To date, fines have been assessed up to €50 million (against Google), for lack of transparency in the use of personal information.  Individuals may also sue for damages, and in some countries they may be represented collectively by advocacy groups.  Thus, companies cannot afford to be complacent about GDPR compliance.

The UK continues to apply GDPR rules and is likely to continue to do so.  However, despite the fact that it was designed to facilitate the data flow between the EU and the UK, the Trade and Cooperation Agreement (TCA) that entered into force on January 1st, 2021, did not lay to rest all issues. Businesses established in and outside the UK will now have to tackle several challenges, which will involve ensuring compliance with both the EU and UK GDPR.

The EU GDPR applies to data processing activities “in the context of the activities” of organizations established in the EU / EEA, whether or not that processing actually occurs in the EEA. The assessment of whether a company maintains an establishment in the EEA is carried out according to Recital 22 of the EU GDPR, which requires an effective and real exercise of activity through stable arrangements, irrespective of its legal form.

This reflects the broad interpretation of establishment for data protection puposes that the Court of Justice of the European Union (CJEU) applied in the 2015 case of Weltimmo v NAIH (C-230/14). The EU GDPR also expands its territorial reach beyond this, to processing by businesses that do not have a physical establishment in the EEA but sell goods or services to individuals in the EEA or monitor their behavior in the EEA (see Art. 3(2) of EU GDPR).  “Monitoring behavior” is a broad concept, which includes using website cookies in order to profile customers in the EEA, carry out market surveys in the EEA, using CCTV in the EEA, or engaging in geolocation tracking via a user’s smartphone.

Following Brexit negotiations, on December 31, 2020, the UK enforced the UK GDPR, as tailored to UK law and procedure by the UK Data Protection Act 2018.  This is nearly  identical to its EU counterpart for now, although the rules may diverge over time following Brexit.  A business operating in the UK and in the EEA may then find itself caught between both legal regimes, having to ensure compliance with both.

Britain has confirmed that – at least for the time being – businesses can still send personal data from the UK to organizations in the EEA without additional formalities, maintaining its pre-Brexit position. The UK Government will, however, keep this decision under review until a later time.

However, bringing personal data into the UK from the EEA will prove to be more challenging, since the UK is no longer subject to the EU GDPR provisions that allow personal data to be moved through the EEA without additional formalities, unless the EU institutions formally make an “adequacy determination” in favor of the UK as for other “third countries” outside the EEA that are deemed to ensure that the “level of protection” guaranteed by the GDPR will not be “undermined”. While the British Government awaits the EU's decision in this regard, the TCA provides some breathing space for UK businesses, allowing personal data to be sent from the EEA to the UK until the end of June 2021. It is not guaranteed that an adequacy decision will be reached, but it is expected that this will be granted at least provisionally.

The European Commission has deemed only a few jurisdictions “adequate” so far:  Argentina, Uruguay, Jersey, Guernsey, Isle of Man, Andorra, Switzerland, Israel, New Zealand, Canada (to the extent that organizations are covered by the PIPEDA and similar Canadian data protection legislation), and Japan (private sector organizations).  The UK can allow free movement of personal data to those jurisdictions without creating issues with the EU. For other countries, it must require additional safeguards or derogations in parallel to the EU’s, or risk losing its own adequacy determination from the EU.  This has become more difficult, since the CJEU decision in Schrems II in July 2020, invalidating the EU-US Privacy Shield Program – one of the methods for legally sharing personal data between entities in the EU and the EEA and their affiliates or vendors in the US.  The Court decision upheld the validity of the EU standard contractual clauses (SCCs) for data transfer under Commission Decision 2010/87/EU (later amended by Commission Decision 2016/2297), but imposed substantial new obligations for European data controllers using this mechanism or Binding Corporate Rules, the other major vehicle for providing alternative safeguards for international data transfers. The judgment in Schrems II has important implications for the future regulation of international data transfers, and the European Commission has proposed a new set of SCCs with required supplemental documentation.

Article 27 of the EU GDPR lays down the obligation for controllers or processors falling into the extraterritorial scope of the EU to appoint GDPR representatives, and it fully applies to cross-border data processing between the EEA and the UK since January 1, 2021. The British Government is expected to set out an equivalent system that requires companies with operations but no establishments in the UK to appoint a UK GDPR representative.  (This is not the same as appointing a data protection officer or “DPO,” which some kinds of controllers and processors are required to do under GDPR Art. 37 and its UK equivalent.)  Appointing a GDPR representative is meant to  facilitate compliance and communications with European data subjectes and authorities when an organization is subject to GDPR but is not physically present in the EEA.

Processors or controllers caught by the extraterritorial jurisdiction of the EU GDPR (Art. 3.2) must comply with Art. 27 and appoint a GDPR representative unless an exception applies.  An organization does not need to appoint a representative when:

• It is a public authority or body; or
• Its processing is occasional; it does not include, on a large scale, processing of special categories of data (as referred to in Art.9 - i.e. information about health or sex life, data relating to race or ethnicity, religious or philosophical beliefs, political opinions, trade union membership, genetics, biometrics used for identification), or processing of data relating to criminal convictions and offenses; and it is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope, and purposes of the processing.

The EU representative must be appointed in writing, must be mentioned in the company’s privacy policy, and will serve as a point of contact for inquiries by national data privacy authorities. The representative can be an individual or entity. It could be a European affiliate, for example, or a consulting or law firm, as long as it is EEA-based.

Understanding the particularities of privacy laws can be a daunting task for businesses, and data breaches can lead to significant reputation damage. Similarly, focusing on securing your place as an organization that focuses on data privacy rights can become a solid competitive advantage in your market.

The FLI team together with our partners can advise you on data protection compliance, cross-border data transfer agreements, security breach response, handling data subject requests, and risk management regarding claims and disputes.