Global menu

Our global pages

Close

DPC Guidance on Data Transfers in the Event of a 'No-Deal' Brexit

  • Ireland
  • General

16-01-2019

On 21 December 2018, the Data Protection Commission (DPC) issued an ‘important message’ on personal data transfers to and from the UK in the event of a ‘no deal’ Brexit.

The DPC’s guidance will be relevant for any Irish entities that have data processing operations involving transfers of personal data to the UK, including Northern Ireland.

Data flows from Ireland to the UK after March 2019

If the UK leaves the EU on 30 March 2019 without the Withdrawal Agreement (i.e. a ‘no-deal’ Brexit), the UK will become a ‘third country’ under EU data protection law. To continue to lawfully transfer personal data to the UK and Northern Ireland, Irish entities will be required to put a ‘transfer mechanism’ in place from 30 March 2019.

Where transfers of personal data are made to a recipient outside the European Economic Area (a third country) additional safeguards in the form of a transfer mechanism are required to ensure adequate protections in line with EU standards. Some Irish organisations will already be familiar with the legal transfer mechanisms available in the case of transfers to countries such as the USA or India.

Some countries data protection regimes (such as Israel or Argentina) are recognised by the EU Commission as ‘adequate’ and therefore do not require further safeguards. However, no such recognition of the UK regime will be in place by the end of March 2019 and therefore legal transfer mechanisms would be required.

According to the DPC, this will have implications for all organisations and bodies trading with or doing any kind of business or correspondence with entities in the UK, including Northern Ireland. The Irish based organisations transferring the personal data will be required to implement the legal safeguards, most commonly through the use of EU approved standard or model contractual clauses.

The DPC gave examples of scenarios where transfer mechanisms are required such as an Irish company that outsources its payroll to a UK processor, an Irish government body that uses a cloud provider based in the UK, and a sports organisation with an administrative office in Northern Ireland that administers membership details for all members in Ireland and Northern Ireland.

Data flows from the UK to the EU after March 2019

The UK government has stated that the current practice of permitting personal data to flow freely from the UK to EU Member States will continue in the event of a ‘no-deal’ Brexit.

Data flows from the UK to non-EU countries after March 2019

In addition, the UK will implement a legal mechanism similar to standard or model contractual clauses that mirrors that of the EU in order to facilitate transfers from the UK to non-EU counties. It will also recognise as ‘adequate’ the countries already recognised as adequate by the EU.

Next steps as advised by the DPC

The DPC is advising the following ‘next steps’ for organisations transferring data to the UK including Northern Ireland:

  • Map the personal data being transferred to the UK currently;
  • Determine if the transfers will need to continue beyond 30 March 2019;
  • If this is the case, then assess the various transfer mechanisms to decide which one best suits the situation and work towards having it in place before 30 March 2019.

Disclaimer

This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.

< Go back

Print Friendly and PDF
Register to receive regular updates via email.