The impact of the UK leaving the European Union under the New Withdrawal Agreement by January 31st 2020
Brexit reminder. Given that the Conservatives are forming a majority Government which, with the Fixed Term Parliament legislation in the UK will likely last for the next five years, it is now reasonably clear that the UK will leave the European Union and implement the New Withdrawal Agreement by January 31st 2020.
Irish companies transferring personal data to the UK will be massively impacted from the 31st January 2020.
How do you ascertain ways you might be transferring data to a UK-based company?
- Are you outsourcing your HR, IT or Payroll function to a UK based organisation?
- Be aware that online tools you use may well be sited in the UK,
- Are you using a UK based marketing company to send marketing communications to your customer database?
- Is your pension scheme based in the UK?
- Are you using a UK based company to analyse data on visitors to your website?
- Are you storing data in the UK on a server or in the cloud?
You will need to put extra measures in place to legally transfer this data once the UK leave now as now looks certain on January 31st next.
EU based data controllers are not permitted to transfer personal data outside the EU/EEA unless certain standards are maintained. Although the transition arrangements to 31 December 2020 (which date can, but probably won’t be extended) provide that EU data protection law applies to processing of data of data subjects based in the EU where processing takes place in the UK, this is for the protection of data subjects’ rights, and does not necessarily absolve EU companies from their responsibilities when sending personal data outside of the EU.
In a Brexit scenario, the UK will no longer be a member of the EU; instead, it will become a ‘Third Country’. It will have to look for a so called ‘Adequacy Ruling’ from the European Commission. The Commission have already indicated that this will take a considerable time period, if granted at all time.
This means that transfer of personal data from Ireland to the UK will be treated in the same way as transfers of personal data to countries like Russia or India etc.
In practice, in order to comply with GDPR rules, an Irish company intending to transfer personal data to the UK will need to put in place specific safeguards to protect the data in the context of its transfer and subsequent processing.
This can be done in a number of different ways, depending on the circumstances in which the data is to be transferred. One such way is the use of “Standard Contractual Clauses” or “SCCs” or” Model Clause Agreements “and this is likely to be the most utilised method for most Irish businesses that transfer personal data to the UK.
The Model Clause Agreements consist of standard or template sets of contractual terms and conditions that the Irish-based controller and the UK-based recipient both sign up to. The basic idea is that each of the parties to the contract gives contractually binding commitments to protect personal data in the context of its transfer from the EU/EEA to the Third Country. Importantly, the data subject is also given certain specific rights under the SCCs even though he or she is not party to the relevant contract.
After much delay, Irish businesses sending data relating to individuals to the UK will now have to act to regularise their situation within the next six weeks.
Time is short.