Financial Services Ireland

VIEWPOINT

Brexit sparks wholesale disruption of personal data transfer



As the uncertainty over Brexit persists despite the looming deadline of 29 March, the UK crashing out of the EU with a “No Deal” Brexit is looking increasingly likely.  The absence of a Withdrawal Agreement means that EU law will cease to apply to, and in, the UK as of 30 March 2019.  Therefore, all businesses concerned must prepare, make necessary decisions and complete all required administration actions before 30 March 2019 in order to avoid disruption or risk of operating outside the legal data protection framework.

Pat Breen, Minister of State with special responsibility for Trade, Employment, Business, EU Digital Single Market and Data Protection, addressed the Irish National Data Protection Conference on the 24th of January, advising that any EU-based organisation that transfers personal data to the UK needs to examine its position as a matter of urgency.  There is currently no EU adequacy decision planned prior to Brexit, nor are there EU-driven interim measures being considered.  Therefore, organisations must rely on one of the alternative mechanisms allowed for under the GDPR, such as standard contractual clauses, binding corporate rules, consent or reliance upon certain exceptions.  It is for each organisation to decide the most appropriate approach for its specific business circumstances.

Another conference speaker shared his thoughts a little more plainly, stating that in the absence of an appropriate mechanism, EU personal data transfers to the UK will simply be “illegal” and therefore now is not the time for “sticking your head in the sand”.

In reality, a large number of organisations will be non-compliant when Brexit finally occurs, so what are the practical considerations for your organisation?

Be informed

  • The Irish Data Protection Commission (DPC) has issued preliminary guidance which is relevant for any Irish entities that have data processing operations that involve transfers of personal data to the UK.
  • Additionally, the UK Information Commissioner's Office (ICO) has issued guidance for UK entities that transfer personal data both to and from the UK.
  • The UK government has published the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“Exit Regulations”) with the purpose of ensuring the continuous application of the relevant regulatory frameworks when the UK leaves the EU. In short, the UK will transpose the GDPR into UK law, which we will refer to as the UK GDPR.
  • The EDPB (European Data Protection Board), at its sixth plenary session on 24th January 2019, discussed the possible consequences of Brexit in the area of data protection.  Members agreed to cooperate and exchange information regarding their preparations and the tools available to transfer data to the UK once the UK is no longer part of the EU.  Keep an eye out for their press release.

Don’t rely on adequacy:

The adequacy process will only begin when the UK leaves the EU and officially becomes a third country.  The road to an adequacy decision is far from certain, and it requires political will and a strong desire to trade on both sides.  Even then, there is no certainty: there is the small matter of the UK Investigatory Powers Act (commonly referred to as “The Snoopers' Charter”), which many consider inconsistent with EU law.

Investigate the legal mechanisms:

  • Binding Corporate Rules are an option, but will not address immediate requirements, as they can be an expensive and lengthy process.
  • Standard Contractual Clauses (model clauses) are EU-approved standard contracts that require adaptation for the GDPR but are also not without issue.  SCCs are currently being examined in the context of Facebook and the Irish Supreme Court, the outcome of which remains unclear.

Take practical steps:

  • Consult your DPO
  • Map your data, include your cloud environment and social media
  • Determine whether transfers could be temporarily suspended or will need to continue beyond 30 March 2019
  • Consider additional technical and organisational measures that could be temporarily adopted (e.g. encryption or anonymization)
  • Assess the various transfer mechanisms to decide which (if any) can be put in place before 30 March 2019
  • Examine your supply chain e.g. UK processors
  • Consider appointing a UK representative, aligned to the UK “Exit Regulations”
  • Identify your risk, material exposure and update your risk register
  • Document a considered and defensible position, and consider using a DPIA approach to develop this

What is the alternative?

Doing nothing is always an option. However, in this case it comes with significant risk.

Data Protection Authorities may not have the necessary resources to identify and/or investigate all incidences of non-compliance with respect to UK data transfers. However, should the DPC have cause to investigate an organisation in the event of a breach or complaint, it may be difficult to avoid the scrutiny.  It would be unwise to assume the DPC would overlook non-compliant UK personal data transfers!

Privacy interest, civil liberties and not-for-profit groups represent a serious indirect enforcement method for privacy rights.  The €50m fine issued by CNIL to Google resulted from a complaint submitted by Max Schrems, NOYB (None of Your Business) and the European Centre for Digital Rights.

The world of privacy is changing rapidly and at the present moment is being fanned by Brexit flames; hence, a considered and measured approach will take your organisation a long way.

If you would like to discuss any of the above or particular concerns that you may have in more detail, don’t hesitate to contact us.


Alison Murphy

Privacy Leader, Cyber Centre