In focus: Brexit and Data Protection

Nov 18, 2020

Cross-border data flows enable trade. Many businesses rely on the ability to transfer personal data about their customers or employees to be able to offer goods and services. Any restriction on the ability of data to flow freely would act as a trade barrier. Countries in the EU are bound by the General Data Protection Regulation (GDPR), which ensures that personal data can be transferred safely across borders. Will Brexit impact upon this?

What is Data Protection law?

Data protection law covers situations where information about somebody (‘personal data’) is used by another person or organisation, other than in a purely personal context.  Legislation regulates the ways and circumstances in which personal data might be processed.

The General Data Protection Regulation (GDPR) is the legislation which applies to most kinds of processing of personal data (other than in a purely personal context) across the EEA (the EU plus Iceland, Norway, and Liechtenstein). GDPR means that data controllers within the EU are not allowed to transfer personal data outside of the EU/EEA unless the high standards that apply under GDPR are maintained.

What is personal data?

Personal data covers things like name, date of birth, email address, address, phone number, location data or physical characteristics. It doesn’t have to be in written form. It can include photos, audio or video recordings that are processed electronically or as part of a filing system.

Processing data means using personal data in any way such as collecting, storing, retrieving, consulting and disclosing.

What type of data is transferred between the EU and UK?

To assess if you are transferring personal data between the UK and EU (i.e. cross-border) consider the following:

  • Are you outsourcing your HR, IT or payroll function to a cross-border organisation?
  • Are you using a cross-border server or a server in the cloud to store personal data?
  • Are you using software (such as for email or databases) provided by a cross-border company which may involve transferring personal data to a cross-border server?
  • Are you using a cross-border marketing company to send communications to your customers?
  • Is your pension scheme based cross-border?

Why is the ability to exchange data so important?

Cross-border data flows enable trade. Many businesses rely on the ability to transfer personal data about their customers or employees to be able to offer goods and services or even to run cloud-based email or file-storage systems. 

Any restriction on the ability of data to flow freely would act as a trade barrier.

What will happen after Brexit?

During the transition period, the EU will continue to treat the UK as if it were a Member State and data can continue to flow between the UK and the EU/EEA.  When the transition period ends, the UK will not automatically benefit from this free flow of data.

Brexit, particularly a no-deal Brexit, will have an impact on the data protection obligations of UK and EU/EEA data controllers.  

When preparing for a no-deal exit, the UK committed to retain GDPR legislation in domestic law at the end of the transition period but will have the independence to keep the framework under review.  This means that the UK government will automatically recognise the EU as adequate for data transfers. Outbound transfers of data from the UK to the EU/EEA will not therefore be restricted as long as UK data protection rules are followed.

The EU did not reciprocate, however, and will treat the UK as a third country until an adequacy decision is made. To ensure data flows continue after Brexit, the UK would therefore need to secure an adequacy decision from the European Commission.  In the meantime, appropriate safeguards are needed for data transferring into the UK from the EU/EEA.

What is an ‘adequacy decision’?

The European Commission may grant an ‘adequacy decision’ to allow cross-border transfers of personal data from the EU/EEA to the UK because the UK has been found to have an adequate level of data protection safeguards when compared to the EU.  This means that once the UK has been awarded an adequacy status, information can pass freely between the UK and the EU/EEA without further safeguards being required.

What happens if a decision on adequacy is not reached by 31 December 2020?

The transition period will end with no arrangements to ensure adequate levels of data protection in place. Therefore, the UK will be treated as any other ‘third country’ (any country outside the EU/EEA) without an adequacy decision.  This means that the UK and EU/EEA will exchange data based on their individual international transfers rules. At the moment the UK and EU/EEA both have similar rules based on the GDPR, but this might change in time.

For Irish companies transferring data to the UK

If a party in the EU/EEA sends personal data to someone who is outside of the EU/EEA (including the UK), they must comply with GDPR rules on international transfers of personal data. Therefore, specific safeguards will need to be put in place to ensure adequate protection for data. The GDPR sets out a number of mechanisms for the transfer of data to third countries. The most common of these mechanisms is ‘standard contractual clauses’.

Standard Contractual Clauses

The standard contractual clauses (SCC) are a set of standard contractual terms and conditions to which the data controller and recipient or data processor both sign up. Both sides give contractually binding commitments to protect personal data in the context of the transfer from the EU/EEA to a third country.

For example, this can be done by putting in place a new/stand-alone contract between an Irish-based controller and a UK-based recipient.

More information

The Data Protection Commission in Ireland has set out the following guidance on data and Brexit:

For UK companies transferring data to the EU/EEA

There are currently no changes to the way you send personal data to the EU/EEA. 

The Information Commissioner’s Office in the UK has set out some further guidance. HMRC has also released data-related guidance.