Event Report: Brexit and Data Protection (Talent Garden, DCU Alpha, 17.10.19)
Jasmine Faudone (Brexit Institute)
On October 17th 2019 the Brexit Institute hosted the event “Brexit and Data Protection” at the Talent Garden-DCU Alpha, sponsored by Dublin Airport, AIB Ireland, Arthur Cox Law and Grant Thornton. This was also the occasion for the launch of the new MA Program in “Data Protection and Privacy Law”. Professor Federico Fabbrini (Director of the Brexit Institute) opened the discussion, introducing Helen Dixon (Irish Commissioner on Data protection).
The Opening Keynote Speech by Ms Helen Dixon, Irish Commissioner on Data Protection
The Irish Data Protection Commissioner gave the opening keynote speech, underlining that the issues arising from Brexit are broad and deep, since they touch many different areas, from healthcare to finance, and they seriously affect citizens’ life. In the case of a Brexit Deal, the transition period could represent a breathing space for personal data protection, but once it is over, the transfer of data between UK and EU will become uncertain.
In a No Deal scenario, without a 14-months transition period, the UK would become overnight a third country. The Data Protection Commission of Ireland is providing detailed guidelines for organizations to help them implement safeguards of personal data protection, working with the government to push out advice for Irish businesses in order to be ready even in the worst case scenario. In the recent months, she observed that many companies tried to stay under the EU rules, moving from UK to a jurisdiction where they can operate under the rules of the DPC. However, she was confident about the status of awareness of Irish companies, in particular in the public sector.
Ms Dixon also underlined the risks that could arise in case businesses do not follow the new requirements relating to data transfers between Ireland and the UK after Brexit. In fact, individuals could claim that their rights could be adversely impacted by unlawful transfers, seeking damages by going to courts. Citizens may also report non compliance to the DPC and the Commissioner reminded the audience that GDPR penalties can be heavy. Therefore, it is worth preparing businesses now, in order to avoid that a potential scenario of non-compliance actually happens. On a bilateral level, Ireland might find useful to arrange solutions to cooperate with the UK in the area of data protection after Brexit.
In conclusion, the only difference between deal and no deal is time. The EU data going to the UK will probably be fine because the UK will adapt its laws, but the main problem is the flow of UK data to the EU, which will recognize the UK as a “third country”.
The Panel Discussion on “Brexit and Data Protection”
The second panel was introduced by Susan Daly (the Journal), who moderated a vibrant discussion featuring John Quinn (DCU), Mike Harris (Grant Thornton), Colin Rooney (Arthur Cox) and Prof. Tuomas Ojanen (University of Helsinki).
The debate was opened by Colin Rooney, who gave a brief presentation on how his company helps businesses to prepare in the area of data transfers. It cannot be taken for granted that the UK will apply the GDPR, therefore it is necessary to imagine other solutions. A short term solution could be contractual clauses, while a much stable and longer arrangement could be the so-called “binding corporate rules”, even if they take a lot of time to be concluded. Mike Harris, from Grant Thornton, added that at the moment there are two choices for the UK: the “data protection side” is hopeful of a quasi-membership under EU law which would not treat UK as a third country, while the other side wish the opposite, namely no implementation of EU data protection laws. Then, Dr. John Quinn from DCU underlined that it is going to be difficult for the UK to navigate in the area of data protection after Brexit, and that they will find particularly difficult to “take back control” in a globalized world of personal data transfers.
Finally, Tuomas Ojanen, Professor of Constitutional Law from the University of Helsinki, observed that focusing on data protection is reductive and it will be necessary to take into consideration also the UK security and intelligence sharing services. Moreover, he highlighted the fact that the UK will have to respect the minimum standard on privacy as provided by the European Convention of Human Rights, even when the UK will exit the European Union.
The Concluding Keynote Speech by Peter Hustinx, first European Data Protection Supervisor
The event concluded with a keynote speech by Peter Hustinx (first European Data Protection Supervisor). He started with an interesting summary of the constitutionalisation of the rights of privacy and data protection under EU law, stressing also on the fact that there will still be ground of protection after Brexit, since it is included in the ECHR. He also added that there is a substantial qualitative difference between the legal value of the Charter and of ordinary legislation, so taking back data protection laws to the level of national legislation might diminish the level of protection. In the case of Brexit, the UK will leave the EU framework, therefore cooperation will become a key element for future relationship on the protection of personal data. He reminded that UK has been promoting civil and police cooperation in many forms such as Europol and Eurojust, and that there is hope that it will cooperate in the data protection area as well. The impact of the UK departure from EU depends on special future arrangements: they could be more generous in the case of a soft Brexit, and less generous in a No Deal scenario. The Commission will probably suggest to the UK to remain committed to apply the standard of protection enshrined in the GDPR, but Hustinx underlined that – once Brexit has been enforced – taking a similar decision remains in the sole responsibility of the British government.
Jasmine Faudone is a Research Intern at the DCU Brexit Institute. She has a Master Degree in Law from the University of Bologna.