Kaveh Cope-Lahooti
Background
The future of trade between the United Kingdom and the EU, including the Republic of Ireland, post-Brexit has been at the centre of the negotiations between the British government and European institutions. The UK is Ireland’s largest trading partner, after the USA[1], and many businesses rely upon the flow of goods, people and information between the two neighbouring countries. With a no-deal Brexit now a real possibility (albeit one both the UK and EU insist they are doing the utmost to prevent) the closer that the 30 March 2019 deadline approaches, the Irish Data Protection Commission has released guidance on the procedures Irish businesses should take if this eventualises (available here).
The difficulties stem from the fact that the UK will be considered, from the EU’s point of view, as a ‘third country’ with regard to data transfers (we have elaborated on the meaning of this for the UK here). Suffice to say – in the absence of an EU adequacy decision (similar to what exists for Switzerland or even the Privacy Shield for the USA) which permits data transfers to be transferred freely to such countries without any strenuous procedures, specific measures will have to be followed by businesses. The European Commission has outlined that it has no plans to consider an adequacy decision for the UK, somewhat obscurely, considering that the UK has effectively implemented the GDPR in full as per the Data Protection Act 2018.
Safeguards
As such, essentially, the measures that will be required are the same used to transfer personal data to countries that are not either in the EU or considered adequate – such as the case for the majority of Asian, South American or African countries where Irish businesses may already have outsourcing operations (such as using IT developers in India, for example). These measures will include:
- Binding Corporate Rules (BCRs)– these are applicable for large organisations that have operations across Ireland and the UK (and potentially more jurisdictions). However, as these will need approval from the Data Protection Commission and possibly other supervisory authorities, organisations are unlikely to put them in place before the Brexit deadline;
- Standard Contractual Clauses (SCCs) – these are agreements that can be signed as an Annex to any existing contracts you have with UK-based providers, who will be considered ‘Data Importers’ from Ireland. Although slightly outdated, they are fairly easy to implement where organisations have a limited number of UK-based providers that they can easily amend contracts with. Such measures can also be signed with an organisations’ subsidiaries abroad.
It should be noted that the Data Protection Commission has elaborated on many of these measures here.
These measures will be required to be applied to all Irish businesses’ cross-border data processing operations. In particular, cross-border data processing operations will generally involve where information is outsourced to other companies, or where companies share or jointly perform business operations that involve personal data being used or transferred to the UK from Ireland. For example, the Irish Data Protection Commission gives the example of where an Irish company currently outsources its payroll to a UK processor or even uses a cloud provider based in the UK.
However, with regard to larger services providers in the UK that are used by Irish businesses (for example, software providers or cloud providers), where it may be difficult to agree on BCRs or SSCs before 30 March 2019 (due to the difference in bargaining power), Irish firms could consider using EU or even US-based providers. In addition, where there are any transfers to an organisation’s own offices in the UK, including Northern Ireland, it might be worth considering if these operations can be carried out in Ireland instead, or an EU-based office.
Other possibilities
As a last-case scenario, to validate the data transfers to the UK, businesses could also rely on more ad-hoc measures, such as:
- Seeking consent from individuals directly for data transfers to the UK. This is unlikely to be useful in the payroll example above, as consent cannot generally be used in employment situations.
- Relying on exceptions, such as where transfers are necessary for the performance of a contract with the data subject or in the interest of the data subject – such as if you have a global mobility scheme for employees or need to process payments abroad for customers. However, as ‘necessary’ is to be construed narrowly, this will not extend to outsourcing processing.
Another issue that the Data Protection Commission considers is the situation where data are transferred from Ireland to the UK, but then sent onward from the UK to other third countries. In these situations, from an Irish perspective, Irish businesses will focus on making these transfer legal from an Irish legislative perspective. Therefore, as above, this means that if such data transfers are onwards to the EEA, they will not need any additional measures, but where they are sent to third countries, they will need similar measures as above.
Next Steps for businesses
As a result, Irish firms should therefore be considering evaluating their UK-based suppliers or processors, and whether measures are in place. Although the best advice for businesses at the current time (particularly with regard to data protection) will be to prepare for the worst, it should be noted that these measures may not, in fact, be needed, if the following occurs:
- As part of the UK Government’s agreement with the EU (which still needs approval by the UK Parliament), the UK and EU agree that from 30 March 2019 until 31 December 2020, a ‘Transition Period’ will take place during which EU law, including EU data protection law, will continue to apply to and in the UK. This will mean that special measures are not required vis-à-vis the UK;
- The UK takes a position to not leave the EU by the proposed deadline; in such case the EU law will still apply in full;
- If a no-deal Brexit still occurs, the European Commission nevertheless makes an adequacy decision with regard to the UK.
Footnotes
[1] Ireland exports, imports and trade balance By Country 2016. (2018). World Integrated Trade Solutions. Retrieved 22 December 2018 from: https://wits.worldbank.org/CountryProfile/en/Country/IRL/Year/LTST/TradeFlow/EXPIMP/Partner/by-country
The Law of the Horse - Privacy, Copyright & Internet Law 