But for companies operating across Europe, and indeed across the world, with establishments or customers in the UK, Brexit also has implications for the applicability of the UK data protection framework to their operations. The UK government has published its catchily-titled draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (DP Exit Regs), which amend the territorial applicability provisions of the UK’s Data Protection Act 2018 (DPA 2018) to ensure the law applies appropriately after exit day.
At present, under section 207 of the DPA 2018, the law applies to:
(a) The processing of personal data which takes place in the context of the activities of an establishment in the UK, mirroring the wording of Article 3(1) GDPR but referring to the UK rather than the EU as a whole. S. 207(7) incorporates the provisions of GDPR recital 22: the fact that an “establishment” includes a person who “maintains, and carries on activities through… other stable arrangements” in the United Kingdom; and
(b) The processing of personal data relating to an individual in the UK by a controller or processor which is not established in any EU Member State, but which offers goods or services to, or monitors the behaviour of, those individuals in the UK. This means that a company with no establishment in the UK, but with an establishment in the EU27, that offers goods or services to, or monitors the behaviour of, individuals in the UK would not be subject to the DPA 2018.
However, the DP Exit Regs are set to amend this. One aspect of the DP Exit Regs is that they amend the GDPR itself insofar as it applies to the UK, and the resulting text is called the “UK GDPR.” With regard to territorial scope, the UK GDPR essentially replicates GDPR Article 3, but refers to the UK rather than “the Union,” with limited additional exclusions for the public sector.
In and of themselves, these amendments do not seem controversial, so the initial response might be “so what?” Well, applying the UK’s DPA 2018 in this way means, in the first place, that companies which would not have been caught previously (i.e., those in the EU27 without an establishment in the UK but offering goods or services to individuals in the UK or monitoring those individuals) will have to consider the extra layer of obligations set out in the DPA 2018 which go beyond those set out in the GDPR.
For example, Schedule 1, Part 4 of the DPA 2018 requires companies processing special category data to have a policy document explaining how that special category data is processed, as well as extra elements to be included in the Article 30 Records of Processing document relating to the special category data and compliance with the appropriate policy document. It is therefore clear that, as a result of Brexit, complying with the GDPR does not leave multinationals which target the UK market entirely off the hook when it comes to meeting UK data protection requirements.
Perhaps even more important is that multinationals which are subject to the DPA 2018 will have to deal with the UK Information Commissioner’s Office in relation to any matters affecting UK data subjects, even if the processing in question is cross-border processing under the jurisdiction of a lead supervisory authority under the GDPR’s One Stop Shop. For example, personal data breaches would have to be notified to the ICO in addition to any EU27 lead supervisory authority. Similarly, any BCR applicants dealing with another EU supervisory authority as their lead reviewer will also have to coordinate the approval process with the ICO in order to cover data transfers out of the UK. Furthermore, the ICO will also have competence to investigate concerns related to UK data subjects outside of the GDPR’s One Stop Shop, meaning it may yet play a leading role in the development and enforcement of European data protection law in the coming years.
Authored by Paul Maynard