The Data Protection Commission (DPC) has recently published preliminary guidance on transfers of personal data to the UK in the event of a ‘no deal’ Brexit.
Under EU data protection law it is possible to transfer personal data to countries within the EEA with no additional restrictions. However, transfers to countries outside the EEA i.e. to ‘third countries’ require additional safeguards to be put in place.
In its preliminary guidance, the DPC confirmed that, in the event of a ‘no-deal’ Brexit on 30 March 2019, the UK will become a ‘third country’ for the purposes of EU personal data transfers. Accordingly, the rules applicable to transfers to third countries as set out in Chapter V of the General Data Protection Regulation (the “GDPR”) will apply to transfers of personal data to the UK and one of the transfer mechanisms or one of the additional safeguards must be implemented.
The most straight forward way to transfer personal data to a ‘third country’ is where the third country has been recognised by the EU as having an “adequate” data protection regime. However, the DPC has also confirmed in its preliminary guidance that no such recognition of the UK data protection regime will occur before the end of March 2019.
This has significant implications for companies or organisations that transfer personal data out of Ireland to the UK (including Northern Ireland). In the event of a ‘no deal’ Brexit and before 29 March 2019, Irish entities that wish to continue to transfer personal data to the UK will need to put in place additional legal safeguards to lawfully transfer this personal data. For many companies, such additional legal safeguards will likely be the deployment of standard or model contractual clauses into contracts with their counterparties and/or suppliers.
While awaiting further clarity on whether a ‘no deal’ Brexit will occur (hopefully clearer after the UK Parliamentary vote on 15 January 2019), businesses should start preparing for this possibility. In its preliminary guidance, the DPC sets out steps for entities to consider which include reviewing personal data transfers to determine if any personal data is transferred to the UK and determining if these must continue beyond 30 March 2019. Where personal data transfers are to continue in the event of a ‘no deal’ Brexit, then businesses will need to consider the best transfer mechanism available and ensure, in accordance with the DPC’s preliminary guidance, that it is in place by 30 March 2019.
It is to be expected that it may take some time to identify data flows and negotiate revised contractual arrangements with third parties, therefore companies should add this workstream to their growing Brexit contingency planning.