Skip to main content

Businesses need to prepare for the consequences of Shrems II and a no-deal Brexit- Seery-Kearney

2nd December 2020 - Mary Seery-Kearney

Businesses need to prepare for the consequences of a no-deal Brexit and also a recent court rule which will have consequences on data protection law, a Fine Gael Senator has said.

Senator Mary Seery-Kearney said, “We have the prospect of a no-deal Brexit ahead of us on top of the recent Court of Justice of the European Union decision in Shrems II case, both of which will bring an onerous burden on businesses in their roles as Data Controllers.

“With the pandemic and Brexit movement and non-movement of goods dominating the public narrative at the moment, the obligations on companies as data controllers under GDPR are getting lost, yet the consequences of non-adherence to data protection standards for EU resident’s data are enormous.

“The Shrems II decision is where Max Shrems successfully challenged the use of standard contractual clauses by Facebook as a mechanism of transferring data out of the EU.  The CJEU considered that this was insufficient and that the country to which the data is transferred must have a standard of data protection consistent with that of the EU.

“A data controller “exporting” data is responsible to ensure that EU standards protections are not diluted by the export – that means that each company must ensure that each data transfer which crosses borders outside of the EU must ensure that the country the data is being exported to has the same standards of data protection as those of the EU.

“Companies dealing with US companies or Irish companies with a US parent for instance must ensure that the company receiving any data is going to preserve EU standards of data protection.  This must be analysed on a case by case basis and applies not just to US companies, but to any company operating in a jurisdiction outside of the EU where the EU has not issued an adequacy decision in relation to that country’s standard of data protection.

From 1st January the UK will be one such country, known as a third country, if no deal is made between the UK and the EU and no adequacy decision is given by the EU.

“This will be a significant cost for Irish companies who engage with UK based clients, customers or suppliers, as they must go through a process of ensuring that UK data standards are consistent with EU standards, and keep on top of any changes in UK law and departures from EU standards.

“This little talked about consequence will be a drain on resources within businesses who are already struggling to manage with Brexit and the pandemic.  It is important that the resources and advices published by our Data Protection Commission are highlighted and broadly advertised to ensure that businesses are assisted as much as possible in adherence to data law,” Senator Seery-Kearney concluded.