Post-Brexit, the UK will be considered a “third country” and any transfers of personal data, even within a group of companies, will be considered to be a transfer outside the EEA. Irish and European data protection laws require certain conditions to be met before any personal data may be transferred to a “third country”, one of which is the designation by the EU Commission, following a review of the UK’s data protection laws, of the UK as a country offering an “adequate” level of data protection equivalent to that protection offered in the EU.
Matt Hancock, the UK government minister responsible for data protection, made it clear on the publication by UK Government of the “White Paper on the United Kingdom’s exit from and new partnership with the European Union” that the GDPR will come into effect in the UK on 25th May 2018. Therefore data controllers and data processors in the UK will be bound by the GDPR until the Article 50 process is complete. Importantly, Minister Hancock noted that he did not foresee any significant changes being made to UK data protection law.
EU regulators and courts have adopted a very strict interpretation of “adequacy” effectively requiring substantial equivalence with the EU data protection regime. So far, only Switzerland, Guernsey, Argentina, Isle of Man, Faroe Islands, Jersey, Andorra, Israel, New Zealand and Uruguay have been approved in full. Canada has been approved for certain types of personal data and the transfer of advance airline passenger data to the US, Canada and Australia has also been approved.
Whilst the UK have committed themselves to the GDPR, it may be noted that considering the UK recently passed the Data Retention and Investigatory Powers Act 2016 (aka the Snoopers’ Charter), giving sweeping powers of surveillance and retention to UK law enforcement agencies, it is questionable whether the EU Commission will so readily approve the UK as providing “adequate” levels of data protection. Indeed, the Court of Justice of the EU (CJEU) has already called the Snoopers’ Charter into serious question, giving the sense that should it still be in force following Brexit, the UK may be unlikely to get the EU stamp of approval for data transfers.
Whilst the initial introduction of the GDPR will mean business as usual between Ireland and the UK in terms of data transfers, what happens once Brexit formally happens is crucial. If the UK receives formal approval from the Commission for data transfers, then any concerns Irish companies may have will fall away. However, if the Commission feels that the UK’s laws do not meet the “adequacy” standard, businesses in the UK would be subject to the same restrictions that currently apply to data transfers from the EU to the US – namely, they can happen only in certain specified situations which includes the use of:
It should be noted that implementing SCCs or BCRs can be both costly and complex for Irish businesses and any bi-lateral agreement would need both EU and UK approval. It should also be noted that although officially a non-EU member state post-Brexit, the UK will nonetheless bound by the GDPR as it will still apply as a matter of EU law to UK businesses in relation to their sales of goods and services into, or monitoring individuals in, the EU.
To put this issue into perspective, where an Irish company has a UK-based operation and holds, for example, payroll data about Irish or other EU nationals in that UK base, it may need to start considering whether another EU country should act as the base instead. Alternatively, the company may instead have to adopt compatible standards to the new EU rules (such as BCRs). Otherwise, unless and until the UK receives Commission approval or some form of bi-lateral agreement is reached, any transfers of payroll data from Ireland to the UK post-Brexit will fall foul of the GDPR. It should also be noted that any company found to have transferred payroll in breach of the GDPR may be subjected to a fine of 4% of its global turnover or €20m, whichever is higher.
If the UK retains the GDPR post-Brexit, the UK courts, although not bound to have regard to decisions of the CJEU, are likely to be heavily influenced by the CJEU, either because they will be conscious of the “adequacy” issue or because the CJEU’s approach closely aligns with a modern, universal approach to data protection. In any event, Irish business with UK operations need to be aware of the data privacy challenges that Brexit poses and should monitor the progress of Brexit with this very much in mind.
© 2017 KPMG, an Ireland partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.