How does Brexit affect GDPR: What should UK companies consider?
24 Jan 2020 // In the press
Alexander Egerton considers the effects Brexit will have on GDPR.
With all the media coverage of Brexit, perhaps insufficient exposure has been given to personal data and privacy law. Given how data-centric business is increasingly becoming, and the media coverage afforded to GDPR, that is surprising. This article looks at the most important change, namely the requirement to have representatives, and then considers the post-Brexit rules on international data transfers.
We now know that the UK will leave the EU at 11pm on 31 January and the single market on 31 December 2020. This certainty allows us to finally clarify how Brexit affects GDPR.
EEA representation for controllers: UK-based organisations which do not have a branch, office or other establishment in any other EU or EEA state, but which either offer goods or services to individuals in the EEA or monitor the behaviour of individuals located in the EEA, will need to comply with the EU GDPR regarding this processing even after the UK leaves the EU.
As the organisation will not be an EEA-based controller or processor after exit date, the EU GDPR requires that the organisation appoints a representative within the EEA. This representative will need to be set up in an EU or EEA state where some of the individuals whose personal data is being processed in this way are located.
The representative needs to be authorised, in writing, to act on the organisation’s behalf regarding its EU GDPR compliance, and to deal with any supervisory authorities or data subjects in this respect.
The representative may be an individual, or a company or organisation established in the EEA, and must be able to represent the organisation in respect of its obligations under the EU GDPR (e.g. a law firm, consultancy or private company).
The organisation should provide EEA-based individuals whose personal data it is processing with the details of the representative. This may be done by including these details in the privacy notice or in the upfront information provided to individuals when their data is collected. The organisation must also make the details easily accessible to supervisory authorities, for example by publishing them on its website.
The appointment of the representative must be in writing.
If an organisation has to appoint an EEA representative it will have to also replicate the GDPR requirement to appoint a Data Protection Officer (or document why this appointment was not necessary) and to nominate a lead supervisory data protection authority in the EU.
UK representation for controllers: The UK government will replicate the GDPR’s requirement for controllers based outside the EEA to designate an EEA representative. The UK government intends that after the UK exits the EU, the UK version of the GDPR will require a controller or processor located outside the UK, but which must still comply with the UK GDPR, to appoint a UK representative. The requirements for this appointment will be identical to those for the EEA representative.
The GDPR restricts the transfer of personal data to countries outside the EEA. These restrictions apply to all transfers, no matter the size of the transfer or how often transfers are carried out. As the recipient country will not replicate the requirements of the GDPR, any such transfer can only lawfully proceed if the transferring company is confident that the data subject has consented, or that the privacy laws of the recipient country, although not replicating the GDPR (in the absence of adequacy), are robust. Data transfer rules are beyond the scope of this article, but there are established procedures that can be used. Some of these (e.g. Standard Contractual Clauses) are subject to challenge, so advice must be sought.
The data transfer rules only apply if the receiver is a separate organisation or individual. This includes transfers to another company within the same corporate group. However, if you are sending personal data to someone employed by you or by your company, this is not a restricted transfer. The transfer restrictions only apply if you are sending personal data outside your organisation.
For UK companies transferring personal data outside the EEA: these companies will experience no change, as the UK transfer rules will mirror the current GDPR rules. The UK government has confirmed that it intends to recognise existing EU adequacy decisions.
‘Adequacy’ is the status given to countries outside the EU whose data protection measures are deemed essentially equivalent to European standards, and which can therefore enjoy an uninterrupted flow of personal data with the EU. As at February 2019 the Commission has made a full finding of adequacy for: Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. The Commission has made partial findings of adequacy for Japan, Canada and the USA.
For UK companies receiving personal data from the EEA: there will be no change during the transition period. Although it is the ambition of the UK and the EU to eventually establish an adequacy agreement, this won’t happen immediately in 2021. After the transition period has ended (31 December 2020), and until an adequacy decision is in place, businesses will need a specific legal transfer arrangement for transfers of personal data from the EEA to the UK, such as Standard Contractual Clauses. Organisations in the UK that rely on data transfers from the EU should work with their EU counterparts to make sure alternative mechanisms for transfers (such as Standard Contractual Clauses) are in place. Each EU member state will have to provide its own rules for transferring data to the UK.
In summary, the UK faces the prospect of being regarded as a third country following the end of the transition period – i.e. when the UK exits the EU and the single market. As a result, the transfer of personal data from organisations within the EU to organisations in the UK will be subject to the strict data transfer rules set out by the GDPR. EU organisations will have to ensure their transfers to the UK are lawful, and that’s not going to be as simple as it is now.
For UK companies transferring personal data to the EEA: The UK will “transitionally recognise” all EEA countries (and Gibraltar) as providing an adequate level of protection for personal data, allowing organisations to transfer data freely.
If a UK organisation sends data to the US it must ensure that the US recipient has updated its privacy notice to expressly include data sent from the UK.
Despite Brexit, the GDPR will still have an impact on UK privacy laws. This demonstrates the reach of this EU Regulation beyond the EU. International companies across the globe with any EU citizens as customers will need to be aware of their new legal obligations and comply to avoid fines. With the high level of international business involving the EU, the GDPR may influence stronger data protection procedures around the world. That is the position for all third countries, but the GDPR’s reach will be stronger in the UK, as the UK is committed to replicating the GDPR. The volume of data transfers from the EU to the UK means that the UK cannot gamble with any future adequacy status conferred by the EU.