General
There are EU-wide data protection laws which seek to protect the privacy of personal information. They are embodied in the GDPR, the General Data Protection Regulation. The laws are surprisingly broad in scope and create very significant rights for individuals about whom data is held.
The EU data protection rules and principles will (it appears) continue to apply in the UK under UK data protection legislation, at least immediately after Brexit.
Very broadly, a hard Brexit would require traders to have enhanced controls for any transmission of personal data from the EU to the UK (under Irish/EU law) and, in certain circumstances where UK law applies, for any transmission from the UK to Ireland and the EU (under UK law). The former circumstances will be more relevant, but the latter may also arise in relation to Northern Ireland.
Even if a business's data does not, on its own, comprise personal data in the commonly understood sense, it may still be controlled under the data protection legislation where it could identify a living person when combined with other data held by, or accessible to, the trader or certain others with whom it has a relationship, depending on the circumstances.
The definition of personal data is set out below:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
EU Wide Personal Data Rules
The basic rules relevant to handling other people's personal information, e-commerce and email marketing are at present EU-wide rules. Traders will have encountered these rules particularly in the run-up to the GDPR, which commenced in May 2018, and generally in industry practice.
At present, and most likely in most post-Brexit scenarios, the EU and UK rules are likely to remain broadly similar. The UK would, however, be free to revise its rules. Traders must be aware and vigilant for the possibility that, post-Brexit, the UK may revise these rules in a way that impacts their business.
The principles and rules in the GDPR in relation to personal data now apply directly in both Ireland and the UK. The GDPR is a directly applicable EU regulation, so that the exact same law applies throughout the EU. The UK has already passed legislation the effect of which will be to replicate the EU rules, as they now stand, in full as domestic UK law on day one of Brexit. This will take effect on the effective date of Brexit (which may be a sudden hard Brexit or the end of a transitional period).
The Data Rules and Principles
Personal data must be obtained lawfully. Where consent is relied on as the basis, it must be the express, unambiguous and freely given consent of the person (other lawful bases are discussed below). The data must be accurate and kept up to date. Furthermore, significant additional controls apply if the data is sensitive (special category data). Personal data may be acquired and held only for specified, legitimate purposes.
Data must be processed (i.e. used) only in a manner compatible with the consent given and the purpose concerned. The data must not be excessive in relation to that purpose. It must not be kept any longer than needed.
The person concerned must be given details of the data controller and of the persons and entities who may hold or use the data. The principle of transparency requires that the persons concerned be informed of the identity of the controller and the purpose of the processing.
Personal data must not be retained beyond the time which is strictly necessary. There must be appropriate security measures protecting against unauthorised or unlawful processing and against accidental loss, destruction or damage of the data.
Consent and Rights of Data Subject
For most practical purposes, explicit consent (or another lawful basis) is required for the acquisition and use of personal data, including in particular any use of the data by others such as group companies and third-party contractors, in accordance with the above criteria. A separate consent or other basis (such as an adequacy decision or appropriate safeguards, discussed below) is required to send personal data out of the EU (or out of the UK under UK law), even to servers in the other jurisdiction.
The information to be given to the person concerned also includes, where applicable, the fact that the controller intends to transfer the data to a third country (outside the EU, or outside the UK in the case of UK law post-Brexit), the existence of an adequacy decision by the Commission or a reference to the appropriate or suitable safeguards, and the means by which a copy of those safeguards may be obtained. Where the personal data is obtained from a third party, the controller must provide the person concerned with similar details.
Data Subject’s Rights
Data subjects (i.e. the persons concerned) have extensive rights which they can assert. To ensure fair and transparent processing, there is a right to obtain confirmation that their data is being processed and to be given particulars of that data. They must be given specific information when the data is collected about who will have it and how it is to be processed and used.
Data subjects are entitled to obtain extensive information on how their data has been used. They have a right to object to the processing and use of the data. There are some exceptions, but the implications of the legislation are far-reaching and create obligations for any entity holding personal data.
