Guest blog written by Tim Bell, of DataRep. Tim Bell is the Founder and Managing Director of DataRep, a leading provider of EU and UK Representative services, via their unique network of contact locations in each of the 27 EU member states, Norway and Iceland in the EEA, and the UK, enabling them to represent clients regardless of where their data subjects are based.
Brexit is a subject which has been causing headaches for businesses since 2016, when the people of the UK voted for it. Among the many issues which have arisen as a result is how GDPR will apply after the UK leaves the EU, and questions have arisen on many aspects relating to this:
I should start by clarifying the initial ‘yes’ answer to this question – actually, the EU GDPR will no longer protect the personal data of UK-based individuals, because this EU law has no jurisdiction over the post-Brexit UK. However, before Brexit, the UK incorporated the GDPR into their own law (using the Data Protection Act 2018) and, after Brexit, that law has been administratively updated to work for a UK separate from the EU (using the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020). This is referred to as the UK GDPR.
So, although EU GDPR won’t protect UK personal data, the UK has an almost-identical set of obligations in place when handling UK data.
It’s also worth noting that a UK company will still need to observe the requirements of EU GDPR if they’re processing EU personal data to an extent that they are caught by the extra-territorial reach of EU GDPR (i.e. if they’re providing goods and/or services to the EU, or monitoring people there – GDPR Article 3(2)).
Which brings us to the next question: what rules apply to companies outside the UK, when processing the personal data of UK-based individuals?
In short, the UK GDPR has the same extra-territorial reach as EU GDPR – if a company is providing goods and/or services to the UK, or monitoring people there, it will be required to meet GDPR standards in the handling of the UK personal data processed as a result (UK GDPR Article 3(2)).
For companies in the EU which are already processing personal data in this manner, their operational handling of that data may not need to change significantly, and the same should be true of companies outside Europe (although their Representative obligations may change; see below): they were obliged to process UK personal data in line with EU GDPR before Brexit, and will continue to be bound by the almost-identical obligations of UK GDPR post-Brexit.
This is the area where the most change may be needed – although a full answer to this has been deferred for six months.
Essentially, the issue is around whether the EU deems that the UK is protecting personal data in line with the requirements of EU GDPR, so that the EU doesn’t expect any additional safeguards to be put in place when EU personal data is sent to the UK.
Because the UK GDPR is almost the same as the EU GDPR, the automatic assumption would be that the protections of personal data are the same in both jurisdictions. However, that fails to take into account either legal interpretation or enforcement issues, which will also be considered by the EU when taking a decision on this point.
The UK is now a ‘third country’ for the purposes of EU GDPR, meaning that transfers of EU personal data to the UK must use a recognised mechanism. The easiest mechanism, and the one which the UK hopes will be agreed, is where the EU finds that the third country’s data protection regime is roughly similar to GDPR, so that it can declare that country’s position ‘adequate’. When this adequacy finding is awarded to a country, no additional protection needs to be added when transferring EU personal data to that country, making such transfers as easy as transferring personal data between EU member states.
It should be noted that this adequacy issue only arises in the EU to UK direction; the UK has already recognised the EU as adequate under UK GDPR, and also the countries which the EU has deemed adequate. This means that UK personal data can continue to flow to the EU without additional protections being necessary.
There was not enough time before the end of the Brexit transition period for the EU to fully consider whether the UK is adequate, so the UK has not been granted this status. However, in recognition of the UK’s position as a previous EU member (whose data processing had therefore been assumed adequate), and also to prevent a ‘cliff-edge’ Brexit scenario for the businesses which would be affected, the EU has granted the UK an adequacy extension for 4 months, with the possibility (likelihood) of a further 2-month extension, to enable the discussions about adequacy to be completed.
Recently (writing in February 2021), a draft adequacy decision for the UK has been issued, so it now appears likely that the UK will be granted adequacy status, subject to a review every four years. That decision has yet to be ratified, but it looks more likely now than ever before that the UK will be found to be adequate.
If the UK is not granted adequacy status at the end of this process, it will be necessary for companies which wish to send EU personal data to the UK to use one of the other mechanisms – most likely the standard contractual clauses (SCCs). These standard contracts, written by the EU, put protections in place between the data exporter and data importer, so that the (impliedly inadequate) protections of the data importer’s country are reinforced by contract. The SCCs are currently being updated (a consultation on the proposed new SCCs has now ended), but whatever their new form it’s likely that their use would also need to involve an assessment of whether the SCCs are likely to be overridden by local law – e.g. can the data importer’s government insist that the importer share that information – among other aspects, following the Schrems II ruling.
Data transfers between the UK and the rest of the world remain subject to the same (UK GDPR) obligations as those between the EU and the rest of the world (under EU GDPR) – but enforcement and interpretation by the UK may change over time.
In short, yes.
The UK GDPR includes the same Article 27 as EU GDPR, which requires a company based outside the EU (which is caught by GDPR’s extra-territorial reach) to appoint a Representative in the EU to act as their European privacy contact. Reworded to replace “EU” with “UK”, the UK GDPR requires a company based outside the UK to appoint a UK Representative.
This means that companies without an establishment in either jurisdiction will need to appoint a Representative in both. This group is actually likely to be least surprised by this change, as they will have already had the obligation under EU GDPR to appoint a Representative in the EU; they will either be covered by their Representative already (if their Representative has establishments in both the EU and UK), or will need to appoint a Representative in the jurisdiction where they no longer have representation (e.g. if their existing Representative is in one of the remaining 27 EU countries, they will need to appoint a new one in the UK).
This will be a much larger surprise for companies in the EU and UK, as they will never have had to deal with this GDPR obligation before – and will likely never have even heard of it! Because the Representative obligation has, pre-Brexit, only applied to non-EU companies, it has simply never been part of the GDPR conversation in the EU (and therefore UK) until now. EU-based companies – who, to be fair, have been told in broad terms that the UK’s GDPR position remains the same – seem to be having a particularly hard time hearing this message.
The European Data Protection Board guidance (03/2018) expects the EU Representative to have an establishment in the EU country where the appointing controller/processor has the most data subjects, and also that data subjects in other EU countries should have easy access to the Representative – meaning it may be necessary to appoint a Representative with multiple locations (or multiple Representatives) if your data subjects are located across the EU. This doesn’t apply to the UK Representative, which can be located anywhere in the UK. The guidelines also confirm that the same provider should not be appointed both Representative and external DPO for the same company.
Please note that the adequacy decision (or not) has no bearing on this requirement – companies in adequate countries are obliged to make this appointment the same as those who don’t have the benefit of an adequacy finding.
A table has been provided below with the details of how the Representative obligation has changed for companies, depending on where they have establishments:
It’s impossible to say with any degree of certainty, but it appears likely that the UK will diverge from the EU to some extent. The biggest driver of change is likely to be the interpretation of the rules by the UK supervisory authority – the Information Commissioner’s Office (ICO) – and the UK courts. Although these bodies may continue to view the EU’s approach as persuasive, and maintaining (or chasing) an adequacy finding will be part of the decision-making for the ICO, the courts will follow the legal precedents of their own jurisdictions, which will almost certainly start to develop differences post-Brexit.
The (data protection) future remains unwritten!