In recently issued guidance, the Data Protection Commission (DPC) warned that existing data flows from Ireland to Northern Ireland, and the rest of the UK, face potential disruption in the event of a 'no deal' Brexit.
"In the event of a ‘no deal’ Brexit … the UK will become a 'third country' for the purposes of EU personal data transfers," the DPC said. "This will have repercussions for all organisations and bodies trading with or doing any other kind of business or correspondence with entities in the UK, including Northern Ireland. This is because personal data transfers to the UK will require the implementation of legal safeguards by the Irish-based organisations and bodies that are transferring the personal data."
"For example, if an Irish company currently outsources its payroll to a UK processor, legal safeguards for the personal data transferred to the UK will be required. If an Irish government body uses a cloud provider based in the UK, it will also require similar legal safeguards. The same will apply to a sports organisation with an administrative office in Northern Ireland that administers membership details for all members in Ireland and Northern Ireland," it said.
Currently, businesses within the EU can freely transfer personal data anywhere within the EEA, unless otherwise restricted by contract. This free flow of information is provided for under EU data protection laws – the General Data Protection Regulation (GDPR).
However, the GDPR places restrictions on the transfer of personal data outside the European Economic Area (EEA). Businesses are prohibited from transferring personal data to non-EEA countries unless they have in place one of a number of safeguards to ensure EU data is adequately protected when processed in those 'third' countries. In a 'no deal' Brexit, that will include where the data is transferred to the UK.
Among the 'legal safeguards' available to businesses seeking to facilitate personal data transfers outside of the EEA are model contract clauses and 'binding corporate rules'. The DPC encouraged Irish businesses to explore such safeguards to ensure data flows are not disrupted as a consequence of a potential 'no deal' Brexit.
The DPC said: "Next steps to consider for organisations transferring data to the UK, including Northern Ireland: map the personal data being transferred to the UK currently; determine if the transfers will need to continue beyond 30 March 2019; if this is the case, then assess the various transfer mechanisms to decide which one best suits the situation and work towards having it in place before 30 March 2019."
Dublin-based data protection law expert Dermot McGirr of Pinsent Masons, the law firm behind Out-Law.com, said all Irish businesses who deal with the UK, including cross border business who trade in Northern Ireland or have group companies in Northern Ireland, will need to take note of the guidance from the DPC.
"If your business is transferring personal data to the UK and there is a 'no deal' Brexit you will need to put in place legal safeguards, which in most instances will mean putting in place the EU approved model contract clauses," McGirr said. "If they have not done so already, Irish businesses need to start working on this issue now. If safeguards have not been put in place by 29 March and there is a 'no deal' Brexit they will have to stop transferring personal data to the UK until the required legal safeguards are put in place."
"As with the 'no deal' Brexit scenario generally, this has the potential to cause significant disruption to business," he said.
The UK government confirmed last month that some non-UK businesses will be obliged to appoint a UK-based representative under new data protection regulations being prepared for a potential 'no deal' Brexit. However, the UK government has set out plans to avoid a disruption to outbound UK data flows in a 'no deal' scenario.
It has said it will "transitionally recognise all EEA countries (including EU member states) and Gibraltar as ‘adequate’ to allow data flows from the UK to Europe to continue", and "preserve the effect of existing EU adequacy decisions on a transitional basis". In addition, EU model clauses are to be recognised in UK law, with the Information Commissioner's Office (ICO) given powers to issue new data protection clauses. Further regulations will also allow businesses that have had BCRs authorised before Brexit to rely on those BCRs for data transfers post-Brexit, it said.
The UK is scheduled to leave the EU on 29 March 2019. While the UK government has negotiated a withdrawal agreement with the remaining 27 EU countries, the deal has yet to be ratified and it has faced stiff opposition from government backbenchers and opposition parties in the UK.