Since this post was originally published on 21st March 2019, the landscape has changed a great deal. On 22nd March 2019, with just 7 days until the UK was due to leave the European Union, the exit date was extended by a further two weeks to 12th April 2019 to give the British PM a chance to broker a solution that would avoid a no-deal Brexit. When that solution did not present itself, the EU and the UK agreed to postpone the exit date to 31st October 2019 rather than watch the UK crash out of the EU on 12th April. And so my original point stands: with every passing week, one thing about Brexit becomes clearer – nothing is clear! The threat of a no-deal Brexit has receded significantly but has not disappeared completely, so businesses should still address the issues outlined below to future-proof their data transfers.
Businesses are unsure how to prepare for Brexit, as whether or not there will be a deal, and whether or not the UK will actually leave the EU on 29th March 2019, are both up in the air. However, businesses need to plan for the worst-case scenario. In the world of data protection this is very difficult, but the DPC (Data Protection Commission, Ireland), the ICO (Information Commissioner’s Office, UK) and the EDPB (European Data Protection Board) have all released guidance, which is helpful and instructive (here, here and here).
What everyone agrees upon is that if the UK leaves the EU on 29th March without a deal, it will become a third country within the meaning of the GDPR. This means that transfers of personal data to the UK from any country within the EEA will have to be made subject to one of the safeguards set out in Chapter 5 of the GDPR. While an adequacy decision would be the best way of ensuring a continued free flow of personal data between the EEA and the UK, no such decision will be in place by 29th March and one may not be in place for some time after that.
As every day brings a new Brexit development, it is hard for businesses to make concrete plans. However, the following situations will be the most common:
Irish based company receiving personal data from a UK based client:
Where an Irish based company (data processor) is receiving personal data from a UK based client (data controller), the transfer out of the UK will be governed by domestic UK legislation. Currently, this is the Data Protection Act 2018 (here). This Act was enacted to supplement the GDPR and bring it within the domestic law of the UK, so the procedures contained in it are aligned with those of the GDPR. Furthermore, the UK government has stated its intention that the GDPR would be brought into UK law and that it would enable personal data to continue to flow from the UK to the EEA in the event of a no-deal Brexit (here). The Irish based processor, being established in the EEA, must still process the personal data in accordance with the rules set out in the GDPR.
Irish based company transferring personal data to a UK based supplier:
Where an Irish based company (data controller) is transferring personal data to a supplier in the UK (data processor), the transfer must be subject to one of the safeguards set out in Chapter 5 of the GDPR. In this instance, the most appropriate transfer safeguard will likely be the Standard Contractual Clauses (here); there are also SCCs for controller to controller transfers. These clauses are a one-size-fits-all tool, so they may not be appropriate for every situation. One thing to note about the SCCs is that they cannot be amended and must be incorporated in their entirety into an agreement. Additional clauses on business issues can be included in the overall agreement between the controller and the processor, but such clauses cannot contradict the SCCs. Parties should also be aware that these clauses pre-date the GDPR.
International inter-group personal data transfers:
Where there are inter-group transfers that cross EEA lines, the most appropriate safeguard for this type of transfer is likely to be Binding Corporate Rules (BCRs). These are internal rules, binding on every member of the group, which govern the transfer of personal data from an EEA based member of the group to a non-EEA based member of the group. The disadvantage of this type of safeguard is that BCRs have to be submitted for approval to the supervisory authority of an EEA state in which at least one of the group companies is based, and approval takes time. The European Data Protection Board has issued guidelines on the criteria for identifying your lead supervisory authority. The Article 29 Working Party (the precursor to the EDPB) issued two working documents on Binding Corporate Rules (for controllers here and for processors here).
There are some other safeguards which can be used to transfer personal data from the EEA to a third country, and these are identified in the guidelines from the various bodies linked above. If you are concerned about the impact Brexit will have on data transfers that are crucial to your business, speak to our subject matter experts for further advice: call us on 1800 903 552 or e-mail us.