Brexit has been a curious mixture of simple messages and complex legal effects. Today – writing around 7 months after Brexit and 4 months before the Brexit transition ends – there remain a number of problems with the UK and EU’s attempts to marry the two into a satisfactory ongoing relationship.
On its face, GDPR appears to be one of the easier parts of this post-Brexit regulatory framework – the EU keeps GDPR, and the UK has already incorporated it – almost-identically – into their law. However, there are two main changes which are important to recognise and prepare for, not only for UK and EU-based companies, but also for other companies which trade with either or both jurisdictions.
The change which achieves the most attention relates to cross-border transfers of data, which is already a hot topic following the Schrems-instigated fall of Privacy Shield and the issues which that has caused for thousands of US-based businesses. After Brexit, the UK will be considered a ‘third country’ by GDPR and, if the UK is not granted adequacy status under GDPR (a finding from the EU that the UK’s privacy protections are roughly similar to the EU’s, which is far from a simple matter due to surveillance powers retained by the UK government), companies which wish to transfer EU personal data to the UK would need to ensure that a GDPR-approved mechanism is used (standard contractual clauses being the most-likely).
The EU Representative – GDPR Article 27
Under GDPR Article 27, a company which is impacted by GDPR is required to appoint an EU-located Representative if it has no establishment in the EU. The definition of establishment is wide (it need not be an incorporated subsidiary or similar legal form) but, without such EU-based location, a company is obliged to appoint a Representative in most cases (the exemption for ‘occasional processing’ is carefully constrained, and the remaining exemptions are mostly relevant to public bodies only).
This ‘hidden obligation’, as we dubbed it prior to GDPR becoming enforceable, remains little-known. We believe this is mostly because large global companies have an EU establishment and don’t need a Representative, and the articles which smaller companies found on Google to assist their GDPR preparations generally don’t mention this requirement, because they were mostly written by EU-based lawyers for the EU-based companies they act for. As a result, many companies worldwide – where they sell globally but have no business case for an expensive European office – have not come across this obligation unless they’ve invested in a good lawyer or privacy consultant to take them through the GDPR process. It isn’t even addressed by the majority of the privacy technology platforms which are now available to assist companies with the various privacy laws.
Now – following Brexit – the situation becomes more complicated. Many companies, particularly those headquartered in English-speaking countries, may have previously avoided the Representative requirement because they have a UK office; that will no longer be sufficient, as the UK office will not be an EU establishment, so it will not prevent them from the obligation to appoint a Representative in the EU (although they would likely avoid the need for one in the UK, see later).
Whilst this will affect a significant number of companies, this will surprise UK companies more than most, as they probably would have never considered the question of a Representative before, having been based in the EU during the period they were gearing up for GDPR to come into force. All these UK companies which have enjoyed the ability to trade with the EU without restriction or tariff, will now find that – if they wish to continue doing so – they will need to appoint an EU Representative.
For reference, much of the operational detail of the requirements for an EU Representative is set out in European Data Protection Board guidelines 03/2018, which stipulate that the EU Representative:
- Should be established (i.e. have a location) in the EU country where the data controller/processor has the largest number of data subjects
- Should be easily available to data subjects in other EU countries (this may mean a requirement to appoint a Representative with locations in many countries, or a number of separate national/regional Representatives)
- Must not be the company appointed as DPO (if an external DPO appointment has been made)
The UK Representative – Data Protection Act 2018 (as amended)
The changes to the EU Representative aren’t the only part of the story though; the manner in which the UK has incorporated GDPR into UK law as ‘UK GDPR’ will, after post-Brexit amendments , create the new role of UK Representative.
In a similar manner to the GDPR obligation, a UK Representative must be appointed by a company which sells to the UK (or monitors people there) but has no UK location.
This means that EU companies without UK offices – which have also been comfortable to ignore the GDPR Representative obligation to date (and are likely not aware of it, given it’s irrelevance to EU-based entities) – will also need to make a UK Representative appointment if they wish to continue selling to the UK. This will come as a surprise to many of these companies, and for some of them (particularly those with more-onerous Brexit preparations to undertake relating to the movement of physical products between the EU and UK) they may not even become aware until after the obligation has arisen and they find themselves in breach of the UK law. That surprise will be compounded by the fact that the UK Information Commissioner’s Office, whilst making efforts to advise UK companies of the need for an EU Representative, are seemingly doing very little to spread the word about the UK Representative role (which they will be enforcing) to the non-UK companies which will be impacted by it.
For companies entirely outside of the (pre-Brexit) EU which, until now, have only needed an EU Representative, they will suddenly find that they need both their existing EU Representative, and now an additional UK Representative as well, if they wish to trade with both jurisdictions. There is a strong argument (both in terms of cost and convenience) for appointing a single company which can act as Representative across the EU and UK – DataRep provides combined EU & UK appointments to deliver convenience and value for our clients, and is the only Representative with a network of contact locations in all 27 EU countries and the UK, ensuring our clients have their Representative established in all EU countries where their data subjects are based, so they meet the EDPB guidelines.
A quick reference table is included below with the details of how the Representative requirement changes after the Brexit transition period ends and the UK has completed its “conscious uncoupling” from the EU.
In summary – if you’re required to be compliant with GDPR but don’t have an office in the EU, or if you’re required to be compliant with UK GDPR and don’t have an office in the UK – or both – you will need a Representative… or more than one!