International: GDPR, Brexit, Schrems II, and the Representative – why they impact companies outside and inside the UK
There's a famous Chinese curse: 'may you live in interesting times.' The current situation probably qualifies. Even before we consider the current global COVID-19 ('Coronavirus') pandemic, there is more happening in the field of data protection law now than there ever has been, with the primary catalyst for change in this area being the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The global implications of the GDPR have inspired jurisdictions around the world to tighten up their own data protection laws to meet the modern challenges of the internet, social media, and targeted advertising. Tim Bell, Founder and Managing Director of DataRep, discusses recent changes to requirements for companies transferring data internationally, particularly outside and inside the EU and the UK, and discusses how Brexit may impact the EU Data Protection Representative role under Article 27 of the GDPR.
Two years after the GDPR became enforceable, in May 2018, it would be comforting to state that the majority of companies governed by the GDPR are meeting its requirements. Unfortunately, this is perhaps not a realistic assessment – even if the majority of companies in the EU were compliant, the extra-territorial effect of the GDPR has resulted in many more companies being required to meet its rules, some of which continue either to ignore the GDPR or to believe that it would be unenforceable in their jurisdiction.
Now Brexit and Max Schrems have added to the issues around the GDPR, including the appointment of an EU Data Protection Representative.
EU Data Protection Representative – Article 27
Brexit, 'UK GDPR,' and the new 'UK Representative' role for non-UK companies
The UK voted to leave the EU in 2016 and, on 31 March 2020, completed its separation and started a transition period, which is currently expected to run until 31 December 2020. During the transition period, EU laws (including the GDPR) will continue to apply to the UK as though it were still an EU Member State, but after the transition period EU laws will no longer apply directly (although any which are in force on that day are deemed incorporated into the UK's laws).
The effect of this is that, after the Brexit transition period ends, the UK will be a 'third country' for the purposes of the GDPR. The most-discussed effect is that companies transferring EU data to the UK will need a permitted mechanism to do so, as the UK will no longer benefit from the assumption that it has GDPR-equivalent laws in place. Ideally the mechanism would be an adequacy decision from the EU, but a number of obstacles to that remain, not least the timescale, as adequacy decisions can take years to reach.
Alternatively, Standard Contractual Clauses ('SCCs') could be used. However, although cross-border transfers get all the headlines, there is another important GDPR change which will occur at that time, to the Representative obligation: UK companies with no location in the remaining 27 EU countries will be required by Article 27 of the GDPR, as non-EU companies, to appoint an EU Representative if they intend to continue selling to the EU or monitoring people there.
The UK Information Commissioner's Office ('ICO') has issued some advice for UK companies in respect of the Representative. It recommends that UK-based companies without an EU establishment aim to appoint a Representative in time for the end of the transition period. That advice [1] and the Representative-specific section [2] are helpful for UK companies, but the ICO has seemingly declined to provide any advice to companies outside the UK, which are bound by the Data Protection Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) (No. 2) Regulations 2019 (together, the 'UK GDPR') with the same extra-territorial effect as the EU GDPR has for non-EU companies, about the additional issues they will face in meeting the UK GDPR (over and above any EU GDPR compliance which is required).
In addition, a new UK Representative role has been created by the UK, as a result of the way in which the UK has incorporated the GDPR into its national law. This obligation will apply to non-UK companies which sell to the UK or monitor people there, and this GDPR-style Representative requirement will apply to EU companies for the first time because, as companies with EU establishments, they had no need to make this appointment under the GDPR and, as a result, were probably never even aware of it. This new role also has the potential to catch out companies outside of Europe which need to appoint an EU Representative: they will not have a UK establishment (if they had, they would not have needed an EU Representative before Brexit), so they would need a separate UK Representative as well if they process UK personal data.
The result? A little-known obligation has been extended and split into two separate little-known obligations, both of which remain outside the field of vision of a large proportion of the companies to which they apply. The table in the summary section provides a quick reference for which companies this applies to and how matters will change.
