The United Kingdom (UK) finally left the EU on 31 January 2020. The withdrawal agreement provides for the UK to continue to be treated largely as an EU member state until the end of the transition period on 31 December 2020, while both sides work out the future rules for cooperation. For the period after this, current Prime Minister Boris Johnson announced on 3 February in a written statement:
Brexit also affects the subject of data protection. To date, the General Data Protection Regulation (GDPR) has applied in the UK. As of 31 December 2020, the UK will become a third country within the meaning of the GDPR. Based on existing agreements, data exchange with the UK would then only be possible if the latter raises its data protection standards to a level that corresponds to that of the EU and the Commission issues an adequacy decision.
However, Prime Minister Johnson announced in no uncertain terms that the GDPR – just like all other EU regulations – will be done away with and replaced by a British provision. There is therefore a real danger that the standards of the GDPR will not be met. In this case, companies that process personal data in the UK will have to take action. For data centre operators domiciled in Continental Europe, on the other hand, this creates opportunities.
Migrate data to Europe?
Data centre operators in Europe could benefit from this situation and have already been preparing for years for precisely this scenario, including by expanding data centre capacity in Continental Europe. Personal data that is currently physically stored in data centres in the UK may have to be migrated back to the European Union. In particular, the data centre hubs in Frankfurt am Main and Amsterdam could benefit from this development. Given that available capacity in existing data centres is already limited, this could entail further investments in new data centres and corresponding (energy) infrastructure. In addition, it can be expected that the number of data centre transactions will increase further in the future.
At the same time, however, this could also mean that data of British service providers that has been hosted up to now in Continental Europe will be migrated back to the UK.
Adapt existing agreements
If a transfer of personal data back to Continental Europe is not an option, companies should critically examine their existing data processing agreements and prepare for the completion of Brexit.
Companies should ensure that, in the event that the UK leaves the EU without a corresponding adequacy decision, they continue to be GDPR-compliant. Specifically, they should ensure that the EU standard contractual clauses are agreed with British processors.
Brexit presents possibilities and opportunities for data centre operators in Continental Europe. However, much depends now on how the reform of data protection in the UK will turn out. Companies should in any case check which of their agreements require action from the point of view of data protection.