The UK government has unveiled a series of amendments to the Privacy and Electronic Communications Regulations (PECR) to ensure the UK’s legal framework for data protection functions correctly after the UK leaves the EU and to prepare for the prospect of a No Deal Brexit. It is crucial that companies are attuned to these amendments, which come into effect on Exit Day (possibly 31 October 2019), so that they do not fall foul of data protection rules and can avoid potentially hefty fines.
What is the PECR?
Whilst GDPR does not replace PECR, it does change the underlying definition of consent: PECR stipulates that you must not send marketing emails or texts to “individual subscribers” without ‘consent’. This will need to meet the GDPR standard of consent to ensure it is valid. This involves a clear affirmative action, such as an opt-in to receive such communications.
There is an exemption within PECR called the Soft Opt-in, which states that you do not require consent where:
You have obtained contact details in the course of a sale;
You are only marketing your own similar products and services; and
You provided a simple opportunity to opt out of the marketing when you first collected the contact details.
What is the Scope of PECR?
The GDPR governs the data you use for email marketing, whilst the PECR defines the required permission to send email marketing. There is naturally much overlap between the GDPR and PECR as both aim to protect people’s privacy and therefore compliance with one shall help compliance with the other.
How is the UK Government Preparing?
To ensure that the UK legal framework for data protection functions correctly after the UK leaves the EU, the government is preparing a series of amendments. The first set of amendments, PECR Amendments No 1, will come into effect on the day the UK leaves the EU, and will:
Extend the GDPR standards to certain data processing activities outside the scope of EU law;
Make amendments to international transfers of personal data, institutions and member states; and
Formally amend the definition of consent in the PECR to mirror the GDPR definition.
What about US Transfers?
The Privacy Shield is a framework for regulating transatlantic exchanges of personal data for commercial purposes between the EU and the US. It enables US organisations to more easily access personal data from entities based in the EU and protected by EU privacy laws.
This will provide some commercial and legal certainty for UK businesses in a “No Deal” scenario and UK data subjects will continue to have access to the redress mechanisms afforded by the Privacy Shield.
How Should I Prepare my Organisation?
Relentless Comprehensive GDPR Assessment covers 10 core areas and 73 compliance controls
Businesses based in mainland Europe may need to appoint a UK-based representative to handle data protection matters on their behalf from October 31 2019.
The UK government has confirmed that some non-UK data controllers will be obliged to appoint a UK-based representative under new data protection regulations being prepared for a potential ‘no deal’ Brexit.
The UK regulations, which would only apply if an agreement on the terms of the UK’s withdrawal from the EU has not been ratified by the time the UK exits, will “replicate” provisions contained in the General Data Protection Regulation (GDPR), it said.
As well as applying to the processing of personal data by organisations established in the EU, the GDPR also applies to the processing of personal data of data subjects in the EU by organisations based outside of the Union where the processing relates to the offering of goods or services to those individuals or the monitoring of their behaviour as far as their behaviour takes place within the Union. The GDPR’s extra-territorial effect is confirmed in Article 3(2).
In such cases, non-EU based companies are generally required to designate an EU-based representative unless an exemption applies. The representatives are required to address all issues related to the data processing by the non-EU business that is subject to the EU’s data protection regime “for the purposes of ensuring compliance” with those rules. This includes liaising with data protection authorities or data subjects on the business’ behalf.
The duty to appoint a representative does not apply to public authorities or if the processing is only occasional, low risk, and does not involve special category or criminal offence data on a large scale.
In its guidance note, the UK government said it “intends to replicate this provision to require controllers based outside of the UK to appoint a representative in the UK”.
Other ‘no deal’ regulations in the data protection sphere will also be published “in the next few weeks”, the government said, including new regulations to “preserve EU GDPR standards in domestic law” and “maintain the extraterritorial scope of the UK data protection framework” in the event of a ‘no deal’ Brexit.
New regulations will also aim to provide for the continued free flow of personal data from the UK in a ‘no deal’ scenario. The government said it will “transitionally recognise all EEA countries (including EU member states) and Gibraltar as ‘adequate’ to allow data flows from the UK to Europe to continue”, and “preserve the effect of existing EU adequacy decisions on a transitional basis”.
