Impact of Brexit on Data Protection and Data Flows between the UK and the EU: Discussion

The witnesses for today's meeting are from the Data Protection Commission, DPC. The agenda is as follows: the impact of Brexit on data flows between the UK and the EU and, more broadly, on data protection; dealing with a potential future divergence in data protection law between the EU and the UK; the impact of Brexit on companies and organisations transferring or storing data between the UK and the EU; and the data protection implications which arise from the increased customs paperwork.

The evidence of witnesses who are physically present or who give evidence from within the parliamentary precincts is protected pursuant to the Constitution and statute by absolute privilege. However, witnesses who are to give evidence from a location outside the parliamentary precincts are asked to note that they may not benefit from the same level of immunity from legal proceedings as witnesses giving evidence from within the parliamentary precincts do and may consider it appropriate to take legal advice on this matter. Witnesses are also asked to note that only evidence connected with the subject matter of the proceedings should be given. They should respect directions given by the Chair and the parliamentary practice to the effect that, where possible, they should neither criticise nor make charges against any person or entity by name or in such a way as to make him, her or it identifiable or otherwise engage in speech that might be regarded as damaging to the person or entity's good name.

Members are reminded of the long-standing parliamentary practice to the effect that they should not commit or make charges against a person outside the Houses, or an official, either by name or in such a way as to make him or her identifiable. I remind members that they are only allowed to participate in this meeting if they are physically located on the Leinster House campus. In this regard, I ask all members, prior to making their initial contributions, to confirm that they are on the grounds of the Leinster House campus. Participants in the committee meeting from a location outside the parliamentary precincts are asked to note that the constitutional protection afforded to those participating within the parliamentary precincts does not extend to them. No clear guidance can be given on whether, and to what extent, such participation is covered by absolute privilege of a statutory nature. I also remind members that there may be times throughout the meeting where there may be technical difficulties or glitches but we will work through those. I ask all participants to mute their devices when not contributing in order to avoid any feedback in the system.

On behalf of the committee, I welcome Mr. John O'Dwyer, deputy commissioner, and Ms Nicola Coogan, assistant commissioner, from the DPC. I thank them both for making the time to attend our meeting to make statements and take questions from members. It is much appreciated. I call on Mr. O'Dwyer to make his opening statement.

Mr. John O'Dwyer

I thank the Chairman. I am thankful for the invitation to meet with the Seanad Special Select Committee on the Withdrawal of the United Kingdom from the European Union to discuss the implications for transfers of personal data to the UK. I am deputy commissioner and head of regulatory activity. One of the areas under my responsibility is international data transfers.

I am accompanied by Ms Nicola Coogan, assistant commissioner and head of unit of the international transfers unit.

As all present are aware, flows of personal data to and from the European Union are necessary for international trade and co-operation. However, the transfer of such personal data from entities in the EU to entities located in third countries outside the Union should not undermine the level of protection afforded to those data by chapter 5 of the general data protection regulation, GDPR, and chapter V of the law enforcement directive, LED. A "third country" is defined as a country outside the European Economic Area. Transfers of personal data to third countries or international organisations, including onward transfers to another third country or another international organisation, must be carried out in full compliance with chapter 5 of the GDPR and chapter V of the LED.

Although the UK left the EU officially on 31 January 2020, there has been no disruption to data free flows up to this point, first arising from the terms of the transition under the withdrawal agreement and, more latterly or subsequently, under the terms of the EU-UK trade and co-operation agreement which was agreed, as members are aware, on 24 December 2020. It contains an interim provision relating to data transfers in one of its articles. The immediate impact of this provision is that, for a specified period up to 30 April 2021, which can be extended up to 30 June 2021 unless either party objects, transfers of personal data to the UK will not be deemed transfers to a third country for the purposes of EU law so long as the UK does not materially alter its data protection law regime during that period. As a result, for this specified period personal data can continue to be freely transferred from the EU to UK-based data importers and the UK law enforcement authorities without any requirement to implement additional safeguards that would otherwise be mandated under chapter 5 of the GDPR and chapter V of the LED. This specified period in the trade agreement can end on an earlier date if the adequacy decisions relating to the UK are adopted by the European Commission.

