Given recent Brexit-related events, many Irish organisations will again be concerned about the possibility of the UK leaving the European Union without any withdrawal deal in place. With this in mind, the ByrneWallace Data Protection / GDPR Team re-cap on issues previously highlighted to Irish-based organisations in relation to how they can remain compliant with EU law when transferring personal data to the UK in the event of a “no-deal” Brexit.
How do I transfer personal data to the UK after a “no deal” Brexit?
Under EU data protection law, transfers of personal data to recipients outside the European Economic Area (EEA) are considered to be transfers to a “third country” and therefore require “appropriate safeguards” to be put in place before the personal data is transferred.
To date, the EU Commission has recognised Andorra, Argentina, Canadian commercial organisations, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, the USA (within the Privacy Shield framework), and Japan as third countries which provide adequate protection under Article 45 of the General Data Protection Regulation (GDPR). Personal data can flow from the EEA to each of these “third countries” without any further steps being taken.
In the event of a “no deal” Brexit, however, no such recognition of the UK’s data protection regime will be in place and the UK will become a “third country” for the purposes of EU personal data transfers. Consequently, no personal data may be transferred to the UK without a safeguard being in place.
If your organisation transfers personal data to an entity in the UK (including Northern Ireland) you should consider how you can lawfully continue to transfer personal data to the UK following a “no deal” Brexit. For example, if you are an Irish company which currently outsources payroll to a UK payroll processor or you use a cloud provider based in Northern Ireland, you should ensure that you have appropriate legal safeguards in place.
My organisation transfers personal data to the UK. What safeguards can we put in place now in the run-up to a “no-deal” Brexit?
The most commonly used mechanism for transfers to “third countries” is the standard or model contractual clauses (SCCs) under Article 46 of GDPR. In summary, these are standard clauses between an EEA-based “data exporter” and a non-EEA-based “data importer”, approved by the EU Commission, which ensure that any personal data leaving the EEA will be protected to the standard of EU data protection law.
There are two sets of SCCs for restricted transfers between controllers, and one set for transfers between controllers and processors. There are currently no SCCs which deal with processor to sub-processor transfers. Accordingly, for processors, it is necessary to appropriately structure contractual arrangements, such that transfers to sub-processors outside of the EEA can be legally made.
You can adopt the SCCs via a new standalone contract between your organisation as an Irish-based exporter and the UK-based importer. As well as setting out the SCCs, the contract could also include other commercial clauses (such as liability and indemnification clauses), provided these other clauses do not affect the operation of the SCCs or reduce data subjects’ rights.
If you already have a contract in place with a UK-based processor under Article 28(3) of GDPR, you can incorporate the SCCs into the existing contract by way of a written variation, provided that the terms of the existing contract do not affect: (i) the SCCs; (ii) data subjects’ rights; or (iii) the level of protection which the UK processor is required to provide for the transferred data.
In addition to the SCCs, GDPR provides for other safeguards (such as binding corporate rules) which are less commonly used to safeguard transfers of personal data from the EEA to third countries. Given the time period involved in setting up these alternative mechanisms, however, it is highly unlikely that your organisation can have these in place in time for 31st October 2019. GDPR also makes exceptions to the requirement for safeguards, but only in limited circumstances (such as for important reasons of public interest or where data subjects consent) which are not likely to be appropriate if your organisation transfers personal data regularly.