GDPR: Brexit Implications on UK, EEA & Third Countries

Scott Blackmer
April 12th, 2021

The EU General Data Protection Regulation (GDPR) controls how organizations collect, use and store personal data. It applies both to businesses based in the European Economic Area (EEA) and to those with no physical establishment in the EU but with operations that fall within the extraterritorial scope of the GDPR. Fines for GDPR violations can reach €20m or 4% of annual worldwide turnover (whichever is higher).

To date, fines have been assessed up to €50 million (against Google), for lack of transparency in the use of personal information. Individuals may also sue for damages, and in some countries they may be represented collectively by advocacy groups. Thus, companies cannot afford to be complacent about GDPR compliance.

The UK continues to apply GDPR rules and is likely to keep doing so. However, although it was designed to facilitate the flow of data between the EU and the UK, the Trade and Cooperation Agreement (TCA) that entered into force on January 1st, 2021, did not lay all issues to rest. Businesses established in and outside the UK will now have to tackle several challenges, including ensuring compliance with both the EU and the UK GDPR.

The EU GDPR applies to data processing activities “in the context of the activities” of organizations established in the EU / EEA, whether or not that processing actually occurs in the EEA. The assessment of whether a company maintains an establishment in the EEA is carried out according to Recital 22 of the EU GDPR, which requires an effective and real exercise of activity through stable arrangements, irrespective of its legal form.

This reflects the broad interpretation of establishment for data protection purposes that the Court of Justice of the European Union (CJEU) applied in the 2015 case of Weltimmo v NAIH (C-230/14). The EU GDPR also expands its territorial reach beyond this, to processing by businesses that do not have a physical establishment in the EEA but sell goods or services to individuals in the EEA or monitor their behavior in the EEA (see Art. 3(2) of the EU GDPR). “Monitoring behavior” is a broad concept, which includes using website cookies to profile customers in the EEA, carrying out market surveys in the EEA, using CCTV in the EEA, or engaging in geolocation tracking via a user’s smartphone.

Following the Brexit negotiations, on December 31, 2020, the UK brought into force the UK GDPR, as tailored to UK law and procedure by the UK Data Protection Act 2018. For now this is nearly identical to its EU counterpart, although the rules may diverge over time following Brexit. A business operating in both the UK and the EEA may then find itself caught between two legal regimes, having to ensure compliance with both.

Britain has confirmed that – at least for the time being – businesses can still send personal data from the UK to organizations in the EEA without additional formalities, maintaining its pre-Brexit position. The UK Government will, however, keep this decision under review until a later time.

However, bringing personal data into the UK from the EEA will prove more challenging. The UK is no longer covered by the EU GDPR provisions that allow personal data to be moved within the EEA without additional formalities, unless the EU institutions formally make an “adequacy determination” in favor of the UK, as they have for other “third countries” outside the EEA that are deemed to ensure that the “level of protection” guaranteed by the GDPR will not be “undermined”. While the British Government awaits the EU's decision in this regard, the TCA provides some breathing space for UK businesses, allowing personal data to be sent from the EEA to the UK until the end of June 2021. An adequacy decision is not guaranteed, but it is expected to be granted at least provisionally.

The European Commission has deemed only a few jurisdictions “adequate” so far: Argentina, Uruguay, Jersey, Guernsey, Isle of Man, Andorra, Switzerland, Israel, New Zealand, Canada (to the extent that organizations are covered by PIPEDA and similar Canadian data protection legislation), and Japan (private sector organizations). The UK can allow free movement of personal data to those jurisdictions without creating issues with the EU. For other countries, it must require additional safeguards or derogations in parallel with the EU’s, or risk losing its own adequacy determination from the EU. This has become more difficult since the CJEU decision in Schrems II in July 2020, which invalidated the EU-US Privacy Shield Program – one of the methods for legally sharing personal data between entities in the EU and the EEA and their affiliates or vendors in the US. The Court upheld the validity of the EU standard contractual clauses (SCCs) for data transfer under Commission Decision 2010/87/EU (later amended by Commission Decision 2016/2297), but imposed substantial new obligations on European data controllers using this mechanism or Binding Corporate Rules, the other major vehicle for providing alternative safeguards for international data transfers. The judgment in Schrems II has important implications for the future regulation of international data transfers, and the European Commission has proposed a new set of SCCs with required supplemental documentation.

Article 27 of the EU GDPR lays down the obligation for controllers or processors falling within the extraterritorial scope of the EU GDPR to appoint GDPR representatives, and it has fully applied to cross-border data processing between the EEA and the UK since January 1, 2021. The British Government is expected to set out an equivalent system that requires companies with operations but no establishment in the UK to appoint a UK GDPR representative. (This is not the same as appointing a data protection officer or “DPO,” which some kinds of controllers and processors are required to do under GDPR Art. 37 and its UK equivalent.) Appointing a GDPR representative is meant to facilitate compliance and communications with European data subjects and authorities when an organization is subject to the GDPR but is not physically present in the EEA.

Processors or controllers caught by the extraterritorial jurisdiction of the EU GDPR (Art. 3(2)) must comply with Art. 27 and appoint a GDPR representative unless an exception applies. An organization does not need to appoint a representative when:

  • It is a public authority or body; or
  • Its processing is occasional; it does not include, on a large scale, processing of special categories of data (as referred to in Art. 9, i.e. information about health or sex life, data relating to race or ethnicity, religious or philosophical beliefs, political opinions, trade union membership, or genetic or biometric data used for identification) or processing of data relating to criminal convictions and offenses; and it is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope, and purposes of the processing.

The EU representative must be appointed in writing, must be mentioned in the company’s privacy policy, and will serve as a point of contact for inquiries by national data privacy authorities. The representative can be an individual or entity. It could be a European affiliate, for example, or a consulting or law firm, as long as it is EEA-based.

Understanding the particularities of privacy laws can be a daunting task for businesses, and data breaches can lead to significant reputational damage. Conversely, establishing your organization as one that takes data privacy rights seriously can become a solid competitive advantage in your market.

The FLI team together with our partners can advise you on data protection compliance, cross-border data transfer agreements, security breach response, handling data subject requests, and risk management regarding claims and disputes.


Scott Blackmer

Scott leads the Americas Management Team. Previously a partner at WilmerHale, Scott advises private and federal clients in technology and is regarded as a leading authority in intellectual property and international trade. He has served as an advisor on privacy, data protection and digital identity to various Fortune 500 entities as well as government organizations.

With extensive experience in all matters related to data protection and cybersecurity, in both consumer and human resources contexts, Scott is an expert in a wide range of legal issues that companies face in online and mobile business, especially across borders.

Copyright © 2021 First Law International