In July, the U.K. government introduced the Data Protection and Digital Information Bill, setting out its proposed amendments to U.K. data protection laws. The proposals stem from a consultation conducted by the Department for Digital, Culture, Media and Sport last year. The consultation received nearly 3,000 responses from domestic and overseas organizations representing a cross-section of the U.K. economy. However, not all changes proposed in the bill were included in the consultation process. The removal of the requirement for overseas companies to appoint a U.K.-based representative was one of the changes not included in the consultation.
The role of the representative
To understand the role of the representative, it helps to understand that the U.K. General Data Protection Regulation was intended to ensure comprehensive protection for the rights of individuals and establish a level playing field for companies active in the applicable market irrespective of where they are located. Article 3(2) extends the reach of the U.K. GDPR to include controllers and processors not located in the U.K. but that offer goods or services to individuals in the U.K. or monitor their behavior. Given this extraterritorial reach, Article 27 requires overseas controllers and processors to appoint a representative in the U.K. to be their local point of contact for "all issues relating to processing for the purpose of compliance with the [GDPR]." There are some exceptions to the requirement, including, in the interests of fairness and proportionality, for smaller organizations and those carrying out low-impact processing.
What does a U.K. representative do? A familiar analogy is that of a footballer appointing an agent to represent them. Anyone wishing to communicate with the footballer in a commercial capacity will likely be directed to their agent. Similarly, one of the main functions of a U.K. representative is to facilitate effective and timely communication between the overseas organization that appointed it and U.K. stakeholders, including:
- Data subjects, nongovernmental organizations, and privacy-related interest groups.
- The U.K. Information Commissioner's Office.
- U.K. companies.
The possibility of barriers such as language, time zone or a lack of local contact information may make it significantly harder for U.K. stakeholders to exercise their rights and/or ensure compliance with U.K. privacy laws in respect of an overseas company. A good U.K. representative acts as an ambassador for U.K. privacy laws by explaining, training, facilitating, and translating between the languages of different countries and distilling complex legal concepts into practical business solutions. Why this is important is shown by the following case study:
Case Study: Accessibility of the world's top gaming companies
An industry prone to the requirement to appoint a representative is the gaming industry because its digital product is mainly distributed via online channels without an establishment in the targeted markets. We analyzed the top gaming companies by market capitalization according to Companiesmarketcap.com. Of 188 companies:
- Only two are located in the U.K.
- 80% are located in non-English speaking regions.
- Of that 80%, the majority (118) are headquartered in the Asia-Pacific region, including Japan (56), China (33), Taiwan (14) and Korea (11).
- Of these 118, fewer than 50% have a privacy notice in English, and only 39% have accessible contact details for privacy-related queries.
Gaming applications are often targeted at children; these factors make it difficult, if not impossible, for them or their parents to identify the right gaming company, find the applicable privacy notice and locate the relevant contact details to exercise their privacy-related rights. This is a snapshot of one industry sector. The same story is replicated across a digital economy growing in its reach to U.K. consumers.
The U.K. representative can be a solution to these obstacles by taking over the role of a local addressee. However, a good representative is far more than just a communications channel. Much like the footballer's agent, the representative has specific skills and knowledge that can assist the overseas organization in understanding the requirements of U.K. privacy laws in the context of its dealings with U.K. stakeholders. This, in turn, benefits any U.K. companies with which the overseas organization does business. Some representatives have developed additional services from their experience in the role, including, for example, software tools for handling data subject requests or data breaches and bespoke legal services.
The government's rationale behind the proposed change
The proposed change is simple: complete removal of Article 27 from the U.K. GDPR, resulting in the immediate loss of the requirement for overseas businesses to appoint a U.K. representative.
With the lack of public consultation, you could be forgiven for expecting the U.K. government to have provided a detailed explanation of its rationale for removing the requirement to appoint a U.K. representative. However, the justification in the explanatory notes is limited (paragraph 185). It says that "in order to identify an organisation's representative, one must first identify the relevant controller or processor anyway, resulting in duplication and an unnecessary burden on organisations." This explanation appears to completely overlook the reasons for and benefits of the role of the representative.
The government's impact assessment includes a slightly more considered appreciation of the representative's role (paragraphs 543 - 544), but it's fair to say the evidence presented on the impact of the change is far less convincing. This is acknowledged in the impact assessment as it states, "there is limited information and data on the benefits of having an Article 27 representative" because "it applies exclusively to businesses and organizations outside of the UK which makes gathering evidence very challenging." By its own admission, the U.K. government recognizes the challenges of interacting with overseas organizations. If U.K. policymakers find it hard to elicit information from overseas businesses, other U.K. stakeholders may also face difficulties in doing so without the help of a representative.