What are adequacy decisions? Article 45 of the GDPR provides that a transfer of personal data can take place to a third country or an international organisation where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country or the international organisation in question ensures an adequate level of protection. Such transfers shall not require any special specific authorisation. Similarly, Article 36 of the LED provides for transfers between law enforcement authorities in EU member states and law enforcement authorities in a third country deemed to have an adequate level of protection. In practice, an adequacy decision means the European Commission has decided that a third country or an international organisation ensures an adequate level of protection for data transfers.

When assessing the adequacy of the level of protection, the European Commission takes into account elements such as the laws, respect for human rights and freedoms, national security, data protection rules, the existence of a data protection authority and binding commitments entered into by the country in respect of data protection. The effect of such a decision is that personal data can flow from the EU to that third country without any further safeguard being necessary. In other words, the transfer is the same as if it was carried out within the EU.

On 19 February 2021, the European Commission published its draft adequacy decisions relating to the UK under the GDPR and the LED. In accordance with Article 70 of the GDPR, the Commission has requested the European Data Protection Board, EDPB, to provide an opinion on the draft adequacy decisions. The opinion of the EDPB is non-binding but will be considered by the European Commission. After taking into account the opinion of the EDPB, the Commission will submit the draft to the member states under the so-called comitology procedure.

This is where a committee composed of representatives from all EU countries provides a formal opinion, usually in the form of a vote, on the Commission's proposed measures. If the member states give the green light to the proposals, the Commission will formally adopt the adequacy decisions. It is understood that the European Commission intends to have the two decisions adopted before the end of June 2021.

If the adequacy decisions are not adopted by the European Commission in the next three months, any organisation in Ireland transferring personal data, whether in the form of using a cloud storage provider in the UK or outsourcing payroll processing to a Northern Ireland-based service provider, for example, will have to themselves implement additional safeguards to their personal data transfer operations. These may be in the form of EU-approved standard contractual clauses or, for public bodies, may involve the conclusion of a binding administrative arrangement between authorities in Ireland and the UK. Given the amount of trade and movement between Ireland and Northern Ireland and Ireland and Great Britain, the volume of personal data transfers between the jurisdictions is estimated to be significant. As a result, the administrative and cost burden for all Irish organisations required to create their own compliance arrangements in accordance with chapter 5 of the GDPR, regarding commercial transfers, would be considerable.

The aforementioned points illustrate that the impact of the withdrawal of the UK from the EU on data protection would be much more significant without the interim provision in the EU–UK Trade and Cooperation Agreement and without the possibility of an adequacy decision proposed for adoption by the end of June by the European Commission.

That is all I have to say. We are happy to take questions about any issues of concern to the committee.

I thank the witnesses for their presentation. This is an area that has not received sufficient public attention in all the discussion about Brexit. It is, as the witnesses imply, potentially quite serious. I might ask two or three questions first and then follow with another two or three which are related.

Mr. O'Dwyer made the point that if the adequacy decisions are not adopted, the administrative and cost burdens that will be required for Irish businesses and organisations to make their own compliant arrangements will be considerable. Has the Data Protection Commission quantified that in any way? I ask Mr. O'Dwyer to answer that first, then I will come back with other questions, because that is quite serious.

Mr. John O'Dwyer

It would be considerable. We ourselves have not quantified because we would not be aware of the extent of the transfers taking place daily. I have seen figures mentioned in the media of approximately €1.6 billion. I do not know if there is any basis to that but we have not carried out that work. Thousands of transfers happen every day of the week that we are not aware of and do not need to be aware of.

Mr. O'Dwyer mentioned EU approved standards and contractual clauses. He will be aware, in light of the Schrems II judgment, that companies are still required to perform their own due diligence to ensure that whatever data transfer and storage they have is safe. In light of that requirement of due diligence and the previous question that I asked about compliance arrangements, what measures does Mr. O'Dwyer believe that Irish companies and organisations should be taking to prepare for these possibilities?

Mr. John O'Dwyer

I will address this first and then hand over to my colleague, Ms Coogan, who is more familiar with the detail. In general, since the European Court of Justice judgment of last July, the European Data Protection Board, EDPB, which we are a member of as the data protection authority in Ireland, has issued some guidance about this. We have issued preliminary guidelines about supplementary safeguards. Those guidelines are now being finalised by the EDPB, having undergone public consultation. Ms Coogan will address the measures that can be put in place to help companies.

