Personal Data transfers between Ireland and the UK post Brexit – what you need to know and do
15 January 2021
The EU-UK Trade and Cooperation Agreement (Agreement) was signed on 30 December and governs the trading relationship between those parties after Brexit.
The Deal
In respect of the transfer of personal data, the Agreement provides that:
- the UK is granted interim/pseudo “adequacy” for 4 months, which can be extended to 6 months (EEA to UK data transfers during this period are not considered a transfer to a “third country”)
- during this period the UK cannot (broadly) change data laws as they stand at 31 December 2020 (it is unlikely this would have happened anyway)
- this period can be ended sooner by decision of the European Commission on the UK’s adequacy status
A decision on adequacy is expected by the European Commission during this interim period.
What does this mean?
Well, for the next 4-6 months, it is business as usual if you are transferring personal data to either your affiliate companies or other third parties in the UK. So, you don’t need to use any of the safeguards set out in the GDPR, such as the Standard Contractual Clauses (SCCs), or carry out the due diligence recommended by the European Data Protection Board, that would be required for other countries outside the EEA (e.g. the US).
It is hoped that the EU will make an adequacy decision in respect of the UK by the end of the 6-month period (30 June 2021). An adequacy decision effectively says that the EU is satisfied that personal data is adequately protected there. In that event there will be no need to use those safeguards after that date either.
One thing that could scupper that adequacy decision is criticism of the UK’s surveillance laws contained in the Investigatory Powers Act 2016. During the Transition Period, there was some criticism of the powers granted to the UK Government to have access to large amounts of personal data under that Act. However, much of this was regarded as political posturing as part of the Brexit negotiations.
What should you be doing?
- continue to map all data flows from Ireland to the UK
- reword relevant privacy notices to reflect the fact that the UK is no longer in the EU
- reword relevant data processing agreements to reflect the fact that the UK is no longer in the EU
- keep an eye on developments to see if the UK secures an adequacy decision in the next 4-6 months
- have a back-up plan to use other GDPR approved safeguards such as SCCs if it doesn’t
Given the sophistication of the UK’s data protection regime, it seems inconceivable that an adequacy decision will not be made in its favour; however, watch this space.