In our increasingly interconnected, technological and internet-driven world, personal data has emerged as a form of currency with both public and private value. Data is an essential resource for the public and private sectors, aiding economic development, competitiveness and innovation. In essence, data is a commodity, and one growing at an exponential rate. Globally, enormous volumes of personal consumer data are collected, processed and transferred every year. The use of this data must, however, be balanced against privacy, safety and security standards; this is the importance of data protection.
What is personal data?
Data protection is the legal protection and control of ‘personal data’. Under GDPR, personal data is any information relating to an identified or identifiable natural person, that is, a person who can be identified, directly or indirectly, by reference to an identifier. This applies whether the information is held online or offline. Examples of personal data include a name and surname, a home address, an email address, an Internet Protocol (IP) address, an identification card number and a credit card number.
The purpose of data protection is to prevent the misuse of this personal data by third-party individuals and organisations, including for fraud, identity theft and phishing scams. In general, data protection legislation is designed to protect the rights of individuals and to establish obligations for ‘data controllers’ and ‘data processors’.
An organisation that determines the purposes and means of processing personal data is a data controller; in practice, the controller is the organisation that collects the data and decides how it is to be used. An organisation that holds and processes personal data on behalf of, and on the instructions of, a data controller is a data processor. A controller that engages a processor remains responsible for the data and must bind the processor by a written contract.
Irish organisations have important data protection obligations. Irish-based organisations frequently transfer personal data to the UK through e-commerce transactions, agreements with partner organisations and support services.
Examples of personal data transfers executed by Irish-based organisations include: outsourcing HR, IT or payroll functions to UK-based organisations; using a UK-based marketing company to send marketing communications to customers; using a UK-based marketing company to analyse data on customers; storing data in the UK; and using software provided by a UK-based company (as this often involves the transfer of personal data to a UK server).
Due to the high level of interconnectedness between Ireland and the UK on personal data, it is important to reflect on the way in which data protection will change for the individual consumer and for organisations following Brexit.
Data Protection in the EU
Data protection has a comprehensive history in EU legislation. Data protection is a fundamental right outlined in the Charter of Fundamental Rights of the European Union (CFR) and represents an important development in the rights of the individual. Data protection is closely connected to the right to privacy. Article 8 of the CFR enshrines the right of the individual to the protection of personal data concerning themselves.
In 1995, the EU introduced the European Data Protection Directive (Directive 95/46/EC). Based on recommendations from the OECD, the Directive included provisions on data privacy including access, accountability, consent and disclosure.
In May 2018 an EU-wide framework for data protection, the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), became applicable throughout the EU. Adopted in 2016, the Regulation was designed to supersede Directive 95/46/EC, accounting for the rapid development of technology and of the collection and processing of personal data. As a regulation rather than a directive, it applies directly in every Member State without national implementing legislation.
Under the terms of the Regulation, data controllers are required to implement measures to ensure that the personal data of the consumer is protected. Rights and measures incorporated in the legislation include: the right of access, the right to erasure, the right to data portability, conditions for valid consent, data protection by design and by default, data breach notification and, depending on the organisation, the appointment of a data protection officer.
The rights included in the Regulation afford the individual consumer an increased degree of control over personal data; the right to erasure (the ‘right to be forgotten’), for example, entitles individuals, in defined circumstances, to have their data erased by a data controller.
Since GDPR and the protections that it guarantees are EU-wide, the transfer of personal data between organisations based in the EU is straightforward: a data processor in France receiving personal data from a data controller in Ireland is subject to the same rules on data protection, ensuring that the rights of the individual are protected. GDPR ‘travels with data’: data controllers are required to ensure that any export or transfer of personal data outside the EU continues to uphold the protections of GDPR, which is why transfers to countries outside the EU (third countries) require one of the safeguards set out in Chapter V of the Regulation.
On 1 January 2021, at the end of the Brexit transition period, EU-GDPR ceased to apply to the processing of personal data in the UK and a distinct legal framework for data protection, termed UK-GDPR, took its place.
UK Data Protection (UK-GDPR)
UK data protection is governed by the Data Protection Act 2018 (DPA) and the United Kingdom General Data Protection Regulation (UK-GDPR). Enacted in 2018, the DPA supplemented the EU’s General Data Protection Regulation (EU-GDPR) in UK law, filling in the areas the Regulation left to Member States and covering law enforcement and intelligence processing that fall outside it. The UK-GDPR is simply the post-Brexit form of EU-GDPR, retained in UK law and read alongside the DPA.
