Privacy Shield companies and Brexit: Special focus on Data Transfers and the GDPR Representative

Less than 30 days to go before the UK officially exits the EU and becomes a third country. The countdown is set and there is still a lot of uncertainty around Brexit: will it happen with or without an Exit Agreement or will there be a last minute extension of the deadline? Have you anticipated the consequences as a Privacy Shield company?

Find out in this article how Brexit can affect you, including details on some actions that you can take to help you be prepared by 30 March 2019.

***

Business continues whether it’s with or without the UK, but companies need certainty as to which actions to take under data protection rules.

The “General Data Protection Regulation” (the “GDPR”) became applicable as of 25 May 2018 in all EU Member States, including the UK, but at this stage the future of the UK is highly unpredictable.

Assuming the (rather unlikely) situation where the UK remains in the EU, the status quo would remain. Therefore, this article focuses on how to help Privacy Shield companies anticipate the impact of Brexit under the GDPR and guide them towards the actions that they should take in the event that the UK leaves the EU on 30 March 2019 - with or without an Exit Agreement.

The first part of this analysis explains the data transfer mechanisms for Privacy Shield companies that deal with personal data coming from the UK. The second part describes under what circumstances Privacy Shield companies should appoint an EU Representative, which is a mandatory requirement of the GDPR for most Non-EU based companies.

1. Data transfer mechanisms - Privacy Shield and Brexit

This section is specifically aimed at US-based companies that are Privacy Shield Certified and concerned about the actions that they should take in the event that the UK leaves the EU – whether or not an Exit Agreement is reached – because data flows from the UK will no longer fall under the Privacy Shield Framework.

The US Government has already published its advice for Privacy Shield companies (See link below in the "References" section). A distinction must be made between a situation in which there’s an Exit Agreement which includes a Transition Period and a situation in which there is No Transition Period (and after the Transition Period is finished).

  1. First case scenario: Transition Period

During this Transition Period, which would apply right after 30 March 2019, EU rules (including data protection laws) will remain applicable until 31 December 2020. This means that the Privacy Shield Framework will still remain in place for data transfers with the EU (including with the UK). No additional action from the Privacy Shield company will be required.

  2. Second case scenario: No Transition Period

In the event that the UK and the EU do not finalise an Exit Agreement by 30 March 2019, Privacy Shield companies must take the steps below by 30 March 2019 (or by 31 December 2020 after the Transition Period is terminated).

(i) A Privacy Shield organization will have to update its public commitment to comply with the Privacy Shield to include the UK.  Public commitments must state specifically that the commitment extends to personal data received from the UK in reliance on Privacy Shield.  If an organization plans to receive Human Resources (HR) data from the UK in reliance on Privacy Shield, it must also update its HR privacy policy.  Model language for these updates is provided below: 

(INSERT your organization name) complies with the (INSERT EU-U.S. Privacy Shield Framework [and the Swiss-U.S. Privacy Shield Framework(s)]) (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the (INSERT European Union and the United Kingdom and/or Switzerland, as applicable) to the United States in reliance on Privacy Shield.  (INSERT your organization name) has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information.  If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view the certification, please visit https://www.privacyshield.gov/.

(ii) Second, organizations must maintain a current Privacy Shield certification, recertifying annually as required by the Framework.

An organisation that does not modify its commitment as directed above will not be able to rely on the Privacy Shield Framework to receive personal data from the UK after 30 March 2019 (if there is no Transition Period) or after 31 December 2020 (at the end of the Transition Period).

After such dates, an organization that has publicly committed to comply with the Privacy Shield with regard to personal data received from the UK and that has committed to cooperate and comply with the EU Data Protection Authority panel under the Framework will be understood to have committed to cooperate and comply with the UK Information Commissioner’s Office (ICO) with regard to personal data received from the UK in reliance on Privacy Shield.


2. Appointment of an EU Representative - Privacy Shield and Brexit 

Depending on where a company is located, there are 12 different scenarios that could apply with respect to the requirement to appoint an EU-based GDPR Representative. 

Please find below a table which summarizes all possible scenarios, as well as specific details relating to Privacy Shield companies under scenarios 7 to 12:

Table: Appointment of an EU Representative

1. I am a UK-based company and I sell goods/provide services only in the UK/or I only target the UK

Your situation is considered to be internal to the UK. Therefore, under the GDPR rules, you don’t have to appoint an EU-Based Representative.