Schrems II, Privacy Shield, and SCCs
Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), despite causing a major issue for companies across the world, has not made a big impact on the Representative role. That is the case both for US companies using the EU-US Privacy Shield ('the Privacy Shield') and for non-US companies which use the SCCs (although the latter are separately now expected to undertake more due diligence on the potential for local laws to override the protections in those clauses). There is a hope that the decision in the Schrems II Case will result in greater attention to GDPR compliance from companies transferring personal data across international borders, but time will tell whether that is the case – for the moment, most companies impacted do not have the luxury of undertaking a wider compliance exercise, as they have a considerably more urgent need to replace their current data transfer mechanism with one which complies with the GDPR.
As a quick commentary on the Privacy Shield and the SCCs, there is a strong view that the appointment of a Representative should have been part of the process of obtaining a Privacy Shield certification from the Federal Trade Commission ('FTC'), and should be part of the next version of the SCCs. Although many of the companies which used the Privacy Shield as the basis for their cross-border transfers will not need a Representative (as a result of having EU-based establishments), there is no doubt that many will need one and may simply not be aware of this requirement, having been passed as suitable by an FTC process which does not mention it. Similarly, many companies which use the SCCs may have done so since their first publication in the early 2000s without reviewing their use or considering whether they are still adequate for their purpose, or even accurate as to what processing is occurring.
When the SCCs are next amended (noting that the Court of Justice of the European Union ('CJEU') declared as part of its ruling in the Schrems II Case that they remain sufficient in their wording, albeit not necessarily in operation), it could be recommended that a clause be inserted providing that, if the data recipient has no EU establishment, it will appoint a Representative to meet the requirements of Article 27 of the GDPR. It is not a complex clause: its interpretation is clear, and meeting the obligation is also relatively simple, assuming the company does not have any known areas of non-compliance which would dissuade a Representative from accepting the appointment. However, seeing such a clause may be the first time a non-EU data processor, potentially much farther down a sub-contracting chain from an EU-based data controller, is made aware of this obligation, and it reduces the chance that the obligation remains unknown to companies which are working to meet GDPR requirements based on what has been flowed down from their clients' contracts rather than considering the GDPR directly. Similarly, when there is a new EU-US Safe Harbour to replace the Privacy Shield, there should be a question as part of the self-certification process which asks the US applicant to provide the contact address of its EU establishment and, if it has none, asks it to list its EU Representative's address as the alternative.
- EU Representative role: in addition to this being an obligation for companies which have never been in the EU, it will now also be a required appointment for UK companies with no EU location if they sell to the EU or monitor people there (see table below). The Representative should have a location in the country where the controller/processor has the most data subjects.
- UK Representative role: a new role which will require companies with no UK location, if they sell to the UK or monitor people there, to appoint a Representative in the UK. This is in addition to any existing obligation to appoint an EU Representative (see table below).
- Brexit: in addition to creating a new potential obligation on companies to appoint an EU and/or UK Representative, Brexit requires companies to consider the flow of data into and out of the UK, particularly EU data flowing into the UK.
- The Schrems II Case: invalidates the Privacy Shield, so US-based companies which had been signed up with that scheme will need to find a new mechanism to transfer EU (and UK) personal data across borders. If using SCCs, be sure to add a clause requiring the appointment of Representatives in the EU and/or UK if the data recipient has no locations there.
| Controller/processor location | Sell to/monitor UK only: during transition | Sell to/monitor UK only: after transition | Sell to/monitor (non-UK) EU only: during transition | Sell to/monitor (non-UK) EU only: after transition | Sell to/monitor UK and rest of EU: during transition | Sell to/monitor UK and rest of EU: after transition |
|---|---|---|---|---|---|---|
| UK only (or UK and rest of world) | None | None | None | EU Representative required | None | EU Representative required |
| EU only (or EU and rest of world) | None | UK Representative required | None | None | None | UK Representative required |
| Rest of world only | EU Representative required | UK Representative required | EU Representative required | EU Representative required | EU Representative required | EU & UK Representatives required |
| UK and EU (or UK, EU, and rest of world) | None | None | None | None | None | None |
Tim Bell, Founder and Managing Director, DataRep
1. Available at: https://ico.org.uk/for-organisations/data-protection-at-the-end-of-the-transition-period/data-protection-at-the-end-of-the-transition-period/
2. Available at: https://ico.org.uk/for-organisations/data-protection-at-the-end-of-the-transition-period/data-protection-at-the-end-of-the-transition-period/the-gdpr/european-representatives/