With the end of the Brexit transitional period approaching, attention is turning to how UK based businesses can function effectively from the beginning of 2021. Amongst a range of issues to consider is how the highly regulated area of personal data is impacted. In this article we attempt to simplify the position and explain the steps that luxury businesses need to consider taking.
Our key message is that if you have not already begun to think about this then you need to do so as soon as possible, in order to minimise the potential disruption to your business.
However, the reality is that very many luxury businesses are not purely domestic, and they are likely to have some connections with the rest of Europe. Here, the position is more complex when it comes to handling the personal data of customers and employees.
To illustrate the position, we are going to take the example of a UK headquartered luxury business selling to consumers in the UK and in the EU online and through retail stores operated by subsidiary companies in Italy, Germany, France and Spain. During the Brexit transition period, which ends on 31 December 2020, the EU GDPR continues to apply. However, from 1 January 2021 the main changes you need to prepare for are as follows:
Customers based in the EU will continue to benefit from the protection of the EU GDPR, and that is what the UK parent must comply with in relation to them. For UK based customers dealing with the UK parent, the UK DPA will apply. For UK customers dealing with the Continental European subsidiaries, the EU GDPR will apply. As things stand, there is no practical distinction between the UK DPA and the EU GDPR in terms of what you need to tell customers and the rights they have, so no changes are needed except to update the privacy policies issued to customers, making it clear which regime covers them depending on where they are located and which Group company is dealing with them.
Relationships with regulators
The UK Information Commissioner (ICO) is likely to be your current lead supervisory authority for data protection across all of your businesses in Europe. This means that if any complaints are made or problems arise anywhere, they will be handled by the ICO. That will end on 31 December. For the customers (and employees) of the parent company based in the UK, the ICO will continue to be the regulator. However, for individuals based in the rest of Europe, they will be able to turn to their local data protection regulators to handle any complaints or issues. And for UK customers dealing with the subsidiaries they can refer complaints to regulators where the relevant subsidiary is located. This could mean you will be dealing with a complex web of multiple regulators without one of them taking a lead role. You should ensure that anyone in the Group dealing with complaints from customers and with compliance issues is aware of this, and that you are capable of acting in a coordinated way across the Group if problems arise.
Because you are dealing from the UK with customers in the rest of Europe (through online sales), you will need to appoint an EU based representative to be a point of contact for those customers and for EU based regulators. The EU representative must be in one of the countries where you have customers. It might make sense to appoint one of your subsidiaries in Italy, Germany, France or Spain to perform this role. Guidance from the European Data Protection Board (EDPB), the collective body of all EU based regulators, provides that ideally the EU representative should be appointed in a country where the majority of EU based customers are located, but this is not a strict requirement.
It is fair to say that in the first couple of years of the EU GDPR the obligation for GDPR regulated organisations based outside the EU to appoint an EU Representative has been more honoured in the breach than in its observance. However, in June 2020, in its report on the first two years of the EU GDPR, the EU Commission singled out this area of non-compliance as one for specific focus. So, the rather relaxed approach to this requirement seems to be ending and UK based businesses might become a particular focus for attention from some EU regulators after the end of this year. Also note that under the UK DPA, there is a reciprocal requirement for your EU subsidiaries to appoint a UK representative if they have customers in the UK. It might be most convenient for that to be the UK parent company.
When you appoint an EU or UK representative you will need to explain who they are and how to contact them in the privacy notices issued to your affected customers.
Sharing personal data
You will need to consider how your EU subsidiaries can share personal data with you. This is most likely to be data about customers or employees, and “sharing” personal data can be as simple as the UK head office accessing remotely the personal data about customers or employees held by its EU subsidiaries.
The reason to consider this is because the UK becomes a “third country” in EU GDPR terms from 1 January 2021. Your EU subsidiaries will therefore need to put in place an EU approved “gateway” allowing transfers from the EU to the UK. If they do not, then an EU based regulator might block those transfers and apply other sanctions such as fines. Again, this might be an early regulatory focus for some EU regulators.
At the moment the UK is seeking what is known as an Adequacy Decision from the EU Commission which will act as an automatic gateway for any transfers from the EU to the UK. It might be thought that the UK will readily fulfil the necessary criteria of having “essentially equivalent” data protection laws to the EU in light of its past membership of the EU and the wholesale adoption of EU GDPR into domestic law from 1 January 2021. However, this is not proving straightforward, partly because it is tied up with the overall negotiations of the EU/UK trade deal and also because of a recent decision of the Court of Justice of the EU about cross-border data transfers in a case called Schrems II (which we refer to in more detail below).
The bottom line is that it is no longer safe to assume that an Adequacy Decision will be granted to the UK by 31 December 2020 or at all. Without it, transfers of personal data from the EU to the UK will be at risk immediately as from 1 January 2021. We therefore recommend that companies adopt another gateway mechanism and get it ready to apply from the beginning of next year.
The most likely candidate for an alternative gateway is Standard Contractual Clauses (SCCs), sometimes called EU Model Clauses. These are, as described, standard clauses drafted by the EU Commission that are entered into between the transferring party (the exporter) and the receiving party (the importer) that are designed to ensure that EU data protection standards are maintained to an essentially equivalent level once the data is transferred.
However, the position regarding the use of the SCCs has been made more complex recently by the decision of the Court of Justice of the EU in Schrems II (see our background article here). In summary, though the Schrems II decision upheld the use of SCCs, it made it plain that, before the transfers take place, the exporter (with the importer’s help), needs to carry out an assessment of whether the laws of the importer’s country will not put at risk the essentially equivalent level of protection which the SCCs are designed to confer.
Again, it might be thought that this assessment would be straightforward as the UK has and will continue to apply EU GDPR. However, some commentators have referred to the UK’s law enforcement and national security laws and its arrangements for sharing data with America and other third countries as a potential problem. For the moment a credible assessment needs to be made by the exporter if SCCs are going to be safely relied on, and that assessment should be recorded for future reference in case any EU based regulators or individuals question it.
You should also bear in mind that the EU Commission has indicated that it intends to bring out new versions of the SCCs. However, the timing for this is not clear and may well have been put back by the complexities introduced by the Schrems II ruling. In summary, we do not think it is prudent to wait for new versions of the SCCs to be made available before putting in place a compliant gateway.
In our example, Binding Corporate Rules (BCRs) might also be another possible gateway. These are intra-group data sharing arrangements approved by EU regulators which are again designed to put in place sufficient safeguards. However, they take a long time to prepare and approve and are an expensive option, meaning that they are really only suitable in practice for larger groups of companies. They are in any event potentially subject to the same issues as with SCCs when it comes to considering UK national security and law enforcement provisions.
Note that you do not need a “gateway” for transfers from the UK to the EU as the UK Government’s view is that the EU will provide “adequate” protection to UK transferred data.
Apart from altering Privacy Notices, don’t forget to also update your records of processing to set out the new arrangements you have put in place to deal with the impact of the end of the Brexit transition period.
Further sources of information
You might like to consider the ICO’s Guidance here. We recommend you keep this under review to see if it is updated, particularly as the EU/UK trade negotiations continue over the next few months and as regulatory guidance emerges on the impact of the Schrems II decision.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, September 2020