Brexit is on everyone's lips and companies have been discussing what to do for years. The mood swings between actionism and wait and see, the EU and UK will come to an agreement and not let the hundreds of companies down. It is no longer likely that the EU will reach an agreement with Great Britain. This is also reflected in Mrs. May losing vote after vote for an orderly Brexit. Now, almost too late, the question of what to do arises?
State of affairs – Brexit
Currently to date, there is no agreement between the EU and UK on the processing of personal data. Still until 29. March UK is a member of the European Union and thus also a member of the community of values and law. As long as this exists, also on the basis of the European fundamental freedoms every European citizen can work where he or she wants and also his or her data can be processed.
After the Brexit
Nonetheless, after Brexit, UK will be immediately in the same legal second of an insecure "third country", i.e. a country outside the EU and comparable to the U.S. Accordingly, processing of personal data of EU citizens is prohibited for the time being, as the legal basis is missing. This legal basis would first have to be created.
Bi-national treaties, agreements or even contracts between companies could be taken as the legal basis. So exactly parallel to the USA. Here we are currently also arguing about these contracts and agreements from EU-US Privacy shield to EU Modelclauses.
An EU-UK Privacy Shield will probably not be concluded and EU model clauses would first have to be approved and also released for use with the UK. From the Brexit Commission negotiations and public reports, it's all here as a negative.
No one can count on Mrs. May to give up her fist on this issue and not continue to blackmail the EU to influence other situations, such as the one in Northern Ireland for her own benefit. All flags are pointing to a hard Brexit.
Agreement with UK
From the negotiations with the US, the ECJ ruling on Safe Harbor and the current discussion, as well as the review of the EU-US Privacy Shield by the EU Parliament, we can quite well determine what criteria will come to an EU-UK agreement.
If you just look at the criticism of the US intelligence agencies and also the multiple procedures in the US, as well as the criticism of the EU Parliament from the end of 2018 on the EU-US Privacy Shield, you quickly realize that there is also an intelligence agency in the UK. This (GHDC) is no less active than the NSA and also strong in cooperation with the British intelligence service. The unified criticism and also literature assumes that this will be one of the sticking points and UK will be strictly controlled. Lost current status as a member state also means losing privileges to actually do what they wanted to do.
Consequences – companies leaving UK
It is mid-February and time is running out for companies in the UK or companies in Europe that have subsidiaries or partners in the UK. You need to act now and make tough decisions now. Because the only decision left is to export all data from UK and abandon personal data processing with UK.
From the press you can see that more and more companies, even corporations like Toyota and also SMEs (over 100) have moved their headquarters to the continent.
State data protection – audits announced
State data protection authorities in Germany and the remaining member states have already announced audits. Some want to specifically audit and also issue fines, because companies were and are aware of it. It becomes uncomfortable thus at the end of March and wait is no solution.