How will Brexit affect data protection for the rest of the EU?
The past eighteen months have seen an increase in awareness of data protection and privacy issues. This is due primarily to the introduction of the General Data Protection Regulation (GDPR) in May of last year, and to a series of high-profile data protection breaches, particularly on the part of large technology companies. Consumers are more mindful of their privacy rights. The Data Protection Commission’s recently published annual report showed a year-on-year increase of 56% in the total number of complaints received. Reports of data breaches, meanwhile, increased by 70% for the same period.
Data compliance and Brexit
While firms continue on their journey to full GDPR compliance, a significant headwind presents itself. Brexit has exercised the minds of Irish businesses for the past number of years. In the process, it has taken up considerable strategic time for executive teams. One of the less well-understood impacts is the effect the UK’s departure from the EU will have on data protection and privacy.
Many companies currently outsource their HR, IT or payroll functions to UK-based organisations. Others may use UK suppliers for marketing communications and CRM software, or to analyse their website traffic. Brexit will affect all of these activities.
Multiple possible scenarios
The transfer of personal data to and from the UK is a critical issue. How will firms who undertake transfers of such data remain compliant once Britain has exited the European Union? At present, Irish businesses face at least three possible departure scenarios:
- A ‘no deal’ Brexit, whereby the UK exits the EU without an agreement on 12th April;
- A deal is agreed between the UK and EU, with an orderly transition period;
- An extension to the current deadline is agreed and Britain’s exit is delayed for a further period.
Each scenario presents a different set of data protection options for businesses. By far the worst is a ‘no deal’ Brexit. This would mean Britain immediately acquires the status of a ‘third country’ under GDPR. In that sense, it would be no different to a non-EU country such as Australia or Brazil. It would then have to seek an ‘adequacy decision’ from the EU, whereby the European Commission decides that a country meets adequate levels of data protection. Such decisions are in place with a range of nations globally, the most recent being Japan. However, firms expecting a quick resolution via an adequacy decision may be left waiting. Data privacy experts estimate the process could take up to 18 months.
The latter two scenarios, a deal with an orderly transition or a delay for an unspecified period, essentially see a continuation of the current status quo during that time, with Britain continuing to adhere to GDPR. Each would provide its own level of uncertainty as to post-Brexit data protection requirements and the timelines for when these would commence.
International data transfers
Currently, businesses in Ireland can transfer data to London as easily as to Limerick. Under the new regime, they will need to review existing transfer arrangements to ensure these remain GDPR compliant. The simplest and most likely option is the inclusion of Standard Contractual Clauses into contracts with UK processors and contractors. These are model data protection clauses approved by the EU. They allow for the free flow of personal data when embedded in a legally binding contract.
Another option, for multinational firms, is Binding Corporate Rules (BCRs). These are legally binding and enforceable internal rules and policies for data transfers within multinational companies.
The GDPR provides for other mechanisms, such as codes of conduct and certification schemes. However, these tools are only in development and not yet available.
Derogations also exist under GDPR, and could provide a short-term option in the event of a no-deal Brexit. Examples include obtaining the explicit consent of data subjects to the transfer of their data; a transfer necessary for the completion or performance of a contract; a transfer in the public interest or in the vital interest of the data subject; or a transfer required by law. Lastly, firms may also claim legitimate interest. The European Data Protection Board advises that these derogations must be ‘interpreted restrictively’ and used mainly for activities that are ‘occasional and non-repetitive’.
Some readers may have noted commentary from the UK signalling it will transpose existing GDPR requirements into new UK legislation. It is important to recognise that whilst this may address the situation for businesses in the UK transferring personal data outward into the EU, it does not affect the EU’s designation of a post-Brexit UK as a third country.
Predicting the future
Ireland’s Data Protection Commission is seeking to raise companies’ awareness of Brexit’s impact. It is a difficult message to sell, due to the range of scenarios and uncertainty involved. The likely outcome of Brexit appears to change on an almost daily basis. There remains the chance of a ‘black swan’ event or a last-minute volte-face on the part of the UK government. On a purely practical level, it is difficult to see how firms, no matter how rigorously they wish to ensure compliance, will be in a position to prepare adequately for all potential scenarios. This is not a realistic situation for most companies, particularly small and medium-sized businesses with limited resources.
Brexit poses myriad challenges, not least in the area of data protection. It will be interesting to see how Irish industry responds over the coming weeks and months.