The Data Protection Commissioner (DPC) has released important preliminary guidance to Irish companies with data processing operations which involve the transfer of personal data to the UK, including Northern Ireland.
Under EU data protection law, transfers of personal data to recipients outside the European Economic Area (EEA) are considered to be transfers to a “third country” and therefore require “additional safeguards” to be put in place in order to ensure continued application of the EU’s data protection standards.
In the event of a ‘no deal’ Brexit, i.e. the UK leaving the EU on 30 March 2019 without having a withdrawal agreement in place which contains provisions dealing with how data protection matters will be handled, the UK will become a “third country” for the purposes of EU personal data transfers.
Flows of personal data to the UK as a “third country” after 30 March 2019
The EU Commission has so far recognised Andorra, Argentina, Canadian commercial organisations, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, the United States of America (within the Privacy Shield framework), and Japan as third countries which provide adequate protection of personal data under Article 45 of the General Data Protection Regulation (GDPR). The effect of such recognition is that personal data can flow from the EEA to that third country without any further safeguard being necessary.
No such recognition of the UK’s data protection regime will be in place by the end of March 2019.
The most commonly used alternative mechanism for transfers to “third countries” is the set of standard (or model) contractual clauses provided for under Article 46 of the GDPR. These are standard clauses approved by the EU Commission that implement contractual safeguards between the “data exporter” and the “data importer” and ensure that any personal data leaving the EEA will be protected to the standard of EU data-protection law. There are two sets of standard contractual clauses for restricted transfers between a controller and another controller, and one set for transfers between a controller and a processor.
Notably, there are currently no standard contractual clauses which deal with processor to sub-processor transfers. Contractual arrangements must therefore be structured appropriately so that a processor’s transfers to sub-processors outside the EEA can be made lawfully.
In addition to the standard clauses, Article 46 of the GDPR also provides for further measures which are less commonly used to safeguard transfers of personal data from the EU to third countries. These include binding corporate rules regarding transfers of personal data from EEA entities to non-EEA entities within multinational corporate groups (it can take up to 18 months to have binding corporate rules approved for use, so this is often not a practical solution). Firms can also rely on approved codes of conduct or certification mechanisms provided that the controller or processor in the third country has committed to comply with the appropriate safeguards, including as regards data subjects’ rights.
Derogations (under Article 49 of the GDPR) are exemptions from the requirement for an adequacy decision pursuant to Article 45 or for appropriate safeguards pursuant to Article 46. Derogations allow transfers in specific situations, including (i) transfers based on consent; (ii) transfers for the performance or conclusion of a contract; (iii) transfers for the exercise of legal claims; or (iv) transfers to protect the vital interests of the data subject where they cannot give consent, or for important reasons of public interest.
What can Irish companies and organisations do to prepare for the data processing implications of a “no deal” Brexit?
The implications of a “no deal” Brexit as described above will have important repercussions for all organisations and bodies trading with, or otherwise doing business or corresponding with, entities in the UK (including entities in Northern Ireland).
Companies should consider whether they currently transfer any personal data to the UK and how this can legally continue in the event of a “no deal” Brexit. For example, an Irish company that currently outsources its payroll to a UK processor or uses a cloud provider based in the UK will need to have appropriate legal safeguards in place.
The DPC has advised that any EU companies who transfer personal data to the UK:
(a) map what personal data they currently transfer to the UK;
(b) determine if the transfers of personal data will need to continue beyond 30 March 2019; and
(c) if this is the case, assess the various transfer mechanisms to decide which one best suits their situation and work towards having it in place before 30 March 2019.