With the UK set to trigger Article 50 next month, there has been widespread discussion of the effects that Brexit will have on Ireland in particular. When it comes to the issue of Data Protection, there is a certain level of uncertainty when cross-border data transfer between the Republic and Northern Ireland is taken into account. The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) does not need to be written into UK law to apply there, while they are still an EU jurisdiction. However, upon their exit from the EU, what will the protocols be for the transfer of data between the Republic of Ireland, an EU State, and Northern Ireland, as part of a non-EU United Kingdom?

 

 

What Brexit could mean

UK Prime Minister Theresa May has given the end of next month (March 2017) as the latest date for the triggering of Article 50. This will be followed by approximately two years of negotiations, wherein representatives from the UK and the EU will enter into talks surrounding the UK’s exit from the European Union. This means that when the GDPR becomes effective on 25 May 2018, the UK will very likely still be a part of the EU.

For transferal of data gathered from citizens of the ROI, the GDPR will still apply. The regulations apply to data about individuals who are citizens of EU member states. Therefore, companies in NI who collect data about ROI citizens must be compliant, regardless of UK membership. This precedent for this was set by cases such as Max Schrems’ action against Facebook (Case C-362/14 Maximillian Schrems v Data Protection Commissioner, Court of Justice of the European Union). The finding of the court proceedings was that any third-party country to which data about EU citizens can be transferred only if the country in question “ensures an adequate level of data protection”.

[i]

The circumstances for the lawful transfer of personal data from ROI to NI or UK branches, even within organisations, are limited. Under the GDPR, the destination of the data must be deemed an information ‘safe-haven’. The UK will automatically lose its safe haven status upon exit, but it is possible that a deal may be struck between representatives from each group akin to the one developed between the US and the EU. This would involve the UK meeting the standards of data protection defined by the EU, allowing them to regain status as an approved destination for data transfer.

It is true that the UK Government have publicly acknowledged the unique position of the ROI and the storied and deeply-entwined histories of the countries. While it is strictly possible that the UK could include provisions specifically relating to the transfer of data across Anglo-Irish borders, these provisions would likely have to be given a green light by the EU. If it were the case that any facet of new UK legislation conflicted with European law, a difficult roadblock would present itself. Due in large part to the fact that rulings made by the EU court are routed in the EU Charter of Fundamental Rights, overriding of the findings is challenging even for non-EU countries.

Speaking before the result of the Referendum that began Brexit proceedings, a spokesperson for the Information Commissioner’s Office (ICO) stated that

“the UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU.”

 

 

In Conclusion

Upon the exit of the UK from the EU (and the EEA), data transfer into and out of Irish organisations to the UK or NI would be subject to new legislation. Where the information pertains to EU citizens, GDPR guidelines must be met. Other data would be subject to other standards of data protection rules, such as those defined in Binding Corporate Rule frameworks. This will include information sent “intra group”.[ii]

An alternative to this would be the negotiation of a new arrangement that will facilitate the lawful and secure transfer of data out of the EU to the UK. Precedents for this model can be seen in the agreement made with the USA, The EU-US Privacy Shield, which replaced the previous Safe Harbour agreement that was found defunct following the Snowden leaks.[iii]

If special regard is given to the UK-Republic of Ireland relationship, it is likely that arrangement will have to meet requirements, and will be subject to the approval of, the European Union.

 

Notes


[i] Report here: http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf

[ii] FAQ on data transfers to “Third Countries. Available here: http://ec.europa.eu/justice/policies/privacy/docs/international_transfers_faq/international_transfers_faq.pdf

[iii] More information on Edward Snowden and leaked data here: http://uk.businessinsider.com/snowden-leaks-timeline-2016-9?r=US&IR=T