This briefing was updated on 19 January 2021.
Brexit, your business and data: processing European personal data - updated January 2021
One of the biggest operational impacts of Brexit on UK organisations is on their processing of personal data about European Union (EU) citizens now that the UK has left the EU. This is the second of two briefings in which we explore the implications of Brexit for UK organisations which process personal data, and their ongoing compliance with data protection law.
In this briefing, we consider how UK businesses conducting cross-border trading in the EU will be affected by the General Data Protection Regulation (2016/679) (GDPR) as it applies in the EU (and the EEA, by virtue of incorporation of GDPR into the EEA Agreement), now that the UK has left the EU, and in particular, how the end of the transition period has brought about:
- the requirement to adjust to having a new data protection regulator in place of the ICO (in respect of their EU activities); and
- the requirement to appoint a representative in the EU.
The first point is not a surprise – businesses trading overseas, particularly when consumer-facing, regularly need to decide how far to mould their trading operations around complying with local law to the letter, or whether to take the risk of a "one size fits all" approach, which is already the case with GDPR. The second point is new to UK businesses. In this briefing, we aim not only to inform you of the issues, but also to draw your attention to the practical steps you should think about now, if you haven't already done so.
This briefing note was first written prior to the end of the transition period, as a list of data protection action points for businesses to follow in order to prepare for the end of the transition period. However, at the time of update, the UK has formally left the EU (on 31 January 2020) and the transition period came to an end on 31 December 2020. Nevertheless, the points are still pertinent for any business which has yet to turn its attention to Brexit preparedness, or is in the process of making operational changes.
Please note that none of the issues that we write about in this note are affected by the data bridge that was put in place in the Christmas Eve Trade and Co-operation Agreement between the EU and the UK. We will write about that data bridge in the context of Brexit and data transfers in our briefing on that topic, which is in the process of being updated.
As we saw in that briefing, during the transition period, the GDPR continued to apply to those organisations in the UK which fell within its scope, to both their processing of personal data about UK data subjects and their processing of personal data about EU data subjects. However, the landscape changed when the transition period came to an end: businesses which operate in both the UK and the EU now have two data protection regimes to consider.
The UK's data protection standard did not change during the transition period. The European Union (Withdrawal) Act 2018 transposed the GDPR onto the UK statute book so that it could continue to apply in the UK during the transition period. Additional legislation came into effect at the end of the transition period, which "anglicised" certain aspects of EU GDPR (and the Data Protection Act 2018) so that they would make sense when applied as part of UK domestic law, effectively creating a 'UK GDPR'. The UK GDPR now applies, essentially, to the processing of personal data by UK based controllers and processors (in the context of activities related to their UK bases), and to the processing of personal data about UK data subjects as a result of the offering of goods and services to them, or the monitoring of their behaviour.
In addition to complying with data protection law in the UK, UK businesses will need to comply with GDPR as it applies in the EU, if:
- they have an establishment within the EU and process personal data in the context of the activities of that establishment; or
- they are not established in the EU (i.e. they just have an office in the UK or another third country), but they process personal data of data subjects who are in the EU, where the processing activities are related to the:
  - offering of goods or services to such data subjects in the EU; or
  - monitoring of their behaviour (as far as their behaviour takes place within the EU).
(Organisations in the UK will also have to continue to comply with GDPR in respect of any personal data about EU data subjects which they held and processed before the end of the transition period, and which they continue to process.)
Of course, UK businesses trading in other Member States already need to comply with GDPR as interpreted under two (or more) separate systems of law, as GDPR allows local derogations in Member States, and variances will exist. However, the UK has traditionally adopted a high standard of data protection in comparison to other Member States. So in practice, for the time being, and while the two systems are broadly parallel, there may not be many instances where UK businesses will need to adapt their operations to be in line with different data protection standards in the EU. Therefore this shouldn't, in theory, be a major problem for now.
However, Brexit has thrown a spanner in the works when it comes to coordinating EU operations via the "one stop shop" (OSS) principle, which would normally have been a handy way of dealing with deviances in approach to data protection amongst the Member States.
Until the end of the transition period, UK businesses could benefit from the OSS principle, which allows a single data protection authority (it would have been the ICO for most UK businesses) to be designated as the lead supervisory authority (LSA) for an organisation, provided that the organisation can demonstrate that it has a "main establishment" (or "single establishment") in that jurisdiction (see box below for further details). The LSA for a business becomes the sole interlocutor for cross-border processing issues.
