Data is an important asset to retailers, and they will have been watching developments post-Brexit carefully. The EU GDPR no longer directly applies in the UK, but the UK now has its own (largely similar) "UK GDPR" (see our guidance on UK GDPR here). Most businesses in the UK are subject to the UK GDPR, and may also be subject to the EU GDPR. It will be important to monitor whether divergence between EU GDPR and UK GDPR begins to happen – if it does, this could have important economic and legal implications.
EU GDPR and UK GDPR:
- If a retailer is established in the UK, but holds or otherwise processes individuals' data (for example, by offering goods and services or monitoring individuals' behaviour, perhaps through analytical cookies) in the EU, it may be subject to both data protection regimes (UK GDPR and EU GDPR). And, for similar reasons, retailers established in the EU may be subject at one and the same time to EU GDPR and UK GDPR. Whilst the two regimes are broadly similar, there is now the potential for enforcement action to be brought against retailers simultaneously in the UK and EU.
- UK retailers who regularly supply goods to (or monitor the behaviour of) EU-based consumers may need to appoint an EU representative under EU GDPR in an EU member state, if they do not have an establishment in the EU. Similarly, retailers in the EU offering goods or services to (or monitoring the behaviour of) individuals in the UK may also be subject to UK GDPR, and need to appoint a representative under UK GDPR in the UK.
- The Dutch data protection authority has recently issued a significant fine against an online platform which had failed to designate an EU representative.
International data transfers:
- Just days before the end of the bridging period provided for in the Trade and Co-operation Agreement, the European Commission issued decisions on 28 June 2021 conferring adequacy on the UK's post-Brexit data protection regime. This means that transfers of personal data from the EEA to the UK can continue, with the UK having already decided to allow continued data flows from the UK to the EU. Retail businesses will be relieved at this outcome but should be aware that the adequacy decisions contain sunset clauses which require them to be reassessed after four years, and their validity may also be the subject of challenge before the European Court of Justice.
Read more about the impact of Brexit on data protection, the provisions in the TCA relating to digital trade and the Commission's decision conferring adequacy.