I want to be clear that we are talking only about cases where there is not an adequacy decision. If the adequacy position is adopted, there will not be any need for these measures.

Ms Nicola Coogan

I will deal specifically with companies that need to continue transfers in the event of there being no adequacy or some kind of delay in adequacy measures such as the standard contractual clauses which we mentioned. In theory, standard contractual clauses are an off-the-shelf arrangement that can be appended to the data protection contracts that companies should have in place as processes, for example. However, the judgment of the court has made that slightly more complex because that assessment has to be done and the companies have to decide if there is a gap in the level of protection within the UK, if we are talking about the Brexit scenario, that they need to put in place supplementary measures.

As Mr. O'Dwyer stated, the EDPB has published guidance on supplementary measures. There is quite a lot of detail. There was a huge level of interest in the public consultation and we have been going through the submissions and assessing if more needs to be done. If I was advising a company on what to do in the first instance, I would say to look at the transfer and see if it needs to continue to the UK. If that is the case, they need to look at whether standard contractual clauses are appropriate or if any of the derogations apply. It is unlikely in a commercial transfer that they could apply, for example, in an ongoing arrangement such as a payroll scenario. The companies would need to do an assessment to determine if there was an issue regarding access to data by law enforcement and what kind of additional measures to employ such as encryption, anonymisation or whatever else. Some examples were given in the original supplementary measures guidelines which might be of assistance in the first instance.

I have two other questions that I will put quickly. We hope there will be a continued smooth transition and that effectively we have the same data protection and data privacy regimes in the EU and the UK. I know some of this is political, but views have been expressed by the British Prime Minister and some of his advisers that they want to move away from GDPR. We saw that the US had concerns about the privacy shield for reasons of surveillance purposes, cybersecurity and counterterrorism. What would be the implications if the UK adopted a similar type approach to the privacy shield as the US and decided to introduce measures that would effectively amount to surveillance of data? What should we do here to prepare for that?

My final question relates to a concern I have expressed publicly. Given the scale of the work the Data Protection Commission has on a variety of issues and the ever-growing demands on it, do the witnesses believe the DPC is sufficiently resourced to be able to address the potential range of concerns that could arise as a result of the adequacy decisions not being adopted or if we start to see the data protection regimes between the EU and the UK diverge?

I again thank the witnesses for their presentation.

Mr. John O'Dwyer

To address Senator Byrne's first question about divergence, this is built into the adequacy decision. I will go back a little in the sense that we are starting from a very good place as the UK has implemented the GDPR in full in its national legislation. It is probably the closest we will ever have to a third country that has a good data protection regime.

It has the legislation and the redress mechanism in the sense that people can bring cases to the Information Commissioner's Office, ICO, which is the equivalent of our organisation in the UK. The UK has a full complaints and judicial procedure in that regard. That is all built in so it is starting from a good place. If it does start to diverge and if the UK Government decides to change the legislation or to dispense with the ICO for some reason, mechanisms are built into the adequacy decision that allow the European Commission to suspend that decision in whole or in part. Those kinds of protections are built in. In addition, there is a sunset clause. The adequacy decision will expire after four years unless renewed. It will not continue in force after those four years but, because of that sunset clause, must be proactively renewed. This allows a review to take place in four years' time which will see what the situation in the UK and in UK law is at that time. There are also measures that may be taken in the interim if the UK begins to diverge.

On the question of the DPC's resources, our resources have been increased substantially over recent years. I joined the DPC in 2013. At that time there were fewer than 30 staff and the commission budget was approximately €2.5 million. We now have almost 150 staff and our budget for 2021 is €19 million. The Government has been quite good in resourcing the commission. In recent years, we have received substantial increases in resources year on year. Like any organisation, if we had more money and more resources, we could do more. There is a lot more we could do because, as I said earlier, thousands and thousands of companies are processing personal data every day of the week. There are lots of them we do not need to go near. There are also the very high-profile companies operating platforms such as Facebook, Google and all of those other companies based in Ireland. They take up a lot of our resources but, more than occasionally, we also get involved with other companies and public sector bodies.

