The Data Protection Act 2018, the GDPR and non EU Businesses – Beware the long arm of UK and EU law
Background – the GDPR
On 25 May 2018 the General Data Protection Regulation (GDPR) became applicable across the EU. Many businesses and their advisers outside the UK and the EU will be familiar with it, because the GDPR applies not just to businesses established in the EU (and "establishment" is a broad concept under EU law, extending beyond a subsidiary to include branches and even sales agents of offshore businesses).
The GDPR also applies to businesses with no physical presence in the EU if the business either monitors the behaviour of people in the EU (e.g. via cookies, Internet tracking or profiling) or offers goods or services to people in the EU (including free of charge).
The Data Protection Act 2018 (DPA 2018)
What businesses and their advisers located outside the EU may be less familiar with is that the UK now has its own new data protection law in addition to the GDPR: the Data Protection Act 2018 (DPA 2018), which received Royal Assent in May 2018, operates in parallel with the GDPR and fills in the gaps the GDPR leaves for EU member states to fill.
The DPA 2018 also has its own extra-territorial application. Like the GDPR, the DPA 2018 applies in the following two cases:
There is an establishment in the UK
1. the personal data processing takes place in the context of the activities of an establishment of a controller or processor in the UK, whether or not the processing takes place in the UK. Here the UK legislator has helpfully provided that an establishment in the UK includes:
- a) an individual who is ordinarily resident in the United Kingdom,
- b) a body incorporated under the law of the United Kingdom or a part of the United Kingdom,
- c) a partnership or other unincorporated association formed under the law of the United Kingdom or a part of the United Kingdom, and
- d) a person not within paragraph (a), (b) or (c) who maintains, and carries on activities through, an office, branch or agency or other stable arrangements in the United Kingdom.
There is no establishment in the UK, but the GDPR still applies because goods or services are offered to data subjects in the UK or data subjects in the UK are monitored
2. the GDPR itself applies to the offshore processing, where:
- a) the processing is carried out in the context of the activities of an establishment of a controller or processor in a country or territory that is not a member State, whether or not the processing takes place in such a country or territory,
- b) the personal data relates to a data subject who is in the United Kingdom when the processing takes place, and
- c) the processing activities are related to:
i. the offering of goods or services to data subjects in the United Kingdom, whether or not for payment, or
ii. the monitoring of data subjects’ behaviour in the United Kingdom.
Implications for non EU Businesses
If you have an establishment in the UK, or even if you have no establishment in the UK but offer goods or services to data subjects in the UK or monitor data subjects in the UK, then your business will have to comply with both the GDPR and the DPA 2018.
The DPA 2018 has a number of provisions additional to the GDPR, including in relation to the processing of special category data and criminal conviction data, which non-EU businesses may also need to comply with. Also, if you offer information society services directly to children in the UK, the DPA 2018 sets the age at which a child can consent for data protection purposes at 13 years (the GDPR default is 16 years, but it allows member states to set a lower age, down to 13).
For further information please contact Simon Stokes.