There are many businesses which rely on the transfer of personal data across borders.
The UK left the EU on 31 January 2020, and on 1 January 2021 the transition period is scheduled to end. Depending on the outcome of negotiations during the transition period between the UK and EU, new legal restrictions may apply to the transfer of personal data between the countries of the EU/European Economic Area (EU plus Norway, Iceland and Liechtenstein) and the UK
Restrictions may also apply to the transfer of personal data between the UK and: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the USA.
‘Personal data’ includes information that could be used to identify an individual such as name, address, number, IP address or cookie identifier.
What does this mean?
In the event of a non-negotiated outcome, and if a positive data adequacy decision is not achieved, there may be no legal basis for continued transfer of personal data from EEA countries to the UK.
A business based in Northern Ireland may, for example, be legally unable to:
- access payroll data stored in the Republic of Ireland
- receive customer names and addresses from a company in the Netherlands
- access details of employees of subsidiary companies in Germany
The UK Government has indicated that the transfer of personal data from the UK to the EU and wider EEA would still be permitted in this scenario.
Indications of Business Preparedness
In August 2020, the Department for the Economy commissioned an online questionnaire of NI businesses to assess business preparedness for the end of transition period and a scenario where a positive adequacy decision has not been achieved.
The headline results of the 2020 online questionnaire can be seen below. f Of the businesses that responded to the survey:
- 66 per cent advised that EEA data was essential for business functions
- 66 per cent thought no deal EU exit would have a big impact on their business
- 6 per cent have undertaken all actions to prepare for a no deal exit, a further 14 percent have undertaken some action
- Some 80 per cent of respondents had no contingency plans in place for cross border data transfer in a scenario where data adequacy is not achieved.
What can business do?
UK Government advice and guidance can be found:
- gov.uk website - Brexit Transition: how-to-prepare guide for Northern Ireland and personal data flows from the EU
In advance of the end of the transition period on 31 December 2020, businesses can undertake mitigating actions, including agreeing new contractual terms with partners in the EEA.
However, these mitigations may be complex for some businesses, and are subject to some legal uncertainty.
The UK Information Commissioner’s Office has published guidance for business at Information Commissioners Office (ICO) website.
Invest NI also has guidance and provided you meet the criteria you may be eligible for a grant Invest NI Brexit Preparation.
IntertradeIreland has published advice and provided you meet the criteria they have a £2,000 Brexit voucher scheme. Further info is available here - Intertrade Ireland Brexit Voucher.