DSK December 28, 2020)
The aim of the Brexit agreement, according to the EU Commission: “To facilitate digital trade by removing unjustified obstacles”. At the same time, “high standards for the protection of personal data should be guaranteed”.
Data traffic can therefore take place unhindered until the end of April or with an extension until June 30, 2021.
Up to this point in time, the EU Commission must agree an adequacy decision with the UK.
At the end of June, we can currently assume two scenarios:
- Despite all previous differences, the two parties achieve an adequacy shot or
- The hard Brexit will be carried out without an adequacy decision and the UK will be considered a third country from 07/01/2021.
If no adequacy resolution is agreed, it will be exciting to see whether the UK can be classified as a “safe third country” – such as Argentina, Israel, Canada (partly), New Zealand, Switzerland … In these countries, a data protection level corresponding to European law can be assumed and unrestricted data transfer is possible. Negotiations have been going on for a few months, but experts doubt that the deadline for the necessary agreements will be sufficient.
One point of criticism for such an agreement is currently the role of the British secret services and their connections to the American secret services, manifested in the UKUSA treaty of 1946 between the UK and the USA. In this treaty, Australia, Canada and New Zealand are also represented as surveillance-friendly states (Five Eyes Alliance), which, however, did not constitute an obstacle to classification as safe third countries in Canada and New Zealand.
If, however, this adequacy decision is not possible, and thus no adequate protection of the data of EU citizens can be guaranteed, Great Britain would from 1.07. belong to the category of unsafe third countries such as China, Russia, India and also the USA. This means that Art. 44 ff DS-GVO is to be applied and data may only be transferred if “the controller or the processor has provided suitable guarantees and provided that the data subjects have enforceable rights and effective legal remedies”. (Art 46 GDPR).
Of course we are optimistic and hope that the last case described will not occur. Nevertheless, we should deal with this scenario.
Therefore our tip: Clarify the existing connections and thus data transfers to companies in the UK and think about alternatives that may work without an adequacy decision. Perhaps in this case the conclusion of standard data protection clauses will be necessary, i.e. the possibility envisaged by the EU Commission to secure the data transfer by means of pre-formulated contractual clauses. However, you must also pay attention to the use of suitable technical and organizational measures in order to legally enable data transfer.
We are keeping an eye on the expiry of the deadline – but we also assume that our authorities will not tolerate any exceptions in the event of a hard Brexit. As early as June 2019, our Federal Data Protection Officer Ulrich determined:
“There will definitely be no transition or regulatory grace period. Should data be transmitted without a corresponding legal basis, this would constitute a data protection violation that can be sanctioned in principle. ”(Handelsblatt, September 5, 2019).
– .