In this series of short articles, Andrew Kimble, Ben Gibson and Matt Harris look at four big issues when it comes to GDPR post-29 March 2019.
A data breach might fall within the competence and regulatory reach of both the ICO and of an EU27 regulator, meaning that penalties could apply in more than one jurisdiction.
Organisations who are not established within the EU, but whose personal data processing activities fall within Article 3(2) may be obliged to appoint a representative within the EU to act as a point of contact and a point of enforcement, bringing non-EU/EEA organisations within reach of data protection regulators within the EU.
Once the UK is no longer a member of the EU, many UK organisations will remain within the scope of GDPR due to the nature of their personal data processing operations. However, they will also be subject to the parallel regime established by the DPA 2018. Consequently, a data breach might well fall within the competence and regulatory reach of both the ICO and of an EU27 regulator.
It is possible, but not inevitable, that the ICO would work together with EU27 regulators either to agree that enforcement will fall to one or the other of them, or to allocate monetary penalties between enforcement proceedings.
Article 83 requires that fines must be "effective, proportionate and dissuasive", which principles might act to mitigate against "double punishment". It is not a foregone conclusion, however, that an administrative fine issued by the ICO or an EU27 regulator would be considered disproportionate merely because the other had also issued a fine in relation to the same matter. Further, arriving at a finding that a fine should be reduced or struck out as disproportionate might require costly and time-consuming proceedings.
UK businesses which process personal data of people in the EU in relation to the offering of goods or services in the EU or the monitoring of behaviour in the EU are at risk of being subject to parallel enforcement regimes and parallel sanctions. Given the uncertainty around final Brexit arrangements, UK businesses may feel the most productive approach at this stage is to ensure the ICO is mindful of the risk to UK business and seeks to establish principles protecting against double penalty.
Under Article 27 GDPR, UK businesses will be required to appoint a representative within the EU if processing EU data subject data, leading to possible cost implications for UK businesses.
Article 27 representatives
GDPR Article 27 requires non-EU data controllers and processors to appoint a representative within the EU if processing data of EU subjects.
Assuming that the UK becomes a "third country" (any country or territory outside the EEA) for GDPR purposes, then it would become necessary for such UK-based data controllers or processors to appoint a representative within the EU.
Such businesses should clearly identify their representative in their customer-facing processing notices and privacy policies. Whilst some types of non-compliance with privacy law are not overtly apparent until issues emerge, a failure to clearly identify an Article 27 representative should be quite obvious.
As noted in our previous briefing in this series, data breaches affecting data subjects in the UK and also in the EU could result in enforcement proceedings, and possibly significant financial penalties and compensation awards both in the UK and the EU under separate enforcement actions.
Costs for UK businesses
Article 27 representatives provide EU data regulators and data subjects with a point of contact within the EU. Unhelpfully, recital 80 of the GDPR suggests that representatives may be subject to enforcement proceedings for breaches by their controller / processor appointer.
Consequently, a representative might be faced with the maximum GDPR fine of €20 million or 4% of global annual turnover (of its appointer). If that is the case (and there is a distinct lack of guidance on this point), it is then likely that Article 27 representatives will insist on robust indemnity obligations from their principals and on being paid fees commensurate with the risk (i.e. quite significant).
In the absence of further guidance on representatives' liability, a business may wish to consider if it has, or should create, an EU-based subsidiary which could act as its representative.
We can provide advice and assistance to businesses with respect to the requirement to appoint a representative and the content of fair processing notices and privacy policies.
In the event of a data breach, a data subject may be able to claim compensation in parallel proceedings under both GDPR and UK data protection law post-Brexit. This will also affect the ability of controllers and processors to adjust liability amongst themselves.
Recovery of compensation
Both GDPR and applied GDPR (the term we are using to describe GDPR as implemented into UK law by the Data Protection Act 2018) provide data subjects with a right to claim compensation from data controllers and processors whose breach results in "material or non-material damage". Compensation includes financial loss but also extends to distress stemming from a personal data breach. This right is not restricted to claiming compensation under only one of the available regimes, and could result in parallel proceedings.
Loss that has been fully compensated for is no longer a loss. This is why, in the case of a claim for compensation for financial loss, if proceedings under GDPR were to result in full compensation, then it ought to be the case that there would be no provable loss in relation to any parallel proceedings under applied GDPR, and vice versa (however, there remains the possibility of a controller / processor being sanctioned by an authority under both GDPR and applied GDPR).
Non-material loss
However, there are possible implications in cases of a claim under both regimes for "non-material damage", such as distress. Unlike financial loss, distress is not easily quantified, and a situation might arise in which parallel proceedings result in separate, substantial awards of compensation for distress.
In each regime there is a mechanism allowing a controller or processor who has paid full compensation to recover from any other controller or processor who is responsible for the damage a proportion of the compensation corresponding to their share of responsibility for the damage. In each case, adjustment relates only to compensation paid under the specific regime.
Whilst legal obligations to protect personal data and the potential related liabilities cannot be contracted out of, parties should ensure that they have in place appropriate contractual provisions which may help to provide them with recourse against parties who have caused them loss due to data protection failings. Our expert data protection team can advise.
It is strongly advisable for organisations likely to rely on BCRs after Brexit to operate them from within the EU27.
For transfers of personal data within corporate groups, binding corporate rules (BCRs) provide a useful avenue in cases where there is no adequacy decision in place. BCRs must be legally binding and enforceable by every member of a group of undertakings engaged in a joint economic activity. They must also confer enforceable rights on data subjects with regard to the processing of their personal data, and include the elements specified by GDPR Article 47(2).
GDPR, as applied in the UK under the Data Protection Act 2018, provides for BCRs to be approved by the ICO rather than by a supervisory authority within the EU27. Consequently, post-Brexit BCRs will be valid only in relation to transfers from the UK to non-EU/EEA third countries. BCRs approved by the ICO would not (as things stand in the absence of further political agreement) permit a transfer of data from the EU/EEA into the UK. It remains strongly advisable for organisations likely to rely on BCRs after Brexit to operate them from within the EU27. We can advise on the process for developing and applying for BCRs (within the UK and the EU).