The impact of Brexit on Data Protection law

The law surrounding intellectual property is one area which will definitely be affected by Brexit, whatever form it takes, as protection of IP at a pan-European level has been an area of legislative activity for the EU for some time.

Whilst the Government has brought in some laws aimed at protecting rights potentially affected by Brexit, there are still areas where the reciprocal nature of the regimes would require a trade deal following exit. Rights holders should also be aware that the arrangements the Government has put in place may not be permanent, and that the EU has not always reciprocated: for example, the EU has not agreed to recognise the exhaustion of IP rights for EU products put on the market in the UK, and so IP rights owners in the EU could prevent the export of UK goods into the EU.

Whether we end up with a trade deal which leaves us following EU law as closely as possible in this area or with no deal at all, most of the rules around data protection will stay the same. The main EU data protection instruments (the ePrivacy Directive (2002/58/EC) and the General Data Protection Regulation (GDPR)) already form part of UK law through the Privacy and Electronic Communications Regulations 2003 (PECR) and the Data Protection Act 2018, and the UK government has made it clear that it intends to maintain the standards set by the GDPR after the end of the Transition Period.

If you are a business which is based solely in the UK and which has no contacts or customers in the EEA, you will need to continue to comply with PECR and the GDPR, but you will not need to take any additional steps to ensure data protection compliance after the end of the Transition Period.

If you are a business in the UK which has customers in the EEA or which has an office, branch or other established presence in the EEA, you will need to comply with both UK and EU data protection regulations after the end of the Transition Period. You may also need to designate a representative in the EEA.

The UK government has stated that transfers of personal data from the UK to the EEA will not be restricted. So if your business sends personal data from the UK to the EEA, you will still be able to do so at the end of the Transition Period. However, if a business or organisation in the EEA (including a group company) is sending personal data to you, then you will need to take extra steps (as outlined under "UK businesses which receive personal data from the EEA" below) to ensure that the data can continue to flow.

All UK businesses

In order to minimise any risk to your business from a data protection perspective at the end of the Transition Period you should:

  • Ensure that you comply with PECR and the GDPR.
  • Review your processes to identify any situations in which your business transfers personal data to the EU or receives personal data from the EU.
  • Update your privacy notices and other data protection documentation to make any necessary changes; for example, amend references to Europe, the EU or the EEA to reflect the fact that the UK will no longer fall within those definitions.

UK businesses which receive personal data from the EEA

If you are a UK business which receives personal data from businesses or organisations in the EEA (including group companies), you should take the following steps to ensure that the data flow can continue at the end of the Transition Period:

  • Consider whether the EEA to UK data transfers will still be required at the end of the Transition Period.
  • Put in place contracts between you and the senders on EU-approved terms, known as standard contractual clauses (SCCs), so that these apply at the end of the Transition Period.
  • SCCs will be required in almost all circumstances, unless the transfers take place within a multinational corporate group which already has approved binding corporate rules (BCRs) in place, or unless and until the European Commission adopts an adequacy decision in respect of the UK.

UK businesses with customers in the EEA or with offices, branches or other establishments in the EEA

If you are a UK business which has customers in the EEA or which has offices, branches or other establishments in the EEA, you should take the following steps to minimise the risks to your business from a data protection perspective at the end of the Transition Period:

  • Identify the EEA countries in which your European customers are predominantly based. This is required because your UK activities will be covered by UK law and your European activities will be covered by EU law. Once you know where your customers are based, you should identify how EU data protection law is applied in those countries to ensure you remain compliant.
  • Check which European data protection regulator will be your ‘lead supervisory authority’ as this will help you identify whether you need to register with that authority and how you should handle correspondence with that authority in the event of a data breach etc.
  • If you are only based in the UK but you offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA, you will need to comply with the EU data protection regime in relation to these activities. In most cases you will also need to appoint a suitable representative in the EEA (see below for more details).

UK businesses which need to appoint an EU Representative

If you are a UK-based controller or processor of personal data:

  • which has no offices, branches or other establishments in the EEA; but
  • which offers goods or services to individuals in the EEA, or which monitors the behaviour of individuals in the EEA,

you will need to:

  • Consider whether you intend to continue carrying out such processing at the end of the Transition Period.
  • Appoint a representative in the EEA (unless you are exempt; see the section below for more information). This representative will need to be established in an EU or EEA state where some of the individuals whose personal data you are processing are located. Your European representative may be an individual, or a company or organisation established in the EEA (for example, a law firm, consultancy or private company).
  • Put in place a service contract or other written mandate for your European representative authorising them to act on your behalf regarding your EU GDPR compliance, and to deal with any supervisory authorities or data subjects in this respect.
  • Update your privacy notice and website to include contact details and other information about your European representative.

You will not need to appoint a European representative if:

  • you are a public authority; or
  • your processing is only occasional, of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data.

EU businesses which need to appoint UK Representatives

The UK government has said that it intends that, at the end of the Transition Period, a controller or processor which is located outside the UK, but which is still required to comply with UK data protection law (for example because it offers goods or services to individuals in the UK, or because it monitors the behaviour of individuals in the UK), must appoint a UK representative.