Many Irish businesses transfer personal data to the UK as part of their businesses, either to trading partners or to companies within their group.
With the prospect of a hard Brexit increasing, when personal data leaves the European Union (EU), including post-Brexit UK, the information is considered to have been sent to a “third country”. The EU has strict legal controls imposed to ensure the safety of the data when sent to a “third country”.
Following Brexit, the European Commission may determine that the UK will protect personal data of EU citizens to the same level as EU law. This approach would be based on adequacy findings. However, it is not guaranteed and this ratification, if it occurred, would begin after the UK leaves the EU. This would leave an undetermined period between the alignments of policy, should this ever occur.
Article 44 of GDPR provides that personal data shall not be transferred outside the European Economic Area (EEA) unless one of the conditions for transfer set out in GDPR Chapter 5 are complied with. They are broadly:
- Adequacy Decisions;
- Appropriate Safeguards; or
- Specific Derogations.
As stated above, it is likely that an adequacy decision by the Commission will not be in place when Brexit occurs.
A commonly used specific derogation is where the data subject has explicitly consented to transfers of personal data outside the EEA having been informed of the risks. Very often, obtaining those consents would not be practical, and would also be risky as data subjects may argue that they didn’t understand what they consented to.
Article 45 of GDPR sets out the mechanisms which may provide appropriate safeguards. Within groups of companies, it is possible to put in place binding corporate rules which would allow transfers between group companies outside the EEA. However, this has not been used on a widespread scale.
A commonly used mechanism in these circumstances is the standard data protection clauses (“Model Clauses”) adopted by the Commission or supervisory authority.
The Model Clauses have been approved by the European Commission. The clauses contain contractual obligations on the Data Exporter and the Data Importer, and rights for the individuals whose personal data is transferred. Individuals can directly enforce those rights against the Data Importer and the Data Exporter. There are Model Clauses for restricted transfers between a controller and controller, and between a controller and processor. The clauses are now not fully compliant with GDPR and the European Commission has advised that it plans to update the existing standard Model Clauses to ensure that they are GDPR compliant.
In the proceedings taken by Max Schrems, the Irish Data Protection Commission (“DPC”) argued that it had no authority to suspend or restrict transfers based on Safe Harbour because Safe Harbour was a decision by the EU Commission. The European Court of Justice (ECJ) rejected this argument, holding that the Commission cannot restrict a data protection authority’s (“DPA”) ability to suspend or restrict transfers to third countries in individual cases where they find that adequate protection is not present. This aspect of the ECJ’s Schrems decision casts into doubt several provisions contained in further Commission decisions underlying Model Clauses.
Given that the ECJ’s Schrems decision indicated the Commission could not limit DPAs’ authority in this fashion, there was speculation that Model Clauses and existing adequacy decisions would need to be updated to comply with the change in law. Max Schrems, has also filed a complaint to the Irish DPC requesting that the DPC declare that the Model Clauses – both the controller to processor and controller to controller ones – do not provide sufficient protection when personal data are transferred outside the EU to the US. The DPC’s preliminary decision in May 2016 stated that the case was well founded and the DPC commenced proceedings before the Irish High Court. The High Court decided to refer the matter to the ECJ but that decision has been appealed to the Supreme Court. The Supreme Court appeal concluded on 23rd January 2019 and judgment has been reserved. It is possible that if a broad approach is taken, the Model Clauses used regarding data transfers to any non-EEA country might be struck down.
The Irish DPC is of the view that EU-based data controllers can still enter into contracts that include the Model Clauses based on the EU Directives which pre-dated the GDPR. However, this may change in the not too distant future.
A risk for companies in using Model Clauses is that if it is decided (by the ECJ or the Commission) that the use of Model Clauses to non-EEA countries is no longer an appropriate safeguard, then data cannot be lawfully transferred outside the EEA using this method.
Therefore, in future, careful consideration should be taken by companies in transferring data to the UK post-Brexit, and planning for this eventuality should occur now.