Brexit and GDPR – don’t forget the EU Representative!
Updated: Apr 11, 2019
Unless you’ve been living under a rock, the word “Brexit” will have crossed your path at some point in the last few months (and years). Without going into the merits (or lack thereof) of Brexit, it’s clear that many companies are going to be impacted by this historic political event – and not just those in the UK.
There are many issues for businesses to deal with, both generally and in respect of their data protection regime, but I would like to deal with one particularly close to our hearts here at DPR Group – the requirement for a company to appoint an EU Data Protection Representative under Article 27 of GDPR.
Firstly, let’s dispel a couple of myths – that after Brexit: (1) UK companies will not need to meet the requirements of GDPR, and (2) that UK-based individuals will not have the benefit of its protection.
In the UK, the Data Protection Act 2018 (“DPA18”) came into force last year, and will remain in place after Brexit. Although GDPR is directly enforceable in EU states without local laws implementing its requirements, the UK (like most EU countries) has made the decision to incorporate it directly into its law to make enforcement simpler. In addition, the law enacted in the UK to give effect to Brexit (The European Union (Withdrawal) Act 2018, “Withdrawal Act”) will automatically incorporate into UK law all the EU law which impacts the UK at the time of Brexit, including GDPR.
The effect of this is that, even after a no-deal Brexit, UK-based individuals will be able to rely on (roughly) GDPR-equivalent rights against UK-based organisations.
The key point is this: after the UK leaves the EU, it will become a “third country” for the purposes of GDPR. This means that, as a result of Article 27 of GDPR, any company in the UK which (a) processes the personal data of individuals in the EU, and (b) has no office in the remaining 27 EU countries, will be required to appoint an EU Representative with effect from 29 March 2019. [NOTE: The potential for a no-deal Brexit has since been delayed, first to 12 April and now to 31 October 2019.]
Whilst this requirement under GDPR is still considered to be the “hidden obligation” for non-EU companies as a result of the lack of discussion on this issue, there has been some mention of this by the UK Information Commissioner’s Office (“ICO”) in their recent Brexit checklist “Leaving the EU – six steps to take”. The ICO makes it clear that UK companies, without an EU office, processing EU personal data will be required to appoint an EU Representative. It is hoped that most UK companies to which this obligation applies will be ready, but research suggests that many UK (and other) companies are not fully prepared for Brexit – largely, I presume, because there is no clear agreement on what Brexit will ultimately look like.
There is also expected to be a requirement for non-UK companies to appoint a UK Representative if they don’t have an “establishment” in the UK. The UK Government (by way of the Department for Digital, Culture, Media and Sport) issued no-deal Brexit guidance on 13 December 2018 which roughly follows the position agreed in the prospective EU-UK Withdrawal Agreement (which, at the date of writing, appears unlikely to be agreed). The guidance states that the intention post-Brexit is that a UK Representative will be required by any company which processes the personal data of UK-based individuals but is not established in the UK. The current UK law includes no requirement for this (the DPA18 includes no obligation equivalent to Article 27 of GDPR) but the legislation by which this requirement would be added - whether Brexit occurs with a deal or without - has already been laid before the UK Parliament (The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019), so it is expected that this will be a requirement post-Brexit. The good news for DPR Group’s clients is that we will be retaining our UK contact location after Brexit, so we will continue to be able to represent our clients with this London establishment – no additional UK Representative will be required!
As a side note, I’d add that a failure to have the Representative obligation in law should not be fatal to the UK’s desire to be declared ‘adequate’ by the EU for the purposes of cross-border transfers; there is no equivalent obligation imposed by any of the currently-adequate countries.
There are a number of other data protection issues which are raised by Brexit, including cross-border transfers of personal data UK>EU / EU>UK / UK>others (the UK will not have the benefit of ‘adequacy’ status in the event of a no-deal Brexit), for which official and third-party guidance exists that investigates the issues in more depth than I can here. Of particular personal interest is the extra-territorial enforceability of the UK law. The UK government guidance mentioned above states that the UK law should have extra-territorial effect in the same manner as the GDPR, which sets up the intriguing prospect of extra-territorial data protection enforcement being tested by the UK against the EU before the EU has had the opportunity to test extra-territorial enforcement of GDPR against another country. Although this won’t be possible in the immediate future (the UK will have to alter the DPA18 to make this possible, which is likely to be low on their immediately-post-Brexit list), it would create the possibility that the EU courts reject enforcement of the UK law against EU data processors and, accordingly, scupper their own international enforcement of GDPR (although I presume this outcome is unlikely).
In summary, if you’re a company which (a) has no establishment in the remaining 27 EU countries (either because you’re solely based in the UK, or based in the UK and other locations but without an EU establishment) and (b) you process the personal data of EU-based individuals, you will need to appoint an EU Data Protection Representative.
Tim Bell is the Managing Director of DPR Group, a leading provider of EU Data Protection Representative services through its network of 28 contact locations (one in each EU country – and the UK). If you require an EU Representative, or are not sure whether you need one, please feel free to contact us to discuss the issues at firstname.lastname@example.org.
Please note that nothing contained in this blog post is intended to be treated as legal advice. Advice relevant to your specific circumstances should be obtained before taking any actions.
NOTE: updated 7 January 2019 to take account of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019