The end of the Brexit implementation period on 31 December 2020 has brought with it significant changes to the data protection landscape for UK-based businesses. Amid headlines about data transfer issues and a potential adequacy decision for the UK in the coming months, businesses also need to be aware of significant changes to the way in which cross-border personal data breaches with a UK angle will need to be notified to data protection authorities (DPAs) in future.
The GDPR established a “one-stop-shop” principle, allowing companies to notify cross-border personal data breaches to a lead supervisory authority (LSA) in the EU / EEA Member State of their main establishment. A significant advantage of this system is that businesses usually need only to deal with a single DPA in relation to any investigation of the breach and any enforcement arising from it. Before the end of the transition period, the UK ICO could serve as an LSA for companies that had their main establishment in the UK in the event of a cross-border breach – indeed many high-profile breaches that have been investigated by the ICO since the implementation of the GDPR have been cross-border in nature, and have involved the ICO acting as LSA.
However, while the GDPR itself has been enshrined into domestic UK law, the ICO’s status has now changed. Data processing carried out in the context of a controller’s UK establishment(s) which affects data subjects in the EU / EEA will no longer qualify as cross-border data processing for the purposes of the GDPR and it will no longer be possible for the ICO to serve as LSA under the “one-stop-shop” principle.
The ICO has produced helpful guidance setting out what this will mean in practice in relation to cross-border personal data breaches with a UK element, including four example scenarios which can be summarised as follows:
- A personal data breach affecting natural persons in the UK and in one EU / EEA member state, where the controller is established only in the UK and in that EU / EEA member state, will – assuming the risk-of-harm threshold set out in Art 33 of the GDPR has been met – need to be notified to the ICO and to the DPA in the EU / EEA member state.
- If that personal data breach affects natural persons in the UK and in multiple EU / EEA member states, the breach will need to be notified to the ICO and to the DPA in the EU / EEA member state where the controller is established, with that DPA acting as LSA within the EU / EEA.
- If that personal data breach affects natural persons in the UK and in multiple EU / EEA member states, and the controller is established in multiple EU / EEA member states, the breach will need to be notified to the ICO and to the LSA within the EU / EEA, which will need to be identified by reference to the applicable EDPB guidance.
- If that personal data breach affects natural persons in the UK and in multiple EU / EEA member states, but the controller has no establishments in the EU / EEA, the breach will in principle need to be notified to the ICO and to the DPA in each EU / EEA jurisdiction in which there are affected natural persons. This could mean that a controller needs to notify a large number of DPAs about the same breach and could in theory be investigated and fined by each of them.
Clearly, the fact that the ICO can no longer serve as LSA within the one-stop-shop mechanism complicates matters in relation to the notification of personal data breaches in the UK and across the EU / EEA.
Scenario four described above might, in particular, mean that significant additional resources are required in order to deal with the regulatory fallout of a significant personal data breach. That said, if a UK controller has appointed an EU / EEA representative pursuant to Art 27 of the GDPR (which the GDPR requires it to do if it is not established in the EU / EEA and falls within the territorial scope of the GDPR as set out in Art 3(2)), it may be defensible to notify only the DPA in the member state where that representative is located, in accordance with applicable EDPB guidance. In this context, therefore, ensuring compliance with the requirements of Art 27 may now be very helpful to controllers in relation to any personal data breaches that might occur in future.
Equally, scenario three could present complex situations if it is not immediately clear which EU / EEA establishment should be considered the controller’s main establishment in the EU / EEA – and accordingly, which DPA should be considered the LSA in a particular context.
UK-based controllers would be well-advised to consider which of the above scenarios might apply to them in the event of a personal data breach and to update their policies, procedures and resource allocations accordingly.
Trainee solicitor Nicolas Bennett-Jones contributed to this article.