Brexit and UK Privacy Representation
1. Trade and Cooperation Agreement
After the UK left the EU, the Withdrawal Agreement provided for a transition period in which the future relationship between the UK and the EU was to be negotiated. Just before the end of the transition period on 31st December 2020, both parties reached a Trade and Cooperation Agreement (“TCA”), which is rather sparse on detail when it comes to data protection. It does, however, address the biggest concern of a hard Brexit: the flow of personal data from the EU to the UK (see 5. Data flow from the EU to the UK below). Other than that, the TCA contains no major provisions on data protection and, in particular, changes nothing about the need to appoint an EU or UK representative after the end of the transition period. Businesses without an entity, branch or other establishment in the EU and/or the UK that offer goods or services to individuals in those markets, or monitor their behaviour, are therefore required to appoint a representative in each market they reach out to.
References: ICO FAQs
2. Situation from 1st January 2021 onwards
Until 1st January 2021, the obligation to appoint a representative under Art. 27 GDPR only affected businesses based outside the EU, which at that time still included the UK. The obligation was therefore not very prominent for businesses based within the EU or the UK. With the UK leaving the EU, this “hidden” obligation may now become very relevant, in particular to businesses based in the UK, but also to those based within the EU.
With the end of the transition period, the “UK GDPR”, together with an amended version of the Data Protection Act 2018, came into force in the UK. Mirroring the EU GDPR, the new UK data protection framework obliges businesses that are based outside the UK but reach out to the UK market to appoint a representative in the UK. From an outsider’s perspective there are now two legal provisions which may oblige a business to appoint a representative: the EU GDPR, which applies to businesses based outside the EU, and the UK GDPR, which applies to businesses based outside the UK. For this reason the ICO informed businesses very early on about the possible obligation to appoint a representative in the EU and/or the UK.
3. Do non-UK companies need to appoint a UK representative?
The UK government stated that from 1st January 2021 onwards, companies located outside the UK, whether in the EU or in a third country, have to appoint a UK representative according to Art. 27 UK GDPR if they:
- offer goods or services to individuals in the UK; or
- monitor the behaviour of individuals in the UK.
We have adapted our SaaS solution for UK representation and can offer you our LegalTech services from our UK office.
4. Do UK companies need to appoint an EU representative?
Generally, companies which have no establishment in the EU need an Art. 27 GDPR representative if they:
- offer goods or services to individuals in the EEA; or
- monitor the behaviour of individuals in the EEA.
Since the UK is no longer a Member State after the end of the transition period, an establishment in the UK no longer counts as an EU establishment; from an EU perspective, the UK is now a third country. This general rule therefore obliges UK companies which fulfil the criteria above to appoint an EU representative.
As a law firm we offer you a SaaS solution for representation in all EU Member States.
5. Data flow from the EU to the UK
The TCA allows personal data to continue to flow freely from the EU (and EEA) to the UK for a period of at most six months, the so-called “bridging period”. By the end of this period, the European Commission will hopefully have decided on the adoption of an adequacy decision for the UK. If no decision has been made by then, the bridging period ends regardless, and transfers of personal data from the EU to the UK will need to rest on an alternative transfer mechanism to remain lawful.
In a statement on 28 December 2020, the ICO recommended that UK businesses which work with EU or EEA organisations transferring personal data to the UK put alternative transfer mechanisms in place for the EU-UK data flow before the end of April 2021. The UK government likewise advises UK businesses to put alternative transfer mechanisms in place as a sensible precaution. The most relevant mechanism will be Standard Contractual Clauses (SCCs); the ICO provides guidance and interactive tools for building SCCs.
If the European Commission does not adopt an adequacy decision by the end of the six-month period, transfers to the UK will be subject to the EU GDPR transfer restrictions. Under those rules, a transfer is permitted if it is covered by an adequacy decision, an appropriate safeguard, or an exception. Without an adequacy decision, the EEA sender can still transfer data to the UK if appropriate safeguards are in place. If there is neither an adequacy decision nor appropriate safeguards, the EEA sender may still transfer data to the UK if one of the EU GDPR exceptions applies. However, the ICO points out that, according to the EDPB guidance, these exceptions must be interpreted restrictively and mainly cover transfers that are occasional and non-repetitive.
Resources: ICO statement in response to UK Government’s announcement on the extended period for personal data flows, that will allow time to complete the adequacy process, EU Commission: Data protection after the end of the Brexit transition period for small businesses and organisations
Data flow from the UK to the EU
The UK government states that there are currently no changes for the data flow from the UK to the EU/EEA, Gibraltar and other countries considered adequate by the EU. Transfers from the UK to the EU are therefore permitted, but UK businesses should update their documentation and privacy notices to cover those transfers. The government stated that it will keep this under review.
6. Legacy Data
Art. 71(1) of the Withdrawal Agreement contains provisions for “legacy data” in case no adequacy decision is adopted by the European Commission. Legacy data is personal data of individuals outside the UK which was:
- acquired before the end of the transition period and processed under the EU GDPR; or
- processed on the basis of the Withdrawal Agreement.
Legacy data continues to be subject to the EU GDPR as it stood at the end of the transition period (the so-called “frozen GDPR”). The ICO therefore recommends that businesses identify which data was gathered before the end of the transition period. Since UK data protection law currently aligns with the frozen GDPR, in practice businesses may not need to change anything to comply with the Withdrawal Agreement. However, the UK government urges businesses to take stock of their personal data in order to identify and track legacy data. If the European Commission grants an adequacy decision, these provisions cease to apply.
Resources: Gov.uk Guidance: Using personal data in your business or other organisation; EU Commission; ICO: International data transfers