In addition, EU standard contractual clauses, which also facilitate data transfers, are to be recognised in UK law, with the Information Commissioner’s Office (ICO) given powers to issue new data protection clauses, the government said.
Further regulations will also allow businesses that have had ‘binding corporate rules’ (BCRs) authorised before Brexit to rely on those BCRs for data transfers post-Brexit, it said. The ICO will continue to be able to authorise new BCRs under domestic law after Brexit, it said.
No-Deal Brexit: GDPR Compliance Requirement for an EU Representative
Leaving the EU (with or without a deal) does not mean that all EU legislation would cease to have effect in the UK, including the EU’s General Data Protection Regulation 2016 (“GDPR”). Organisations looking to transact business in the EU will have to comply with the GDPR if their activities require them to process the personal data of EU data subjects. Please refer to our recent article on the international transfer of personal data.
One example of an obligation that applies to non-EU states is the requirement under Article 27 of the GDPR to have a European representative where a controller or processor offers goods or services to individuals in the EU or monitors the behaviour of individuals located in the EU.
When the UK leaves the EU, controllers and processors in the UK are likely to have to appoint a representative in an EU member state if they wish to continue offering their services anywhere in the EU.
A controller or processor would not need to appoint a representative under the following circumstances:
they are a public authority; or
the processing of personal data they are undertaking is of low risk in relation to data protection rights and does not involve special category or criminal offence data on a large scale.
We recommend that legal advice is sought to determine whether there is a requirement to appoint a representative. Where there is such a requirement and the controller or processor fails to do so, the fine under the GDPR is up to the greater of €10 million or 2% of the organisation’s total worldwide annual turnover.
Appointing a representative
The representative must be authorised in writing to act on behalf of the UK controller or processor in respect of:
EU GDPR compliance;
dealing with any supervisory authority regarding GDPR compliance; and
dealing with data subjects regarding GDPR compliance.
A “representative” can be an individual, a company or an organisation (e.g. a law firm). They must be able to represent the controller or processor in relation to their obligations under the GDPR. This requires an understanding of the obligations, as well as having the appropriate measures in place to ensure compliance.
Representatives are required under the GDPR to maintain a record of processing activities. Article 30 of the GDPR sets out the requisite information and states that records must be in writing. These are to be made available to the supervisory authority on request.
In recital 80 of the GDPR there is also a word of warning to those appointed as representatives. Recitals are not binding, but do give an indication of what might happen in certain circumstances. Recital 80 states that in the event of non-compliance by the controller or processor, the designated representative “should” be subject to enforcement proceedings. There is little or no explanatory guidance on what such proceedings might entail: i.e. a monetary fine or enforcing compliance. Representatives will need to consider how they can protect themselves in the event they are subject to enforcement proceedings, whether by means of insurance or through the controller or processor providing an indemnity in the contract of appointment to cover any loss incurred due to their non-compliance.
UK equivalent approach
The UK government has said that it intends to adopt the same arrangement in reverse for controllers based outside the UK who wish to transact business in the UK and process UK data subjects’ personal data. Proposed regulations are due to come into effect when the UK leaves the EU. This would mean that non-UK controllers would need to appoint representatives in the UK where they are processing UK personal data and fall under the relevant requirements.
Under a no-deal Brexit, “representation” requires immediate consideration from UK-based controllers or processors to ensure compliance. There are already companies offering “No Brexit, No fee” contracts in relation to appointing a representative, presumably to assist controllers and processors to implement a “plan B” if the UK leaves the EU without a deal.
At Relentless Data Privacy and Compliance we are accepting EU Representative instructions on the basis that the controller or processor will be covered in the event of a no-deal Brexit. If a deal is agreed before the 31st of October 2019, the instruction will be annulled or deferred until the end of the period covered by the agreed withdrawal agreement.
Today we discuss the effects of BREXIT for EU businesses post 31st October 2019.
EU businesses that intend to transfer personal data to the UK after Brexit’s latest deadline 31st October 2019 should document their decisions to do so and notify data subjects of those arrangements, a European data protection watchdog has said.
This article sets out a five-step plan for organisations to ensure compliance with EU data protection laws when accounting for a potential ‘no deal’ Brexit.
