The Role of a Representative under EU and UK GDPR after Brexit
1. Trade and Cooperation Agreement
Up until the end of the transition period on 31 December 2020, the obligation to appoint a representative for privacy related matters was only relevant for companies in the European Union (including the United Kingdom) when it came to vendor due diligence of companies without an establishment in the EU. Now that the United Kingdom has left the European Union, they form two separate markets with different regulatory and legal provisions. Since the GDPR is an EU regulation, it will generally no longer be applicable in the UK after Brexit. However, the UK government has incorporated the GDPR into UK data protection law. So, from 1 January 2021 onwards, the UK version of the GDPR (“UK GDPR”) is effective and companies must comply with it. The good news is that the deviations the UK GDPR makes from the EU version mainly pertain to its application to the UK only, rather than altering a company’s obligations. Therefore, the practical impact is minimal: companies already complying with the GDPR before 1 January 2021 will still comply with the EU and UK GDPR after the end of the transition period, except for the following:
There are two big implications of Brexit on compliance with data protection regulations:
- the obligation to appoint a representative in the EU, the UK, or both; and
- the data flow between the EU and the UK, which is subject to the Trade and Cooperation Agreement (“TCA”), agreed on in December 2020 by both the EU and the UK.
We discuss those as well as other privacy related implications of Brexit here.
The obligation to appoint a representative
To put the following into context, let us take a brief look at the obligation under Art. 27 GDPR and its implications pre-Brexit. Art. 27 GDPR obliges companies based outside the EU to appoint a European representative if they are processing personal data of European individuals that relates to offering goods or services to, or monitoring the behaviour of, individuals in the EU. The role of the representative is to act as a contact point to local data protection authorities as well as individuals. As EU based companies were not affected by this obligation, unsurprisingly it was not too prominent within the EU. However, this “hidden obligation” went from zero to a hundred with the UK implementing their own version of the GDPR, which provides for the same obligation in a UK-only-context. From an outside perspective, this means that there are two legal provisions now which could oblige companies to appoint a representative in either the EU, the UK, or even both. The implications should be considered by most companies, no matter if they are based in the EU, the UK, or elsewhere.
Art. 27 UK GDPR corresponds with Art. 27 EU GDPR and therefore both provisions oblige companies in the same way to appoint a representative if they:
- offer goods or services to individuals; or
- monitor the behaviour of individuals.
What “offering of goods and services” means is subject to the EDPB’s guidelines on the territorial scope of the GDPR (Guideline 3/2018). Even though these guidelines will no longer be directly relevant to UK law, the ICO has stated that they still provide helpful guidance when dealing with specific issues. Hence, when determining the territorial scope of the GDPR, the EDPB guidelines can help, as long as the UK government does not adopt new regulations concerning this topic or the ICO publishes a contradicting statement. According to the EDPB’s guidelines, different factors need to be considered when determining whether a company is offering its goods or services to individuals in a specific region. Some factors to be considered are:
- using languages spoken in a specific region or offering payments in the currency of that region;
- using Google or Facebook ads to address a market, or any other marketing activity directed towards customers in such market;
- mentioning references or testimonials relevant for a specific market;
- the activity at hand being of an international nature, such as certain tourist activities;
- mentioning local addresses or phone numbers to be reached by individuals in the same region;
- use of top-level domains in such market;
- offering the delivery of goods to individuals in the respective region.
Also, the interpretation of the criterion “monitoring an individual’s behaviour” is subject to Guideline 3/2018. Not all online collection or analysis of personal data of individuals in the EU qualifies as “monitoring”. Monitoring the behaviour of data subjects implies an intention to collect data for a specific purpose. Tracking individuals on the internet, including any subsequent use of profiling techniques, therefore qualifies as “monitoring”. According to the EDPB, monitoring may not only take place on the internet but also through wearables and other smart devices. Monitoring activities include:
- behavioural advertisement;
- geo-localisation activities, in particular for marketing purposes;
- personalised diet and health analytics services online;
- market surveys and other behavioural studies based on individual profiles;
- monitoring or regular reporting on an individual’s health status.
Any company conducting such activities should be aware of the implications. EU companies which until now never had to think about the need to appoint a representative should determine whether they are targeting UK individuals and hence need a UK representative. The same goes for UK companies: even though the EU GDPR’s provisions remain the same, UK companies which have no establishment within the European Union should assess whether they fall under the obligation to appoint a European representative under Art. 27 GDPR, now that the UK has become a “third country” from an EU perspective. Companies based outside the EU and the UK (which ideally were already aware of this obligation under the GDPR before Brexit) should carefully assess whether they need to appoint a UK representative under the new UK provisions. In order to comply with both EU law on the one hand and UK law on the other, they might need to appoint two representatives now. If they have already appointed a European representative but this representative does not have an establishment within the UK, the company needs to appoint an additional UK representative. The same applies to companies whose European representative was based in the UK and has no establishment within the EU: they might now have to appoint a European representative established in the EU. The most favourable option might be to appoint a representative who has establishments in both the EU and the UK. Please refer to our GDPR FAQ as well as our UK privacy FAQ for answers to all of your further questions regarding the representative obligation.
Implications of the “Brexit Deal” on data transfer
One of many burning questions relating to the UK leaving the EU was what effect it would have on data transfers from the EU to the UK and vice versa. While the UK declared that data transfers from the UK to the EU would be permitted, the EU held to its position that any data transfer from the EU to the UK would fall under the GDPR provisions regarding international data transfers. Nevertheless, the EU has started working on an adequacy decision, which would make transfers much easier by allowing data to flow without any additional safeguards being necessary. As the ruling of the European Court of Justice back in July 2020 (Schrems II) delayed the EU’s work on adopting an adequacy decision, and with the transition period coming to an end on 31 December 2020, it did not look all that bright for EU-UK data transfers. Fortunately, the emerging concerns were addressed by the TCA, which provides for a maximum “bridging period” of six months, allowing the EU more time to reach its adequacy decision. During this bridging period data can be transferred as usual. However, it is not certain whether an adequacy decision will be adopted or not. Companies that are transferring data from the EU to the UK should therefore already put in place alternative safeguards before the end of the bridging period.
The Withdrawal Agreement also covers “legacy data”, meaning personal data that was either:
- acquired before the end of the transition period and processed under the EU GDPR; or
- processed based on the Withdrawal Agreement.
Legacy data will continue to be subject to the EU GDPR (also called the “frozen GDPR”). The ICO therefore recommends that businesses identify which data was gathered before the end of the transition period. Since UK data protection law currently aligns with the frozen GDPR, in practice businesses may not need to make any changes to comply with the Withdrawal Agreement. However, the UK government urges businesses to take stock of personal data in order to identify and track legacy data. If an adequacy decision is granted by the European Commission, these provisions will cease to apply.
Resources:
- Gov.uk Guidance: Using personal data in your business or other organisation
- EU Commission:
- ICO: International data transfers