As the uncertainty over Brexit persists despite the looming deadline of 29 March, the UK crashing out of the EU with a “No Deal” Brexit is looking increasingly likely. The absence of a Withdrawal Agreement means that EU law will cease to apply to, and in, the UK as of 30 March 2019. Therefore, all businesses concerned must prepare, make the necessary decisions and complete all required administrative actions before 30 March 2019 in order to avoid disruption or the risk of operating outside the legal data protection framework.
Pat Breen, Minister of State with special responsibility for Trade, Employment, Business, EU Digital Single Market and Data Protection, addressed the Irish National Data Protection Conference on the 24th of January, advising that any EU-based organisation that transfers personal data to the UK needs to examine its position as a matter of urgency. There is currently no EU adequacy decision planned prior to Brexit, nor are there EU-driven interim measures being considered. Therefore, organisations must rely on one of the alternative mechanisms allowed for under GDPR, such as standard contractual clauses, binding corporate rules, consent or reliance upon certain exceptions. It is for each organisation to decide the most appropriate approach for its specific business circumstances.
Another conference speaker shared his thoughts a little more plainly, stating that in the absence of an appropriate mechanism, EU personal data transfers to the UK will simply be “illegal” and therefore now is not the time for “sticking your head in the sand”.
In reality there will be a large number of organisations that will be non-compliant when Brexit finally occurs, so what are the practical considerations for your organisation?
Don’t rely on adequacy:
The adequacy process will only begin when the UK leaves the EU and officially becomes a third country. The road to an adequacy decision is far from certain, and it requires political will and a strong desire to trade on both sides. Even then, there is no certainty – there is a small matter of the UK Investigatory Powers Act (commonly referred to as “The Snoopers Charter”), which is considered by many as inconsistent with EU law.
Doing nothing is always an option. However, in this case it comes with significant risk.
Data Protection Authorities may not have the necessary resources to identify and/or investigate all incidences of non-compliance with respect to UK data transfers. However, should the Data Protection Commission (DPC) have cause to investigate an organisation in the event of a breach or complaint, it may be difficult to avoid scrutiny. It would be unwise to assume the DPC would overlook non-compliant UK personal data transfers!
Privacy interest, civil liberties and not-for-profit groups represent a serious indirect enforcement method for privacy rights. The €50m fine issued by CNIL to Google resulted from a complaint submitted by Max Schrems, NOYB (none of your business) and the European Centre for Digital Rights.
The world of privacy is changing rapidly and at the present moment is being fanned by Brexit flames; hence, a considered and measured approach will take your organisation a long way.
If you would like to discuss any of the above or particular concerns that you may have in more detail, don’t hesitate to contact us.
This article was written by Alison Murphy, Senior Manager, Financial Services Advisory.