British voters have spoken and by a narrow majority decided in favor of the United Kingdom’s exit from the "European project." At present, no one knows whether, when and how the planned Brexit will occur. The existing political and legal uncertainty represents a major challenge for companies. Obviously, this also applies to the area of data protection law were it will be crucial whether the United Kingdom can obtain the status of a “safe third country” after the exit from the EU. Companies residing in the European Union may transmit personal data to such safe third countries, without having to meet additional requirements.
Furthermore, the new requirements of European data protection law must be observed. In the future, the General Data Protection Regulation will be relevant for European Union Member States. These new European data protection provisions must be strictly observed by companies starting from May 25, 2018, in order to avoid significant fines and civil sanctions.
If the United Kingdom becomes a Member State of the European Economic Area (EEA), no changes will result for EU companies, since the General Data Protection Regulation is also legally binding for and must be applied by the EEA States. If the United Kingdom decides not to join the EEA, however, it would have to observe the strict new European data protection law or at least provide equivalent national regulations. The question as to what the political willingness in the United Kingdom will be is like a glance into the crystal ball.
If the aforementioned alternatives are not used, data exchange between the European Union and the United Kingdom will be significantly impeded. This applies particularly in the event that the European Commission fails to classify the United Kingdom as a safe third country. All companies transmitting personal data, such as employee or customer data, to affiliated companies in the United Kingdom or to British business partners would be affected.
What to do?
While it is expected that transitional provisions will be adopted and exit negotiations will drag on for years, companies should use this time to take a critical look at their own points of reference in data protection law. In the course of this analysis, it can be discovered what long-term strategies under data protection law must be developed for the worst-case scenario, if exit negotiations should fail. An immediately lower level of data protection is not expected in the event of Brexit, however. Premature actions in the area of data protection are therefore not necessary.