The UK: They left the EU; did your data?

As many of you may know, the United Kingdom officially left the European Union on January 31, 2020, after forty-seven (47) years of membership. What does this mean? Well, the short answer is: we do not really know yet. The UK and the EU are now in a “transition period” that will last until at least December 31, 2020. That transition period can be extended once, by up to two (2) years, if both the UK and the EU agree to do so before July 1, 2020, with the goal of “provid[ing] more time for citizens and businesses to adapt.” (Yes, the audible groans of frustration are permitted at this point.)

While there are many concerns related to Brexit and the larger business and personal implications, this article will focus on the data security and privacy impacts. 

So, what does this mean today?

Even with the uncertainty of a transition period, there still are some knowns today (or really, starting as of January 31st). First, the UK is no longer an EU Member State. Yes, that seems redundant, but it has a concrete consequence: EU law, the GDPR included, continues to apply to the UK only for the length of the transition period, and once that period ends any data transfer into the UK becomes a “[t]ransfer[] of personal data to third countries.” See GDPR, Chapter V. For many US-based companies, this has real, practical ramifications. Many US companies used the UK as their primary, or “main establishment,” within the EU. With the ease of communication in the UK, it was a natural choice. Often, that selection meant storing EU-related personal data within the UK (to minimize data transfer obligations) and interfacing primarily with the UK’s Information Commissioner’s Office (ICO, i.e., the UK Data Protection Authority).

But, now, that entire infrastructure is outside of the EU. Companies need to re-think their structures and determine: (1) should they — or can they — move their main European headquarters to another country? And, (2) should they — or can they — move their European data storage to a non-UK location?

If the UK is your only option  

If remaining primarily in the UK is the only reasonable option, then companies should ensure they are adequately addressing the representative requirements under the GDPR. Article 27 requires controllers and processors not “established in the Union” that nonetheless fall under the GDPR through Article 3(2) to “designate in writing a representative in the Union,” subject only to the narrow exemptions in Article 27(2). Companies also need to review all of their data processing agreements under Article 28 and put a Chapter V transfer mechanism in place for the UK transfers, which in practice means the Commission’s standard contractual clauses under Article 46(2)(c) or, for a corporate group, binding corporate rules under Article 47, unless and until the Commission adopts an adequacy decision for the UK.

Further, the GDPR requires that data subjects be informed when their personal data is being transferred outside of the EU.  Both Articles 13 and 14 (dealing with notice requirements to data subjects), expressly require that data subjects be informed 

“that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.”

See Articles 13(1)(f); 14(1)(f). Reading these provisions in conjunction with the implications of Brexit, do you need to inform all data subjects that their data, by virtue of being processed within the UK, is being transferred to a “third country” as soon as the transition period ends? The administrative burden of re-informing data subjects alone can be challenging, so the privacy notices should be updated before, not after, that date.

Picking between European Member States

If you decide to move your European establishment to another country within the EU, and the personal data moves with it, you can address some of these challenges: you would no longer be transferring data to a third country, and you would not need to name a representative. However, you do need to select a new location for this establishment. For many US companies, that can be a challenge, both logistically and legally.

Germany, Ireland and the Netherlands — just to name a few — are actively soliciting companies to relocate their headquarters to those countries. For ease of communication, Ireland appears to be a natural choice for many US companies. The technology infrastructure in and around Dublin is already growing rapidly, thanks to major companies such as Google, Facebook, and Microsoft establishing their EU headquarters in Ireland.

But, there are more than just linguistic components to be considered when determining the best location to establish a company within Europe, especially from a GDPR perspective. Under the GDPR’s one-stop-shop mechanism (Article 56), the Data Protection Authority of your main establishment becomes the lead supervisory authority for your cross-border processing, so the choice of Member State is also a choice of regulator. It is therefore important to consider the activity of an individual Member State Data Protection Authority. Not all Data Protection Authorities operate or view the GDPR the same. Further, not all Authorities have the same impact, whether within the Member State itself or in the EU generally. Certain Authorities are stricter with their fines, actively enforcing the GDPR and its many requirements, while at least seven (7) data protection authorities have yet to issue any fines since the GDPR became applicable in May 2018. So, before you sign on the dotted line to make that transition to a new location, make sure you understand the perspective of the Data Protection Authority and the aggressiveness of its GDPR enforcement. In other words, perform due diligence on the country before making the transition.

Additionally, a company should ensure that whichever country it moves to has the infrastructure to support its business. Are there data centers with your required sophistication and capacity? Does the region offer sufficient talent to address any human resource needs? Is there relevant research and other academic efforts that can provide unique opportunities for your business? Is there a match between your business and the local culture? 

What could happen after the Transition Period?

If we knew, trust me, we would tell you. Data protection is a key consideration in the negotiations between the UK and the EU over the post-transition relationship. All signs point to the fact that the UK will carry the GDPR into its own domestic law (it already supplements the GDPR through the Data Protection Act 2018, and its withdrawal legislation is set to retain the GDPR as UK law at the end of the transition period) and will seek an adequacy decision from the European Commission. An adequacy decision is adopted by the Commission rather than negotiated as a bilateral agreement, and until one exists, transfers to the UK will need the Chapter V safeguards discussed above. Regardless, there will be some type of alignment. But, how much alignment is still to be seen.

So, what does Brexit mean for you now? The short answer is that there are many considerations to be made when addressing whether or not you need to leave the UK. The key is that the clock is currently ticking and you need to be addressing this now! Do not wait until December 31, 2020 to start this conversation. The implications Brexit will have for organizations are vast, and data protection is just one of them (albeit a hugely important one). And remember, as we often say in privacy, luck favors the prepared!

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.