Data traffic with Great Britain – what to do when the hard Brexit comes?

25. February 2019

25. February 2019 – The European Data Protection Board (EDPB) is now increasing the pressure on companies. Great Britain and the EU are still struggling for an exit regulation to the forthcoming Brexit. The British House of Commons has spoken out against a no-deal Brexit. However, it is becoming more and more unlikely that an agreement can be reached in the few remaining weeks.Therefore, with regard to data protection there may be an unregulated “hard Brexit” on the cut-off date of 30 March 2019. From the data protection point of view, Great Britain would have to be considered as a third country in the sense of the DSGVO. Personal data may then only be transferred between the EU and Great Britain if the increased requirements of Art. 44 et seq. GDPR are fulfilled.

Jürgen H. Müller, deputy Federal Data Protection Officer in Germany, has now increased the pressure on companies. After a meeting of the EDPB, he said that in the event of a no-deal Brexit, there would be no grace period with the data protection authorities turning a blind eye and tolerating data transfers without the necessary prerequisites. In case of a hard Brexit, affected companies would immediately have to expect a consistent crackdown by the authorities.

The GDPR provides the data user with several instruments for data exchange with a third country – which would include Great Britain after a hard Brexit. Companies with existing “binding corporate rules” can base their processing on these rules. For a quick solution, companies can primarily fall back on standard contract clauses. In any case, it is necessary to check in advance whether the standard texts correspond to the specific data transfer processes taking place. Only if the standard data protection clauses reflect the actual processes they can justify the processing. In addition, there is in principle also the option of a data transfer by way of exception under Art. 49 GDPR.

In the long term, an adequacy decision by the European Commission would ensure legal certainty. As already for Japan (see article) the Commission would confirm that the level of data protection in Great Britain is equivalent to the EU’s level. This would allow an unimpeded flow of data between Great Britain and the EU.

However, it will hardly be possible to reach an adequacy decision before Brexit. The European Commission first has to examine whether the British data protection regulations meet the data protection requirements of the EU. This process can take several months or even years. In this context, it should be noted that already in 2017 the British government has begun adapting the British data protection law to the regulatory level of GDPR. It remains to be seen whether this will be done in the foreseeable future. One point of contention, for example, could be the British intelligence activities. For instance, the intelligence agency GCHQ has recently announced its intention to carry out extensive hacker attacks abroad in the future. The compatibility of these attacks with the fundamental rights of the GDPR has still to be clarified.

It is currently being considered to postpone Brexit until 2021. However, it remains to be seen whether the British government will actually formally request a postponement from the EU. Therefore, in view of the limited time available, companies should put a great effort into verifying until planned Brexit on 30 March 2019 whether their data processing activities with British foreign reference comply with the strict requirements of the GDPR and they should, if necessary, consult with the supervisory authorities on interpretation aids. Necessary adjustments must be made in time, especially to avoid high fines in accordance with data protection regulations.


If you have any questions, please write to us.