An event hosted by the Irish Computer Society (ICS) this week provided clarity about the position on data transfers with the UK in a post-Brexit world.

The Irish Minister for Data Protection, Pat Breen, presented at the National Data Protection Conference, saying that in the wake of recent news, the Government was making plans for a possible no-deal Brexit.

“A no-deal outcome is not the one that we want but given the ongoing political uncertainty in London, it is only prudent at this stage to accelerate preparations for a no-deal Brexit,” Mr Breen said.

The Minister highlighted the importance of data flows in enabling ongoing business transactions.

“Whilst much of the debate on Brexit and its consequences has focused on the possibility of tariffs on goods, all of you will be aware of the centrality of data flows to a digital economy based around services.

“The simplest and most effective mechanism for facilitating such data transfers is a European Commission ‘adequacy decision’, which recognises the data protection regime of the country or organisation concerned as providing levels of data protection essentially equivalent to those of the EU.  Where such a decision has been taken, data transfers to the country or organisation can proceed without hindrance or formality,” he explained.

However, Mr Breen warned that a no-deal Brexit would have a profound effect on how personal data is transmitted from the EU to the UK. 

“Flows of personal data to and from the UK are essential to business. In the absence of a withdrawal agreement, the UK will become a third country on leaving the EU and personal data transfers cannot continue as before. In the event of a ‘no-deal’ Brexit, the European Commission has clarified that no contingency measures, such as an ‘interim’ adequacy decision, are foreseen. 

“This means that data transfers to the UK in the event of a ‘no-deal’ Brexit must initially rely on alternative mechanisms other than an adequacy decision, as set out in the GDPR.” 

Mr Breen discussed a range of possible mechanisms, including Standard Contractual Clauses that can be inserted into contracts to ensure the application of European data protection principles, some of which have already been approved by the European Commission.

He also said that companies can apply legally binding corporate data protection rules once approved by a data protection authority. Codes of Conduct and Certifications can be used to demonstrate compliance with the GDPR, once approved by a data protection authority and the European Data Protection Board (EDPB). The GDPR also provides for other situations not covered by codes and certifications, such as for reasons of public interest or where the subject has given explicit content.

“While Brexit does give rise to concerns, it should not cause alarm. The GDPR explicitly provides for mechanisms to facilitate the transfer of personal data in the event of the United Kingdom becoming a third country in terms of its data protection regime.

The Minister invited attendees to access materials developed by the Data Protection Commission (www.dataprotection.ie) covering the status of personal data transfers to and from the UK in the event of a ‘no-deal’ Brexit.

ICS CEO, Jim Friars, who hosted the event on behalf of The Association of Data Protection Officers, said it was good to get clarity on how we will move forward in a post-Brexit world.

“We do so much business with the UK, all of which is supported by an easy flow of data between the two economies. It is essential we reach an adequacy decision similar to the one recently completed between the EU and Japan. We should also bear in mind that this adequacy decision took almost 18 months to agree so we need to prepare right away,” he said.