
Brexit and Breaches: A tale of two fines


By Patrick Hill


Published 17 December 2020


Much has been written about the impact of Brexit on data protection matters. However, little has been said about the consequence for the world of cyber and the risk that an entity may now be subject to multiple regulatory enforcement decisions, including fines, from different data protection authorities as a result of a data breach.

Under the current data protection regime, the EU GDPR’s co-operation and consistency procedures (coined the “One Stop Shop”) allow organisations conducting cross-border data processing to nominate a lead supervisory authority that will be responsible for regulating all cross-border processing and enforcing the EU GDPR.

In the event of a cross-border personal data breach, where the notification threshold under Article 33 EU GDPR is met, the impacted data controller can notify its lead supervisory authority only, rather than notifying all supervisory authorities concerned for the purposes of the incident. Should that supervisory authority conclude that the incident merits a fine under the GDPR, even if multiple EU countries are in scope for the breach, only one fine will be issued by the lead supervisory authority, acting in cooperation with the other supervisory authorities.

However, from 1 January 2021, once the UK leaves the EU, the Information Commissioner’s Office (the “ICO”) will no longer be capable of being designated a lead supervisory authority or participating in the so-called One Stop Shop. As a result, in the event of a cross-border personal data breach, notification obligations for businesses are about to get a little more complicated.

In terms of the statutory framework that the UK is adopting post Brexit, the UK Government has confirmed that it will implement a UK GDPR, on the same terms as the EU GDPR. However, in addition to being in scope for the purposes of the new UK GDPR, a UK entity may also still be caught by the EU GDPR to the extent that it is caught by the territorial scoping provisions (see Article 3 EU GDPR), in the same way that it may currently apply to a US entity, for example.

What this means in practice is that UK entities with no EU establishments, but whose data processing activities are likely to substantially affect individuals in one or more EU member states (for example where they sell products into the EU), will no longer be undertaking cross-border processing under the EU GDPR if they have no office, branch or other establishment there. In the event of a notifiable breach, they will not be able to benefit from the One Stop Shop, and will have to notify the ICO together with the supervisory authorities in all impacted EU and EEA states.

For a UK entity with a European branch, for example in France, in circumstances where there is a notifiable breach, the entity would be required to notify the ICO and the Commission nationale de l'informatique et des libertés (“CNIL”) in relation to any cross-border processing. Both the ICO and CNIL would have authority to issue fines under the UK GDPR and EU GDPR respectively, but there would be no requirement for the ICO and the CNIL to co-operate over such enforcement action. 

A final example is where a UK entity has a European branch in France, for example, and that French office sells products into Spain and Germany. Although there would be no cross-border processing for the UK entity, there would be cross-border processing in relation to the French office’s data processing activities within Spain and Germany. As a result, the entity would be able to benefit from the One Stop Shop in relation to the French, Spanish and German data processing activities, notifying a single supervisory authority in only one of those countries, but it would still need to notify the ICO as well. As a result, there is again the potential for the ICO and the European regulator to both issue fines against the data controller, under the two statutory regimes, being the EU GDPR and UK GDPR.

These scenarios illustrate the fact that businesses are left far more exposed to GDPR enforcement risk post Brexit. Whilst there is no way to get around the potential obligation to notify the ICO and at least one European supervisory authority in the event of a cross-border breach, it is critical that businesses now carry out an analysis to ascertain whether they can rely on the One Stop Shop mechanism in relation to European cross-border processing activities.

Entities that have carried out this analysis will be saved time and hassle in the event of a notifiable cross-border breach, when the business will already be under considerable pressure and strain. Knowing who the lead supervisory authority is will simplify the notification process, allowing the controller to notify the ICO and its lead supervisory authority in Europe only, as opposed to multiple European data protection regulators. 

For advice in connection with identifying and nominating a lead supervisory authority, please contact Patrick Hill or Eleanor Ludlam.