The Senator may have seen our annual report, which was released last week. We were notified of in the region of 6,000 breaches last year. All of those breaches are assessed internally within the DPC, after which we interact with the companies involved. We receive thousands of complaints every year and, again, we interact with the companies against which those complaints are made. There is a lot of activity and, obviously, if we had more resources we could do a lot more but, equally, I do not want to be in any way critical of the Government. It has been very generous in providing the DPC with year-on-year increases. We hope to continue to build on that.

I will follow on from where Senator Byrne finished off. He has a much more in-depth knowledge of these issues than I do but I hope the questions I ask will be of use to us in compiling our report and of use to others because many of those who are listening or watching online would like to ask the same questions since they are fairly fundamental. I join the Chairperson and Senator Byrne in thanking both of our witnesses for being here and for their presentations. Could they please go back to the matter of the adequacy decision and its adoption? In their response, will they explain the process of its adoption? Must it now be adopted by EU member states or by the European Commission? If we judge it to be acceptable, will everything automatically be fine or is the UK to have an input? In responding to Senator Byrne, Mr. O'Dwyer said that the EU had approved a very sophisticated and advanced system in respect of the GDPR, which should help. Will the witnesses explain the process by which the decision is to be adopted?

How will that process work practically? Is there anything our Government could do then to increase the chances of the adequacy agreement being accepted, that we as a committee could recommend in our report? It would be a great outcome for the decision to be accepted. Is there anything our Government is not doing now, for example, such as diplomatic activity which could be stepped up a level to ensure a positive outcome? The Government and the country in general are good at diplomacy and we have proved that right through this Brexit process. I would like Mr. O'Dwyer to comment on those aspects.

The questions raised by Senator Byrne stand as well of course. I refer especially to his query regarding a doomsday scenario whereby the adequacy decision is not accepted and the associated costs if that were to happen. Mr. O'Dwyer's answer was that those costs would be very high. The processes in that regard are interesting too. However, the members of the committee, as well as anyone watching, would be interested to see if we could solve this potential problem at source. I would like an answer on that aspect.

Forgive me if a good bit of this information has been given already, but I certainly missed it. I hope my queries reflect those of others who also may have missed this information. I thank the witnesses.

Mr. John O'Dwyer

That is no problem. I am more than happy to go through the information, and if I do not cover it all the Senator should feel free to come back to me again. My understanding is that the Commission negotiated the draft adequacy decisions with the UK, and then presented those decisions publicly on 19 February, which is about a week and a half ago. Those decisions were sent to the European Data Protection Board, EDPB, which is a group composed of data protection commissioners from across Europe. The process in place allows us to give an opinion, albeit that opinion is not binding on the Commission.

We will therefore be making recommendations to the Commission regarding the adequacy decisions if we feel there are gaps in that agreement that need to be closed. Equally, the member states in a Council context, which effectively means this area will be the responsibility of the Department of Justice, will look at this agreement as well and they will be asked to provide a formal opinion. A vote will then be taken on that formal opinion. The Commission will then decide on whether to adopt the adequacy decisions. The likelihood is that the European Commission will adopt the agreement, and it is in everybody's interests that it does so. Obviously, the situation will continue to be monitored.

If Senator Joe O'Reilly is asking me what anyone can do to assist in this process, we have our role and we will carry out that role as regulators. The Department of Justice, as a member of this Council group, has a role as well. If the Department of Justice, therefore, is happy to support this process and to show how happy it is to support it, then maybe it could lobby others to support the agreement in the same way. It will be a matter for the Department of Justice to take a stance on this issue. I am obviously not able to speak on the Department of Justice's behalf, but that Department will have the lead role in this process.

As a supplementary question, and without Mr. O'Dwyer putting himself in a corner or anything like that, what is his sense of what will happen? Will the agreement on adequacy decisions go through? I take his point regarding the role of the Department of Justice. This committee should recommend to the Department that it adopt a high profile when it makes its decision in this regard.

Mr. O'Dwyer has his regulator's hat on, but one assumes that he will also be approaching this matter with the national interest in mind. Subject to what happens ultimately of course, does Mr. O'Dwyer have a sense of whether this agreement will go through? If he does have the sense that it will go through, then the major priority is for our Department of Justice to push the agreement. One assumes that other countries would be fairly neutral about this issue. If the agreement was acceptable for us and the Commission, one would assume in that case that countries like France, Norway or Italy would not have a big problem in this regard.

