Written by Tim Bell, Founder and Managing Director of DataRep.
What we know so far
- UK GDPR places almost exactly the same requirements on data processing as EU GDPR does, both for companies established in the UK and for those outside it that are caught by its extra-territorial reach
- Data transfers from the UK to the EU remain unaffected: the UK treats the EU as adequate, so no additional safeguards are necessary
- Data transfers from the EU to the UK can continue without additional safeguards for 4 (+2) months from the end of the Brexit transition period. UK-based companies receiving EU personal data should nonetheless decide now which alternative mechanism they would put in place if adequacy is not granted to the UK by the end of that period, so they are not forced to do so urgently
- Companies may need to appoint a Representative in the EU and/or UK, if they process the personal data of individuals in those jurisdictions and have no establishment there
Brexit has been causing headaches for businesses since 2016, when the people of the UK voted for it. Among the many issues it has raised is how GDPR will apply after the UK has left the EU, and questions have arisen on many aspects of this:
- Will a UK company still have to follow GDPR after Brexit?
- To what standard will non-UK companies have to protect UK personal data after Brexit?
- How does this affect personal data transfers between the EU and UK, and the UK and the rest of the world?
- If non-EU companies need to appoint an EU Representative under GDPR, will non-UK companies have to appoint a UK Representative after Brexit?
- Will UK law diverge from that in the EU over time?
The detail is set out below, but the quick answers are: yes (UK companies will still have to follow GDPR after Brexit); largely the same protections will exist for UK personal data after Brexit (including for non-UK companies); transfers from the UK to the EU are unaffected, while transfers from the EU to the UK depend on the outcome of the EU's adequacy assessment; yes (non-UK companies may have to appoint a UK Representative); and maybe (UK law might diverge from the EU over time).
Will a UK company still have to follow GDPR after Brexit?
I should start by clarifying the initial ‘yes’ answer to this question. Strictly, the EU GDPR no longer protects the personal data of UK-based individuals, because the post-Brexit UK is outside its territorial scope. However, before Brexit the GDPR applied directly in the UK (supplemented by the Data Protection Act 2018); on exit it was retained as domestic law under the European Union (Withdrawal) Act 2018 and amended to work for a UK separate from the EU by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, themselves amended in 2020. The result is referred to as the UK GDPR.
So, although EU GDPR no longer protects UK personal data, the UK has an almost identical set of obligations in place for handling UK data.
It’s also worth noting that a UK company will still need to observe the requirements of EU GDPR if its processing of EU personal data is caught by the extra-territorial reach of EU GDPR (i.e. if it offers goods and/or services to individuals in the EU, or monitors their behaviour there; EU GDPR Article 3(2)). Which brings us on to the next question…
To what standard will non-UK companies have to protect UK personal data after Brexit?
Which rules apply to companies outside the UK when they process the personal data of UK-based individuals?
In short, the UK GDPR has the same extra-territorial reach as EU GDPR: if a company offers goods and/or services to individuals in the UK, or monitors their behaviour there, it is required to meet UK GDPR standards in the handling of the UK personal data processed as a result (UK GDPR Article 3(2)).
For companies in the EU which already process UK personal data in this way, the operational handling of that data may not need to change significantly, and the same should be true of companies outside Europe (although their Representative obligations may change; see below). They were obliged to process UK personal data in line with EU GDPR before Brexit, and continue to be bound by the almost identical obligations of UK GDPR after it.
How does this affect personal data transfers between the EU and UK, and the UK and the rest of the world?
This is the area where the most change may be needed, although a full answer has been deferred for up to six months, until the end of June 2021.
Essentially, the issue is around whether the EU deems that the UK is protecting personal data in line with the requirements of EU GDPR, so that the EU doesn’t expect any additional safeguards to be put in place when EU personal data is sent to the UK.
Because the UK GDPR is almost the same as the EU GDPR, the automatic assumption would be that the protections of personal data are the same in both jurisdictions. However, that fails to take into account either legal interpretation or enforcement issues, which will also be considered by the EU when taking a decision on this point.
The UK is now a ‘third country’ for the purposes of EU GDPR, meaning that transfers of EU personal data to the UK must use one of the recognised transfer mechanisms in Chapter V of EU GDPR. The easiest mechanism, and the one the UK hopes will be agreed, is an adequacy decision: a finding by the European Commission that the third country’s data protection regime provides a level of protection essentially equivalent to that in the EU. Once a country has an adequacy finding, no additional protection needs to be added when transferring EU personal data to it, making such transfers as easy as transfers between EU member states.
There was not enough time before the end of the Brexit transition period for the EU to fully assess whether the UK is adequate, and so the UK has not been granted this status. However, in recognition of the UK’s position as a former EU member (whose data processing had therefore been assumed adequate), and to prevent a ‘cliff-edge’ scenario for the businesses that would be affected, the EU-UK Trade and Cooperation Agreement allows EU personal data to continue flowing to the UK without additional safeguards for 4 months, with the possibility (and likelihood) of a further 2-month extension (i.e. potentially until the end of June 2021), to enable the adequacy assessment to be completed.
It should be noted that this adequacy issue only arises in the EU to UK direction; the UK has already recognised the EU as adequate under UK GDPR, and also the countries which the EU has deemed adequate. This means that UK personal data can continue to flow to the EU without additional protections being necessary.
A detailed consideration of the likelihood of this process resulting in a UK adequacy finding is (fortunately) outside the scope of this article, but I’ve quickly summarised the main pros and cons below:
- Pros for UK receiving an adequacy status:
- The provisions of GDPR are almost completely incorporated into UK law, which theoretically means that the UK will continue to apply the same rights and protections as before.
