Data protection and Brexit
With Brexit at the forefront of our minds, it is essential to highlight some of the key issues that UK businesses will face in respect of data protection after we leave the EU.
The problem with transferring data from the EU to the UK is well rehearsed, and the difficulties with the existing safeguards to allow transfers have been discussed previously.
Less attention has been paid to the possible need for a UK business to have a formal EU data protection representative.
Even less discussion has been had about the impact on potential fines for UK businesses where things go wrong with respect to personal data. Because the UK will be outside the “one stop shop” approach relating to EU cross-border processing, UK businesses will be liable to independent action from each EU supervisory authority.
Will you need a representative in the EU?
One issue which seems to have slipped under the radar in the Brexit debate is whether, after leaving the EU, UK businesses will need to appoint a representative in the EU. For many businesses, the EU GDPR will continue to apply to them and the answer as to an EU representative is likely to be “yes”.
What does the GDPR say?
Article 3 of the GDPR deals with territorial scope. There are two criteria to fall territorially into the EU GDPR: the “establishment” criterion and the “targeting” criterion. For those who do not have offices or branches in an EEA member state, the relevant test will be “targeting” under paragraph 2:
“[GDPR] applies to the processing of personal data of data subjects who are in the [EEA] by a controller or processor not established in the [EEA], where the processing activities are related to:
(a) The offering of goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the [EEA]; or
(b) The monitoring of their behaviour as far as their behaviour takes place within the [EEA].”
(There is a very limited exception which applies if your processing is only occasional, of low risk to the data protection rights of individuals and does not involve the large scale use of special category or criminal offence data. There is a further exception for public bodies.)
The assessment of whether a business falls into this “targeting” criterion needs to consider, amongst other matters, relevant European guidance. For this note, we are assuming that the Article 3(2) criterion is triggered.
If you fall within the territorial scope then under Article 27, whether you are a controller or a processor, you must designate in writing a representative in the EEA.
A “representative” is defined as a natural or legal person established in the EEA, who represents the controller or processor in relation to their obligations under the GDPR.
The representative must be established in one of the EEA member states where the data subjects are, whose personal data is processed in relation to the offering of goods or services or whose behaviour is being monitored.
The authority of the representative covers dealing with supervisory authorities, data subjects and others on all issues related to processing. The authority can be in addition to or instead of the controller or processor. In most cases, joint responsibility is likely to be the preferred option.
In relation to data subject rights, while the representative will not be responsible for complying with them, the representative must facilitate communication between data subjects and the controller/processor so data subject rights can be exercised effectively.
The representative must also be able to communicate with data subjects and the relevant supervisory authorities in the language or languages used by them.
In any event, designating a representative will not prevent anyone from bringing legal action against the controller or processor.
It is important to remember that the obligation applies to processors, as much as to controllers.
The written mandate to the representative is likely to take the form of a simple services agreement, but you will need to take account of any mandatory provisions of the law of the Member State in which the representative will be based.
You will also need to provide information about your representative to data subjects, such as in your privacy notice or in a data collection form. Supervisory authorities in the EU will also need this information, so it would be a good idea to include it on your website, which is accessible from EEA countries.
It is likely to prove difficult to find a suitable representative, given that supervisory authorities will be able to initiate enforcement action (including the ability to impose fines) against the representative (in the same way as they could against the appointing controller or processor).
Although guidance states that a representative can act for a number of non-EEA based entities, one of the problems is likely to be that the representative will need to have a good grip on the business or activities of the controller or processor and be able to deal with one or more EEA supervisory authorities for that entity.
The guidance also knocks on the head any idea of using an EEA based external data protection officer (DPO) (associated with an entity) as the representative of that entity in the EEA, because a DPO has to have a degree of independence, which would be incompatible with the “mandate” which the controller or processor would need to give to the representative.
It may be that, over time, a separate business or profession of “EEA representative” develops, but there does not appear to be any such structure at present.
Finally, do remember that another problem that arises after Brexit will relate to cross-EU-border processing. If you do this, the UK’s ICO will no longer be a supervisory authority that can be part of the “One Stop Shop” approach. If you are processing the data of EU data subjects and continue to be subject to the EU GDPR, you will be responsible for dealing with each relevant EU supervisory authority individually – and each can take action against you for any breach.
What about UK Representatives?
At the moment, it appears to be the intention of the UK Government that “UK GDPR” will require a controller or processor based outside the UK, but who needs to comply with UK GDPR, to appoint a similar UK based representative.
For more information, please contact the author.