Mr. John O'Dwyer

Assuming the agreement on the adequacy decisions goes through the various steps, there is a good chance it will be adopted. To reiterate, the process is starting from a good point. The GDPR had already been brought into the UK's national legislation word for word and that country also has a regulatory body in the form of the Information Commissioner's Office, ICO. Up to a couple of months ago, therefore, the UK had exactly the same procedure in place as any EU country concerning legislation on privacy and associated controls. This process is starting from a positive position therefore and for that reason I think there is a good chance that it will be adopted.

I thank Mr. O'Dwyer and the Chair.

I have a couple of questions myself. Is the extension pretty much guaranteed? Is it just a technicality whereby, at the end of April, it will be automatically extended? When will we know for certain that the extension will happen?

Mr. John O'Dwyer

My understanding is it will run to the end of June. I do not think there is any danger about the extension. One side would have to object and it is very unlikely that either will do so. Something would have to go terribly wrong between now and the end of April for it not to be extended. It would take something like the UK Government indicating that it will dispense with the legislation, or something like that. I do not see that happening. I think the extension will continue until the end of June. The timescale the Commission has laid out sets out an expectation of the end of June rather than the end of April, as far as I know.

Turning to the assessment of the adequacy of protection offered by what is now a third country, Mr. O'Dwyer listed out the areas that are considered, such as laws, the protection of human rights and freedoms, national security, data protection rules and others. How in-depth is that assessment? He might excuse my lack of knowledge on this but is that assessment freely available for citizens to view? As has been the case throughout Brexit, we are approaching a cliff edge, so there is considerable pressure to get this over the line. Can we assure citizens that all these elements that are to be assessed will be done to the highest standards, not having any regard to that political pressure to get this over the line?

Mr. John O'Dwyer

Yes, the European Commission carried out the assessment. To be clear, the regulators here have an important, but not huge, role in respect of it. Obviously, we have more of a role later if something arises. The European Commission has been negotiating this adequacy agreement for a number of months, even prior to the end of the year and to the agreement being put in place. Those negotiations were stepped up dramatically from the end of December and it was then able to present the adequacy decisions on 19 February. All that assessment was carried out by the European Commission. The European Data Protection Board - ourselves - will be looking more closely at that and I presume that the member states, such as the Department of Justice, will also be looking at it.

As for how available it is, I am not sure. I do not know how much the European Commission makes available, although Ms Coogan might know a little more about this.

Ms Nicola Coogan

The draft decision itself is public. It contains a good deal of information about what laws were assessed and gives the Commission's opinion on, for example, human rights and surveillance issues. It goes through a number of the laws and practices within the UK and is publicly available for anybody to read. It will give a feel for what work has been done with the Commission on the UK side. The Commission's final judgment was that it is satisfied that there are adequate levels of protection, which is what it has put to us and the EDPB to further assess.

Ms Coogan stated that the judgment has gone to the European Data Protection Board. Do we have a date for when its opinion is due or an indication as to what it might say?

Ms Nicola Coogan

The Commission has asked for the opinion by 19 April. The agreed practice under the GDPR is that it gives us two months. We are working towards that and a number of subgroups of the EDPB are working on drafting the opinion. We held our first meeting only last week, so many discussions and assessments are still taking place and drafting teams are being formed to go through each clause and to determine whether there is anything we need to comment on. The practice, as has happened before, is that the opinion will be expressed and we will have commentary on certain elements whereby we might ask for wording changes or clarifications or suggest different wording where we think it could be clearer. We are happy enough with the wording but we may give a comment on whether we agree with the assessment of the Commission. Without pre-empting what will be said, that is the way it will happen.

The EDBP opinion will probably be published in advance of that deadline of 19 April, if at all possible, and that is what we are working towards. Then it can go on to the next stage, which is comitology with the member states and the Commission. Hopefully, it will all be wrapped up before the end of June.

Fingers crossed. All Brexit processes have involved these tight timelines. I wish to touch upon the next process, that is, the comitology procedure and the process within the member states. Am I correct in stating that the decision will be assessed by a committee within the European Parliament, which will have representatives from each member state? Is that the process? How it is assessed by the Parliament?

