From 30th March 2019, the UK will become a third country from a data protection perspective. Businesses need to be aware of the impact this will have on the transfer of personal data to the UK post-Brexit and put plans in place.
The General Data Protection Regulation 2016/679 took effect in all European member states from 25th May 2018. The regulation brings with it a new and enhanced focus on protecting privacy rights, ensuring an equivalent standard of protection is maintained in all EU member states.
Countries outside of the European Economic Area (EEA) are known under the GDPR as third countries, and companies that wish to transfer the personal data of an EEA citizen to a third country must do so in accordance with one of the permitted mechanisms set out in Chapter 5 of the GDPR.
Transfers to certain third countries can be legitimised where the European Commission (EC) has deemed those countries as having an adequate level of privacy protection. Such countries include Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the USA (limited to companies registered under the Privacy Shield framework).
To transfer data to a country not deemed to have an adequate level of protection, one of the alternative mechanisms of Chapter 5 will need to be relied on, such as use of appropriate safeguards (Article 46), binding corporate rules (Article 47) or certain authorised derogations (Article 49).
No matter what mechanism is used, it will undoubtedly involve pre-transfer due diligence, which in turn means added cost and time for European companies that do business with third country institutions, where that country has not been given the seal of approval by the EC.
While Brexit is one of the most talked-about political events of our lifetime, it will also have significant and far-reaching consequences from a legal perspective from 30th March 2019, when Brexit takes effect. One such consequence in the context of data protection is the departure of the UK from the regulatory scope of the GDPR, thereby rendering it a third country in the eyes of the EC. As a third country, data transfers to the UK by European institutions will only be permissible in accordance with one of the mechanisms discussed above.
As with many of the consequences of Brexit, this provides a new dimension to EU-UK commercial relationships, which will either require compliance (and the associated costs) or separation. Potential loss of business from Europe is a significant threat for the UK, which will only be mitigated if the EC makes an adequacy decision in its favour, allowing EU-UK personal data transfers to be legitimised by Article 45 of the GDPR.
There is currently much speculation and debate amongst data protection practitioners as to the likelihood of the UK being awarded adequacy status. For the optimists, the fact that the UK has already aligned its data protection practices to the GDPR pre-Brexit will make an adequacy decision likely. However, the more pessimistic believe that the standard of protection in the UK is not on par with other European countries, which is evidenced primarily by the so-called ‘snooper’s charter’, the Data Retention and Investigatory Powers Act 2016, which grants extensive surveillance and data retention powers to UK law enforcement agencies. The incompatibility of that legislation with EU law was recently acknowledged by the High Court of England and Wales, which confirmed that the Act would need changes to comply with EU law. Until then, however, the UK is at risk of falling short of the EC adequacy requirements.
The full practical significance of the UK’s change of status to a ‘third country’ remains to be seen. However, due to the potential implications from a data protection perspective, Irish companies doing business with the UK are advised to have a contingency plan in place before 30th March 2019.