With the UK set to trigger Article 50 next month, there has been widespread discussion of the effects that Brexit will have on Ireland in particular. When it comes to data protection, there is a certain level of uncertainty once cross-border data transfer between the Republic and Northern Ireland is taken into account. The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) does not need to be written into UK law to apply there while the UK is still an EU jurisdiction. However, upon its exit from the EU, what will the protocols be for the transfer of data between the Republic of Ireland, an EU State, and Northern Ireland, as part of a non-EU United Kingdom?
What Brexit could mean
UK Prime Minister Theresa May has given the end of next month (March 2017) as the latest date for the triggering of Article 50. This will be followed by approximately two years of negotiations, wherein representatives from the UK and the EU will enter into talks surrounding the UK’s exit from the European Union. This means that when the GDPR becomes effective on 25 May 2018, the UK will very likely still be a part of the EU.
For the transfer of data gathered from citizens of the ROI, the GDPR will still apply. The regulations apply to data about individuals who are citizens of EU member states. Therefore, companies in NI who collect data about ROI citizens must be compliant, regardless of UK membership. The precedent for this was set by cases such as Max Schrems’ action against Facebook (Case C-362/14 Maximillian Schrems v Data Protection Commissioner, Court of Justice of the European Union). The court found that data about EU citizens can be transferred to a third-party country only if the country in question “ensures an adequate level of data protection”.