- The UK’s supervisory authority, the Information Commissioner’s Office (ICO), despite receiving a degree of criticism, is among the best-funded data protection authorities in Europe, and has taken some high-profile enforcement actions, albeit that the largest fines it announced were substantially reduced on negotiation with the offending parties.
- Cons for UK receiving an adequacy status:
- The UK is now able to depart legislatively from GDPR, and other EU laws, as it chooses. Also, the decisions of UK courts will no longer be constrained by the precedents of the European Court of Justice, and can be made in line with their own interpretation of the UK GDPR (although it’s anticipated that ECJ rulings will remain persuasive). As the UK moves incrementally away from GDPR in their rules and interpretations, this could lead to a gap which eventually causes the EU to believe the UK no longer protects EU personal data to the same level as the EU.
- Surveillance undertaken, or permitted, by the UK (for example under the Investigatory Powers Act 2016, dubbed the ‘snoopers’ charter’), and the sharing of surveillance data with other countries (notably via the ‘Five Eyes’ arrangement between the UK, USA, Canada, Australia and New Zealand), is a big potential stumbling block for an adequacy finding. This had been largely overlooked by the EU while the UK remained part of the club, but will unavoidably be considered in more detail as part of the adequacy assessment.
If the UK is not granted adequacy status at the end of this process, companies that wish to send EU personal data to the UK will need to use one of the other mechanisms, most likely the standard contractual clauses (SCCs). These standard contracts, issued by the European Commission, put protections in place between the data exporter and data importer, so that the (inadequate) protections of the data importer’s country are reinforced by contract. The SCCs are currently being updated (a consultation on the proposed new SCCs has now ended), but whatever their final form, using them is likely to require a transfer impact assessment following the Schrems II ruling (CJEU, July 2020): among other things, whether local law in the importer’s country can override the SCCs, for example by allowing the importer’s government to compel disclosure of the data, and what supplementary measures (such as encryption to which the importer holds no key) would be needed if so.
Data transfers between the UK and the rest of the world remain subject to the same (UK GDPR) obligations as those between the EU and the rest of the world (under EU GDPR) – but enforcement and interpretation by the UK may change over time.
If non-EU companies need to appoint an EU Representative under GDPR, will non-UK companies have to appoint a UK Representative after Brexit?
In short, yes.
The UK GDPR includes the same Article 27 as EU GDPR, which requires a company based outside the EU (and caught by GDPR’s extra-territorial reach) to appoint a Representative in the EU to act as its European privacy contact, subject only to the limited exemptions in Article 27(2) (occasional, low-risk processing, and public authorities). Reworded to replace “EU” with “UK”, the UK GDPR requires a company based outside the UK to appoint a UK Representative.
This means that companies without an establishment in either jurisdiction will need to appoint a Representative in both. This group is actually likely to be least-surprised by this change, as they will have already had the obligation under EU GDPR to appoint a Representative in the EU; they will either be covered by their Representative already (if their Representative has establishments in both the EU and UK), or will need to appoint a Representative in the jurisdiction where they no-longer have representation (e.g. if their existing Representative is in one of the remaining 27 EU countries, they will need to appoint a new one in the UK).
This will be a much larger surprise for companies in the EU and UK, as they will never have had to deal with this GDPR obligation before – and will likely never have even heard of it! Because the Representative obligation has, pre-Brexit, only applied to non-EU companies, it has simply never been part of the GDPR conversation in the EU (and therefore UK) until now. EU-based companies – who, to be fair, have been told in broad terms that the UK’s GDPR position remains the same – seem to be having a particularly hard time hearing this message.
The European Data Protection Board’s Guidelines 3/2018 on the territorial scope of the GDPR require the EU Representative to be established in one of the EU countries where the appointing controller/processor’s data subjects are located (the EDPB recommends the country where a significant proportion of them are), and also that data subjects in other EU countries should have easy access to the Representative, meaning it may be necessary to appoint a Representative with multiple locations (or multiple Representatives) if your data subjects are spread across the EU. This doesn’t apply to the UK Representative, which can be located anywhere in the UK. The guidelines also state that the role of Representative is not compatible with that of DPO, so the same provider should not be appointed as both Representative and external DPO for the same company.
Please note that the adequacy decision (or not) has no bearing on this requirement – companies in adequate countries are obliged to make this appointment the same as those who don’t have the benefit of an adequacy finding.
A table has been provided below with the details of how the Representative obligation has changed for companies, depending on where they have establishments. In summary, for a company caught by the extra-territorial reach of the GDPR in the jurisdiction where it has no establishment:
- Establishments in both the EU and the UK: no Representative needed before Brexit, and none needed after it.
- Establishment in the EU only: no Representative needed before Brexit; a UK Representative needed after it.
- Establishment in the UK only: no Representative needed before Brexit; an EU Representative needed after it.
- Establishment in neither: an EU Representative needed before Brexit; both an EU and a UK Representative needed after it.
Will UK law diverge from that in the EU over time?
It’s impossible to say with any degree of certainty, but it appears likely that the UK will diverge from the EU to some extent. The biggest driver of change is likely to be the interpretation of the rules by the UK supervisory authority – the Information Commissioner’s Office (ICO) – and the UK courts. Although these bodies may continue to view the EU’s approach as persuasive, and maintaining (or chasing) an adequacy finding will be part of the decision-making for the ICO, the courts will follow the legal precedents of their own jurisdictions, which will almost-certainly start to develop differences post-Brexit.
What effect will that have? Only time will tell…
Tim Bell is the Founder and Managing Director of DataRep, a leading provider of EU and UK Representative services, via their unique network of contact locations in each of the 27 EU member states, Norway and Iceland in the EEA, and the UK, enabling them to represent clients regardless of where their data subjects are based.