If Brexit or GDPR weren’t complex enough, many organisations are wondering whether Brexit will complicate GDPR. The short answer appears to be yes. Brexit will certainly add another level of unknowns and complexities.
At present, businesses can freely transfer personal data between Britain and Ireland as both countries are EU members. When personal data leaves the EU, including to a post-Brexit UK, the information is considered to have been sent to a "third country". The EU imposes strict legal controls to ensure the safety of data sent to a "third country".
GDPR will be the law of the land in the UK and the rest of the European Union from 25 May 2018. It will remain so, at least until the UK leaves the EU. Leaving will make the UK, including Northern Ireland, a "third country", the same as Canada, the US or Australia. The UK is addressing this issue by drafting a copy and paste of the GDPR in the Data Protection Bill 2017, which will align British data protection policy with GDPR and hopefully reduce many of the compliancy threats to EU/UK data transfer.
Aligning policy is only part of the solution. It also depends on how Brexit negotiations play out and the deal agreed by both parties. Following Brexit, the European Commission may decide to carry out a full review of the UK's data protection law, as it has done with 12 other states so far. If the UK Data Protection Bill 2017 accepts all the terms of GDPR, it is likely that the EU would determine that the UK will protect personal data of EU citizens to the same level as EU law. This approach would be based on adequacy findings and is the most likely route for policy alignment. However, it is not guaranteed that this would make the GDPR/Brexit transition seamless, as this ratification may have to begin after the UK leaves the EU. This could leave an undetermined period between the alignments of policy.
If the UK were to join EFTA, the GDPR would be built into a trade agreement. Norway has taken this approach, meaning that GDPR is part of Norway's EFTA agreement. The UK could choose the same approach.
Other countries, like Switzerland, have adopted GDPR wholesale, which also seems to be a model for maintaining a level of adequacy for GDPR within the EU.
It's most likely that the adequacy findings route will be adopted but there is no definitive confirmation of this yet.
The four-year adequacy findings review may become an issue because of the UK Investigatory Powers Act 2016 (nicknamed the Snooper's Charter). This legislation requires internet service providers and mobile phone companies to maintain records of each user's internet browsing activity (including social media), email correspondence, voice calls, internet gaming, and mobile phone messaging services and store the records for 12 months. The anticipated cost of the Bill to phone and internet companies is £1.8 billion.
The Act grants vast surveillance powers for British law enforcement to use personal data. The EU doesn't share the same requirement to store personal data so this may affect the UK’s ability to maintain adequacy and GDPR compliancy.
In the meantime, as Brexit is still in progress, there are options for Irish businesses. They can look into standard contractual clauses, which have data protection provisions built in, allowing transfers to "third countries". This approach does come with a drawback: organisations could still be subject to a challenge in the Irish High Court by the Irish Data Protection Commissioner. This could create a lot of work in defending any challenge. Organisations would also need to change internal corporate rules and codes of practice to create commission-approved practices allowing data transfers to third countries.
At a government level, bilateral agreements may be created but such agreements take time, money and negotiation. This may work for the UK with countries such as the US but no individual bilateral agreements will be allowed between the UK and individual EU member states.
As with most Brexit-related topics, the future is unclear, but it does seem unlikely that the UK will have any objection to adopting GDPR in a post-Brexit world. Whatever the solution, it is likely that the UK will adopt GDPR either as a mirrored policy or as a policy retained post-Brexit.