To date, fines have been assessed up to €50 million (against Google) for lack of transparency in the use of personal information. Individuals may also sue for damages, and in some countries they may be represented collectively by advocacy groups. Companies therefore cannot afford to be complacent about GDPR compliance.
The UK continues to apply GDPR rules and is likely to do so for the foreseeable future. However, although it was designed to facilitate the flow of data between the EU and the UK, the Trade and Cooperation Agreement (TCA) that took effect on January 1, 2021, did not lay all issues to rest. Businesses established both inside and outside the UK now face several challenges, chief among them ensuring compliance with both the EU GDPR and the UK GDPR.
The EU GDPR applies to data processing activities “in the context of the activities” of organizations established in the EU / EEA, whether or not that processing actually occurs in the EEA. The assessment of whether a company maintains an establishment in the EEA is carried out according to Recital 22 of the EU GDPR, which requires an effective and real exercise of activity through stable arrangements, irrespective of its legal form.
This reflects the broad interpretation of "establishment" for data protection purposes that the Court of Justice of the European Union (CJEU) applied in the 2015 case of Weltimmo v NAIH (C-230/14). The EU GDPR also extends its territorial reach beyond this, to processing by businesses that have no physical establishment in the EEA but offer goods or services to individuals in the EEA or monitor their behavior in the EEA (see Art. 3(2) of the EU GDPR). "Monitoring behavior" is a broad concept: it includes using website cookies to profile customers in the EEA, carrying out market surveys in the EEA, using CCTV in the EEA, or engaging in geolocation tracking via a user's smartphone.
Following Brexit negotiations, the UK GDPR took effect at the end of the transition period on December 31, 2020, as tailored to UK law and procedure by the UK Data Protection Act 2018. For now it is nearly identical to its EU counterpart, although the two regimes may diverge over time. A business operating in both the UK and the EEA may therefore find itself caught between two legal regimes, having to ensure compliance with both.