Speaking at the launch of DCU Alpha’s new MA in Data Protection and Privacy Law last Thursday, the Commissioner said that if a company in the Republic uses outsourced payroll or cloud services, outside of the jurisdiction, these will all count as personal data transfers, post-Brexit.
The Data Protection Commissioner also warned that technological solutions to customs and people-checks post-Brexit, such as GPS and phone-tracking, come with serious data protection implications.
“We will be watching that with interest and looking to see that those solutions are implemented in a way that complies [with data laws],” she said.
Dixon said that she was conscious of the security risks from any loss of UK intelligence-sharing with the wider EU community.
The personal data issues that arise from Brexit are “non-trivial, broad and deep”, Dixon said, because until now we have never had to think about the jurisdictional issues of personal data flows in everyday transactions from Ireland to the UK and vice versa.
“Personal data arises in the context of immigration, asylum, law enforcement in particular, security and intelligence, all types of trade and commerce, banking, medicine, sports administration, tax, tourism and so on,” she said.
“Up to now, we never had to think of jurisdictional implications,” she said.
The EU can recognise a third country as providing an adequate level of data protection but only 11 countries so far have this recognition from the EU Commission, with partial adequacy findings in respect of Canada and the US.
While the UK will in future recognise EU laws as adequate on data protection, as well as the 11 pre-approved third countries, UK organisations have been warned to make sure that standard contractual clauses (SCCs) are inserted in good time into contracts, to legally underpin data transfers.
Adequacy findings are complex and slow, the DPC said, as well as having a political hue.
They require the EU Commission to make a complete assessment of the laws, practices and international commitments of any third country.
A third country doesn’t have to have an identical system of protections but there must be essential equivalents.
An adequacy finding can’t be something static and must be kept under review, at least every four years, to ensure there is no material change of circumstances, the DPC said.
So, even in a with-deal Brexit scenario, there is no guarantee of an adequacy finding in respect of the UK, inside the transition period.
The argument for an automatic awarding of adequacy doesn’t reflect the legal or political reality because the UK won’t be subject to the CJEU, once it exits the EU.
So, beyond the transition period, the outlook is very uncertain, Dixon said.
Once the UK departs, SCCs are likely to be the most frequently-used legal mechanism to underpin data transfers.
“These clauses are valid until they are declared invalid,” Dixon said, but significant question marks are still hanging over them.
“Even if the CJEU does make a strike-down that impacts their use, that bridge will have to be crossed. The Advocate General’s opinion is due to issue on 12 December,” Dixon noted.
However, the DPC said the impending loss of the UK Information Commissioner’s Office (ICO), as part of EU decision-making body the Data Protection Board, was very close to her heart.
“This is a very big part of our daily life. Given our respective common law backgrounds, our daily spoken language of English, in addition to the very pragmatic approach we share on data protection issues, the ICO and the DPC are close colleagues.
“We would feel their absence generally, and the absence of their contribution and expertise around the table,” she said.
The one-stop shop for data protection at EU level will “come asunder” when there is no longer one lead supervisory authority, with the potential for conflicting regulation and enforcement.
“In time, we could end up with contradictory interpretations of the GDPR and the UK GDPR mirror law, as the UK sits outside the EU co-operation and consistency mechanism.”
She warned about the impact for Ireland’s Data Protection Commission (DPC), and for multinational companies, in terms of the UK falling outside the one-stop shop provisions in the GDPR, with the loss of the ICO.
Even with a Brexit deal, the ICO will not be part of the European Data Protection Board during the transition period.
The ICO has acted in a ‘remainer’ fashion so far but the data protection landscape will be quite different if the Brexiteer view dominates.
“It’s been a difficult process to watch,” Dixon said.
Ireland will also lose its main common law colleague, she said.
The EU Commission has wanted to ensure that it’s clear about the rules for any exiting country, she said.
The focus is on being clear that once you’re out, you’re out, she pointed out.
So, it will be a no-go for the DPC to have even informal contact with the ICO, post-Brexit.
But, “on a bi-lateral level … we want to work out ways of co-operating,” she said.
Companies such as Facebook and Google have a very large staff in London, even more so than in Dublin. The ICO and the DPC don’t want to duplicate efforts or make contradictory rulings on the same issue.
“Several large-scale companies headquartered in the UK have in fact moved their EU main establishment and their binding corporate rules, to be supervised by the DPC in Ireland over the last year,” she said.
This is to avoid a scenario where they are sitting outside the EU, and represents a significant workload increase for the data transfers team at the DPC, she said.
Dixon’s opening speech at the launch at DCU's Talent Garden was followed by a panel discussion moderated by Susan Daly of Journal Media.
Speakers included Mike Harris of Grant Thornton, Colin Rooney of Arthur Cox, Tuomas Ojanen, Professor of Constitutional Law, University of Helsinki and John Quinn, School of Law and Government, DCU.
Peter Hustinx, the first European Data Protection Supervisor, gave the closing address. He was referred to by Dixon as “the person who drove data protection to the top tier of the EU agenda”.
Dixon also questioned the ultimate effects on innovation for the UK of being outside the constraints of CJEU case law.
“Will there be a measurable difference in attracting data-fuelled innovation?” she asked.
And she warned that there is only a short time left to negotiate an adequacy finding, for instance in the role of intelligence and security agency GCHQ.
There is a certain logic to automatically awarding a finding of adequacy to UK bodies but this does not reflect legal or political reality, the DPC said.
She said there is much speculative bad press that GDPR inhibits EU innovation and strangles fledgling indigenous artificial intelligence start-ups, in connected cars and smart homes-type applications.
It remains to be seen, however, the DPC said, whether the UK mirror laws will get watered down and become more flexible, compared to the GDPR.
“Will the lack of CJEU jurisdiction allow different types of application of the law?” she asked.
“Will there be a measurable difference in attracting and supporting data-fuelled innovation in the UK versus the EU?” she asked.
The GDPR is simply a set of principles that prescribes the best way to go about lawful and fair use of personal data, she concluded.
Arthur Cox partner Colin Rooney says that client queries have accelerated in relation to GDPR and that while a Brexit deal may solve some problems, the data protection issues will remain.
Firms simply must understand their data flows, the seminar heard, but often don't.
Post-Brexit, both the ICO and the DPC may have jurisdiction in some circumstances, with one applying GDPR but the other applying slightly different rules.
So, with the same data incident, two different sets of decisions could present a regulatory problem.
'Imperialist' view of data
DCU assistant law professor John Quinn said that two different views of data protection are emerging, broadly categorised as the ‘imperialist’ versus the ‘sovereign’ positions.
In the 'imperialist' view, the territorial effect of GDPR extends beyond the EU.
In the ‘sovereign’ view, data protection is covered by a country’s own legislation.
But ultimately, commercial entities will make the easiest and most cost-effective decision about where their headquarters should be located, the seminar heard.
Brexit voters knew they were voting for something that would potentially make them poorer and their economy less buoyant.
And while data protection is a core EU value, Brexiteers may regard it as more of a compliance issue, the seminar heard.