Oireachtas Joint and Select Committees
Wednesday, 3 April 2019
Joint Oireachtas Committee on Justice, Defence and Equality
Implementation of the General Data Protection Regulation: Data Protection Commission
Mr. Cathal Ryan:
Brexit is on everyone's mind and that is certainly the case in our office. We are receiving the legislation or administrative arrangements that follow Brexit. It is an ongoing consultation on the different arrangements being put in place. On the policing side of things, the framework is there in the Data Protection Act. Sections 96 to 100, inclusive, set out the parameters within which one can share data. Without getting into the specific provisions, there is first of all no adequacy decision in place, which is something the commission can approve. That is something that may come later. The big thing in relation to the sharing of data is to ensure the same safeguards and rules apply when one shares data to a third country. Standard contractual clauses do this. However, administrative arrangements can also be put in place which, provided they are appropriately specified, can actually act as another way to ensure appropriate safeguards are implemented. They can ensure there is a similar level of protection for the data in the third country as is provided for in this country. For example, we are currently analysing whether those safeguards are put in place. Rather than just one line, it gets into a very detailed level of what data is being shared and how and what oversight there is of that data. Provided these safeguards, of which there are many more, are implemented, we take a practical view of Brexit.
We have a long-standing relationship with the UK. Mutual assistance has been in place for quite some time, albeit it will fall by the wayside in Brexit. It is very important to note, however, that there is a data protection office in the UK, namely the ICO, which has been a leader in the field of data protection. The ICO is heavily involved in data protection at an EDPB level but it will have to leave the board on foot of Brexit. The ICO has nevertheless been at the forefront in implementing a law which brings all of the provisions of the GDPR over into English legislation. Obviously, there will be some divergences due to sovereignty if Brexit happens, but the core elements of the protection of data are there. There is oversight and there is a regulator in the ICO. As such, we have to be very pragmatic and understand that these structures are already in place. It is really a matter now of deciding what level of data is being shared, how it is being shared and what level of oversight there will be of the sharing arrangements.
Something else one will note, especially when one looks at which provision they go for, whether it is section 98 or 99, there will be a function for the DPC in terms of ensuring that reporting requirements are fulfilled. We could inspect whether the documentation that is being shared is appropriate, in line with the administrative arrangements or whatever arrangements are put in place. There will be a proactive involvement of the DPC in terms of monitoring those sharing arrangements.
I go back to the fact that our friends, the data protection officer unit of the AGS, will be well aware of these provisions. They will be trying to figure out which is most appropriate to them, in terms of their everyday work and in terms of their interaction with the UK. Clearly, they are the ones who will make the decision and we will help them in that decision in terms of what is required, what level of data needs to be shared, and the date and time of the transfer. Retention is also a big issue. I refer to ensuring that if one shares it to a third country, it is not then shared beyond that third country, and if it is, how is it being shared beyond that third country, etc. There is a level of transparency required which is appropriate to the function of the AGS and we would be the body that would reflect and review those data-sharing arrangements under section 98 or 99 of the Data Protection Act.
It is very possible. We have to be pragmatic, given Brexit. The Commission, the EDPB itself, from a general data protection regulation standpoint, has effectively stated that we need to look at how derogations would be used. Ultimately, if we are looking at some form of derogation, it is never the solution. We should be looking for a more permanent solution. Obviously, the Commission and the UK may in the future look at an adequacy decision which would clear this matter up. In the interim, we should not be relying on a derogation for the next four or five years until something like that happens. We would need to probably set in motion some more permanent solution rather than simply relying on a derogation for every data-sharing arrangement.