UK: Brexit has transitioned – what next for GDPR, data transfers, EU Representatives?
Back in September 2020, prior to the end of the Brexit transition period and the conclusion of the EU-UK Trade and Cooperation Agreement ('TCA'), Tim Bell, Founder and Managing Director of DataRep, provided us with insight on the impact of Brexit, Schrems II and EU Representatives inside and outside of the UK in his previous article. With the transition period now behind us and the data protection provisions of the TCA now revealed, Tim sets out the legal consequences of Brexit, addressing key issues such as the applicability of EU law, data transfers, adequacy and the requirement for UK-based controllers to appoint an EU Representative and vice versa.
- There is no need for additional measures in respect of the transfer of UK personal data to the EU
- For the next four (plus two) months, there is no need for additional measures in respect of the transfer of EU personal data to the UK – but that may change at the end of that six-month adequacy extension
- Companies which no longer have an establishment in the EU (e.g. because their European office is in the UK) and process EU personal data, or who have no establishment in the UK and process UK personal data, will likely need to appoint a Representative in the jurisdiction(s) where they have no establishment
Brexit has been one of those major events which has impacted almost every company in the UK, and also many others around the world if they trade with the UK. That is something it has in common with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), which also impacted every UK company as a then-member of the EU, and also those companies outside the EU and UK which trade with them.
Fortunately, the UK had almost-completely incorporated the GDPR into its own law ('the UK GDPR' under the Data Protection Act 2018, as amended by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) so, even though the GDPR doesn't apply in the UK any more, the rules which UK businesses (and non-UK businesses processing UK personal data) apply to the processing of personal data have changed very little after Brexit. UK-based data subjects continue to enjoy the benefit of the protections offered by the GDPR, and UK companies continue to be obliged to apply GDPR-equivalent obligations to their processing of personal data.
However, there have been a couple of changes which are worth noting, both for UK companies and those outside the UK – even companies in the EU. The two key changes concern data transfers (where the change has been deferred for six months) and the need to appoint a Representative in the UK and/or the EU.
Data transfers between the EU and UK
In respect of data transfers, this is only a change in one direction – the UK has already recognised the EU as adequate in its data processing, so UK personal data can continue to pass to the EU in the same manner as it did when the UK was an EU member state. More problematic, and still unclear in the long term, is whether the EU will find the UK adequate so that EU data can flow in the other direction to the UK without the use of an additional mechanism (such as standard contractual clauses ('SCCs')).
The TCA established between the EU and UK in the final days of 2020 included a provision which effectively extends an adequacy finding to the UK – but only for six months. The actual duration of this adequacy extension is four months, extendable by a further two months, but – even though I have largely given up predicting the timetables of Brexit – I think it likely that the full six-month period will be needed, or at least preferred.
During this period the UK will make its submissions to the EU Commission that it will – post-Brexit – continue to expect a GDPR-equivalent level of protection to the EU personal data it receives, to give assurance that there is no need for further protections such as SCCs.
A detailed consideration of the likelihood of this process resulting in a UK adequacy finding is (fortunately) outside the scope of this article, but the main pros and cons are briefly summarised below:
- Pros for the UK receiving adequacy status:
  - The provisions of the GDPR are almost completely incorporated into UK law, which theoretically means that the UK will continue to apply the same rights and protections as before.
  - The UK's supervisory authority, the Information Commissioner's Office (ICO), despite receiving a degree of criticism, is among the best-funded of the EU's data protection authorities, and has made some high-profile enforcement actions, albeit that the largest fines issued have been slashed on negotiation with the offending parties.
- Cons for the UK receiving adequacy status:
  - The UK is now able to depart legislatively from the GDPR, and other EU laws, as it chooses. Also, the decisions of UK courts will no longer be constrained by the findings of the Court of Justice of the European Union ('CJEU'), and can be made in line with their own interpretation of the UK GDPR (although it is anticipated that CJEU rulings will remain persuasive). As the UK moves incrementally away from the GDPR in its rules and interpretations, this could lead to a gap which eventually causes the EU to believe the UK no longer protects EU personal data to the same level as the EU.
  - Surveillance undertaken, or permitted, by the UK (for example under the Investigatory Powers Act 2016, dubbed the 'Snoopers' Charter'), and the sharing of surveillance data with other countries (notably via the 'Five Eyes' agreement between the UK, USA, Canada, Australia and New Zealand), is a big potential stumbling block for an adequacy finding. This had been largely overlooked by the EU while the UK remained part of the club, but would unavoidably be considered in more detail as part of an adequacy assessment process.