When Irish or UK Data Law would Apply
Irish data protection law applies to the processing of personal data when the data controller is established in the State and the data is processed in the context of that establishment. It also applies when the data controller is established neither in the State nor in another EU state (which the UK will not be post-Brexit) but uses equipment in the State for processing data other than for transit purposes.
UK data protection law will apply to the processing of personal data when the data controller is established in the UK and the data is processed in the context of that establishment. It will also apply when the data controller is not established in the UK but uses equipment in the UK for processing data other than for transit purposes. This latter ground may make UK data protection law applicable to traders.
A company incorporated in Ireland is deemed established in Ireland. Under the above criteria, an Irish company which uses equipment in the UK for processing data may post-Brexit be subject to both the EU and the UK rules.
The GDPR also applies to the processing of personal data of persons who are in the EU (or in the UK, under UK law after Brexit) by a person not established in the EU (or the UK, as the case may be) where the processing activities relate to the offering of goods or services to those persons, irrespective of whether payment by the person concerned is required, or to the monitoring of their behaviour in so far as it takes place within the EU (or the UK).
Data Controller and Processor
The data controller is anybody who, either alone or in conjunction with others, controls personal data. Personal data is any information that could identify a living individual, either alone or in conjunction with other information held. Data processing means keeping, collecting, storing, using or disseminating personal data. The data processor is an entity which processes personal data on behalf of the data controller.
The exact categorisation of activities as those of a data controller or a data processor depends on the particular context. Traders may be data processors for clients who are data controllers. In other cases, traders may be data controllers relative to their clients.
Data must be obtained and used only on the basis of the consent of the person concerned or on some other legal basis. This may include another legitimate basis such as necessity for the performance of a contract with the person concerned, or to take steps at that person's request prior to entering a contract.
Using Third-Party Data Processors
It is an obligation of a data controller (the trader or, in some contexts, its clients) to use only processors (which might be the trader's business) which provide sufficient guarantees that they will implement appropriate technical and organisational measures to meet the requirements of the GDPR. The processor must not engage another processor (i.e. subcontract) without the specific or general written authorisation of the controller.
In the case of a general written authorisation, the processor must inform the controller of any intended changes concerning the addition or replacement of other processors, giving the controller the opportunity to object to such changes.
The processing must be governed by a contract or other legal act under EU or member state law that is binding on the processor with regard to the controller and that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the controller.
The above principles, although they sound abstract, are highly relevant wherever traders in any way hold or use personal information. The cross-border issues are doubly relevant: moving data about EU persons to a UK data centre is a transfer under EU law, and moving data about UK customers into the EU is a transfer under UK law.
Two Main Scenarios
There are two principal scenarios where data protection may impact businesses. The more significant one is a hard Brexit, or a Brexit without UK data protection adequacy recognition by the EU. In this context, the UK would become a third country for the purposes of EU data protection law. This requires extra protections to justify movement of personal data out of the EU un
The political declaration already in place contemplates that the EU will review UK law and seek to recognise it as offering sufficient protection, so that the additional requirements for moving data between the EU and the UK would not apply.
The Commission will endeavour to adopt an adequacy decision by the end of 2020, provided applicable conditions are met. The adoption of the proposed adequacy decision will involve:
- a proposal from the Commission;
- an opinion from the European Data Protection Board;
- approval from representatives of EU countries; and
- the adoption of the adequacy decision by the European Commissioners.
The proposed time frame is a comparatively short period for the Commission to reach a decision on adequacy. Businesses should follow the position on recognition over the course of 2020.
Mechanisms to Validate Transfer
There are a number of mechanisms under which such protections can be put in place. They include the very express consent of the persons concerned. This ground will not usually be available, especially in relation to data collected historically.
Use (processing) of personal data for the purpose of a contract or a legal obligation, within the above bounds, is lawful. There is also a basis for processing based on legitimate interests. This will not generally be available in regular commercial relationships. Even if it were available, the initial acquisition of the data would require explicit consent.
There are then a number of alternative mechanisms, including ultimately putting in place a contract between the trader and the entity to whom the data is transferred which gives the data subjects, as third-party beneficiaries, certain rights. This involves incorporating certain terms and conditions into contracts with any entity outside the jurisdiction where personal data that the trader holds or uses may move across the EU/UK border.