When transferring data to the UK, you should: (1) identify which processing activities will involve a transfer of personal data to the UK; (2) determine the appropriate data transfer instrument for your situation; (3) implement the chosen data transfer instrument so that you are ready for 31 October 2019; (4) record in your internal documentation that transfers will be made to the UK; and (5) update your privacy notice accordingly to inform individuals.
Currently, data can flow freely to the UK as it is a member of the EU and subject to the General Data Protection Regulation (GDPR).
The GDPR places firm restrictions on the transfer of personal data outside the EEA. Businesses are prohibited from transferring personal data to non-EEA countries unless they can evidence one of a number of safeguards to ensure EU data is adequately protected when processed in those ‘third’ countries. In a ‘no deal’ Brexit, this will include where personal data is transferred to the UK.
Standard Contractual Clauses (SCCs)
Standard Contractual Clauses (SCCs) are “a ready-to-use instrument” for businesses planning data transfers to implement. SCCs were said to be “likely to be relevant to most Irish businesses that transfer personal data to the UK” in a ‘no deal’ Brexit scenario.
SCCs, also known as model clauses, were developed by the European Commission for use in cross-border contracts. They create a contractual framework for how personal data should be handled when transferred outside of the EU to ‘third countries’.
The Commission has previously issued decisions that endorse model clauses as tools providing for adequate protection of personal data when used for data transfers, as is required by EU data protection law. The use of model clauses has therefore become widespread among international businesses which many companies have come to rely on for demonstrating compliance.
Other legal mechanisms for underpinning EU-UK data transfers post-Brexit may be more difficult to put in place given the time left before Brexit is scheduled to take effect.
While businesses planning data transfers can modify or add to SCCs to “provide appropriate safeguards” particular to their own situation, the “tailored” clauses must be authorised for use by organisations’ local data protection authority.
Binding corporate rules (BCRs)
Similarly, ‘binding corporate rules’ (BCRs), which businesses can commit to in order to facilitate intra-group data transfers outside of the EEA, need approval by the relevant national DPA.
Some of the other tools for underpinning data transfers, provided for in the GDPR, are not available to use yet.
Under the GDPR it is open to industry bodies to develop codes of conduct or establish certification schemes that set “binding and enforceable” standards on data transfers and allow organisations that sign up to the code or certify against the scheme to demonstrate their compliance with the requirements around data transfers set out in the Regulation. However, to date, no such codes or certification mechanisms have been developed for data transfers.
Derogations apply to the GDPR’s main rules on data transfers. EU businesses may be able to turn to the derogations as a basis for transferring personal data to the UK in the event of a ‘no deal’ Brexit. However, the derogations “must be interpreted restrictively and mainly relate to processing activities that are occasional and non-repetitive”.
One of the listed derogations is where businesses obtain the explicit consent of data subjects to carry out the transfer of their data, having explained the possible risks of the arrangement. Others include where the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject, and where the transfer is necessary for important reasons of public interest, where it is necessary to protect the vital interests of individuals where the data subject is physically or legally incapable of giving consent, or where it is necessary for the establishment, exercise or defence of legal claims.
Where none of the derogations listed apply, data transfers that are not repetitive and are limited in volume may still be permitted where the transfer is necessary “for the purposes of compelling legitimate interests” the business is pursuing, so long as those interests are not overridden by the interests or rights and freedoms of the data subject and “suitable safeguards” are provided for. In that case the data controller will be required to inform the ICO, or other relevant local supervisory authority.
The issue remains for processor transfers: as one data protection law expert has put it, the requirements of the GDPR in relation to external transfers are not limited to those made by a controller; processors are also subject to the strict international transfer requirements.
EU / US Privacy Shield
The UK government has said that, in a ‘no deal’ Brexit scenario, data flows from the UK to the EU will not be disrupted, and that for data transferred to the USA the UK government will respect the EU/US Privacy Shield.
Relentless GDPR Services cover all aspects of GDPR Delivery.
Post Brexit the UK will cease to be part of the European Union on 31st October 2019 in the absence of a “deal” to extend the deadline. One implication of this is that UK businesses which hold, obtain or use data about EU citizens after the 29th will most likely have to formally appoint an “EU representative” within the EU for data protection purposes.
