With the entire Brexit situation in turmoil, organisations will (or should) be starting to plan for every eventuality, including a no deal (and no transition) exit. There are various ways that Brexit will affect data protection practices in the UK. While attention is often focused on cross-border data flows, organisations should also be considering the impact of Brexit on their participation in the one stop shop, as well as the location of their lead Supervisory Authority (Lead SA) and Data Protection Officers (DPOs).
Quick recap on 'one stop shop principle' and Lead SAs
One of the GDPR's aims was to reduce the regulatory burden on businesses processing personal data in more than one EU Member State. It introduced the principle of a 'one stop shop' which allows organisations whose processing of personal data substantially affects or is likely to substantially affect data subjects in more than one Member State to nominate a Lead SA in the Member State of their main establishment. Ordinarily (but not always) this will be the place of its central administration. (See our article for more on what this means in practice).
While having a Lead SA means that controllers only need to deal with a single regulator, national SAs remain competent to investigate and enforce data protection law if a complaint is directed to them, or if there is an infringement within their Member State or which substantially affects only data subjects located within it.
Could the ICO still be your Lead SA after Brexit?
When the UK exits the EU on 29 March (at the earliest), the Information Commissioner's Office (ICO) will no longer be an SA for GDPR purposes and will not participate in the one stop shop mechanism or the consistency and cooperation procedure unless there is a withdrawal agreement and we enter into a transition period. If that happens, the issue of the Lead SA will become relevant at the end of transition. The ICO will also lose its power to be the Lead SA for approving BCRs. It is possible that a future deal might change that but for now, it is important for cross-border businesses which have the ICO as their Lead SA to review this, so that any potential issues are headed off before Brexit.
Should you re-consider the location of your Lead SA?
Businesses which currently have their main establishment in the UK carrying out data processing across the EU, should be thinking about where their Lead SA will be once the ICO is no longer an SA for GDPR purposes and indeed, whether they will be able to nominate one.
These businesses should carry out an evaluation of their activities in other Member States and establish where their main establishment will be once the UK is not in the EU. This will most likely be the place of central administration in the EU but that principle is overruled where the decisions about the processing of personal data are taken in another EU establishment.
The main establishment for GDPR purposes will always be the one which has decision making powers in relation to the data processing operations. If there is no such establishment (for example where these decisions are taken outside the EU), there will be no main establishment and the business will not be able to take advantage of the one stop shop.
Businesses without a main establishment in the EU will be required to appoint a representative in the EU and will be regulated by the local SAs in each jurisdiction in which they are active through their representative (see our article for more on representatives).
If you need a new Lead SA, where will it be?
An appealing choice for businesses looking around for a new Lead SA ahead of Brexit, will be one that is well aligned with the UK and the ICO in terms of approach. On that basis, and because it is the only other English speaking common law Member State, Ireland might look like the obvious candidate. However, forum shopping won't work – as demonstrated by the recent decision of the French regulator the CNIL when considering whether Google could claim to have its main establishment in Ireland.
The CNIL determined that Google's Irish presence was not enough for the Irish Data Protection Commission to be the lead SA for certain processing because the Irish entity did not have decision making powers over the relevant processing operations at the time. Google is appealing the decision but it is not yet clear whether this issue will be the focus of the appeal.
The Google CNIL decision confirms the requirement for real decision making to occur in the establishment in the Member State of your Lead SA. It may be that you have different Lead SAs in relation to different processing operations. While this initially seems counter-intuitive given that the aim of the one stop shop is to reduce the regulatory burden by providing for a single lead regulator, not all businesses will fit the required model.
Where no substantial decision making takes place in the EU in relation to a set of data processing operations, there will be no main establishment and no Lead SA for those operations and the SAs in each Member State in which the processing operations take place or the relevant data subjects are located which will be competent to act.
Designating your Lead SA should be carried out carefully for different processing operations and it may be advisable to open a dialogue with the relevant SA to help determine the main establishment for your organisation.
If any SA suspects forum shopping (or that it is not the most appropriate Lead SA), it has the power to challenge the organisation's decision. Again, this power was demonstrated in the Google, CNIL case in which the CNIL and the other relevant SAs decided that it was the CNIL rather than the Irish DPC which was competent take decisions regarding certain specific processing operations by Google.
And what about the DPO?
The question that follows on from the discussion around Brexit and Lead SAs is whether or not cross-border businesses which currently have their DPO based in the UK will need a DPO based in the EU after Brexit.
The GDPR does not state where a DPO must be located. Instead, it simply says that the DPO must be easily accessible from each establishment of that organisation. Given its geographical location, it could be argued that a DPO located in the UK will still be easily accessible for establishments in the EU post Brexit. However, in 2017, the Article 29 Working Party issued guidance (now adopted by the EDPB) that recommended that a DPO be located within the EU, unless the controller or processor has no establishment there.
The more cautious organisations carrying out a lot of processing in the EU may look to move their DPO to the EU after Brexit. Alternatively, different group companies may want to appoint DPOs in one or more EU Member State while retaining a DPO in the UK. However, as the WP29 guidance on this issue is not binding and has not been tested in the courts, it is it is hard to say whether this will be strictly necessary.
It is worth noting that in the recent Google CNIL decision, the absence of a Google DPO in Ireland was one of the relevant factors in determining that Google did not have its main establishment in Ireland for the relevant processing operations.
Organisations which do decide to change the location of their DPO should remember that they are required to communicate their DPO's contact details to their Lead SA (or relevant SAs if there is no Lead). Similarly if there is a new Lead SA as a result of Brexit, businesses need to provide it with details of their DPO wherever the DPO is located.
Next steps
Many UK businesses with cross-border data processing will not yet have needed to put too much thought into the location of their main establishment for GDPR purposes. For some businesses, designating a Lead SA in the EU will be straightforward, but for others it will be a complex decision and they may find they are no longer able to benefit from the one stop shop.
Businesses carrying out processing of personal data across the EU that currently have the ICO as their Lead SA should be considering whether they have a main establishment in the EU (remembering that this requires some real decision making in that establishment), and if so, start to engage with them. If there is no Lead SA in the EU, then businesses may have to begin engaging with all relevant SAs in EU Member States.
If there is no establishment in the EU at all, then they may have to appoint a representative.
Businesses also need to think about the location of their DPO, whether it fulfils the "easily accessible" requirement and whether it would be wise to have a DPO located in the EU.