Adequacy Decision
Data may not be transferred out of the EU (and correspondingly from UK perspective, out of the UK) unless the country to which the transfer is made has adequate protection for the privacy of data subjects and data processing. The Data Protection Commission and the Information Commissioner in the UK have the power to prohibit the transfer of data.
The EU maintains an approved list of countries which satisfy the requirement. It involves the EU making an adequacy decision in relation to the data protection legislation of that country. The question of an adequacy decision in relation to the UK is to be considered by the EU in the course of 2020.
Compliance Options for Cross Border Data Movements Hard Brexit
One might expect that the EU Commission will approve the UK rules as adequate. In the absence of an adequacy determination by the EU Commission in relation to the third country concerned, a controller or processor may transfer personal data to that country only if there are appropriate safeguards. There must be provision for the enforcement of the data rights of the persons concerned, and they must have effective legal remedies.
The safeguards may be provided by
- a legally binding and enforceable instrument between public authorities or bodies
- binding corporate rules
- standard data protection clauses
- an approved code of conduct which is binding and enforceable with the appropriate safeguards
Subject to authorisation by the supervisory authority, the appropriate safeguards may also be provided by way of contractual clauses between the controller or processor and the controller, processor or recipient in the third country.
In the absence of both an adequacy decision in relation to the country concerned and appropriate safeguards (including binding corporate rules), the transfer of personal data to a third country may take place only where there is explicit consent, or in certain other narrow circumstances of necessity. There are a number of other limited exceptions.
Contract Required Unless Adequacy Decision
In the absence of an adequacy decision, the contractual requirements below will apply. The EU has published model contract clauses by which a recipient of data agrees to comply with EU minimum standards. The person transferring the data must ensure that the transfer takes place in accordance with the contract. The data importer must submit its data protection facilities for audit by the data exporter or by the supervisory authorities.
If there is a breach of the requirements, persons affected can recover compensation against the importer and exporter jointly, unless both can prove that neither is responsible. The data subject is a third-party beneficiary of the agreement, which means that the data subject (i.e. the person to whom the data relates) can take legal action directly against the importer in the other country. The controller must ensure that the processor has adequate technical and organisational measures to protect the data. The data controller remains liable for a breach regardless of who is at fault.
The implication of all of this is that, on a reciprocal basis, movements of personal data out of the EU into the UK (under EU law) and out of the UK into the EU (under UK law) need to be covered in this manner. This applies both from the perspective of Irish clients whose data is moved to and stored in the UK, and from the perspective of UK clients whose data is moved to and held in Ireland.
The obligations apply to traders in their dealings with third parties such as persons maintaining servers, and also in terms of their clients' dealings with them. It also makes traders liable to their customers' clients in relation to breaches involving their personal data, under the terms of the contract entered into by their counterpart.
The transfer of data out of the EU (from an EU perspective) and out of the UK (from a UK perspective) may take place only if the conditions set out in the GDPR (and the UK equivalent) are complied with. The arrangements must cover any transfers of personal data from one jurisdiction to the other, and must ensure a level of protection equivalent to the GDPR.
Trader’s Review
If traders transfer personal data in and out of the UK, they must ensure that there are sufficient protections in place in the context of the above-mentioned rules. Traders must review their processes to ensure that the terms of their contracts, including that with their data storage company, contain at least the minimum protections required under EU law, which will also be the post-Brexit UK law.
Standard contractual clauses are most likely to be the relevant mechanism. This is a standard template of terms and conditions which the trader and the UK-based recipient (or the equivalent parties in reverse, under UK law) may sign up to. This may require an addition to existing contracts. Traders may provide other additional clauses to meet the above standards, provided that the data subjects' rights are not reduced.
Irish Data Commission No Deal Notes
21st December 2018
Personal Data Transfers to and from the UK in the event of a ‘no deal’ Brexit – important message for any organisation or body that transfers personal data to the UK, including Northern Ireland
This preliminary guidance is relevant for any Irish entities that have data processing operations that involve transfers of personal data to the UK. In the event of a ‘no deal’ UK exit from the EU, those entities will require a transfer mechanism to be in place from 30 March 2019 in order to continue to lawfully transfer personal data to the UK.
