The United Kingdom has now left the European Union. However, until 31st December 2020, EU laws, which include the General Data Protection Regulation (GDPR), continue to apply to the U.K. This is the transition period.
Once the transition period has ended, the GDPR will still apply to U.K. businesses that do not have a branch or office in the European Economic Area if they wish to offer goods or services to the EEA. It also applies if the business wishes to monitor the behaviour of data subjects in the EEA. In addition, the U.K. government has now written the GDPR into U.K. law, where it is known as the UK GDPR.
As with the EU GDPR, the UK GDPR will apply to organisations established in the U.K. that process personal data. This is regardless of where that processing takes place. It will also apply to organisations outside the U.K. if they offer goods or services to the EEA. This also applies if they intend to monitor the behaviour of data subjects in the EEA and the UK. As a result, some organisations may be subject to the concurrent jurisdiction of the EU GDPR and the UK GDPR.
Below are six data protection issues you may not yet have considered but should address by year’s end.
Who will be your lead supervisory authority?
As of 1st January 2021, the Information Commissioner’s Office (ICO) in the United Kingdom will no longer be a “supervisory authority” under the EU GDPR. Organisations carrying out cross-border data processing that previously considered the ICO to be their lead authority will need to identify a different EEA authority, which will then become their new lead authority. This does not apply to U.K.-based organisations that only process the personal data of U.K. residents. For those businesses, the ICO will continue to be the supervisory authority.
When changing from the ICO, organisations may not have a choice as to which supervisory authority fulfils the lead role. According to Article 56 of the GDPR, the lead supervisory authority is that of the jurisdiction where the controller or processor has its main or only establishment within the EU. However, certain organisations may have some flexibility. For organisations previously established only in the UK, setting up an EEA business may give them the flexibility required.
There are differences in approach between the various supervisory authorities across the bloc, and these may influence where such a new establishment is located. Some of these differences are anecdotal and hard to evidence. However, the recent decision in “Schrems II” has required supervisory authorities to make public statements, from which some of the differences can be seen.
The French supervisory authority, Commission nationale de l’informatique et des libertés (CNIL), has stated it is considering the “Schrems II” judgment in depth to draw out the consequences. The Irish Data Protection Commissioner, meanwhile, stated, “It is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.” Berlin’s Commissioner for Data Protection and Freedom of Information has gone even further, stating that the organisations it supervises should now repatriate all personal data that has been transferred to the U.S.
This divergence of approach across the EU may influence any choice that exists as to the preferred replacement lead supervisory authority.
Data Privacy Representatives
U.K. organisations that continue to be subject to the EU GDPR following 31st December 2020 may need to appoint a data privacy representative in the EEA. Similarly, organisations that become subject to the UK GDPR as of 1st January 2021 may need to appoint a data privacy representative in the U.K. As with data protection officers, there are a number of practical factors to consider, including the location of establishments of the controller or processor within the EU, appropriate language skills and availability to cooperate with supervisory authorities.
Data Protection Officers
Organisations that currently have a DPO should consider whether that DPO will continue to be accessible to their establishments and data subjects in the UK and the EEA.
Accessibility is important. Consideration should be given, for example, to the language capabilities and time zones of the DPO and any data subjects. A DPO based in the UK who only speaks English may not be deemed accessible to data subjects in Germany who only speak German. Brexit exacerbates this position.
The WP29 Guidance on DPOs recommends that the DPO be based within the EU. Numerous international organisations are likely to have organised their group affairs so that their DPO is based in the UK. Post-Brexit, these arrangements will need to be reconsidered.
The location of your DPO will need to change. This could mean a change in your people or even additional resources. This is particularly true if your business intends to have a DPO in the UK as well as the EU.
From 1st January 2021, UK businesses and individuals will no longer be eligible to hold a .eu domain. Why? EU domains can only be registered or held by EU citizens, EU member state residents or organisations established in the EEA.
A UK business that holds one or more of these domains needs to make a decision. It might consider reassigning them to a group entity that is established in the EEA; this will need to be an officially registered business. Alternatively, it could use a provider of proxy ownership and licensing services. If neither is possible, additional domain names will need to be acquired and the content transferred.
International Data Transfers
The Court of Justice of the European Union upheld the use of standard contractual clauses for international personal data transfers. However, the impact on the ability to use SCCs to transfer data to the United States is still to be understood. In relation to Brexit, two questions need to be asked:
1. Will the UK allow the transfer of personal data to the United States using SCCs post-Brexit?
2. Will the EU allow the transfer of personal data to the UK with this use of SCCs?
The answer to the first question right now is yes. The UK currently recognises the SCCs as a mechanism to transfer personal data out of the UK. “Schrems II” does not appear to have changed that position.
The answer to the second question is more complex. “Schrems II” focused on the U.S. surveillance laws. However, the criticisms levelled at the United States government apply equally to the UK government. The national security laws of the UK are putting at risk the ability to use SCCs to transfer personal data to the UK. If an adequacy decision isn’t forthcoming, this could well be problematic for UK businesses.
Representative in Europe Services
For non-EU/EEA businesses that currently use an agency service as their EU representative, a change may also be required. We offer these services and, if there isn’t an adequacy decision, we would normally have to cease doing so. However, we are establishing an EEA business in order to be able to continue to offer the service. Businesses will need to consider where they obtain this service currently and how they will move forward, as a change may be needed in order to comply with the EU GDPR.
The issues for businesses arising from Brexit are many and varied, and data protection is just one of them. However, as data is of increasing importance to most businesses, it should be a priority when preparing for Brexit.
What are you doing to prepare for Brexit? Are privacy and data protection a priority in your plan?
If you need help with your understanding of Brexit planning, or perhaps you need help with the deployment of a DPO, please call us today on 03333 22 1011 or contact us here.