12 March 2019
Both the Island’s Information Commissioner and the UK’s Information Commissioner’s Office have put in considerable work in preparing for Brexit and their respective websites contain a lot of useful information.
The starting point is the EU Commission’s Notice of January 2018 pointing out that following Brexit the UK will be a third country and will no longer benefit from the freedom to transfer data within EU and EEA member states.
Of course the UK provides legislative and administrative resources at least comparable to those of EU and EEA member states. It can be expected, therefore, that the UK will in due course benefit from an “adequacy decision” of the EU Commission which will facilitate the transfer of personal data from EU and EEA data controllers to their counterparts in the UK.
As between the Isle of Man and the UK, the current position is complicated by the fact that the Island (unlike the UK) benefits from an “adequacy decision”, although its status will be subject to review in the light of the Island’s implementation of the General Data Protection Regulation.
Accordingly, with regard to transfers of personal data from EU and EEA data controllers to data controllers in the Isle of Man, no steps need to be taken in view of the Island’s current adequacy status.
However, until the UK benefits from an “adequacy decision”, Manx entities wishing to transfer personal data to data controllers in the UK will need to do so on the basis that the latter is a third country. This issue is likely to be particularly relevant in the banking and insurance sectors and may also affect internet gaming and associated activities.
It can be expected that many, particularly larger, organisations will have devoted significant resources in terms both of time and cost to ensure their data protection compliance. The matter is likely to be more acute for smaller businesses.
As previously, a significant number of transfers of data are already permitted, particularly where they are the subject of the data subject’s consent or the transfer is necessary for the performance of a contract between the data subject and the data controller.
In other cases, in relation to transfers of personal data from Manx entities to non-EU and non-EEA data controllers (including those in the UK), it will be advisable to adopt the “standard data protection clauses” published by the EU Commission covering transfers from an EU controller to (i) a non-EU or non-EEA controller or (ii) a non-EU or non-EEA processor.
In some cases, certain group entities may have put in place “binding corporate rules” (BCRs) approved by EU supervisory authorities to facilitate transfers of personal data between group members, including group data controllers outside the EU and EEA. However, with regard to BCRs which (i) cover the transfer of personal data between Manx and UK entities and (ii) in relation to which the supervisory authority is the UK’s Information Commissioner’s Office, the position post Brexit may be open to question. In these circumstances it may be desirable for Manx entities to adopt the Commission’s “standard data protection clauses” to facilitate transfers of personal data to UK data controllers.
Other scenarios can also be envisaged. For example, personal data may be transferred from a controller in France to a controller in the Isle of Man (the former in the EU and the latter the subject of an “adequacy decision”) via a server in the UK. Provided there is no intention that the personal data will be accessed or manipulated while it is in the UK, the transfer should be regarded as only to the Isle of Man.
Author: Adam Kelly