Brexit: Data Protection and EU-UK Data Flows

The implications of Brexit for EU-UK data flows are the subject of on-going uncertainty, despite recent public statements made by the UK Information Commissioner’s Office and UK Data Protection Minister. Businesses who are involved in EU-UK data flows, or who will be in the future, are grappling with this uncertainty (among many others relating to Brexit). In this briefing, we examine some of the likely paths forward that may allow companies based in Ireland (or other EU Member States) to transfer personal data to the UK after the date on which the UK leaves the EU (the “Exit Date”).  

Irish and UK data protection laws and practice are very similar (but not identical).

With effect from 25 May 2018, current data protection laws throughout the EU will be replaced by a new regime, primarily comprising the General Data Protection Regulation (“GDPR”). Since the UK will still be in the EU in May 2018, the GDPR will also apply in the UK. It is widely expected that from the Exit Date (which is not expect to be any earlier than in March 2019), the UK will have national data protection laws that closely resemble the then applicable EU data protection law regime.

Under the GDPR, from the Exit Date unless and until steps are taken to ensure that the UK is deemed by the European Commission to have an ‘adequate’ data protection regime, or an alternative mechanism is agreed, transfers of personal data from EU Member States (including Ireland) to the UK will not be able to continue in the same manner as is currently the case. Instead, the EU-based transferring entity would need to take appropriate steps to ensure it could rely on one of a limited range of mechanisms for lawfully transferring personal data outside the EEA to territories which have not been deemed ‘adequate’.

In early February 2017, the UK Government publicly stated that its Brexit goals include ensuring that, from the Exit Date, crossborder flows of personal data between the UK and the EU could continue on an “unhindered” and “uninterrupted” basis (the “Ideal Position”). In principle, the Ideal Position is achievable, however the UK will require the cooperation and approval of the Commission or other EU institutions to agree an alternative legal mechanism.

A comprehensive adequacy decision for the UK?

The making of an adequacy decision by the Commission in respect of the UK on the Exit Date might seem straightforward and a desirable outcome for many stakeholders. However, the legal requirements that apply to an adequacy decision of the Commission, and recent legal challenges to existing adequacy decisions, are such that it might not be straightforward in practice.

Making a legally robust adequacy decision that would take effect on the Exit Date would be challenging from a timing perspective. Even assuming these challenges could be overcome, it is not certain that the UK regime post-Brexit would be deemed to be adequate, despite its likely close similarities with the EU regime. One area in which issues might arise is the UK’s approach to restrictions of individuals’ privacy rights and remedies for the purposes of national security and counter-terrorism. Recent efforts by the UK to enact robust surveillance laws effectively have been held to be incompatible with EU law.

Alternatives

For transfers to any country outside the EEA (eg the UK after the Exit Date) where adequacy decisions do not apply, current potential alternative transfer mechanisms include: (i) where consent has been obtained from the data subjects; (ii) where the transferor and transferee enter a contract including ‘model clauses’ approved for this purpose by the Commission (though these are currently under challenge in proceedings before the Irish courts); or (iii) where the transferor and transferee are part of the same corporate group and have adopted ‘binding corporate rules’ that have been approved by competent authorities. While these alternative mechanisms are used widely to facilitate transfers from the EU to territories such as India and Japan, etc, they can be costly and administratively burdensome.

Under the GDPR, similar rules will apply regarding transfers of personal data outside the EEA (though there are some differences). For transfers to countries which have not been deemed adequate, the same alternative mechanisms will be available or, for the first time, it may be possible to rely on certification mechanisms or codes of conduct (details of which have yet to be fleshed out).

It has also been speculated that as a potential stop-gap or permanent alternative to a full adequacy decision, the UK and EU might seek to adopt something akin to the EU-US Privacy Shield. However it is notable that the EU-US Privacy Shield is currently under challenge before the EU courts and that further challenges are expected.

A further potential alternative envisaged by the GDPR would be for certain industry sectors (eg financial services) within the UK, rather than the entirety of the UK, to seek to achieve deemed ‘adequate’ status by the Exit Date.

Practical steps

It is recommended that businesses who are currently transferring personal data from Ireland to the UK (or likely to do so in the near future) should:

  1. establish what personal data flows currently take place (or are planned);
  2. consider what steps would be required to ensure that EU-UK personal data flows could continue in compliance with applicable law post-Brexit if the Ideal Position is not achieved by the Exit Date (such as implementing agreements containing the ‘model clauses’ to cover the transfers); and
  3. continue to monitor relevant developments regarding lawful mechanisms for transferring personal data out of the EU.

Contributed by Mark Ellis

Download PDF

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.