December 2018
Data
When the UK leaves the EU, it will become, in EU terms, a third country. Data protection and sharing is governed within the EU by the General Data Protection Regulation (GDPR). That means that the transfer of personal data to the UK will be subject to the rules on international transfers set out in the GDPR and other relevant EU directives and regulations.
The Commission, in its Contingency Action Plan of 13 November 2018, set out the broad toolbox available within GDPR and other relevant EU directives and regulations for data transfers to third countries, which would be relevant in a no deal Brexit.
This toolbox includes in particular the so-called ‘appropriate safeguards’ (e.g. administrative arrangements) that can be used by both the private sector and public authorities.
In addition, EU law contains a number of derogations for specific situations that allow data transfers even in the absence of appropriate safeguards, for instance if the data subject provides explicit consent, for the performance of a contract, for exercise of legal claims or for important reasons of public interest. These are the same tools that are used with most countries in the world for which no adequacy decision exists.
Business and public sector organisations which currently share personal data with organisations based in the UK should therefore, in accordance with the Commission guidance, assess their current arrangements and ensure that they will be compliant with GDPR and other relevant EU directives and regulations for data transfers to third countries from 29 March 2019 (postponed to 31 January 2020, with a transitional period to effective withdrawal on 31 December 2020).
July 2019
Transfer of Personal Data
Data protection and sharing is governed within the EU by the General Data Protection Regulation (GDPR). That means that when the UK leaves the EU it will become a third country and the transfer of personal data to the UK will be subject to the rules on international transfers set out in the GDPR and other relevant EU directives and regulations. The European Commission, in its Contingency Action Plan of 13 November 2018, set out the broad toolbox available within GDPR and other relevant EU directives and regulations for data transfers to third countries, which would be relevant in a no deal Brexit.
This toolbox includes in particular the so-called ‘appropriate safeguards’ that can be used by both the private sector and public authorities, including:
Approved standard contractual clauses
Binding corporate rules
Administrative arrangements.
EU law also contains a number of derogations for specific situations that allow data transfers even in the absence of appropriate safeguards, for instance if the data subject provides explicit consent, for the performance of a contract, for exercise of legal claims or for important reasons of public interest. These are the same tools that are used with most countries in the world for which no ‘adequacy’ decision exists.
A specific EU preparedness notice on data protection is also available to provide guidance. In April, the EU Commission reiterated its position that there are appropriate tools available under the GDPR for data transfer to third countries and that contingency measures or an adequacy agreement are therefore not necessary.
On the basis of this guidance from the Commission, last December the Irish Data Protection Commissioner (DPC) issued advice on data protection issues arising as a result of Brexit. Both provide guidance on the provisions which are in place for the transfer of personal data to a third country. In February, the DPC published further detailed guidance on the transfer of personal data to the UK and Northern Ireland, specifically in the event of a no deal Brexit.
In January, all government departments commenced a review of their processes for the treatment of personal data with the UK in a no deal scenario. At an inter-departmental forum in February the implications of a no deal Brexit for personal data transfers were discussed, with advice and guidance from the Department of Justice and Equality, the Office of the Attorney General and the Chief State Solicitor’s Office. All departments, in conjunction with those agencies/bodies under their aegis, have now completed a systematic exercise to map the extent and nature of their personal data transfers to the UK, including Northern Ireland. This exercise also identified the appropriate safeguards and derogations that will be put in place in accordance with the safeguards under the GDPR should the UK become a third country.
Of course, preparing for a no deal Brexit is not just a matter for EU and public sector entities, but also for those private sector organisations that currently share personal data with organisations based in the UK. In addition to its guidance, the DPC has engaged with a range of stakeholders including: meetings with the various trade groups and the SME group in IBEC, participation in Enterprise Ireland roadshows and the All Island Civic Dialogue, engagement with the Law Society Data Protection and IP committee, and cross-government consultation.
Next Steps
Between now and 31 October, the Government will take the following steps:
Departments and agencies will use the additional time to 31 October to refine their plans for the transfer of personal data with the UK, and to identify any outstanding issues that need to be resolved.
Communications and outreach activities will be stepped up to promote awareness and action amongst the private sector as part of the next phase of Government communications.
Between now and 31 October, the Government calls on business to:
Take preparatory actions in accordance with the European Commission guidance: assess current arrangements and develop plans to ensure compliance with GDPR and other relevant EU Directives and Regulations for data transfers to third countries in a no deal scenario.