Personal data issues arising from the UK’s departure from the EU are “broad and deep” – and Irish businesses that ignore these issues do so “at their peril” in the event of a hard-Brexit, Ireland’s Data Protection Commissioner (DPC) has warned.
Speaking at the ‘Brexit and Data Protection’ event – organised by DCU’s Brexit Institute and sponsored by AIB, Arthur Cox, Grand Thornton and Dublin Airport Central – Data Protection Commissioner Helen Dixon said there is a reasonable level of awareness and preparedness amongst Irish businesses now ahead of Brexit.
If there is a ‘No Deal’ Brexit on October 31st, it will immediately affect the free flows of personal data between Ireland and the UK, and north and south on the island and Ireland, as the EU law will immediately recognise the UK as a ‘third party’ country under the EU Data Protection Law.
If it is an orderly Brexit, with the proposed Withdrawal Agreement passed by MPs in the UK’s House of Commons this Saturday, there will be a 14 month ‘breathing space’ or transition period to address some of the issues relating to the transfers of personal data from the UK to the EU and vice versa. However, after this transition period, we will move into an area of uncertainty when it comes to data protection issues, Ms Dixon said.
“The data issues, and in particular, the personal data issues that arise with the UK’s departure from the EU are non-trivial and they’re both broad and deep,” Ms Dixon said.
“Personal data, as you all know, is involved in everyday transactions between the UK and Ireland, including on the island of Ireland, between north and south.
“And it arises in the context of immigration and asylum, law enforcement in particular, security and intelligence, all types of trade and commerce, banking, medicine, sports administration, tax, tourism and so on.
“Up to now, we’ve simply never had to think about the jurisdictional implications, from personal data flows from Ireland to the UK, including Northern Ireland, and vice versa, as the EU Data Protection law guaranteed those free flows of personal data within the EU and in fact the broader European Economic Area.
“While EU Data Protection Law guarantees the free flows of personal data within the EU, it conversely then prohibits transfers of EU personal data outside of the EU and that is unless it can be demonstrably ensured that the level of protection guaranteeing by EU law isn’t undermined,” said.
Since the Brexit referendum, the Office of the DPC have been working with businesses and public sector bodies to prepare for Brexit.
“We’ve been working hard as an office in the last number of months to prepare public sector bodies and SMEs and micro-enterprises, in particular for the new and immediate requirements in the event of a ‘No Deal’,” she said.
Interestingly, Ms Dixon added that several major companies in the UK have made arrangements to allow themselves come under the DPC’s jurisdiction for regulation.
Post Brexit, Ms Dixon warned businesses, who don’t prepare for Brexit and changes to data protection laws and requirements, that individuals can report businesses for non-compliance to the Office of the DPC, and penalties could be heavy. It is worth business’ time to prepare now, ensuring this scenario won’t occur, she told the event.
Ms Dixon also made the observation that the only difference between a deal and no deal Brexit scenarios - in terms of data transfers between the UK and EU – is time. “On the UK side, our UK counterpart, the Information Commissioner’s Office has published very detailed guidance for all types of organisations. It clarifies that a new UK GDPR law once the UK exits will permit data free flows from the UK to the EEA.”
For a full report, check out the DCU Brexit Institute Blog here: http://dcubrexitinstitute.eu/2019/10/4158/