Companies within the European Union are faced with major challenges if they want to transfer personal data from the EU to the USA or the UK. A data transfer takes place, for example, when employee data is exchanged with subsidiaries based there or simply when useful IT tools are applied from companies with offices in these countries (e.g. Gmail, Amazon, Cloud Drive).
Great Britain as a third country under data protection law after Brexit
While the USA have always been regarded as a third country from a European data protection perspective, this will also be the case for Great Britain next year once Brexit has been completed. This has consequences for companies that transfer data to Great Britain. They must implement technical and organizational measures to ensure that an appropriate level of data protection is maintained. As a result, additional investments will be necessary for data protection compliance in 2021. These will, however, stay within a manageable scale as long as it is possible to fall back on familiar structures that have already been established for data export to the USA.
Use of synergy effects for data transfer to the USA
Just like between the EU and the USA, there is currently no decision on adequacy between the EU and Great Britain for the time after Brexit, which guarantees a legal basis for lawful data transfer. After the European Court of Justice declared the EU-US Privacy Shield to be invalid in July 2020, companies had to establish new legal bases for data transfer to the USA and in most cases used adapted standard contractual clauses or binding corporate rules. To ensure an adequate level of data protection when transferring data to the UK, the same basic instruments can be used and synergy effects exploited at the same time, provided that country-specific adjustments are made.
Our experienced attorneys for data protection law will be happy to advise you on how to overcome the challenges that may arise.
Continue reading:
Data Protection: Companies Must Appoint an EU Representative
Three steps to legal certainty in data protection