Data protection and data transfers on the island of Ireland after the post-Brexit transition period
The data protection regime in the United Kingdom, including Northern Ireland, will almost certainly change at the end of the post-Brexit transition period, from 1 January 2021. Specifically, on that date the “UK General Data Protection Regulation” (UK GDPR) will come into force. It is based on the currently applicable EU GDPR, but with some differences, and with the crucial caveat that it is the express intention of the UK Government to further diverge from the EU regime over time (which is why Ian Brown and I have concluded that the UK should not be granted a positive “adequacy” decision by the EU, which would allow free transfers from the EU/EEA to the UK).[1]
This short blog provides some initial thoughts on what this will entail – in short: legal mayhem! I am working on a more elaborate paper.
At some stage, I thought that because we were told that Northern Ireland was effectively staying in the EU Single Market, it would also remain in the EU data protection regime, in particular (for most businesses and many public bodies) in the EU GDPR – because the GDPR is a Single Market measure.[2]
However, while the Revised Northern Ireland Protocol to the EU–UK Withdrawal Agreement[3] indeed clarifies that many Single Market rules and regulations will continue to apply to Northern Ireland (such as the rules on customs duties and the movement of goods), there are no references to “data” in the Protocol, let alone to “personal data” or “data protection” – except for a reference to scientific data for the working group that will monitor the implementation of the Protocol (Article 15(7)), and to “access to any network, information system or database established on the basis of [European] Union law” (Article 13(5)). The latter is relevant to Justice and Home Affairs (JHA) databases but not to the GDPR.
It therefore appears that the “UK GDPR” will indeed apply to all of the UK, including NI, from 1 January 2021. And the EU GDPR (what I call the “real” GDPR) will of course continue to apply to and in the Republic of Ireland (RoI) – meaning that there will be a data border between NI and the RoI. That border is asymmetric: personal data can probably be freely transferred from the UK (including NI) to the RoI (or any other EU country), because the UK intends to declare that the EU provides adequate protection in UK GDPR terms; but the reverse is not true: personal data will no longer be freely transferable from the RoI (or any other EU Member State (MS)) to the UK, including NI, if the UK is not granted a positive adequacy decision by the EU.
Worse, since the UK indulges in mass surveillance just like (and hand in glove with) the USA, the UK (again including NI) will, from 1 January, have to be treated just like the USA after the Schrems II judgment.[4] In that case, the Court of Justice of the EU held that the USA does not ensure “adequate” protection of personal data, because its security agencies have insufficiently limited access to EU personal data transferred to the USA, and because EU persons are not provided with appropriate remedies against such sweeping access, on a par with the effective judicial remedy guaranteed by Article 47 of the EU Charter of Fundamental Rights. Ian Brown and I argue that UK law likewise does not sufficiently protect data from undue access, and also does not provide for appropriate remedies.
If the UK is not granted a positive adequacy decision between now and the end of the year (for the reasons Ian and I provide), then new, onerous duties and liabilities will rest on any EU-based (including RoI-based) exporter of personal data to the UK including NI.
For a start, all RoI (or other EU MS-based) businesses that regularly exchange personal data with NI businesses (and the many state agencies that are subject to the GDPR) will have to use standard contractual clauses (SCCs) for data transfers (or binding corporate rules (BCRs) if they are in a group with the other business, or, for data transfers between public entities, administrative arrangements) PLUS “supplementary measures”, as just clarified by the EDPB.[5] Those supplementary measures must effectively prevent the UK security agencies from unduly accessing the transferred data.
What is more, if the RoI (or other EU MS-based) business concludes that there are no “supplementary measures” available that will actually prevent access to the personal data in NI (or the rest of the UK) by the UK security and intelligence agencies, then they are legally barred from transferring the data.
If in spite of this conclusion, they nevertheless still want to transfer the data, they are legally obliged to consult the relevant national data protection supervisory authority (i.e., in the RoI, the Irish Data Protection Commissioner) – and the supervisory authority is obliged to prohibit the transfer if indeed the data cannot be protected after transfer against undue access by the UK authorities.
It gets worse still: the EU GDPR also applies to non-EU/EEA controllers or processors who “offer goods or services” to individuals in the EU/EEA (in some targeted way)[6] – so NI businesses that after 1 January (also) offer their goods or services across the border will still be subject to the EU GDPR, as well as to the UK GDPR. The same applies if they “monitor the behaviour” of individuals in the EU (including in the RoI), e.g., by using tracking tools on their website.[7]
That also means that such businesses are prohibited, under Article 48 GDPR, from disclosing personal data in compliance with any UK court judgment, or any decision of any UK administrative authority, unless that judgment or decision is based on an international agreement (such as a mutual legal assistance treaty) in force between the UK and the EU or the Member State concerned – in respect of the personal data that they process in relation to the offering of goods or services to EU (including RoI) persons, or in relation to the monitoring of the behaviour of such persons.
Failure to abide by these requirements constitutes a violation of the EU GDPR (which applies to them) and leaves the RoI exporters and the NI businesses concerned (and the public bodies on both sides of the border) open to very large fines and other sanctions.
These matters can really only be properly resolved if the UK is willing to amend its surveillance laws — and its hand-in-glove operations with the USA. All that can be said for now is that without major changes in those regards, the above will lead to serious complications.
[1] Douwe Korff & Ian Brown, The inadequacy of UK data protection law in general and in view of UK surveillance laws, October 2020, Part One on general inadequacy, submitted on 9 October 2020. (The second part, addressing UK surveillance law, will be submitted at the end of November.)
[2] Cf. Recitals 2, 5, 7, 13 GDPR.
[3] Protocol on Ireland/Northern Ireland.
[4] CJEU Grand Chamber judgment in case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (“Schrems II”), 16 July 2020.
[5] European Data Protection Board (EDPB), Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (draft open for consultation), 11 November 2020. Non-regular, incidental transfers may take place on the basis of the derogation clause in Article 49 GDPR – but the EDPB has stressed that these derogations cannot be used for regular transfers and must be interpreted narrowly, see EDPB, Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, 25 May 2018.
[6] See EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), version 2.0 (final), 12 November 2019.
[7] In my later paper I will discuss whether this means that, arguably, the UK intelligence agencies will therefore also become subject to the GDPR – an interesting thought!