Out-Law News | 13 Feb 2019 | 3:09 pm | 3 min. read
The guidance was issued by the Data Protection Commission (DPC) in Ireland and highlighted the use of standard contract clauses (SCCs) endorsed by the European Commission as a means of ensuring compliance, but a data protection law experts have warned that the use of SCCs alone may not be sufficient for Irish company to demonstrate compliance.
Currently, data can flow freely to the UK as it is a member of the EU and subject to the General Data Protection Regulation (GDPR).
However, the GDPR places restrictions on the transfer of personal data outside the EEA. Businesses are prohibited from transferring personal data to non-EEA countries unless they have in place one of a number of safeguards to ensure EU data is adequately protected when processed in those 'third' countries. In a 'no deal' Brexit, that will include where personal data is transferred to the UK.
"This means that transfer of personal data from Ireland to the UK will be treated in the same way as transfers of personal data to countries like Australia, India or Brazil," the DPC said in new guidance it has issued.
SCCs are among the legal safeguards available to businesses seeking to facilitate personal data transfers outside of the EEA. The DPC said SCCs are "likely to be relevant to most Irish businesses that transfer personal data to the UK" in a 'no deal' Brexit scenario.
SCCs, also known as model clauses, were developed by the European Commission for use in cross-border contracts. They create a contractual framework for how personal data should be handled when transferred outside of the EU to 'third countries'. The Commission has previously issued decisions that endorse model clauses as tools providing for adequate protection of personal data when used for data transfers, as is required by EU data protection law. The use of model clauses has therefore become widespread among international businesses which many companies have come to rely on for demonstrating compliance.
Irish companies that outsource HR, IT or payroll functions to UK-based businesses, have a UK-based pension scheme, use a cloud provider that stores personal data in the UK, or use a UK-based marketing company to send marketing communications to customers on their behalf are among those who should consider using SCCs to account for a 'no deal' Brexit, the DPC said.
The watchdog said SCCs can be implemented as stand-alone new contracts or added into existing data processing agreements.
Claire Edwards of Pinsent Masons, the law firm behind Out-Law.com, said, though, that SCCs "do not deal with the overseas party’s legal duties", such as where data is required to be onward transferred out of the UK by the processor. Edwards said there is currently no framework within the SCCs or other data transfer mechanism that accounts for this possibility. "Such documents assume the controller is the exporter – but in these circumstances it would be the processor that would be an exporter subject to the UK's implementation of GDPR and the requirements of Article 46," she said.
Because of this, Irish companies might want to review UK law to understand the legal requirements that apply to data once transferred to the UK, Edwards said.
Dublin-based Andreas Carney, also of Pinsent Masons, said: "SCCs are arguably the simplest legal solution available to Irish companies to implement in the period before Brexit to ensure that data transfers to the UK remain compliant after 29 March. As the DPC has said itself, though, businesses implementing SCCs must ensure that the terms of the SCCs are 'discharged in practice' to ensure compliance with the GDPR. This means that the contractual requirements will need to be implemented, not just 'papered'."
"It is also vital that Irish businesses monitor for changes in UK law post-Brexit." he said.
"While SCCs provide a route to compliance in the short-term, Irish businesses should be aware that there is an ongoing legal challenge over their legitimacy for facilitating data transfers - in this case, specifically to the US. Central to that case, which may ultimately fall to be decided by the Court of Justice of the EU (CJEU), is the question of whether data is adequately protected given the powers US authorities have to access the information transferred. Given the existence of similar powers in the UK, it is possible that the case will have a bearing on the legitimacy of using SCCs for Irish-UK data transfers in the future. But for now, SCCs provide a valid means of transferring data internationally," Carney said.