The Data Protection Commission (DPC) has recently published preliminary guidance on transfers of personal data to the UK in the event of a 'no deal' Brexit.
Under EU data protection law it is possible to transfer personal data to countries within the EEA with no additional restrictions. However, transfers to countries outside the EEA i.e. to 'third countries' require additional safeguards to be put in place.
In its preliminary guidance, the DPC confirmed that, in the event of a 'no-deal' Brexit on 30 March 2019, the UK will become a 'third country' for the purposes of EU personal data transfers. Accordingly, the rules applicable to transfers to third countries as set out in Chapter V of the General Data Protection Regulation (the "GDPR") will apply to transfers of personal data to the UK and one of the transfer mechanisms or one of the additional safeguards must be implemented.
The most straight forward way to transfer personal data to a 'third country' is where the third country has been recognised by the EU as having an "adequate" data protection regime. However, the DPC has also confirmed in its preliminary guidance that no such recognition of the UK data protection regime will occur before the end of March 2019.
This has significant implications for companies or organisations that transfer personal data out of Ireland to the UK (including Northern Ireland). In the event of a 'no deal' Brexit and before 29 March 2019, Irish entities that wish to continue to transfer personal data to the UK will need to put in place additional legal safeguards to lawfully transfer this...