Predictions about the Brexit negotiations are probably a mug’s game. Despite the fact that Boris Johnson’s government is the stupidest and most incompetent of my lifetime, it’s clearly not impossible that the EU will give the UK some kind of trade deal at the end of them. It’s also not impossible that part of the package will be an (unearned) data protection adequacy deal, solving at a stroke a huge number of 2021 headaches for UK and EU businesses. If that happens, the rest of this blog is outdated until the CJEU comes for 2020’s most unlikely Christmas present with the receipt.
However, let’s assume that the UK doesn’t get adequacy, and from January 1st 2021, the UK is a third country. There are all sorts of potential considerations, but one of them affects my business directly. Will 2040 Training, and small businesses like it, need an EU representative? After all, I have customers and clients in the EU, and I process their personal data. Do I need to search out one of the suddenly very excited companies who offer this service, hoping that a lack of adequacy will bolster their profits? I probably still have some contact details because every single time I run my Brexit webinar, I get contacted by someone hoping that I might plug their service. Yes, mate, I’m going to do an advert for you on my free webinar that not even I am making money from. That sounds like a thing that would happen.
What do the EU GDPR rules say? Get used to ‘EU GDPR’ and ‘UK GDPR’, non-pedants, they’re now in the 2040 style guide. Article 3 of the GDPR says that it applies to the processing of personal data about people (AKA ‘data subjects’) in the EU where the processing activities relate to “the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union”, or where the controller is monitoring subjects in the Union. To underline a point many people have made many times, there’s no mention of ‘citizens’; if you’re alive and physically present in the EU, this applies to your data.
Should a controller outside the EU be doing such a thing, they then have to appoint a representative in the EU to allow subjects to exercise their rights, deal with enforcement, and other tasks necessary to handle the otherwise absent but data processing controller. The exception to this is where the processing is low risk. To give the full text from Article 27, you’re exempt if your processing is:
occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing
To misquote a show from the 1980s which I probably shouldn’t have enjoyed: “Do They Mean Me?”
I say no. First, I do not offer goods or services to data subjects in the EU. They are not specifically forbidden from booking places on my courses or asking for my paid advice, but I do not target them. My courses are deliberately (and after a forthcoming tweak of my website) explicitly aimed at the UK market. I price in pounds sterling. I talk about the GDPR as implemented in the UK, the UK DPA 2018 and the Information Commissioner. The fact that some lovely EU people choose to book does not remove the reality that my courses are aimed at, and so I believe offered to, data subjects in the UK.
But what if I’m wrong? What if the fact that I have EU customers means that I ‘offer’ products or services to the EU? Well, the processing is occasional (EU punters are less than 1% of my business), I never process special categories or criminal data, and the level of data I process (names, mostly business occasionally personal email addresses, mostly business occasionally home addresses) is unlikely to cause a risk to my customers’ rights and freedoms.
As alluded to above, I will be changing my website a little to underline that I am a UK business, catering to the operation of Data Protection and Privacy law in the UK. I’ve always enjoyed the rather grandiose claims of other people in the sector to be running worldwide operations, but I’ve never pretended to be anything other than a UK operator, never more so than today. I think the UK is going to diverge from the EU in many unhelpful ways, but for my business purposes, we’re out of the EU, and while what happens there will be interesting and influential, it is something else happening somewhere else, not a process that the UK is any longer a part of.
Of course, even if I thought I met the requirements, the chances of enforcement are next to nothing. A recent Wired magazine article didn’t make a convincing case for the possibility that small businesses like me would be an obvious target for the ire of EU regulators, and even if I was, would any action be enforceable? Could I receive a reprimand from Helen Dixon? Will the good folk of North Rhine-Westphalia be verboten from booking on my courses? I can absolutely see the possibility of some European DP Authority wanting to make a point about Brexit if relations between the UK and the EU go sour (sourer?), but I don’t think pursuing a UK small business for not having a representative will be the eye-catching regulatory coup they’ll be looking for.
Unless Sir David Frost brings home the bacon from the negotiations, I’m sure we’ll see more adverts and hype from the representative sector, but I think the average business should be circumspect. Even the lowest price representative package is a waste of money if you don’t really need one, and the threshold isn’t as low as you might think. For UK businesses who consciously and regularly solicit EU business, it is a serious question but even for them (SPOILER ALERT) it’s far from the biggest problem presented by Brexit. As this benighted year draws to its merciful close with some vaccine shaped hope on the horizon, I still believe Brexit will come to punch us all hard in the face, and my fellow small business owners should not be lured into spending anything that they don’t need to.