The representative is not intended to simply be a box-ticking appointment. It will act as the go-between and single point of contact for all data protection matters, whether with individual citizens or data protection authorities, and must maintain records of processing activities (ROPA) for the organisation’s processing of EU citizens’ data. The representative can be a company or an individual, but it must be mentioned in the privacy information organisations make available to EU citizens.
If your business is required to appoint a representative and does not, action by a European data protection regulator could cause interruption to your business or result in legal action being taken against you.
Which businesses must appoint a representative?
Any non-EU business or organisation which systematically offers services to EU citizens or processes data about EU citizens after Brexit is likely to continue to be subject to the General Data Protection Regulation (“GDPR”) and will likely be required to appoint an EU representative.
Technically, non-EU organisations are subject to GDPR if they obtain or process EU citizens’ personal data, either in connection with offering “goods and services” to them (including free services) or “monitoring their behaviour”.
A representative is not required if the organisation already has an “establishment” within the EU (meaning it is already subject to EU laws) or if it meets a limited set of exemptions.
What constitutes “offering goods and services”?
The business or organisation must “envisage” providing goods or services to EU citizens. The fact that EU citizens can access a website or otherwise identify the provider may not be enough to make an organisation subject to GDPR, but evidence that EU citizens are intended to be able to receive goods or services is likely to be enough.
What is implied by the term “monitoring their behaviour”?
“Monitoring” will not result from routine online collection or analysis of personal data (for example, website analytics) or occasional contacts with persons within the EU. However, any focused or deliberate analysis of EU citizens, including via behavioural advertising/marketing, conducting surveys, or conducting statistical analyses of personal data – whether for the business or organisation’s own purposes or those of another – is likely to amount to “monitoring”.
What actions should I take to prepare?
Organisations which make use of EU citizens’ data need to determine whether they will be subject to GDPR after “Brexit” as a result of offering goods/services or monitoring behaviour, and, if so, whether any exemptions in Article 27 allow them to avoid appointing a representative.
If a representative is required, it must be appointed by the “Brexit” date and must be able to fulfil its functions, including having access to all necessary records, by that date.
Preparing in advance of the 31st of October 2019 will ensure your organisation’s compliance.
Data protection is unlikely to be foremost in people’s minds when considering the impact of Brexit, whether it be soft or hard, deal or no deal. The UK Government has, however, recently issued papers about various topics in a ‘no deal’ situation, and one of these is entitled “Data protection if there’s no Brexit deal”.
In the event of a ‘no-deal’ Brexit, with no agreed arrangements covering data protection, the Government is advising organisations to prepare appropriate contracts to ensure any transfer of European Union citizens’ personal data to the UK is compliant with privacy laws.
The UK faces the prospect of being regarded as a third country when it exits the EU. As a result, the transfer of personal data from organisations within the EU to other organisations in the UK will be subject to strict data transfer rules, as set out by the EU General Data Protection Regulation (GDPR). EU organisations will have to ensure their transfers to the UK are lawful, and that is not going to be as simple as it is now.
You may have heard talk about ‘adequacy’ and speculation about whether the UK will be given ‘adequacy status’. Let’s explain.
What is adequacy?
It’s all about demonstrating to the EU that the UK is a safe place for data processing so that restrictions on data transfers are not imposed. The European Commission can assess non-EU countries’ level of personal data protection to see if it is essentially of an equivalent level to that of the EU. If a country ‘passes’ the rigorous testing, the Commission can make an Adequacy decision.
Countries with adequacy are not bound by the appropriate safeguard requirements set out in Article 46 and Article 47 of the GDPR, and personal data can flow to them unrestricted.
The European Commission has so far recognised the following countries as providing adequate protection: Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. We should also mention the US-EU Privacy Shield, which is a recognised control for data transfers between the US and EU. This is limited to organisations in the US who sign up to the Privacy Shield framework.
Most recently in July 2018, the EU and Japan agreed to recognise each other’s data protection systems as ‘equivalent’.
Will the UK automatically be awarded adequacy status?
