Business craves certainty and Brexit is currently giving us anything but. At the time of writing, it’s looking increasingly likely that Britain will leave the EU without a withdrawal agreement. This blog rounds up the latest developments on data protection after a no-deal Brexit. (Appropriately, we’re publishing on Data Protection Day, the international campaign to raise public awareness about privacy rights and protecting data.)
Under the General Data Protection Regulation, no deal would mean the UK will become a ‘third country’ outside of the European Economic Area. Last week, the Minister for Data Protection Pat Breen said a no-deal Brexit would have a “profound effect” on personal data transfers into the UK from the EU. Speaking at the National Data Protection Conference, he pointed out that although Brexit commentary has focused on trade in goods, services activity rely heavily on flows of personal data to and from the UK.
“In the event of a ‘no-deal’ Brexit, the European Commission has clarified that no contingency measures, such as an ‘interim’ adequacy decision, are foreseen,” the minister said.
This means personal data transfers can’t continue as they do today. At 11pm BST on Friday 29 March 2019, the UK will legally leave the European Union. All transfer of data between Ireland and the UK or Northern Ireland will then be considered as international transfers.
Despite the ongoing uncertainty, there are backup measures, as the Minister pointed out. “While Brexit does give rise to concerns, it should not cause alarm. The GDPR explicitly provides for mechanisms to facilitate the transfer of personal data in the event of the United Kingdom becoming a third country in terms of its data protection regime,” he said.
The latest advice from the Data Protection Commissioner is that Irish-based organisations will need to implement legal safeguards to transfer personal data to the UK after a no-deal Brexit. The DPC’s guidance outlined some typical scenarios if the UK becomes a third country.
“For example, if an Irish company currently outsources its payroll to a UK processor, legal safeguards for the personal data transferred to the UK will be required. If an Irish government body uses a cloud provider based in the UK, it will also require similar legal safeguards. The same will apply to a sports organisation with an administrative office in Northern Ireland that administers membership details for all members in Ireland and Northern Ireland,” it said.
Some organisations and bodies in Ireland will already be familiar with the legal transfer mechanisms available for the transfer of personal data to recipients outside of the EU, as they will already be transferring to the USA or India, for example.
BH Consulting’s senior data protection consultant Tracy Elliott says that data protection officers should take these steps to prepare for the UK’s ‘third country’ status under a no-deal Brexit.
· review their organisation’s processing activities
· identify what data they transfer to the UK
· check if that includes data about EU citizens
“Consider your options of using a contract or possibly changing that supplier. If your data is hosted on servers in the UK, contact your hosting partner and find out what options are available,” she said.
Larger international companies may already have data sharing frameworks in place, but SMEs that routinely deal with UK, or that have subsidiaries in the UK, might not have considered this issue yet. All communication between them, even if they’re part of the same group structure, will need to be covered contractually for data sharing. “There are five mechanisms for doing this, but the simplest and quickest way to do this is to roll out model contract clauses, or MCCs. They are a set of guidelines issued by the EU,” Tracy advised.
Sarah Clarke, a specialist in privacy, security, governance, risk and compliance with BH Consulting, points out that using MCCs has its own risks. The clauses are due for an update to bring them into line with GDPR. Meanwhile the EU-US data transfer mechanism known as Privacy Shield is still not finalised, she added.
In the short term, however, MCCs are sufficient both for international transfers between legal entities in one organisation, and for transfers between different organisations. “For intra-group transfers, binding corporate rules are too burdensome to implement ‘just in case’. You can switch if the risk justifies it when there is more certainty,” Sarah Clarke said.
The European Commission website has more information on legal mechanisms for transferring personal data to third countries. The UK Information Commissioner’s Office has a recent blog that deals with personal data flows post-Brexit. You can also check the Data Protection Commission site for details about transfer mechanisms and derogations for specific situations. The DPC also advises checking back regularly for updates between now and Brexit day.