Take-up of GDPR training courses has, naturally, been strong this year, given the May 25th 2018 deadline after which the provisions of the EU’s data protection laws became fully enforceable.
The headline news was that serious breaches of these data privacy laws could result in a maximum fine of €20m (£17m) or 4% of global turnover. When Facebook was recently fined £500,000 over serious breaches prior to the new sanctions becoming effective, many commentators pointed out that this could have resulted in fines many multiples of the one actually imposed, up to $1.6bn (£1.2bn).
As if data controllers – either organisations that store and process personal data, or the individuals within organisations responsible for compliance – didn’t have enough to worry about, another data management complexity might have slipped their notice, as it was not hugely reported.
In March, the EU quietly announced that, with the UK withdrawing from the EU, UK-registered sites would no longer be able to use the .eu domain name. If this is a domain extension that your organisation uses, there is a reasonable likelihood that you will need to mothball it (though we will look at possible opportunities for exemption in a moment).
In a statement, the European Commission said: “As of the withdrawal date, undertakings and organizations that are established in the United Kingdom but not in the EU and natural persons who reside in the United Kingdom will no longer be eligible to register .eu domain names,” the document states, adding, “or if they are .eu registrants, to renew .eu domain names registered before the withdrawal date.”
Taking a hardline position, the EC said that existing .eu domains could be cancelled as soon as Brexit occurs (29 March 2017) with no right of appeal.
This will affect more than 300,000 UK registrations – not a universal problem, but certainly statistically significant since around 10% of all .eu registrations are in the UK.
That, as they say, would appear to be that. However, Chloe Fernandez of law firm Boyes Turner sees what she calls “a glimmer of hope” for companies affected: “Today’s announcement notes that its decree is ‘subject to any transitional arrangement that may be contained in a possible withdrawal agreement’ – meaning that it could form part of a large Brexit agreement between the UK government and EU.”
In other words, this could be an item for compromise in the on-going Brexit negotiations. Fernandez points out that companies domiciled in Norway, Lichtenstein and Iceland are permitted to use the .eu domain, so the UK might be able to benefit from a similar dispensation.
It would be a wise data controller, though, for an organisation that relies on a .eu domain to look at a Plan B. In particular, moving websites is exponentially complex according to size: e-commerce and highly functional websites are not easy to shift – and given the politicisation of Brexit, there’s no guarantee that businesses will have lots of time to make the move and stay compliant. Complex websites involve user data – and the .eu debacle might demand another round of GDPR thinking to stay the right side of the law.