GDPR/Brexit - The lack of a post Brexit Data Protection arrangement could damage UK-EU trade
It is clear to most that Brexit will impact the UK’s trade with the EU in a number of ways, such as; regulation of medicines and goods, movement of goods, increased costs, and the relocation of industry to name a few. However, potential restrictions on the movement of data could have equally severe consequences if not addressed. The flow of data plays an increasingly important role in international trade. It is estimated that data flows from the UK to the EU represents nearly three-quarters of all data from the UK.
Post Brexit, the UK will become a 'third country' under GDPR. This was made clear last January when the European Commission released a notice to stakeholders entitled “Withdrawal of the United Kingdom from the Union and EU rules in the field of data protection.”
The notice says, “The United Kingdom submitted on 29 March 2017 the notification of its intention to withdraw from the Union pursuant to Article 50 of the Treaty on European Union. This means that unless a ratified withdrawal agreement establishes another date, all Union primary and secondary law will cease to apply to the United Kingdom from 30 March 2019, 00:00h (CET) ('the withdrawal date'). The United Kingdom will then become a 'third country.'”
What is a ‘third country?’
A ‘third country’ is seen as any country that is outside the EEA. In a globalised economy where so much information is digitised, sometimes this information/data is stored on servers in many different countries. GDPR aims to protect the personal data of EU citizens by controlling how and where this data is stored. Regardless of where this data is located the laws and rules of GDPR will apply. Under article 45 of the GDPR, third countries can apply for an 'adequacy decision' from the European Commission in order to continue with legitimate data transfers.
Article 45 - ‘Adequacy decision’
When data flows from the EU to a third country there must be an ‘adequacy decision’ by the European Commission. The Commission must decide whether or not the third country’s data protection laws are acceptable to meet the objectives of the GDPR. When the Commission is evaluating the adequacy of protection of a third country they focus on the rile of law, respect for human rights, relevant legislation regarding defence, public and national security, criminal law, and the access of public authorities to personal data.
The approval of an adequacy decision involves the following:
- a proposal from the European Commission
- an opinion of the of the European Data Protection Board
- an approval from representatives of EU countries
- the adoption of the decision by the European Commissioners
In the event that an adequacy decision cannot be reached, the Commission can engage Article 46, allowing the transfer of personal data to a third country or international organization under the condition that they have implemented legally binding and appropriate safeguards.
To put it in context:
You're an Irish company planning on selling its services to the South American market. You’re focusing on three countries; Uruguay, Argentina and Brazil. Before you do anything, you will need to check which countries have an adequacy decision. In this instance, both Argentina and Uruguay both have an adequacy decision. However, Brazil does not have an adequacy decision. Therefore, you will have to satisfy the Commission by providing appropriate safeguards.
What can the UK do?
In order for the UK to maintain its data flows with the EU, it would appear that the UK must achieve an adequacy decision, or alternatively, they (and/or UK based organisations) must implement legally binding and appropriate safeguards.
However, due to its long-running relationship with the EU, the UK sees itself in a different position to that of other third countries. Based on this outlook, the UK is seeking a legally binding agreement, that cannot be changed unilaterally by the EU, which would allow for EU-UK data flows. The UK believes that such an agreement would provide an improved legal certainty, stability and transparency, as well as more efficient processes and reduced costs for business in both the UK and the EU.
The UK is looking for a bespoke arrangement on data transfers with the EU. However, the EU has said that the UK needs to apply for an adequacy decision post Brexit. Until an adequacy decision has been reached, the use of standard contractual clauses will be required, otherwise, any transfers of personal data to and from the UK will not be legitimate under GDPR.
Companies based in the UK are advised to document their EU-UK data transfers in the event that the UK does not achieve adequacy. They are also advised to map their personal data flows, review all contracts and data protection policies, and put in to place the appropriate mechanism for transfers of personal data. Faced with the uncertainty around a post Brexit Data Protection arrangement, coupled with the other uncertainties surrounding the movement of trade created by a potential ‘no deal’ Brexit, it is unsurprising to see companies relocating to other EU member states.
If you are interested in setting up a company in Ireland you can contact us using the form below: