Debt Recovery Update: Debt Collection Data – Is “No Deal” Brexit Really a Big Deal?
06 February 2019
The dramatic political developments in Westminster in recent weeks have brought the prospect and potentially far-reaching effects of a 'hard' Brexit into sharp focus.
Indeed, as 29 March 2019 draws closer, the lack of certainty surrounding any withdrawal deal, or the now-expected 'no deal' Brexit, is causing increased concern among Irish entities and the wider EU business community.
One key area where uncertainty remains is that of transfers of personal data to and from the United Kingdom.
Debt collection is an activity that is very much reliant on the transfer of third party personal data, either borrower or debtor. This is the case regardless of the economic sector within which the debt arises, be it financial services, governmental or general business debt. If your organisation uses any UK entities to collect debt, it is almost certain that there is a transfer of personal data to that UK entity. It is therefore essential to have a robust plan in place on how to deal with this in the event of a no deal scenario.
Flows of personal data
Under EU data protection law, free movement of personal data is guaranteed between EU member states. It is possible to transfer personal data to countries within the European Economic Area (the EEA) with no additional restrictions.
Where cross border transfers of debt data are made to a recipient outside the EEA, these are considered to be a transfer to a “third country”. Such data transfers generally require additional safeguards to be put in place in order to ensure continued application of the EU’s data protection standards and to ensure their legitimacy.
“No Deal” Brexit
In the event of a ‘no-deal’ Brexit, in which no withdrawal deal is agreed, and the UK leaves the EU on 29 March 2019 with no transition arrangements in place, the UK will become a ‘third country’ for the purposes of EU personal data transfers. This will result in restrictions on data transfers to the UK.
Consequently, the rules applicable to data transfers to third countries as set out in Chapter V of the General Data Protection Regulation (GDPR) will apply to transfers of personal data from Ireland to the UK and one of the transfer mechanisms or one of the additional safeguards must be implemented.
Both the Irish Data Protection Commissioner (DPC) and the UK Information Commissioner (ICO) are aware of the situation and both have issued recent guidance on data transfers post 29 March 2019.
The most straightforward way to transfer personal data to a ‘third country’ is where the third country has been recognised by the EU as having an “adequate” data protection regime. Indeed, the political declaration on the framework for the future relationship between the EU and the UK, which was previously approved by EU leaders, provided that future data transfers to the UK should take place on the basis of an adequacy decision post any transition period. However, not surprisingly, the DPC has confirmed in its preliminary guidance that no adequacy decision, incorporating such recognition of the UK data protection regime will be in place before the end of March 2019.
While Irish creditor organisations may view this as having significant implications on transfers of personal data from Ireland to the UK including Northern Ireland, provided they take action now, any implications or restrictions on data transfers are manageable.
For many Irish companies, any additional legal safeguards required will likely be the inclusion of Standard Contractual Clauses (SSCs) into contracts with their counterparties and/or suppliers in the UK. SSCs are model contracts approved by the Commission, which implement contractual safeguards between a data exporter and a data importer. Indeed, they are already the most commonly used mechanism for the transfer of data, including debt collection data, outside of the EEA.
In the midst of all of the uncertainty surrounding the UK’s withdrawal from the European Union, Irish creditors should not simply await further clarity on whether the anticipated ‘no deal’ Brexit will occur, as the Westminster position seems to shift by the day.
Echoing DPC guidance, our recommendations for Irish creditor entities are as follows:
- Identify and map existing data flows to and from the UK, which may include the onward processing of personal data sent to a UK collector e.g. onward to a UK tracing agent.
- Review and decide whether to update agreements to include standard contractual clauses to legitimise data transfers to the UK.. Ensure that UK data importers have arrangements with their sub-processors that incorporate the protections afforded to data subjects by SSCs.
- Review where personal data is being stored, including third-party hosting facilities. Identify all UK-based locations and look towards risk mitigation strategies in the absence of EU regulations or their equivalent being in place when Brexit takes complete effect and the UK leaves the EU.
To learn more about successfully recovering debt, contact a member of our Debt Recovery team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.