Mr. John O'Dwyer:

I thank the Chairman. I am thankful for the invitation to meet with the Seanad Special Select Committee on the Withdrawal of the United Kingdom from the European Union to discuss the implications for transfers of personal data to the UK. I am deputy commissioner and head of regulatory activity. One of the areas under my responsibility is international data transfers.

I am accompanied by Ms Nicola Coogan, assistant commissioner and head of unit of the international transfers unit.

As all present are aware, flows of personal data to and from the European Union are necessary for international trade and co-operation. However, the transfer of such personal data from entities in the EU to entities located in third countries outside the Union should not undermine the level of protection afforded to those data by chapter 5 of the general data protection regulation, GDPR, and chapter V of the law enforcement directive, LED. A "third country" is defined as a country outside the European Economic Area. Transfers of personal data to third countries or international organisations, including onward transfers to another third country or another international organisation, must be carried out in full compliance with chapter 5 of the GDPR and chapter V of the LED.

Although the UK left the EU officially on 31 January 2020, there has been no disruption to data free flows up to this point, first arising from the terms of the transition under the withdrawal agreement and, more latterly or subsequently, under the terms of the EU-UK trade and co-operation agreement which was agreed, as members are aware, on 24 December 2020. It contains an interim provision relating to data transfers in one of its articles. The immediate impact of this provision is that, for a specified period up to 30 April 2021, which can be extended up to 30 June 2021 unless either party objects, transfers of personal data to the UK will not be deemed transfers to a third country for the purposes of EU law so long as the UK does not materially alter its data protection law regime during that period. As a result, for this specified period personal data can continue to be freely transferred from the EU to UK-based data importers and the UK law enforcement authorities without any requirement to implement additional safeguards that would otherwise be mandated under chapter 5 of the GDPR and chapter V of the LED. This specified period in the trade agreement can end on an earlier date if the adequacy decisions relating to the UK are adopted by the European Commission.

What are adequacy decisions? Article 45 of the GDPR provides that a transfer of personal data can take place to a third country or an international organisation where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country or the international organisation in question ensures an adequate level of protection. Such transfers shall not require any special specific authorisation. Similarly, Article 36 of the LED provides for transfers between law enforcement authorities in EU member states and law enforcement authorities in a third country deemed to have an adequate level of protection. In practice, an adequacy decision means the European Commission has decided that a third country or an international organisation ensures an adequate level of protection for data transfers.

When assessing the adequacy of the level of protection, the European Commission takes into account elements such as the laws, respect for human rights and freedoms, national security, data protection rules, the existence of a data protection authority and binding commitments entered into by the country in respect of data protection. The effect of such a decision is that personal data can flow from the EU to that third country without any further safeguard being necessary. In other words, the transfer is the same as if it was carried out within the EU.

On 19 February 2021, the European Commission published its draft adequacy decisions relating to the UK under the GDPR and the LED. In accordance with Article 70 of the GDPR, the Commission has requested the European Data Protection Board, EDPB, to provide an opinion on the draft adequacy decisions. The opinion of the EDPB is non-binding but will be considered by the European Commission. After taking into account the opinion of the EDPB, the Commission will submit the draft to the member states under the so-called comitology procedure.

This is where a committee composed of representatives from all EU countries provides a formal opinion, usually in the form of a vote, on the Commission's proposed measures. If the member states give the green light to the proposals, the Commission will formally adopt the adequacy decisions. It is understood that the European Commission intends to have the two decisions adopted before the end of June 2021.

If the adequacy decisions are not adopted by the European Commission in the next three months, any organisation in Ireland transferring personal data, whether in the form of using a cloud storage provider in the UK or outsourcing payroll processing to a Northern Ireland-based service provider, for example, will have to themselves implement additional safeguards to their personal data transfer operations. These may be in the form of EU-approved standard contractual clauses or, for public bodies, may involve the conclusion of a binding administrative arrangement between authorities in Ireland and the UK. Given the amount of trade and movement between Ireland and Northern Ireland and Ireland and Great Britain, the volume of personal data transfers between the jurisdictions is estimated to be significant. As a result, the administrative and cost burden for all Irish organisations required to create their own compliance arrangements in accordance with chapter 5 of the GDPR, regarding commercial transfers, would be considerable.

The aforementioned points illustrate that the impact of the withdrawal of the UK from the EU on data protection would be much more significant without the interim provision in the EU–UK Trade and Cooperation Agreement and without the possibility of an adequacy decision proposed for adoption by the end of June by the European Commission.

That is all I have to say. We are happy to take questions about any issues of concern to the committee.