When the UK leaves the EU, the legal basis for transferring personal data between the two goes too.
In theory, on March 30 next year any Irish consumer-facing organisation working with Northern Ireland or the rest of the UK must stop sending people's information there or risk significant fines. Will that really happen? Maybe, though not straight away.
EU citizens' data cannot legally be sent to "third countries" which lack our level of data protection. One way to keep the data flowing is if foreign states apply for an "adequacy finding" from the EU, which tests if the receiving country's data protection laws are up to scratch.
Click here to READ MORE
It takes months and involves the European Commission and a process of "comitology", which is just as painful as it sounds. It also needs deep legislative and regulatory groundwork to be laid by the applicant, something the UK does not currently excel at. Also, it cannot even begin until after the UK leaves the EU. By contrast, Japan is just about to secure an adequacy finding as part of its long-prepared EU trade deal.
You might think that as the UK has just enacted its General Data Protection Regulation (GDPR) law, it would easily pass the adequacy test. Unfortunately, the 2018 Data Protection Act is no guarantee of success. It is stuffed to the gills with carve-outs, including one that says the UK government won't fully protect the data of non-UK citizens in the country. Hardly the stuff to endear it to the EU Commission officials needed to kick the adequacy process off. (To guess how a government might like to treat citizens tomorrow, it's always revealing to see how it treats immigrants today.)
The other way to transfer EU citizens' data to third countries is for each organisation to put standard contractual clauses agreeing to uphold EU rules into customer contracts. The EU Data Protection Supervisor's office prefers this approach over adequacy, as it makes companies work on compliance. The UK's official advice, published on September 13, is for UK organisations to adopt model clauses.
After Brexit, the big tech firms whose business models are built on international data transfers will do just fine. They already have the operational systems and in-house lawyers to make it work.
A conservative estimate is that it costs a UK company about £10,000 (€11,000) to apply its own EU-acceptable contract clauses.
If you are an Irish company that sells, say, custom T-shirts to people in Northern Ireland, then you may experience what the UK government euphemistically calls "turbulence".
Read Full Article: Brexit: Where will you be when the data stops flowing out of the EU?