At the end of the transition period on 31 December 2020, EU-GDPR ceased to apply in the UK; instead an amended form of the Regulation, altered by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (DPPEC), took effect. UK-GDPR closely resembles EU-GDPR: it was drafted from the original EU legal text, and fundamental legal definitions including ‘personal data’, ‘data processor’ and ‘data controller’ remain identical.
Indeed, in practice, fundamental data protection principles, rights and obligations remain in place. The Regulation deviates from EU-GDPR mainly to replace references to EU institutions with their UK counterparts (the Information Commissioner’s Office in place of EU supervisory authorities, for instance) and to accommodate areas of domestic UK law including national security, intelligence services and immigration.
EU-UK Trade & Cooperation Agreement (TCA)
Under the terms of the EU – UK Trade and Cooperation Agreement (TCA), the EU will delay the introduction of data transfer restrictions for a period of four months from 1 January 2021, extended automatically by a further two months unless either party objects, enabling personal data transfers to continue to flow unimpeded from the EU to the UK.
This provision is essentially an extension of the arrangements that governed the transition period. The effect is that, for the purposes of data protection, the UK is not treated as a third country during this bridging period, so transfers to the UK need no additional safeguard for as long as it lasts.
In terms of governance, the extension is dependent on two conditions. Firstly, the UK is to abstain from altering its domestic data protection law (UK-GDPR) as it stood at the end of the transition period. Secondly, the UK is to abstain from exercising its own powers to approve new transfer mechanisms, such as its own adequacy regulations, standard clauses or codes of conduct, without the EU’s agreement. A notable omission from the Agreement was an adequacy decision on data protection.
In terms of GDPR, the priority post-Agreement will be to obtain an adequacy decision on data protection. An adequacy decision recognises that the level of data protection offered in a non-EU country is essentially equivalent to the level of data protection guaranteed in the EU.
Article 45 of Regulation (EU) 2016/679 empowers the European Commission to determine, by its own decision, whether a non-EU country offers an adequate level of data protection. The effect of an adequacy decision is that personal data may flow from the EU to that country without any specific authorisation or additional safeguard. Essentially, data transfers to that non-EU country are assimilated to intra-EU transmissions of data. Adequacy decisions are reviewed periodically and can be annulled by the Court of Justice of the European Union, so organisations cannot treat them as permanent.
Standard Contractual Clauses (SCCs)
In the event that an adequacy decision is delayed and an agreement on data protection is absent, organisations that depend on the transfer of personal data will have to rely on ‘standard contractual clauses’ (SCCs). SCCs are a set of contractual terms and conditions, approved by the European Commission, that enable EU data controllers to transfer personal data to non-EU data controllers and non-EU data processors.
Under SCCs, the EU party (the data exporter) and the non-EU party (the data importer) give contractually binding commitments to protect the personal data in the context of the transfer. SCCs also give the individual whose data is transferred specific, enforceable rights as a third-party beneficiary of the contract.
In the absence of an adequacy decision, an Irish-based data controller transferring personal data to a UK-based data processor will have to sign a contract incorporating the SCCs, which may be supplemented but not modified. The European Commission has issued three sets of SCCs for transfers by EU data exporters: Decision 2001/497/EC and Decision 2004/915/EC cover transfers from an EU controller to a non-EU controller, and Decision 2010/87/EU covers transfers from an EU controller to a non-EU processor.
Binding Corporate Rules (BCRs)
A further mechanism for data protection open to organisations and enterprises operating post-Agreement is ‘binding corporate rules’ (BCRs). BCRs are data protection policies adhered to by a group of undertakings established in the EU for transfers of personal data outside the EU to other entities of the same group. BCRs only apply to intra-group transfers of personal data; they cannot be used for transfers to an unrelated processor or customer. Essentially, an internal code of conduct with respect to personal data is applied, ensuring that intra-corporate transfers of data between EU and non-EU countries adhere to appropriate levels of data protection. BCRs are legally binding data protection rules containing enforceable rights for individuals, and they must be approved by the competent supervisory authority before they can be relied upon.
Where We Stand
Data protection is a fundamental right, one which safeguards the privacy and security of the individual. In an increasingly digitised world, this is important. Under the terms of the EU-UK Trade and Cooperation Agreement, the EU will delay the introduction of data transfer restrictions between the EU and the UK, enabling personal data transfers to continue to flow unimpeded during the bridging period. This temporary decision, of considerable importance for enterprises and organisations, is facilitated by the fact that UK-GDPR and EU-GDPR are very close in terms of the protections afforded. A decision on UK adequacy is expected in the first half of 2021; until it is adopted, organisations transferring personal data to the UK should have standard contractual clauses or binding corporate rules ready as a fallback.