The U.K. government considers that the cost for an overseas organization to retain the services of a representative is a potential barrier to trade with the U.K. (paragraphs 546 – 551). While there is a cost associated with engaging a U.K. representative, the figures given in the impact assessment are, to our knowledge of the marketplace, abnormally inflated. So much so that the annual cost cited in the impact assessment for a large organization to retain a U.K. representative is ten times higher than the typical market rate at a whopping 50,000 GBP annually. While DCMS cites a lack of reliable data for these figures, most providers, such as Prighter, DataRep, GDPR Local or EDPO, to name but a few, publish their pricing online.
The impact assessment includes a separate figure for the administrative costs associated with having a representative. On the one hand, there are no formal requirements to appoint a representative other than it must be recorded in writing, creating minimal administrative burden in making the appointment. On the other hand, organizations can achieve substantial cost savings by leveraging the appointment of the representative to increase the efficiency of their privacy-related internal processes. The potential benefits of having a representative are, therefore, considerably greater than the minimal administrative burden of having to retain one.
It is also important to remember that the requirement to appoint a representative is not specific to the U.K. It exists under the EU General Data Protection Regulation from which the U.K. version is derived and has been replicated across several other jurisdictions, including China, Serbia, Switzerland, Thailand and Turkey, a list of countries that continues to grow. The U.K. is turning its back on a basic privacy concept, which is being increasingly adopted worldwide. Indeed, the further the U.K. diverges from the EU GDPR with the plethora of other changes proposed under the bill, the greater the level of complexity in the regulatory landscape that overseas organizations face, making it even more likely that they would benefit from a representative to guide and advise them.
The government has recognized the impact that this proposal, coupled with the extensive list of other amendments in the bill, may have on the adequacy decisions of the EU Commission. This is particularly important given that the decisions in respect of the U.K. are the only ones to include a sunset clause limiting the period of adequacy to four years before further consideration is required by the EU Commission. Of course, the EU Commission may revoke its decisions at any time if it feels that the data protection laws of the U.K. no longer provide an essentially equivalent level of protection to those of the EU.
What hasn't been considered
The impact assessment addresses the advantages of the change for overseas organizations. What it glosses over are the ramifications for U.K. stakeholders. Not only will it make communication with overseas companies significantly harder, but there is also a real risk of an overall dip in compliance without such overseas organizations benefitting from the knowledge and expertise of a U.K. representative.
This raises the important point of trust and a question that DCMS should be asking: Will the loss of the benefits a U.K. representative offers come with a price tag of a reduction in consumer confidence and willingness to engage with overseas providers in the first place? Because first and foremost, the requirement to appoint a U.K. representative is born out of a need for compliance, and the motivation for compliance in any commercial setting is always the need to provide protection for individuals and ensure a functioning market.
If the rights of U.K. stakeholders are not protected, they are not likely to trust those with whom they engage, which in turn may reduce the volume of transactions that occur and threaten the performance of the U.K. market.
As the High Court put it in Sanso Rondon v. LexisNexis Risk Solutions U.K. Ltd  EWHC 1427 (QB):
"The appointment by an Art.3.2 controller of a representative … signals … a recognition of the bargain involved: the burden to be shouldered for the benefit to be gained. It is an acceptance of the application of Art.3.2 and a signal of good intent."
Or, as the defendant put it: "The bad guys do not appoint Art. 27 representatives."
And so, if the appointment of a representative is a differentiator for trustworthy companies, the impact of this change on the ease with which individuals can exercise their rights could reduce consumer confidence and negatively affect the U.K. market rather than reducing trade barriers.
First, the requirement to appoint a U.K. representative could, and arguably should, remain untouched for the reasons set out above.
It is true that some providers offer little more than a postbox service. To ensure a representative delivers benefits to all U.K. stakeholders, the ICO could be required to produce guidance on what to look for in a representative, such that they employ qualified data privacy professionals located in the U.K. who are readily available to support and facilitate any interaction with U.K. stakeholders.
Further, the U.K. government could require the representative to register with the ICO. Overseas organizations are required to register with the ICO to pay the relevant data protection fee. This process includes providing their data protection officer's name and contact details if applicable. It would be easy to amend the registration form and capture the U.K. representative's information. If the representative is registered with the ICO, this would also minimize the ICO's efforts in identifying and contacting the representative.