Brexit has a serious impact on the transfer of personal data from Ireland to the UK (including Northern Ireland).
Irish businesses transfer data to the UK in many different ways, for example by outsourcing HR, IT or payroll functions to a UK-based organisation or by storing data in the UK on a server or in the cloud. Such businesses need to be aware of the implications of Brexit for data transfers and should ensure that their transfers comply with data protection law.
Adequacy decision
When the transition period ended on 31 December 2020, the UK became a "third country". This means that transfers of personal data from Ireland to the UK are treated in the same way as transfers of personal data to other countries outside the EU, e.g. Australia or Brazil, unless the European Commission issues what is known as an adequacy decision in respect of the UK.
An adequacy decision means that the European Commission has decided that the UK ensures an adequate level of data protection, thereby allowing personal data to be sent from an EU/EEA state to the UK without any further safeguard being necessary. In other words, the transfer is the same as if it was carried out within the EU.
As at 31 December 2020, an adequacy decision had not been issued by the European Commission. However, an alternative arrangement was agreed between the UK and the EU.
UK/EU Trade Agreement solves issue of data transfer post-Brexit
On 30 December 2020, the EU and the UK signed a Trade and Cooperation Agreement (Trade Deal) which sets out their future relationship following Brexit.
Under the Trade Deal, it was agreed that businesses can continue to transfer personal data from the EU/EEA to the UK for up to 6 months after 1 January 2021 or until an adequacy decision is adopted (whichever is earlier) (the Specified Period). The European Commission is currently assessing the adequacy of the UK's data protection law but it is not clear when an adequacy decision will issue.
It should be noted though that the above is subject to the proviso that the UK does not amend the data protection legislation in place as of 31 December 2020 and does not exercise specified designated powers (including approving new Standard Contractual Clauses or binding corporate rules), unless the EU agrees to same. If this happens, the Specified Period automatically ends.
Although under the Trade Deal transfers of personal data from the UK to the EU/EEA can continue without additional safeguards being put in place, as a sensible precaution, it would be advisable that businesses put in place alternative transfer mechanisms during the Specified Period to safeguard against any interruption to the free flow of personal data from the EU/EEA to the UK in the event the UK is not granted adequacy status by the EU. These safeguards include using (i) Standard Contractual Clauses; or (ii) Binding corporate rules, each of which is discussed below.
(i) Standard Contractual Clauses
The Standard Contractual Clauses (SCCs) consist of standard or template sets of contractual terms that the parties sign up to, to govern their relationship as data controller/processor. SCCs will most likely be the approach adopted by most Irish businesses to legalise the transfer of personal data to the UK.
The SCCs can be adopted by putting in place a stand-alone or new contract between the Irish controller and the UK recipient/processor or by incorporating the SCCs into an existing contract. In either case it is important to ensure that the other terms of the contract do not affect the operation of the SCCs, reduce data subject rights or reduce the level of protection which the UK entity is required to provide for the transferred data.
In the recent Schrems II[1] case, the Court of Justice of the European Union concluded that SCCs remain an “appropriate safeguard” for international data transfers but when using SCCs an organisation must verify “on a case-by-case basis” that the personal data being transferred will be adequately protected in the destination country in line with the requirements of EU law. That level of protection must be “essentially equivalent” to that guaranteed within the EU by the GDPR.
This means that organisations using SCCs must carry out an assessment to ensure transfers of personal data to the UK are GDPR-compliant. Such assessment measures include:
- Map and assess all flows of personal data to the UK.
- Where personal data is transferred under SCCs, assess the nature of the personal data being transferred, in particular:
  - what personal data is being transferred;
  - the sensitivity of this personal data; and
  - whether some or all of this personal data is already in the public domain.
- Determine if the UK provides a satisfactory level of protection (currently this is probably the case, as the UK has implemented the GDPR, but the UK's data protection laws should be carefully monitored to identify divergence from EU law).
- Organisations may consider creating a risk questionnaire for completion by UK-based data importers to help to assess the UK's surveillance laws.
- Consider additional measures and safeguards to address any risks identified.
- Re-evaluate at appropriate intervals the level of protection afforded to the data being transferred and monitor if there have been or will be any developments that may affect it.
- Document findings and decisions made.
(ii) Binding corporate rules
Multinational organisations may consider adopting Binding Corporate Rules (BCRs) as an alternative framework for compliant intra-group international data transfers. BCRs must undergo a rigorous approval process and are subject to supervision by a supervisory authority (such as the Data Protection Commission in Ireland). As with SCCs, the use of BCRs will need to be assessed on a case-by-case basis to ensure there are adequate protections in recipient countries.
What should businesses do?
Although, for the time being, businesses can freely transfer personal data to the UK, they should put in place alternative transfer mechanisms to safeguard against any interruption to such data flow should the UK not be granted adequacy status by the EU before 30 June 2021.
For all businesses, it is important to ensure that, operationally, data transfers are conducted and managed in a way that ensures that personal data is at all times protected to the level contemplated by the GDPR.
For more information or to discuss any Brexit-related issues impacting your business, please get in touch with Maureen Daly (IP and Data Protection) or Emer Moriarty Crowley, Damian Maloney, Shaun O'Shea (Corporate and Commercial), Dorit McCann (EU, Competition & Procurement), Barry Cahir (Litigation and Insolvency), Sandra Masterson Power (Employment), or your usual Beauchamps contact.