Privacy & Information Security Law Blog

On December 21, 2018, the Irish Data Protection Commission (the “DPC”) published preliminary guidance on data transfers to and from the UK in the event of a “no deal” Brexit (the “Guidance”). The Guidance is relevant for any Irish entities that transfer personal data to the UK, including Northern Ireland.

The Guidance notes that if the UK leaves the European Union at 00:00 CET on March 30, 2019, without a withdrawal agreement in place, the UK will be deemed a third country for the purposes of EU data transfers and will require Irish-based organizations and bodies to implement legal safeguards in order to continue transferring data to the UK or Northern Ireland.

The Guidance provides several examples of data transfers that may be affected and includes a list of next steps for organizations to consider in the run up to the withdrawal date. These measures include:

• Mapping the personal data the organization currently transfers to the UK and Northern Ireland;
• Determining whether such transfers will need to continue beyond March 30, 2019; and
• Assessing the different transfer mechanisms available to see which one will be most appropriate for the organization to continue transferring their data and working to have it in place before the UK departs from the EU.

The Guidance concludes by noting that more information will be available from the DPC as the withdrawal date nears.

As we previously reported, the UK House of Commons rejected the draft Brexit withdrawal agreement on January 15, 2019, making the prospect of “no deal” Brexit still a possibility.