It remains to be seen whether the UK will ‘crash out’ of the EU when it leaves at 00.00am CET on 30th March, 2019. Should this happen, the UK will become a ‘third country’ for the purposes of EEA personal data transfers. This means that data that was once able to flow freely between the UK and the EEA without any specific safeguards will no longer be able to do so. This affects Irish (and European) businesses and organisations dealing with parties in the UK, including Northern Ireland. In light of recent guidance from the Irish Data Protection Commission (DPC) and the UK Information Commissioner (ICO), we explain below the main implications of a ‘no deal’ Brexit for organisations transferring data between Ireland/the EEA and the UK, and the steps they should be taking in order to ensure that data can continue to flow. If your organisation uses a UK entity to provide any service, it is quite likely that a personal data transfer is taking place, and plans should be made on how to deal with this in a no-deal scenario.
Steps to ensure data continues to flow
- “Adequacy Deal”: The ideal scenario for the continued free flow of data would be for the UK to strike an ‘adequacy’ deal with the European Commission (EC). This would mean UK data protection laws are of an equal standard to those in the EEA. Note: An adequacy finding will not be in place before 30th March 2019, rendering the UK a third country lacking adequate protection if no withdrawal agreement can be struck.
- Standard Contractual Clauses (SCCs): SCCs are model contracts approved by the EC, which implement contractual safeguards between the data exporter and importer. They are the most popular alternative mechanism of transferring data outside the EEA and are available to download on the EC website. The ICO has provided a guide for small to medium sized organisations aimed at helping you decide if SCCs are relevant, and minimising the expense of putting them in place.
- Other transfer mechanisms: The DPC has provided information on other available transfer mechanisms and derogations for specific situations and we provide a snapshot of these in our article GDPR and International Data Transfers.
Transfers from the UK to Ireland / the EEA
The UK Government has said that, post-Brexit, the UK will continue to acknowledge the EEA Member States as having an adequate level of protection for safeguarding personal data. This is welcome news if you are an Irish organisation receiving data from the UK, as that personal data can continue to flow freely from the UK to Ireland/the EEA.
Transfers from Ireland to the UK
The DPC’s December guidance has indicated the next steps to take for Irish organisations transferring data to the UK:
- Map the personal data that is currently being transferred to the UK;
- Establish whether the transfers will need to continue beyond 30th March 2019;
- If yes, then evaluate the various transfer mechanisms to decide which one best suits your situation, and work towards having it in place before 30th March 2019.
Also, because both processors and controllers are required to implement appropriate safeguards, all kinds of organisations – including those with intra-group service arrangements and those with third parties – must make the necessary changes.
“Six Step Approach”
The ICO has designed a helpful ‘Six Steps to Take’ guide to help all organisations make the precautionary preparations that will help ensure data flows continue post-Brexit.
Conclusion
The status of Ireland-UK data transfers post-Brexit looks more uncertain than ever in light of the resounding defeat of Theresa May’s Withdrawal Proposal. Any development in the area could have a significant impact on data transfers and prudent precautions should therefore be taken. There will be a steady flow of information and guidance from the Irish DPC, UK ICO and the UK Government as the withdrawal date of 30th March edges closer, so be sure to check these sources regularly.