To date, data protection rules in the EU and in the UK are governed by the harmonized requirements of the EU Data Protection Directive 95/46. When the EU General Data Protection Regulation comes into force in May 2018, it will further harmonize data protection law across the EU at a high level. This enables the transfer of personal data within the EU Single Market in the same way as within the home country.
This arrangement would no longer apply if the UK leaves the EU. The UK would then generally be treated as a third country, with a potentially inadequate level of data protection.
From a data protection perspective, the UK would therefore be in a similar position to the USA. Data transfers to the USA are subject to strict requirements. The end of the Safe Harbor mechanism, following a judgment by the European Court of Justice in October 2015, has further aggravated the situation for companies.
The successor to the Safe Harbor mechanism, the so-called "EU-US Privacy Shield" agreement with the USA, was approved by the European Commission in July 2016 and can therefore be applied. However, it remains to be seen whether this agreement also satisfies the requirements, established by the European Court of Justice, for the protection of European data.
It is possible that the transfer of data to the UK will in future become more difficult, in a similar manner to data transfers to the USA. In particular, this would affect the commonplace instrument of commissioned data processing (processing on behalf of a controller), which enables the forwarding of data without the consent of the parties involved. The following are examples of questions that could arise for companies with branches in the UK, for companies that are themselves the branch of a UK company, for companies that work with companies in the UK, and for companies that transfer data to the UK in another way.
- How can company-wide central storage of data in the UK be structured?
- How can contracts with service providers in the UK, who receive data or view it via remote access (e.g. within the scope of maintenance agreements), be designed?
- Do data flows have to be diverted to other EU countries and new data storage set up there?
- What protection measures must EU subsidiaries of UK companies take against data access by UK parent companies?
- How can due diligence processes be structured during cross-border company acquisitions?
Ultimately, the deciding factor will be what level of data protection the UK establishes, and what agreements are made when it withdraws from the EU. If the UK maintains data protection laws modelled on the EU framework, it is conceivable that the European Commission will grant the UK the status of a third country with an adequate level of data protection, as it has done for other European non-EU states. If such a decision is delayed until after a Brexit takes effect, it may create a dangerous data protection gap for companies.
Much remains unclear here, all the more so as the EU General Data Protection Regulation, applicable from 2018, is likely to raise new questions even within the EU.