25.11.2020

The future of economic relations between Germany and the UK with regard to data protection

Brexit will change Europe - not only in terms of trade in goods, but also in terms of data exchange. Transferring data within the EU is simple, but transferring data to countries outside the EU (which, from a data protection perspective, will in future include the UK) is only possible under certain conditions.

The importance of data streams is enormous

According to the 2020 European Strategy for Data, data is an essential resource for economic growth. The EU estimates that the data economy in 2025 will be worth 829 billion euros in the EU alone. As far as personal data is concerned, the provisions of the EU General Data Protection Regulation (EU GDPR) must be observed. Within the EU, these provide a high level of protection for the handling of data and are enforced, in particular, by means of heavy fines.

Cross-border data exchange is regulated

The EU GDPR aims for its standard of protection to apply even when data is transferred abroad. Data controllers should not be able to evade their obligations by transferring data abroad. The EU GDPR therefore regulates transfers to so-called third countries, i.e. countries outside the EU. The key requirement here is that the level of protection of the EU GDPR is not undermined. This can be assumed in two cases: where an adequacy decision of the European Commission exists for the third country concerned, or where appropriate safeguards ensure an adequate level of protection for the data processing.

No adequacy decision by the European Commission before the end of the transitional period

If an adequacy decision existed, personal data could easily be transferred to the UK. However, at present, no such decision has been taken. It formed part of the negotiations during the transition phase, which have not been successful so far. The possibility of a decision to this effect being adopted in the future cannot be ruled out, but this is unlikely to happen before the end of the transitional period.

Anyone wishing to transfer data to the UK in the future should rely on appropriate safeguards

Appropriate safeguards are instruments of data transfer. Apart from certain narrowly defined exceptions, their implementation is indispensable for data export in compliance with the EU GDPR. These include:

  • Standard data protection clauses: contractual clauses approved by the Commission, which both the data importer and the data exporter include in their contracts
  • Binding corporate data protection rules: internal rules approved by the Commission for data transfers within a group of undertakings
  • Approved code of conduct and certification: measures which require a complex procedure before the Commission and therefore have no practical significance (so far).

The appropriate safeguards will mean, in particular, organisational obligations for entrepreneurs, such as amending contracts with their UK partners. However, this is not all; following a judgment of the Court of Justice of the European Union (CJEU) of July 2020, further obligations exist. The supervisory authorities have already announced that compliance with these obligations will be a future focus of their activities. Accordingly, data exporters must also check whether an adequate level of protection exists in the country of destination before each data transfer, and if necessary, take additional measures.

The significance of current case law for data transfers to the UK

Entrepreneurs are thus faced with the challenge of having to examine the legal situation in the UK with regard to data protection in addition to implementing a suitable data transfer instrument. In the first instance, they should contact their UK counterparts and request information. In addition, the fact that the UK has incorporated the provisions of the EU GDPR into national law is also likely to be relevant. Although the EU GDPR therefore does not continue to apply directly, its provisions continue to have effect; however, the British legislator may amend the regulations at any time. Furthermore, whether and to what extent public authorities have access to data must also be considered; the existing powers in the U.S. were the reason for the CJEU judgment.

What German entrepreneurs should do now

Entrepreneurs should prepare themselves for the coming legal situation. There is the risk of fines being imposed from the beginning of the new year at the latest. The supervisory authorities recommend five steps to avoid this:

  1. identify data transfers to the UK;
  2. determine data transfer instrument for the respective situation;
  3. implement data transfer instrument:
    • review the level of data protection;
    • take additional measures, if necessary;
    • implement formal procedural steps, contract amendments, etc. if necessary;
  4. update documentation, processing inventory and data protection impact assessment;
  5. adapt the privacy statement to inform the data subjects.

Outlook

EU GDPR compliance requires German and British companies to make considerable adjustments. The associated costs are estimated at approximately 1.8 billion euros. For the time being, British companies wishing to transfer data to Germany do not need to take any further steps in view of Brexit; however, they are faced with the legal uncertainty of future changes in the law. In view of the importance of economic relations between Germany and the United Kingdom, an adequacy decision would be welcome.

Author
Dr Michael Rath
Partner
Cologne
michael.rath@luther-lawfirm.com
+49 221 9937 25795