The UK government confirmed last week that some non-UK data controllers will be obliged to appoint a UK-based representative under new data protection regulations being prepared for a potential 'no deal' Brexit.
The UK regulations, which would only apply if an agreement on the terms of the UK's withdrawal from the EU has not been ratified by the time the UK exits, will "replicate" provisions contained in the General Data Protection Regulation (GDPR), it said.
As well as applying to the processing of personal data by organisations established in the EU, the GDPR also applies to the processing of personal data of data subjects in the EU by organisations based outside of the Union where the processing relates to the offering of goods or services to those individuals or the monitoring of their behaviour as far as their behaviour takes place within the Union. The GDPR's extra-territorial effect is confirmed in Article 3(2).
In such cases, non-EU based companies are generally required to designate an EU-based representative unless an exemption applies. The representatives are required to address all issues related to the data processing by the non-UK business that is subject to the UK's data protection regime "for the purposes of ensuring compliance" with those rules. This includes liaising with data protection authorities or data subjects on the business' behalf.
The duty to appoint a representative does not apply to public authorities or if the processing is only occasional, low risk, and does not involve special category or criminal offence data on a large scale.
In its guidance note, the UK government said it "intends to replicate this provision to require controllers based outside of the UK to appoint a representative in the UK".
Other 'no deal' regulations in the data protection sphere will also be published "in the next few weeks", the government said, including new regulations to "preserve EU GDPR standards in domestic law" and "maintain the extraterritorial scope of the UK data protection framework" in the event of a 'no deal' Brexit.
New regulations will also aim to provide for the continued free flow of personal data from the UK in a 'no deal' scenario. The government said it will "transitionally recognise all EEA countries (including EU member states) and Gibraltar as ‘adequate’ to allow data flows from the UK to Europe to continue", and "preserve the effect of existing EU adequacy decisions on a transitional basis".
In addition, EU standard contractual clauses, which also facilitate data transfers, are to be recognised in UK law, with the Information Commissioner's Office (ICO) given powers to issue new data protection clauses, the government said.
Further regulations will also allow businesses that have had 'binding corporate rules' (BCRs) authorised before Brexit to rely on those BCRs for data transfers post-Brexit, and the ICO will continue to be able to authorise new BCRs under domestic law after Brexit, it said.
The ICO also issued its own new guidance on data protection in a 'no deal' Brexit scenario last week. At the time, data protection law expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, highlighted how UK-to-UK data transfers could be impacted by a 'no deal' Brexit.
The UK is scheduled to leave the EU on 29 March 2019. While the UK government has negotiated a withdrawal agreement with the remaining 27 EU countries, the deal has yet to be ratified and it has faced stiff opposition from government backbenchers and opposition parties in the UK.