Brexit, GDPR, and the Timeline for Data Breaches
As of 1 January 2021, the Brexit transition period (Transition Period) ended, and the United Kingdom (UK) officially finalized its exit from the European Union (EU). The 11th-hour commercial agreement (Agreement) should allow for a smoother transition on the data protection front as the General Data Protection Regulation (GDPR)¹ stops being directly applicable to the UK. The Agreement also provided the UK with a six-month grace period in which to hope for an adequacy decision that would allow for the free transfer of personal data from the EU to the UK.
- The issue of data transfers from the EU to the UK;
- The end of the One-Stop-Shop (OSS) mechanism for the UK; and
- The need for UK entities that would be subject to GDPR to appoint a representative further to Art. 27 GDPR.
However, aside from enacting the end of the OSS and commenting that “the EDPB has been liaising with the ICO [Information Commissioner’s Office, the UK’s Supervisory Authority] over the past months in order to enable a smooth shift to this new situation by ensuring that the EEA authorities follow a shared and efficient approach in handling the existing complaints and cross-border cases involving the ICO, whilst minimizing delays and possible inconveniences to affected complainants[,]” the EDPB did not comment on how such collaboration will effectively play out for companies whose lead Supervisory Authority was the ICO.
This is all the more relevant for data breaches, which were at the foundation of the largest GDPR fines enacted by the ICO prior to Brexit. While the general framework is substantially the same between GDPR and its UK equivalent, which implemented the EU regulation into the UK’s national law (UK GDPR), the two now-separate regimes may lead to companies having to comply with additional regulatory obligations.
Both under GDPR and UK GDPR, companies are expected to notify their relevant Supervisory Authority within 72 hours from awareness of any breach that would create “risks” to individuals, as well as communicate to such individuals when the risks are “high.”
Various scenarios may arise, based on (i) the moment the personal data breach occurred, and (ii) the time of the notification to a Supervisory Authority:
- The breach and the notification occurred prior to the Transition Period (Scenario 1);
- The breach occurred prior to the Transition Period, but the notification occurred within 72 hours after the Transition Period (Scenario 2); or
- The breach and the notification occurred after the Transition Period (Scenario 3).
All three scenarios can apply to situations where companies are now subject to both GDPR and UK GDPR (e.g., the breach occurred in the UK, but GDPR is also applicable after the end of the Transition Period, or the breach occurred in the EU, but UK GDPR is also applicable after the end of the Transition Period).
According to the Communications, Scenario 1 would be the most straightforward: A procedure was already underway and notified before the then-relevant Supervisory Authority. It is expected that the ICO and its EU counterparts, under coordination by the EDPB, will cooperate to handle, investigate, and, as need be, prosecute these cases. Companies should not, however, be expected to need any additional step in order to be compliant with both regimes.
Likewise, Scenario 3 should, in theory, be clear enough. As both the breach and its notification occurred after the Transition Period, companies will need to assess whether they are exclusively subject to one regime (GDPR or UK GDPR), or if both regimes are concurrently applicable. In the latter case, and due to the end of the OSS mechanism, companies will need to notify their personal data breach to both the ICO and the relevant lead Supervisory Authority in the EU.
Ideally, such assessment of the most relevant EU lead Supervisory Authority should have occurred prior to the Transition Period, and an EU representative, further to Art. 27 GDPR, should have been duly appointed. The EU Member State in which such a representative has been appointed should dictate the relevant EU lead Supervisory Authority.
However, further direction from the ICO and/or the EDPB would have been welcome for Scenario 2—in which the breach occurred prior to the end of the Transition Period, but the notification, while still within the 72-hour window, occurred after the end of the Transition Period.
In addition to the EDPB’s reassurance in its Communications, the ICO also stated that while it “may no longer be part of the One-Stop-Shop”, it would “still co-operate and collaborate with European supervisory authorities, as we did before GDPR and the One-Stop-Shop system, regarding any breaches of GDPR that affect individuals in the UK and other EU and EEA states.” But aside from providing guidance as to how notifications should be performed after the Transition Period, the ICO provided no concrete elements relating to the timeline.
Given the short 72-hour window mandated to notify a breach, only a limited number of breaches might fall into this scenario. However, because that window starts running from the time of awareness rather than from the breach itself, the number may be more substantial.
Indeed, under both GDPR (Art. 33 GDPR) and UK GDPR (Section 67 UK GDPR), the breach itself is the event that triggers the notification requirement. As such, any breach that occurred before the end of the Transition Period should be exclusively subject to GDPR, regardless of whether it has been discovered before or after the end of the Transition Period. As a consequence, UK companies should be able to notify their personal data breaches to the ICO, which would subsequently liaise with its counterparts (and vice versa for EU notification) under the legacy and cooperation mechanism detailed for Scenario 1.