How Brexit will affect data protection

Source: Heise.de added 22nd Jan 2021


The agreement between the European Union and the United Kingdom was a kind of Christmas miracle: it was concluded on 24 December 2020, just a few days before the deadline of 31 December. The trade agreement made it possible to avoid a hard Brexit at the last minute. On 44 pages, the treaty covers not only the movement of goods but also areas such as air and road transport and social security, and it also regulates data protection.

If there had been no regulation for the export of data across the English Channel, Great Britain would have become a so-called third country overnight. The transmission of personal data would then only have been possible under very strict conditions. The restrictions would have had a catastrophic impact on data traffic.

According to a study by the industry associations Digitaleurope and techUK, six out of ten European companies transfer data to the United Kingdom. They now have a short window of time in which they have to agree on the future handling of personal data. If they fail to do this, a lot is at stake, not only for companies but also for EU citizens.

Six months deadline

According to the EU Commission, the aim of the Brexit Treaty is “to facilitate digital trade by removing unjustified obstacles”. At the same time, “high standards for the protection of personal data” are to be guaranteed. The agreement stipulates that Great Britain will not be classified as an unsafe third country for a transitional period. The prerequisite is that the British adhere to their national data protection regulations based on the GDPR for this period. A deviation would only be permitted with EU approval.

Data traffic can therefore continue to flow unchanged until the end of April. This transition period can then be extended by another two months. By the end of June at the latest, the EU Commission must agree on a so-called adequacy decision with the United Kingdom. Negotiations on this should begin immediately.

Controversial special regulation

However, well-known British law professors are of the opinion that EU law does not even allow special regulations such as the one in the Brexit Treaty. In addition, the agreement would contradict the GDPR, which regulates the export of data outside the EU. After all, formally the United Kingdom left the EU on January 1st and is no longer a member state. On the other hand, it is argued, for example, that the agreement is an international treaty that takes precedence over EU law.

The conference of the local data protection supervisory authorities apparently has no problem with the agreed special path. In a press release at the end of December, it expressly welcomed the “provisional legal security for data transfers to the United Kingdom”. The agreement would prevent the “previously feared serious legal uncertainties”. The British data protection authority ICO praised the contract as “the best possible regulation for UK organizations that process personal data from the EU”.

Safe third countries

When the deadline set by the treaty expires at the end of June, there are two possible scenarios: the two parties, who have so far been at odds, agree on the adequacy decision. If there is no agreement, the hard data protection Brexit will follow with a delay.

Basically, from the local point of view the world is divided into three areas. The transfer of personal information within the EU, in which the GDPR applies uniformly, is legally unproblematic. The second category includes safe third countries to which transfer is possible and permitted without restriction. “Safe” are those states for which the European Commission has confirmed a level of data protection that corresponds to European requirements. These currently include, for example, Argentina, Canada (only commercial organizations), Israel, New Zealand, Switzerland and, for some time now, Japan.

From summer 2021, the United Kingdom could also be classified in this second category. According to the responsible EU Commission, corresponding negotiations have already been underway for a few months. However, experts doubt that the necessary agreement can be reached in such a short period of time. The negotiations with Japan lasted much longer.

In terms of content, there are also doubts that a level of data protection comparable to that of the EU can actually be assumed in the UK. Above all, the strong role of the secret services is viewed critically. These are closely networked with the American services and also part of the “Five Eyes” community. In addition to the USA and Great Britain, Australia, Canada and New Zealand also belong to this elite circle of surveillance-friendly states. At least in the last two countries mentioned, this did not prevent recognition as a safe third country.

A dozen countries currently count as safe third countries for the EU Commission in matters of data protection. In 2021, this should also include the United Kingdom.

Insecure third countries

All other countries are classified as insecure third countries whose national law does not guarantee sufficient protection of the data of European citizens. If no agreement is reached by the end of June, Great Britain would also fall into this classification, which already includes China, India, Russia and the USA. Passing on information to these countries is not strictly prohibited. However, there are some legal hurdles that must be clarified before the first transfer.

For such states, the strict provisions of Art. 44 ff. GDPR apply. The conclusion of so-called standard data protection clauses (SDK) is particularly relevant in practice. These are contract clauses formulated by the EU Commission that are concluded between the company exporting the data and the recipient in the third country.

The idea behind this is that the parties involved commit themselves in writing to uphold the high data protection standards of the EU. These specifications regulate, for example, the obligations of those involved, liability or participation in arbitration proceedings. In practice, it is important that the template wording must be adopted unchanged. However, the EU Commission is currently working on reformulating the clauses, which will probably be finished at the beginning of 2021.

In addition, according to the case law of the European Court of Justice, additional technical and organizational protective measures must usually be taken, in particular to protect EU citizens from all too careless access by foreign secret services. These protective measures include, for example, the anonymization and encryption of data.

A data transfer to a third country can also be legitimized by the consent of the respective data subject. The requirements for voluntariness must be observed. Another difficulty in practice is the requirement that the data subject must be explicitly informed about the planned processing of their data before giving consent and that the consent can be revoked at any time. In this case, the information about them must be deleted immediately.

Prepare for an emergency

IT companies are well advised to take the looming risks seriously and to use the delay to prepare thoroughly for the possible “data protection Brexit”. This includes first of all analyzing your own dependency on UK companies and looking for possible alternatives.

For important and indispensable partners, for example in the areas of IT, human resources or finance, it is recommended to plan for a scenario without an adequacy decision in good time. Standard data protection clauses in particular will be the means of choice for this purpose. If you prepare them by the end of June, you can switch quickly in the middle of the year in an emergency. This also includes defining and preparing additional technical and organizational measures to protect the data of EU citizens.

In contrast to the comparable legal situation in the USA after the Schrems II ruling last year, it is unlikely that the local data protection authorities will act leniently in the event of violations of the strict GDPR requirements for data transfer to the UK.


(hag)