The LSA can be used to coordinate actions and complaints regarding cross-border processing (e.g. a complaint originating in France or Germany), with the help of other "concerned DPAs" (i.e. other data protection authorities in Member States affected by the processing).
The difficulty for many UK businesses is that, with effect from the end of the transition period, the ICO can no longer be the LSA. It follows that unless UK businesses can demonstrate otherwise or structure their operations accordingly, their main establishment (as defined in the GDPR and explained in European Data Protection Board (EDPB) guidelines) will be in the UK, not in the EU. Therefore, they cannot benefit from having an LSA in the EU or from the OSS principle in general.
Unfortunately, without an establishment which can clearly be shown to be a "main" or "single" establishment, or indeed without any physical presence in the EU, UK businesses must now deal with each supervisory authority in each Member State in which they are active, so it would be prudent to ensure you are familiar with the reach of your operations from a GDPR perspective.
Even if a UK business has no establishment within the EU, the GDPR can still apply in the instances set out in section 2 of this briefing. However, there is a new requirement for such businesses (and indeed for any business outside the EU whose personal data processing activities are such that the GDPR applies by virtue of its extra-territorial effect, and which to date has relied on an EU representative based in the UK): they have to appoint a representative in the EU, in one of the countries where the affected EU citizens live.
The representative will be the primary point of contact for UK businesses for cooperating and communicating effectively with supervisory authorities and data subjects on issues of data processing, for the purposes of ensuring compliance with the organisation's obligations under the GDPR, and must be authorised in writing by the business to be addressed in addition to, or instead of, that business – a service contract between the UK business and the representative would suffice. Consequently, you should only appoint someone you would trust to pass on communications to you promptly – traditionally businesses have appointed a fellow group company in comparable situations, but this won't be feasible for everyone.
Failure to appoint a representative pursuant to GDPR could result in a fine up to the greater of €10 million or 2% of global turnover, so this should definitely make it onto the list of Brexit action points for UK businesses.
To the extent they haven't done so already, UK businesses to which the GDPR applies should consider taking the following steps:
- Check for material variances in interpretation of the GDPR in those Member States where your data subjects reside (for example, variances in data breach notification requirements or requirements to appoint a data protection officer), to avoid the risk of falling foul of EU practices or interpretations which differ from those of the UK. Any such variances should be worked into a business's internal response and privacy policies.
- Consider whether you are still able to benefit from the OSS principle, and whether this is something which is particularly desirable for your business. If it is, and to the extent that you are able to influence the situation, do you have a particular LSA in mind? In order to benefit, you'll need to show that you have a "main" or "single" establishment in the particular Member State of the LSA. See box below for further details.
- Appoint an EU representative if you are processing personal data about EU data subjects and you are doing so from the UK or another base outside the EU – and update your privacy policies/data collection notices with this information, to make sure that you are complying with your transparency obligations in this regard.
- Address data flows, particularly from the EEA to the UK if the EU decides not to grant an adequacy decision in favour of the UK (please see our separate briefing on this topic).
- Check data collection notices for references to relevant laws and transfers of personal data from and to the EEA, to make sure they are up to date.
- Review existing data protection impact assessments dealing with international transfers to ensure that risk profiles don't change at the end of the transition period (you may well have done this already in light of the CJEU's decision in Schrems II; please see our briefing for further details).
- Check internal accountability documentation such as your record of processing activities for any necessary changes to terminology or for provisions on international transfer, to make sure they are up to date.
- Check that contract references, e.g. to 'Data Protection Legislation', are up to date and still make sense.
According to Article 29 Working Party guidance (adopted by the replacement EDPB), the "main" or "single" establishment of a business will generally be the place of central administration, which is the place where decisions about the purposes and means of personal data processing are taken.
For many UK businesses this will be in the UK, but if you are part of a wider corporate group, it may well be that you have operations or group companies within Europe which would fulfil these criteria; or, if the matter is particularly important for you, you could restructure your business to achieve this. According to the guidance, in borderline cases and where it is difficult to determine the main establishment, it is important to ensure that the entity in question:
- has authority to implement decisions about processing personal data;
- can assume liability for the processing; and (perhaps most significantly)
- has sufficient assets to meet the (now hefty) potential sanctions.
Be prepared to substantiate your decision with appropriate evidence, as in cases where no real exercise of management activity or decision making takes place at the main establishment, the relevant supervisory authorities (or ultimately the EDPB) can make the decision for you.