Under EU data protection law, free movement of personal data is guaranteed between EU member states. Where transfers of personal data are made to a recipient outside the European Economic Area, these are considered to be a transfer to a “third country” and require additional safeguards to be put in place in order to ensure the continued application of the EU’s data protection standards.
In the event of a ‘no deal’ Brexit, i.e. where the UK leaves the EU at 00.00am CET on 30 March 2019 without the Withdrawal Agreement, the UK will become a “third country” for the purposes of EU personal data transfers. This will have repercussions for all organisations and bodies trading with or doing any other kind of business or correspondence with entities in the UK, including Northern Ireland. This is because personal data transfers to the UK will require the implementation of legal safeguards by the Irish-based organisations and bodies that are transferring the personal data. For example, if an Irish company currently outsources its payroll to a UK processor, legal safeguards for the personal data transferred to the UK will be required. If an Irish government body uses a cloud provider based in the UK, it will also require similar legal safeguards. The same will apply to a sports organisation with an administrative office in Northern Ireland that administers membership details for all members in Ireland and Northern Ireland. Some organisations and bodies in Ireland will already be familiar with the legal transfer mechanisms available for the transfer of personal data to recipients outside of the EU, as they will already be transferring to the USA or India, for example.
UK Hard Brexit Note
Data flows from Ireland to the UK after March 2019 if there is no deal
As of the withdrawal date, the EU rules[1] for transfer of personal data to third countries will apply to the UK.
The EU Commission’s website outlines the legal mechanisms that can be used to underpin transfers from an EU member state to a third country. For some countries, the EU Commission has recognised their data protection regime as “adequate” (such as Israel and Argentina). The effect of such recognition or “adequacy decision” is that personal data can flow from the EEA to that third country without any further safeguard being necessary. However, no such recognition of the UK regime will be in place by the end of March 2019.
The most commonly used alternative mechanism for transfers is standard or model contractual clauses approved by the EU Commission that implement contractual safeguards between the data exporter and importer.
Further information on legal mechanisms for the transfer of personal data to third countries is available on the European Commission’s website:
https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en
The Data Protection Commission website also contains further information on the transfer mechanisms and derogations for specific situations at the following link:
https://www.dataprotection.ie/en/organisations/international-transfers
Data flows from the UK to the EU after March 2019
According to the UK Government, the current practice, which permits personal data to flow freely from the UK to the EU member states, will continue in the event of a ‘no deal’ Brexit.
Data flows from the UK to non-EU countries after March 2019
In addition, the UK will implement a legal mechanism akin to standard or model contractual clauses that mirror that of the EU in order to facilitate transfers from the UK to recipients in countries outside the EU. It will also recognise as ‘adequate’ the countries already recognised as adequate by the EU.
Next steps to consider for organisations transferring data to the UK, including Northern Ireland
- Map the personal data being transferred to the UK currently.
- Determine if the transfers will need to continue beyond 30 March 2019.
- If this is the case, then assess the various transfer mechanisms to decide which one best suits the situation and work towards having it in place before 30 March 2019.
Information and guidance from the DPC, the EU Commission, and the UK Government will be updated as the withdrawal date nears, so the relevant websites should be checked regularly.
[1] Chapter V GDPR – This chapter covers transfers of personal data to third countries or international organisations.
Registration and Fees
There is an obligation to appoint and register a data protection officer in certain cases. This is the person responsible for data protection compliance. A data protection officer is required in certain circumstances, including where there is large-scale and systematic monitoring or where certain types of sensitive data are processed.
Businesses established in the UK may have an obligation to register with the Information Commissioner's Office (ICO). Every organisation or business which processes personal information must pay a data protection fee to the ICO unless it is exempt. The level of the fee depends on the size of the business: the tier 1 fee for micro-organisations is £40, and the tier 2 fee is £60. Tier 1 applies to organisations with no more than 10 staff or an annual turnover of no more than £632,000. Payment can be made online, and there is an online self-assessment form at https://ico.org.uk/for-organisations/data-protection-fee/self-assessment