Unless a Brexit deal is reached between the UK and the EU before 31st October 2019 which covers data protection and data transfer arrangements, the answer is no. The Commission would need to go through an assessment process before adequacy could be granted. Despite pleas from the UK Government for this process to start, the Commission’s current position is that it will not commence the process until the UK has left the EU and become a third country. Article 45 of the GDPR sets out what the Commission should take into account when considering whether to grant adequacy.
Is the UK likely to be awarded adequacy status?
If the UK leaves the EU on October 31st 2019 with no agreement surrounding data protection & data transfers, the UK Government has stressed, “there will be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it”.
It is widely hoped this will go a long way in persuading the EC to grant adequacy. However, there are concerns the Commission will take a more detailed look at the UK’s crime and national security legislation during its assessment, and in particular the controversial Investigatory Powers Act 2016. This has been criticised by the European Court of Human Rights for giving too much power to security and intelligence services which could violate individual privacy.
Japan will be the first adequacy decision made under GDPR so the UK Government can learn a lot from the process, the EDPB (European Data Protection Board) opinion that has been requested, and the final adequacy decision (once published). Japan has a different data protection regime and has had to agree to add to their national law to get adequacy. Therefore, given the UK implemented Directive 95/46 and has implemented GDPR, a decision that the UK is not adequate would seem unlikely. However, as a third country the UK will be subject to greater scrutiny, and Brexit is unprecedented, so nothing is certain.
The EC’s process for reaching an adequacy decision typically lasts several months (even years) and there is no guarantee it will be granted.
So, what do organisations need to do?
Let’s be clear, if no agreement is reached the UK will become a third country to the EU and will not have adequacy – at least not right after Brexit. So new restrictions for EU-UK data transfers will apply – at least in theory.
UK to EU transfers
The transfer of personal data from the UK to EU member states will, according to the Government, remain unaffected. The Government has stated, “In recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU.”
EU to UK transfers
UK organisations which receive any transfers of personal data of EU citizens, or any personal data from EU member states, need to prepare for the possibility of no deal. Initially, at the least, the UK will not be deemed an adequate country and there will be a burden for compliance with Articles 46-49 of GDPR on organisations sending personal data to the UK.
Organisations are being advised now to work with their EU partners to ensure compliant transfer of personal data between the UK and EU can be achieved.
The Government is advising that for the majority of organisations the most relevant legal basis for such transfers would be Standard Contractual Clauses (SCCs). These EC-approved data protection clauses, often known as model clauses, need to be embedded within contracts (without any changes), or added as an appendix to an existing contract, which may need to be reviewed on this point to avoid ambiguity. They cover the contractual obligations between both parties to protect the rights of the individuals whose data is being transferred. So model clauses are the way to go.
UK entities that are part of multinationals will be affected just as much as purely UK-only organisations where personal data is transferred into the UK from the EU. However, multinationals that already have approved Binding Corporate Rules (BCRs) may not be affected, as a BCR is more focused on the group approach to management of personal data, including data transfers. Some multinationals have also set up a framework agreement incorporating EU Standard Contractual Clauses, and such an agreement may well survive Brexit as the UK company described as a data exporter simply switches to being a data importer. This, however, would not be the case where the UK entity signed as an exporter under contracts based on individual standard contractual clauses.
Anything More to Note?
Organisations based outside the EU which offer goods and services to EU citizens, or monitor the behaviour of EU citizens, fall under the scope of GDPR Article 27, which includes the requirement for such organisations to nominate a representative in one of the EU member states. So, after Brexit, when the UK is outside the EU, this article will bring many UK organisations within its scope.
Also, worth considering is whether your organisation is currently relying on the EU-US Privacy Shield. If so this will need revisiting, as upon Brexit the UK will not be part of this arrangement.
In this period of uncertainty, it would appear prudent to start preparing for what may come, i.e. abide by existing legislation but anticipate possible changes and scrutiny of business processes impacted by cross-EU data sharing. One would need a crystal ball to predict the outcome of any Brexit deal (at the time of writing only six months away), but it is entirely possible that a period of ambiguity will result as political manoeuvrings are completed.
As ever, businesses which act in good faith, recording and justifying any changes to business processes and decisions, will be less vulnerable than those which do not. Keep Calm and Prepare.