On Jan. 31, 2020, the United Kingdom left the European Union. Until Dec. 31, however, EU laws, including the General Data Protection Regulation, continue to apply in the U.K.
Following the transition period, the GDPR will continue to apply to U.K. organizations that do not have an establishment in the European Economic Area if they offer goods or services to or monitor the behavior of data subjects in the EEA. In addition, the U.K. government has written the GDPR into U.K. law (with necessary changes to tailor its provisions to the U.K.).
Similar to the EU GDPR, the U.K. GDPR will apply to organizations established in the U.K. that process personal data, regardless of where that processing takes place. It will also apply to organizations outside the U.K. if they offer goods or services to or monitor the behavior of data subjects in the U.K. Consequently, some organizations may be subject to the concurrent jurisdiction of the EU GDPR and U.K. GDPR.
Here are five data protection issues that organizations may not be thinking about in advance of Dec. 31, but should be.
Lead supervisory authority
From Jan. 1, 2021, the U.K.’s Information Commissioner’s Office will no longer be a “supervisory authority” under the EU GDPR. Organizations that carry out cross-border data processing and that previously considered the ICO to be their lead supervisory authority will need to identify which EEA supervisory authority will be their new lead authority. This does not apply to U.K.-based organizations that only process the personal data of U.K. residents, for whom the ICO will continue to be the only relevant supervisory authority.
Where a change from the ICO is necessary, organizations may not have a choice as to which supervisory authority fulfills the lead role; according to Article 56 of the GDPR, the lead supervisory authority is that of the jurisdiction where the controller or processor has its main or only establishment within the EU. However, certain organizations may have some flexibility, particularly if they were previously only established within the U.K. and now wish to set up an establishment in one of the remaining 27 member states.
There are differences in approach between the various supervisory authorities across the bloc, which may influence where such a new establishment is located. Some of these differences are anecdotal and hard to evidence. However, the recent decision in "Schrems II" has required supervisory authorities to make public statements, from which some of the differences can be seen.
The French supervisory authority, Commission nationale de l'informatique et des libertés, has stated it is considering the "Schrems II" judgment in depth to draw out the consequences. The Irish Data Protection Commissioner, meanwhile, stated, “[I]t is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.” Berlin’s Commissioner for Data Protection and Freedom of Information has gone even further and stated that organizations that it supervises should now repatriate all personal data that has been transferred to the U.S. This divergence of approach across the bloc may influence any choice that exists as to the preferred replacement lead supervisory authority.
Data privacy representatives
U.K. organizations that continue to be subject to the EU GDPR following Dec. 31 may need to appoint a data privacy representative in the EEA. Similarly, organizations that become subject to the U.K. GDPR as of Jan. 1, 2021, may need to appoint a data privacy representative in the U.K. As with data protection officers, there are a number of practical factors to consider, including the location of establishments of the controller or processor within the EU, appropriate language skills and availability to cooperate with supervisory authorities.
Organizations that currently have a DPO should consider whether that DPO will continue to be accessible to their establishments and data subjects in the U.K. and the EEA. There are a number of facets to the question of “accessibility.” Consideration should be given, for example, to the language capabilities and time zones of the DPO and any data subjects. A DPO based in the U.K. who only speaks English may not be deemed accessible to data subjects in Germany who only speak German, for example. In this example, the position is exacerbated by Brexit. The WP29 Guidance on DPOs recommends that the DPO be based within the EU. Numerous international organizations are likely to have organized their intragroup affairs so that their DPO is based in the U.K. Post-Brexit, these arrangements will need to be reconsidered. The location of the DPO may need to change, which may require a change in personnel, or indeed additional personnel, if the organization wants or needs to have a DPO in the U.K. as well as the EU.
From Jan. 1, 2021, U.K. companies and individuals will no longer be eligible to hold a .eu domain. This is because .eu domains can only be registered or held by EU citizens, EU member state residents or organizations established in the EEA. U.K. companies should review whether they currently hold any .eu domains and consider reassigning them to a group entity under their control that is established in the EEA (subject to tax considerations) or to a provider of proxy ownership and licensing services. If that is not possible or desirable, then additional domain names will need to be procured and the content of the relevant sites transferred.
International personal data transfers
Although the Court of Justice of the European Union upheld the use of standard contractual clauses for international personal data transfers, its impact on the ability to use SCCs to transfer data to the U.S. is still to be resolved. In the context of Brexit, this leads to at least two questions: Will the U.K. allow the transfer of personal data to the U.S. using SCCs post-Brexit, and will the EU allow the transfer of personal data to the U.K. using SCCs?
The answer to the former — at least for now — is "yes." The U.K. will recognize the SCCs as a mechanism to transfer personal data out of the U.K., and "Schrems II" does not appear to have changed that position.
The answer to the latter is more complicated. Although "Schrems II" focused on the U.S., many of the criticisms leveled at the U.S. surveillance laws apply equally to U.K. surveillance laws. In the absence of an adequacy decision (which itself may be imperiled by the U.K.’s national security laws), the use of SCCs to transfer personal data to the U.K. could well be adjudged to be problematic.
The issues for businesses arising from Brexit are many and varied, and data protection is, of course, just one. However, given data’s increasing importance to organizations of all kinds, it is one that should be given appropriate priority in the planning processes.