- Brexit is coming – What companies need to think about now
- “Deal or no deal”: No matter the outcome, the United Kingdom will be considered a “third country” under GDPR
- Urgent need for action to meet GDPR requirements
Brexit also poses challenges for German companies when it comes to data protection. Whether there is a deal or a hard Brexit: In either case, the United Kingdom will become a third country under the GDPR once it leaves the EU. This compels companies to check their cross-border processing of personal data as a matter of urgency, as the eco Association once again reminds companies today. The recommendation also applies to everyone who uses cloud services in any form – from email services to online storage to the purchase of services from abroad. EuroCloud Deutschland_eco e. V. has produced a short guide on this subject, which can be downloaded free of charge from https://go.eco.de/Brexit-and-Cloud_Legal.
“The withdrawal of the United Kingdom from the EU does not create any fundamental problems for the use of cloud services,” says lawyer and data protection auditor Dr. Jens Eckhardt, Member of the Board of EuroCloud Deutschland_eco e. V. “Nevertheless, there is an urgent need for action to fulfil the GDPR requirements in time for the withdrawal.”
No grace period for data transfers to UK
The EU General Data Protection Regulation (GDPR) also applies to the use of cloud services. It permits the cross-border processing of personal data within the European Union (EU) (Article 1 (1), Articles 44 et seq. GDPR). As a result of the EU withdrawal, the data protection treatment of the data transfer to the United Kingdom (UK) will change. Irrespective of the outcome of the exit negotiations between the EU and the UK, this will in future be comparable to the requirements for Switzerland or the USA.
This requires an independent additional legal basis for all data transfers to the United Kingdom, for which the processing company is liable. The European Commission has promised an adequacy decision pursuant to Article 45 GDPR. However, this decision has not yet been taken and it will not be taken in the event of a hard Brexit. The fact that there is no legal grace period is a further aggravating factor. Once the withdrawal happens, a data transfer is unlawful and subject to a fine, unless the provisions of Articles 44 et seq. GDPR are complied with or a transitional agreement has been agreed upon as part of a withdrawal deal. It is still unclear whether there will be a managed withdrawal or a no-deal Brexit. In order to ensure the continuation of cloud services, alternative adequacy regulations must therefore be created.
The so-called standard contractual clauses1 are the first option for implementation in the short term. For cloud services which are typically classified as order processing, the Standard Contractual Clauses (Processors)2 should be used. These are ready-to-use templates. However, it is imperative to note that these standard contractual clauses must only be filled in – and not varied or modified – in order to be valid.
The European Data Protection Board (EDPB), an association of the national data protection supervisory authorities of the EU Member States, also points out the urgent need for action. In its information paper3 of 12 February 2019, the EDPB expressly confirmed that the standard contractual clauses are a “ready-to-use instrument”.
Cloud services can also face challenges on another level: Cloud services that, from a data protection point of view, are offered from the UK by the cloud provider often use other subcontractors in third countries. The UK company acts as a kind of “bridgehead”. The data protection border is only crossed at the contractor-subcontractor level. After leaving the EU, however, this will be considered a further transfer to third countries. As a consequence, the data protection re-evaluation must not be limited to the first level of outsourcing, but must cover the entire subsequent chain of subcontractors.
2 https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087, as of 13 March 2019
3 Information note on data transfers under the GDPR in the event of a no-deal Brexit: https://edpb.europa.eu/our-work-tools/our-documents/other/information-note-data-transfers-under-gdpr-event-no-deal-brexit_en, as of 13 March 2019
About EuroCloud Deutschland
EuroCloud Deutschland (www.eurocloud.de) is the association of the German cloud computing industry and represents its members in the European network EuroCloud. EuroCloud Deutschland promotes the acceptance and needs-based provision of cloud services in the German market. The association is in constant dialogue with its European partners in the EuroCloud network in order to find global solutions and to pave the way for international business relationships. EuroCloud Deutschland was founded in December 2009 and is part of eco – Association of the Internet Industry.