As the possibility of a no-deal Brexit becomes a potential reality, Irish entities that conduct business with or in the United Kingdom (UK) should be aware that mechanisms must be in place by 30 March 2019 to ensure the lawful transfer of any personal data—treating the UK just like other countries such as the USA are treated now, without any agreement to the contrary. In the event of a no-deal Brexit, there would be no legal framework in place to do otherwise.
A no-deal Brexit is becoming a very likely scenario, particularly due to the fact that no withdrawal agreement is yet in place. The UK Government is even advising its residents via 30-second public announcements and a website that they should be preparing for a no-deal Brexit. And, although the UK Parliament is expected to vote on an exit agreement on 15 January—the same deal that EU member states already approved—there remains little confidence in Parliament’s ability to agree on a proposed exit plan.
Warnings Ireland’s Data Protection Commission (DPC) recently warned Irish entities that they will need to have procedures in place to handle data transfers to the UK in the event of a no-deal Brexit. The DPC is Ireland’s independent authority responsible for upholding individuals’ rights to personal data protection and regulates organisations based in Ireland that process people’s personal data in the course of their business.
Under current European Union (EU) data protection laws, the free movement of personal data is guaranteed between all EU member states. Transferring personal data to recipients outside the European Economic Area is considered a transfer to a “third country,” requiring additional safeguards to ensure compliance of the EU’s data protection standards.
In the event of a no-deal Brexit, in which the UK exits the EU on 30 March 2019 without a withdrawal agreement, the UK would become considered a “third country” for the purposes of EU personal data transfers, according to the DPC.
The EU Commission has alerted EU member states about the UK’s potential “third country” status, noting that the EU rules for transfer of personal data to third counties would apply in a no-deal Brexit situation.
Guidance The EU Commission has outlined legal mechanisms that can be used for transfers from an EU member state to a third country, stating that, “[s]ubject to any transitional arrangement that may be contained in a possible withdrawal agreement . . . the EU’s data protection rules . . . allow a transfer if the controller or processor has provided ‘appropriate safeguards.’”
According to the EU Commission, safeguards may be provided for by:
- Standard Contract Clauses;
- binding corporate rules;
- approved codes of conduct with binding and enforceable commitments of the controller or processor in the third country; or
- approved certification mechanisms with binding and enforceable commitments of the controller or processor in the third country.
The EU has also provided determinations whether countries outside the EU provide adequate levels of data protection. According to the EU Commission’s website, the EU basis its adoption of adequacy decisions on:
- a proposal from the European Commission;
- an opinion of the of the European Data Protection Board;
- an approval from representatives of EU countries; and
- the adoption of the decision by the European Commissioners
“The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data,” according to the EU Commission website.
The EU Commission has stated that no decision on an adequacy decision will be taken in relation to the UK, until after it leaves the EU.
Gov.UK issued its own guidance on data protection in the case of a no-deal Brexit, saying there would be “no immediate change in the UK’s own data protection standards,” because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it.”
However, Gov.UK notes that the legal framework governing transfers of personal data emanating from the UK would change and that organisations would need to “take action to ensure EU organisations were able to continue to send . . . personal data.”
Bottom line Any Irish entity that conducts business in the UK should seek the assistance of a Solicitor who is knowledgeable in data protection matters to ensure their data protection plan provides for the lawful transfer of data from Ireland to the UK in the event of a no-deal Brexit.