Reviewed in November 2020. Content will be updated as negotiations develop.
Data protection rules regulate how businesses and organisations deal with information that relates to individuals. In effect, they protect individuals’ privacy. See the FAQ section in relation to data protection rules.
Detailed guidance on the current EU-wide rules on data protection, the GDPR, is available at the Irish Data Protection Commission’s website.
From 1 January 2021, the existing EU-wide data protection rules in the GDPR will be replaced by almost identical UK-based rules. For businesses which handle personal data, most rules will remain the same, except that transfers of data in and out of the UK will be treated in the same way as transfers in and out of the EU at present.
The Information Commissioner, the UK regulator, has published guidance on the new UK data protection system which is intended to replicate EU GDPR from 1 January 2021. It is available here.
If your business transfers or receives personal data that moves between Ireland and the UK (including Northern Ireland) in either direction, you may need to take action so that you can continue to do so lawfully after 1 January 2021.
In parallel with the EU-UK negotiations for a new trade agreement, the EU and UK are reviewing the adequacy of each other’s data protection rules. The adequacy decision, if there is one, will not be made until later this year. If an adequacy decision is made by each of the EU and UK, this will allow the continued free flow of information protected by data protection rules between businesses based in the UK and Ireland in both directions.
Strictly speaking, this process is separate to the trade negotiations, but its outcome is also uncertain at present. The process normally takes a number of months. Although most of the EU and new UK rules are identical, there are some issues concerning the protections around the potential use of data for policing and security purposes, which the EU authorities have indicated may be problematical.
If the EU Commission does not make an adequacy decision (see FAQ) before the end of 2020 on the UK’s data protection rules, then if your business or organisation transfers personal data out of Ireland to the UK (including Northern Ireland) after 1 January 2021, you will need to put in place additional safeguards to protect the rights of the persons to whom the data relates.
The Data Protection Commission, the Irish regulator, has published guidance about the transfer of personal data in the event of a no-deal exit. It includes FAQs and the required clauses for the transfer of data that need to be inserted into contracts between an Irish-based sender and a UK-based recipient in the event of no adequacy decision.
The EU Commission published updated guidance on data protection on 6 July 2020, dealing with the transfer of personal data to the UK after 1 January 2021 in circumstances where there has been no adequacy decision by the EU on the UK data protection rules. It is available for download here. If there is no adequacy decision by the EU Commission in relation to the UK’s data protection rules, businesses and organisations in Ireland or elsewhere in the EU will need to put in place alternative safeguards, which would include, in most cases, additional clauses in the agreement between the EU-based sender and the UK-based recipient.
The UK Government has published guidance on data flows for UK businesses and other organisations that receive data from organisations abroad including those in the EU and those which operate in the EU. The guidance is available here.
It appears that the UK Government will allow free transfer of data out of the UK to the EU regardless of whether or not the EU makes an adequacy decision in relation to the UK’s data rules. The FAQs of the UK regulator, the Information Commissioner’s Office, state, in answer to the question “Can we still transfer data to and from Europe if we leave without a deal?”:
“The Government has said that transfers of data from the UK to the European Economic Area (EEA) will not be restricted. However, from the end of the transition period, unless the EU Commission makes an adequacy decision, GDPR transfer rules will apply to any data coming from the EEA into the UK. You need to consider what GDPR safeguards you can put in place to ensure that data can continue to flow into the UK.”
This position may change. Businesses which transfer personal data out of the UK or those that receive personal data from the UK should follow the UK Government’s and Information Commissioner’s Office guidance during the remaining months of 2020.
If your business is already transferring data covered by data protection rules to and from states outside the EU about which the EU has already made an adequacy decision, the position will remain unchanged in most cases. The Information Commissioner’s Office website indicates:
“To date, 12 out of the 13 third countries deemed adequate by the EU have informed us they will maintain unrestricted personal data flows within the UK.”
Businesses and organisations affected should follow guidance and updates on the ICO’s website.
Businesses established outside the EU (including the UK after 1 January 2021), without a base within the EU, are obliged to appoint an EU representative if they offer goods and services to individuals in the EU or monitor their behaviour. The European Data Protection Board has issued guidance in relation to when this obligation applies. For more information, click here.
The UK Government has indicated that businesses and organisations based outside the UK will need to appoint a UK representative if they offer goods and services to individuals in the UK or monitor their behaviour. The UK Information Commissioner’s Office indicates that:
“The UK Government intends that after the transition period ends, the UK version of the GDPR will say that a controller or processor located outside the UK – but which must still comply with the UK GDPR – must appoint a UK representative.”
The representative would act on behalf of the non-UK business concerned in dealings with the authorities and with persons to whom the data relates.
The UK Government’s guidance is available here.