With the news that the UK and the European Union have agreed a post-Brexit trade deal, many people will be wondering what will change for their businesses and what they need to know after 1 January 2021, when the transition period ends.
The good news is that, as part of the trade deal, both sides have agreed to keep current data transfers between the EU and the UK flowing for up to six months after the transition period ends on 1 January 2021. This bridging period is intended to give the EU more time to reach an adequacy decision on the UK's data protection framework.
However, the UK receiving such a decision is not as straightforward as we might think. Given the recent Schrems II judgment of the CJEU, and the likelihood of the UK actively pursuing a trade deal with the USA after Brexit, the EU may not look favourably on such a deal when making its decision, given the history of US national security agencies' intrusion into people's personal data.
A refusal of adequacy would mean that companies within the UK handling EU personal data would need to work with their EU-based customers and suppliers on alternative data transfer arrangements. For many organisations this will likely mean Standard Contractual Clauses. Other arrangements include Binding Corporate Rules (BCRs) or ad hoc clauses authorised by a European data protection authority (Art. 46, GDPR), and derogations for specific situations (Art. 49, GDPR).
Even these alone may no longer be enough following the Schrems II case. Fortunately, the European Data Protection Board has released some helpful and pragmatic guidance on how to strengthen data transfer protections, giving a list of recommended technical, contractual and organisational measures that can be taken to protect people's personal data.
For businesses that are based within the EU but process UK personal data, the UK has already announced its own "adequacy decision" for the EU, so personal data flows from the UK to the EU may continue as they are.
Now, assuming everything works out well and the EU grants the UK adequacy, there is still one obstacle for UK businesses: Article 27. Article 27 of the GDPR requires organisations that are not established in the EU but process the personal data of people in the EU (for example by offering them goods or services) to designate a representative based within the EU, whom data subjects and supervisory authorities can contact regarding data protection issues. This applies whether or not there is an adequacy decision, and it will require some work for organisations to arrange if they have not done so already.
You will also need to authorise the representative in writing to act on your behalf regarding your GDPR compliance, and to deal with any EU supervisory authorities or data subject requests as they come in.
Your organisation's representative may be an individual or a company/organisation established in the EU/EEA (e.g. a law firm, consultancy or other company) and must be able to represent your organisation in handling your obligations under the GDPR. In practice, the easiest way to appoint an Article 27 representative may be under a simple service contract.
The twist is that the UK is also going to expect organisations outside the UK that process UK personal data to have a representative within the UK. So any EU-based organisations, and those based in other countries around the world, will need a representative within the UK. This has not yet been finalised in law; however, the intention to do so has been published on the ICO's website. This means that an organisation based in the USA, for example, that deals with customers in both the UK and the EU will end up needing two representatives.
Of course, you could choose to run the risk of not appointing a representative if you think the cost is too high. According to research by technology magazine Wired, prices for Article 27 representation services are relatively low: companies charge fees ranging from €150 (£130) to a maximum of €5,000-€6,000 (£4,500-£5,400) a year, depending on the amount of personal data a company processes. The fines for not doing so are almost certainly higher. So far there have been no fines under the GDPR for infringement of Article 27, but such an infringement could attract a penalty of up to €10,000,000 or 2% of an organisation's total worldwide annual turnover, whichever is higher, under Article 83(4) of the GDPR.
If you still have questions on the subjects raised in this piece, which is understandable given the complexity of some of the subject matter, please do speak to a qualified data privacy expert.