So – for the moment – nothing has changed in this area, but it would make sense at this stage for companies to consider what they would do if the UK isn't found to be adequate in the long-term, and additional mechanisms are required to transfer EU data to the UK.
The EU and UK Representative
The change which has happened at the end of the Brexit transition period, and which will not be impacted by a finding of adequacy or otherwise, is the need for data controllers and processors to appoint a Representative in the jurisdictions where they no longer have an establishment.
This requirement under Article 27 of the GDPR created an obligation on any data controller/processor without an EU establishment to appoint a Representative in the EU. The Representative is effectively the privacy 'face' of that entity in the EU; operationally it receives communications from data subjects (e.g. data subject access requests ('DSARs')) and from EU supervisory authorities, and holds a copy of the records of processing activities (under Article 30 of the GDPR) and makes these available to the authorities on request. In addition, the Representative acts as a secondary point of liability for the unpaid GDPR fines of its clients.
When the UK updated the UK GDPR post-Brexit, it created a similar role for data controllers/processors without a UK establishment – essentially, companies which have no UK presence but which process UK personal data as a result of providing goods and/or services to the UK, or monitoring individuals in the UK, will be required to appoint a UK Representative.
Overall, that appears relatively simple. However, the Representative has always been the unloved child of GDPR, and – two and a half years after the GDPR became enforceable in 2018 – it remains one of the lesser-known GDPR obligations.
The lack of knowledge of the Representative role is particularly pronounced in Europe, where it has simply never been a part of the conversation – EU companies haven't needed a Representative, so the (extensive) GDPR commentary has largely avoided referring to it in preference for more-pressing obligations like the data protection officer ('DPO'), privacy notices, Data Protection Impact Assessments etc.
However, many companies in the UK will now need an EU Representative if they wish to continue to process EU data, and many EU companies will need a UK Representative. Also, many companies outside the EU have a single location in Europe – whether that's in the EU or the UK – and they will now lack an establishment in the other jurisdiction, creating a new need to appoint a Representative.
For companies which now need an EU Representative, there are a few considerations about location(s) they need to bear in mind when making the appointment. The European Data Protection Board ('EDPB') Guidance 03/2018 confirms that the Representative should be established in the EU member state where they have the most data subjects, and also that data subjects in other member states should have 'easy access' to the Representative. The extent to which access must be eased is currently not part of this guidance, but we have generally considered this to require a Representative to have a location no further than a country neighbouring the data subject's home nation. As a result, data controllers/processors which have data subjects across the EU may need a Representative with many locations, or to separately appoint Representatives in different countries.
This location obligation is much simpler in the UK – anywhere in the UK is sufficient – but the other obligations in the EDPB guidance will apply, particularly that the Representative not be the same provider as the DPO, if an external DPO is used (this prevents a conflict of interest arising between the contractually-obliged role of Representative, and the independence required for a DPO).
Although there are a couple of exemptions to the Representative obligation, the only one which might apply for most data controllers/processors is the 'occasional' exemption – but this should be applied with care, as it is generally considered not to apply to companies which only occasionally process EU/UK personal data in a processing activity which is a usual part of their business. The current good-practice interpretation, in line with how 'occasional' is interpreted in respect of the DPO obligation, is that 'occasional' processing occurs only where EU (or UK, as appropriate) personal data is processed in a manner which is outside the usual course of business for that data controller/processor.
Once one or more Representatives have been appointed, their contact details should be added to the controller/processor's privacy notice, so that the data subjects in those jurisdictions can contact the Representative. Unless exempt from the obligation to prepare records of processing activities under Article 30 of the GDPR, these should also be updated to include the Representative(s), and a copy provided to those Representatives.
A summary of the position for companies in the EU, UK or rest of the world is set out below:
Required actions for UK/EU controllers and processors
- Data controllers and/or processors:
  - with no EU establishment, which provide goods and/or services to the EU or monitor individuals there, must appoint an EU Representative (and add the details to their privacy notice/records of processing activities)
  - with no UK establishment, which provide goods and/or services to the UK or monitor individuals there, must appoint a UK Representative (and add the details to their privacy notice/records of processing activities)
  - which transfer EU personal data to the UK (regardless of where that controller/processor is based) should consider what mechanism they will use to achieve this, if the UK has not been granted adequacy status at the end of the temporary UK adequacy extension (4+2 months from 1 January 2021)
Tim Bell, Managing Director