Newsflash: Brexit, data transfers and local representatives
With the UK’s exit from the European Union (EU) and the European Economic Area, both UK and EU data controllers are now having to grapple with new cross-border data requirements. The UK GDPR essentially mirrors the requirements of the old GDPR, except that it applies to the UK only. Accordingly, for data exports outside the UK, the provisions of Articles 44 to 49 of the UK GDPR apply. The UK law adapts the previous European law with data exports outside the UK only being permissible if certain safeguards are met, such as on the basis of an adequacy decision, appropriate safeguards (e.g. approved data protection clauses), binding corporate rules, or when one of the specific derogations under Article 49 applies.
It is clear that the UK Government and EU institutions want mutual adequacy decisions permitting the free flow of data between the EU and UK. But to avoid UK-EU data flows grinding to a halt on 1 January 2021, a temporary fix was included in the UK-EU trade deal. Article FINPROV.10A provides that the UK is to be treated as if it remains part of the EU for the purposes of data transfers until 1 May 2021, extendable to 1 July 2021. This provision will lapse if an adequacy decision in relation to the UK is adopted by the European Commission (the desired outcome) or if the UK unilaterally alters its current data protection laws (not a likely outcome).
On this basis, it is very unlikely that Brexit will adversely affect the ability to transfer personal data between the UK and the EU. However, once the agreed extension ends, or as soon as an adequacy decision is adopted, data controllers who are established only in the UK will need to consider whether they need to appoint a local representative in an EU member state, and, likewise, data controllers established within the EU will need to consider whether they need to appoint a local representative in the UK.
Who will need to appoint a local representative?
The rules governing this are set out in Article 27 of the GDPR. These apply when a data controller processes (a wide definition) personal data of data subjects based in the EU. UK public authorities (including NHS trusts, NHS foundation trusts and CCGs) will not be obliged to appoint local representatives within the EU, but all other data controllers who process such personal data must do so unless the data exports fall beneath certain thresholds. These thresholds are that the processing of data of data subjects in the EU:
- is occasional;
- does not include large-scale processing of special category personal data or data relating to criminal convictions or offences; and
- is unlikely to result in a risk to the rights and freedoms of the data subjects.
Note that ‘large scale’ is a term used throughout the GDPR and is amplified in guidance published by what is now the European Data Protection Board. Rather than providing concrete numbers it gives examples: a hospital would be a large scale processor of patient data but an individual physician would not be.
After the extension ends, or adequacy decisions are made, if a data controller processes the personal data of data subjects in the EU on anything other than an occasional basis it must appoint a local representative in an EU Member State. To assess this, data controllers must understand what their overall activity is in relation to data subjects in the EU. For example, if the data controller has regular interactions with EU residents (for example through mailing lists, donors, contacts, or sales), the processing will not be occasional if it is ongoing, even where it is only a small part of the controller's business. Also, if interactions with individual data subjects in the EU are one-offs, for example an individual purchase, but there is a steady stream of interactions with different data subjects in the EU, this processing will not be occasional. In both circumstances the data controller must appoint a local representative. Similar provisions within the UK GDPR will mean that many EU data controllers will need to appoint a UK-based local representative.
What makes an appropriate local representative?
Firstly, the representative must be in an EU country linked to the service provided. For most UK data controllers, an anglophone country such as the Republic of Ireland will have considerable practical benefits, provided there is genuine processing of personal data of the residents of that country. Alternatively, if a data controller has established links or contacts with EU-based organisations (and this may be particularly significant for charities or other third sector organisations), it may be possible to secure their agreement to undertake the local representative role. This will especially be the case if the partner organisation also needs to appoint its own UK representative – like-for-like arrangements may mean that a local representative can be sourced at minimum additional cost.
It is important to be aware that the role of local representative is not an advisory role. A local representative must hold a copy of the record of processing activities that all data controllers are required to maintain under Article 30 of the UK GDPR and the GDPR respectively. Beyond this, the role of the local representative is to be a liaison point for data subjects in the EU and EU regulators and the UK data controller (and vice versa).
For example, if a data subject in the EU wishes to make a subject access request, the local representative’s responsibility is to pass on that request to the data controller and act as a point of liaison. They are not required to carry out the work of responding to the data subject request themselves. Likewise, in the event of a data controller in the UK experiencing a reportable data breach that included data subjects in the EU, there would need to be two breach reports – one made to the ICO in the UK, and another made via the local representative to their local supervisory authority. This does mean that a data controller could face separate enforcement action by the EU and UK regulators – the extent to which each regulator will have regard to the activities of the other remains to be seen.
Conclusion
While it is very unlikely that the free flow of personal data between the UK and the EU will be interrupted by Brexit, there are nevertheless potentially some significant additional regulatory requirements. UK data controllers who are not public authorities should be assessing how they interact with data subjects in the EU and, unless they fall within the exception to Article 27, they will need to find and appoint a local representative and equip them with the necessary information about their use of personal data.
If you have any questions regarding this then please do contact Chris Alderson, details below: