• The EU e-commerce legislation provides a common EU wide basis for the provision of information society services throughout the European Union. They are broadly services provided wholly over the Internet.
  • There are strong principles which provide for the exclusive regulation of such providers in their home EU state. This is to facilitate the provision of their services without further requirements in the state to which the service is directed. There are common EU wide standards providing for a range of matters, including minimum information and other consumer rights.
  • After Brexit information society providers established in the UK providing information society services into the EU, may not rely on UK home state regulation and the rules which preclude authorisation and regulation in the EU state in which the service is provided.
  • Equally information society providers into the UK may be similarly restricted or subject to regulation in the UK in the absence of equivalent treatment to UK providers within the EU.

Data Protection / Privacy

  • After 2021, the United Kingdom will have its own independent data protection rules in identical terms to the EU General Data Protection Regulation. Under both the EU and UK legislation, there must be a legal basis for the transfer of personal data in and out of the EU and UK respectively.
  • A key objective of the trade negotiations is that each of the EU and UK assess the others’ privacy rules with a view to recognising them to allow free flow of personal data between the EU and UK. If no adequacy decision is made, then businesses and others transferring personal data between the EU and UK must rely on an alternative basis under EU and UK law.
  • The Withdrawal Agreement provides continued protection of personal data transmitted to and from the United Kingdom while it was an EU member state or during the transition period.
  • In the absence of an adequacy decision or appropriate safeguards, the transfer of data may take place on one of the grounds defined in GDPR including by consent, necessitated by a contract and other public interest reasons. Within groups, there may be approved binding corporate rules. Codes of conduct may be approved in relation to transfers.
  • If none of the other bases for transfer apply, then in the absence of an EU and UK decision on adequacy of the other’s rules, an agreement containing specified terms may be required between the data transferor and the data recipient which provides rights to the persons who are the subject of the data.

GDPR Representatives

  • Companies established outside the European Union are required to appoint an EU representative if they offer goods and services to individuals in the EU or monitor their behaviour. The European Data Protection Board guidelines 3/2018  provides guidance on what amounts to offering goods and services in the EU. Certain important exceptions apply in Article 27 GDPR .
  • The UK government has indicated that data controllers and processors located outside the UK will need to appoint a UK representative if they process the personal data of UK citizens.
  • The GDPR representative may be appointed in any EU state for  the purpose of the whole EU. The representative must be appointed by the controller or processor in writing addressed to the supervisory authorities and data subjects.
  • The representative acts as an intermediary between the authorities and data subjects (persons the subject of the information) and the business outside the EU which processes or controls their data. The representative is to maintain certain records and make them available to the supervisory authorities.
Share this article