BREXIT Could Impede the Transfer of Personal Data

  • BREXIT will change the legal foundation for the exchange of personal data between Germany and Great Britain

  • Companies with locations in Great Britain should start preparing themselves now for a range of scenarios

BREXIT will change the legal conditions for the transfer of personal data between Great Britain and the EU states. Until now, the level of data protection of a Member State has been taken per se as sufficient, without any further examination. So data transfers within the European Union are handled in exactly the same legal manner as data transfers within Germany. Further assessment or special contractual structures, like those with the USA, are not required.

After BREXIT, Great Britain will become a third country, and in this situation, the applicable laws are currently Para 4 b of the German Federal Data Protection Act (for Germany) and in future Art. 44 et seq. of the European General Data Protection Regulation (GDPR): Anyone wishing to transfer personal data to a third country must ensure that the destination state guarantees a sufficient level of data protection.

British government striving for stability for data transfers

“Whether or not a country has a sufficient level of data protection is something that the EU Commission determines. If the Commission so decides, then a transfer to a given third country is possible without further examination of the responsible positions,” says Dr. Katharina Küchler, Attorney in the Legal Department at eco – Association of the Internet Industry. This is clearly what the British government is striving for. On page 45 in point 8.38 of the whitebook published by the British government in February 2017, it is stated that “The stability of data transfer is important for many sectors – from financial services, to tech, to energy companies” and in point 8.40, “As we leave the EU, we will seek to maintain the stability of data transfer between EU Member States and the UK”.

Investigatory Powers Act may conflict with understanding of EU data protection

However, is the EU Commission actually likely to grant Great Britain a sufficient level of data protection? The Investigatory Powers Act, concluded at the end of 2016 may make this difficult. It grants the British secret service, among other things, extensive rights to surveillance of telecommunications companies and Internet providers. “If a country’s level is not found to be generally sufficient, then the positions responsible must continuously examine the permissibility of data transfers and ensure that the individuals whose data is being transferred obtain a guarantee of the protection of their personal rights,” according to Dr. Küchler. A transfer is then only possible, for example, on the basis of EU standard contractual clauses, Binding Corporate Rules or similar instruments, such as the EU-US Privacy Shield in the case of the USA.

External Data Protection Officer to prepare for a range of scenarios

The problem of data transfers affects companies that want to transfer data to Great Britain in connection with their business relationships, and companies with locations on both sides of the English Channel. Neither German data protection law nor the GDPR recognize intra group exemptions. Data protection officers in companies with a British parent company should therefore start preparing themselves for a range of scenarios and examine current data flows – especially against the backdrop of increased fines, which may loom from May 2018 with the GDPR.

The largest European Internet industry association, eco is offering support in the preparation process. On request, the association can provide an external operational Data Protection Officer to member companies. The association, among other things offers specialist advice on, the fulfilling of the data protection requirements, trains the staff, and undertakes a data protection audit. Through this, companies fulfill their legal obligations. Further information can be found at go.eco.de/dataprotection