One of the biggest impacts which Brexit may have on UK organisations from an operational point of view, is on their ability to continue to process personal data about European Union (EU) citizens once the UK leaves the EU. This is the second of two briefings in which we continue to explore the implications of Brexit for UK organisations which process personal data, and their ongoing compliance with data protection law.
In this briefing, we consider how UK businesses conducting cross-border trading in the EU will be affected by the General Data Protection Regulation (2016/679) (GDPR) as it applies in the EU (and the EEA, by virtue of incorporation of GDPR into the EEA Agreement), when the UK becomes a third country following Brexit and, in particular, how they will need to:
- adjust to having a new data protection regulator in place of the ICO (in respect of their EU activities); and
- appoint a representative in the EU.
The first point will not come as a surprise – businesses trading overseas, particularly when consumer facing, regularly need to decide how far to mould their trading operations around complying with local law to the letter, or whether to take the risk of a "one size fits all" approach; that is already the position under GDPR, which permits Member State derogations. The second point will be new to UK businesses. In this briefing, we aim not only to inform you of the issues, but also to draw your attention to the practical steps you should think about now.
As we saw in our first briefing, upon Brexit, GDPR will continue to apply in the UK to the processing of personal data about UK data subjects. But following B(rexit)-Day, the UK will cease to be a member of the EU, and it will become a "third country" (i.e. a country outside of the European Economic Area) for EU purposes. As such, how UK businesses have to comply with GDPR as it applies in the EU raises issues which are additional to those faced in complying with GDPR as it is applied in the UK.
Following B-Day, in addition to complying with GDPR in domestic law, UK businesses will need to comply with GDPR as it applies in the EU, if:
- they have an establishment within the EU and process personal data in the context of the activities of that establishment; or
- without having an establishment in the EU, they process personal data of data subjects who are in the EU and the processing activities are related to:
  - the offering of goods or services to such data subjects in the Union; or
  - the monitoring of their behaviour (as far as their behaviour takes place within the EU).
Of course UK businesses trading in other Member States already need to comply with GDPR as interpreted under two (or more) separate systems of law, as GDPR allows local derogations in Member States, and variances will exist. However, the UK has traditionally adopted a high standard of data protection in comparison to other Member States. So in practice, there may not be many instances where UK businesses will need to adapt their operations to be in line with different data protection standards in the EU. Therefore this shouldn't, in theory, be a major problem.
No more "One Stop Shop"?
However, Brexit has thrown a spanner in the works when it comes to coordinating EU operations via the "one stop shop" (OSS) principle, which would normally have been a handy way of dealing with divergences in approach to data protection amongst the Member States.
Currently under the GDPR, UK businesses can benefit from the OSS principle, which allows a single data protection authority (usually the ICO for UK businesses) to be designated as the lead supervisory authority (LSA) for organisations, provided that they can demonstrate that they have a "main establishment" (or "single establishment") in that jurisdiction (see box below for further details). The LSA for a business becomes the sole interlocutor for cross-border processing issues.
UK businesses that currently benefit from this mechanism are able to use their LSA to coordinate actions and complaints regarding cross-border processing (e.g. a complaint originating in France or Germany), with the help of other "concerned DPAs" (i.e. other data protection authorities in Member States affected by the processing).
The difficulty for many UK businesses is that, following B-Day when the UK becomes a third country, the ICO can no longer be the LSA. It follows that unless UK businesses can demonstrate otherwise or structure their operations accordingly, their main establishment (as defined in the GDPR and explained in European Data Protection Board (EDPB) guidelines) will be in the UK, not in the EU. Therefore, they will no longer be able to benefit from having an LSA in the EU or from the OSS principle in general. Instead they will have to deal with the supervisory authorities in each relevant Member State.
Unfortunately, without an establishment which can clearly be shown to be a "main" or "single" establishment, or indeed without any physical presence in the EU, businesses must deal with each supervisory authority in each Member State in which they are active, so it would be prudent to ensure you are familiar with the reach of your operations from a GDPR perspective.
Representatives of controllers and processors based in "third countries"
Even if a UK business has no establishment within the EU, the GDPR can still, in the instances set out at the beginning of this briefing, apply. However, a new requirement for such businesses (and indeed any business outside the EU to which GDPR applies by virtue of its extra-territorial effect and which to date has relied on an EU representative based in the UK) is that they will have to appoint a representative in the EU, established in one of the Member States where the data subjects concerned are (subject to the limited exemptions in Article 27(2) GDPR for occasional, low-risk processing and for public bodies).
The representative will be the primary point of contact through which the UK business cooperates and communicates with supervisory authorities and data subjects on issues of data processing, for the purpose of ensuring compliance with the organisation's obligations under the GDPR. The representative must be authorised by the business to be addressed in addition to, or instead of, that business. Consequently, you should only appoint someone you would trust to pass on communications to you promptly – traditionally businesses have appointed a fellow group company in comparable situations, but this won't be feasible for everyone.
Failure to appoint a representative pursuant to GDPR could result in a fine up to the greater of €10 million or 2% of global turnover, so this should definitely make it onto the list of Brexit action points for UK businesses.
So, what should you do to prepare?
UK businesses to which the GDPR applies should consider the following steps in preparation for Brexit:
- Check for material variances in interpretation of the GDPR in those Member States where your data subjects reside (for example, variances in data breach notification requirements or requirements to appoint a data protection officer), to avoid the risk of falling foul of EU practices or interpretations which differ from those of the UK. Any such variances should be worked into a business' internal response and privacy policies.
- Consider if you are still able to benefit from the OSS principle/consider whether this is something which is particularly desirable for your business. If it is, and to the extent that you are able to influence the situation, do you have a particular LSA in mind? In order to benefit, you'll need to show that you have a "main" or "single" establishment in the particular Member State of the LSA. See box for further details.
- Appoint an EU representative if you do not have an establishment in the EU – and update your privacy policies/data collection notices with this information.
WHAT IS THE MAIN OR SINGLE ESTABLISHMENT?
According to Article 29 Working Party guidance (endorsed by its successor, the EDPB), the "main" or "single" establishment of a business will generally be its place of central administration, which is the place where decisions about the purposes and means of personal data processing are taken.
For many UK businesses this would have been based in the UK, but if you are part of a wider corporate group, it may well be that you have operations or group companies within Europe which would fulfil this criterion; or, if the matter is particularly important for you, that you could restructure your businesses to achieve this. According to the guidance, in borderline cases where it is difficult to determine the main establishment, it is important to ensure that the entity in question:
- has authority to implement decisions about processing personal data;
- can assume liability for the processing; and (perhaps most significantly)
- has sufficient assets to meet the (now hefty) potential sanctions.
Be prepared to substantiate your decision with appropriate evidence, as in cases where no real exercise of management activity or decision making takes place at the main establishment, the relevant supervisory authorities (or ultimately the EDPB) can make the decision for you.