2. I am a UK-based company and I sell goods/provide services in the EU/EEA or target the EU/EEA

You will need to appoint an EU Representative.*

3. I am a UK-based company and I sell goods/provide services/target the UK & EU/EEA

You will need to appoint an EU Representative.*

4. I am an EU/EEA-based company and I only sell goods/provide services in the UK/ I only target the UK

Your company will need to appoint a UK Representative. This representative is different from the EU Representative and its appointment is governed by UK law, not the GDPR.

5. I am an EU/EEA-based company and I sell goods/provide services in the EU/EEA or target the EU/EEA

No action is needed. As a company established within the EU, the obligation to appoint an EU Representative does not apply to you.

6. I am an EU/EEA-based company and I sell goods/provide services in the EU/EEA or target the UK & EU/EEA

No action is required. As a company established within the EU, the obligation to appoint an EU Representative does not apply to you. You may however need to appoint a UK Representative for your customers located within the UK territory, but this obligation falls under UK law, not the GDPR.

7. I am a Non-EU-based company and I sell goods/provide services in the UK or target the UK

As long as the UK is still part of the EU, your company needs to appoint an EU Representative. After Brexit, if you can prove that you are only targeting the UK and not any EU country, then the appointment of an EU Representative will no longer be required.

8. I am a Non-EU-based company and I sell goods/provide services in the EU/EEA or target the EU/EEA

Your company’s situation will not change, regardless of Brexit. The GDPR will continue to apply to all other EU Member States. Therefore, you will still need to appoint an EU Representative.*

9. I am a Non-EU-based company and I sell goods/provide services in the UK & EU/EEA and I target the UK & EU/EEA

You will continue to fall under the scope of the GDPR. However, an important thing to keep in mind is that if your current EU Representative is located in the UK, because of Brexit, the UK will then be considered as a third country, and your appointment will not be valid anymore. To be able to remain GDPR compliant you will need to appoint an EU Representative* in another Member State. 

10. I am a Non-EU-based company and I have an establishment in the UK

Before Brexit, you did not need to appoint an EU Representative. Once the UK exits the EU and becomes a third country, you will need to appoint an EU Representative* in an EU/EEA country. 

11. I am a Non-EU-based company and I have an establishment in the EU/EEA

No action is needed. As a Non-EU-based company with an establishment in the EU/EEA, the obligation to appoint an EU Representative does not apply to you.

12. I am a Non-EU-based company and I have an establishment in the UK & EU/EEA

No action is needed. As a Non-EU-based company with an establishment in the UK and in the EU/EEA, the obligation to appoint an EU Representative does not apply to you.

* Unless you are a public authority or body, or the processing is occasional, does not include, on a large scale, processing of special categories of data or processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.

References

  • Agreement on arrangements between Iceland, the Principality of Liechtenstein, the Kingdom of Norway and the United Kingdom of Great Britain and Northern Ireland following the withdrawal of the United Kingdom from the European Union, the EEA Agreement and other agreements applicable between the United Kingdom and the EEA EFTA States by virtue of the United Kingdom’s membership of the European Union:

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/766995/Agreement_on_arrangements_between_Iceland__the_Principality_of_Liechtenstein__the_Kingdom_of_Norway_and_the_United_Kingdom_of_Great_Britain_and_Northern_Ireland_following_the_withdrawal_of_the_United_Kingdom_from_the_European_Union_.pdf

  • EDPB’s Information note on BCRs (Binding Corporate Rules) for companies which have ICO as BCR Lead Supervisory Authority:

https://edpb.europa.eu/sites/edpb/files/files/file1/edpb-2019-02-12-infonote-bcrs-brexit_en.pdf

  • EDPB’s Information note on data transfers under the GDPR in the event of a no-deal Brexit:

https://edpb.europa.eu/sites/edpb/files/files/file1/edpb-2019-02-12-infonote-nodeal-brexit_en.pdf

  • Explainer for the agreement on arrangements between Iceland, the Principality of Liechtenstein and the Kingdom of Norway, and the United Kingdom of Great Britain and Northern Ireland, following the withdrawal of the United Kingdom from the European Union:

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/766998/Explainer_-_UK-EEA_EFTA_Separation_Agreement.pdf

  • ICO’s Guidance on Data Protection and Brexit:

https://ico.org.uk/for-organisations/data-protection-and-brexit/

  • Privacy Shield official Government’s website on Brexit:

https://www.privacyshield.gov/article?id=Privacy-Shield-and-the-UK-FAQs

  • UK’s Government website on Brexit:

https://www.gov.uk/government/publications/data-protection-if-theres-no-brexit-deal/data-protection-if-theres-no-brexit-deal


Contact

Contact us via e-mail: info@edpo.brussels

Call us: +32 2 216 19 71 


European Data Protection Office