Mr. John O'Dwyer

My understanding is that it is not assessed by the European Parliament. There is nothing to stop the Parliament giving an opinion or view on it but my understanding is that it does not have an official role in the process.

Then how does the section of the process wherein members states assess the decision work?

Mr. John O'Dwyer

Unfortunately, we are not party to that so I am not able to give more detail on it but it would be done through one of the committees of the Council. It used to be called DAPIX but I am not quite sure what it is called now. Ms Coogan might know the name. There is a committee under the Council of Ministers that discusses all data protection issues, so that would be the remit of the Department of Justice.

Senator Byrne has already touched on the potential fallout of not passing these adequacy decisions or it not working out the way in which we would like. He also probed the DPC's ability to deal with that because one would think it would increase its workload. What is Mr. O'Dwyer's assessment of the impact on Irish businesses and organisations should that happen? The DPC's opening statement reads: "... the administrative and cost burden for all Irish organisations required to create their own compliance arrangements in accordance with Chapter V GDPR would be considerable." What level of assessment has the DPC carried out on the potential implications of that? Has it been engaging with the Department of Enterprise, Trade and Employment, for example, in that regard? Has there been any other inter-organisational engagement on this island to prepare for that potential outcome?

Mr. John O'Dwyer

We had been preparing quite substantially up to the end of the year on the basis that, if there was not an agreement, this would all happen from 1 January. Ms Coogan and her team had been engaging in a large way with business representatives, SMEs, IBEC and other such organisations. We had also been feeding into the Government's Brexit strategy through making information available on our website and Government websites to ensure that businesses were aware of the implications for them and what they had to do. We have provided a great deal of information on this already but if it looks like there will not be an adequacy decision in place by the end of June, we will restart that process of ensuring businesses are aware of their obligations and what they need to be doing. We get the impression that it is a mixed bag. The big organisations have plenty of resources and can put money into this and employ experts to do it. The biggest problem with much of this, and with Brexit in general, is trying to help the SMEs, particularly if they are not people who deal in data, as they might send to the UK or Northern Ireland for HR or payroll services.

We have met companies in the Border region that say they have been dealing with UK companies in the North for the last 20 years for their payroll and that those companies are only up the road. We say that up the road is still across the Border and that they need to take that into account. They say they have always dealt with those companies, that there has been no problem and that it is just up the road. We are saying to them that if there is no adequacy decision, up the road is across the Border and dealing with those companies will be an international transfer to a third country, with all that goes with that. They need to put the various safeguards, whether standard contractual causes or other mechanisms, in place. A standard contractual clause is probably one of the most obvious mechanisms for most companies. There are serious issues for companies to consider. These are things that they do not normally think of because they do not think they deal in personal data.

When people talk about data transfer, they automatically think of the Facebooks, Googles and Twitters of this world but it is happening in thousands of companies every day of the week.

We took that seamless transfer of data and many other things for granted before Brexit. We are only starting to realise what we had now that we have lost it and are hoping we can mitigate some of that loss.

I am coming to the end of my list of questions so I ask the witnesses to bear with me. The tone from both witnesses is fairly positive. They seem reasonably confident that this will go the way we need it to go. Have there been any indications from other member states that they are concerned or unhappy with the process? Are there any banana skins that might pop up from other member states?

Mr. John O'Dwyer

We are not aware of any at the moment. As Ms Coogan said, the discussion at EU level is just starting. They had their initial meeting last week and as that moves on over the next two to three weeks, we will see if there are issues for the EDPB. Reading some of the public commentary on it, people are raising issues around a restriction on or limiting of data protection right for immigrants so we will look at that. Generally the commentary is quite good. I do not want to say it a third time but we came from a very good starting point with the legislation that was in existence in the UK.

Is there a point at which we come back and carry out the assessment process again in terms of divergence? Will that happen in five or ten years and who monitors this? Is it the joint partnership council that implements the overall trade and co-operation agreement or will there be a separate monitoring body that will assess how this is working? How does it work with other third countries? Do we continually assess to determine whether they are still meeting the requirements in law, human rights and freedoms, national security, data protection and all of the things that were initially assessed?

Mr. John O'Dwyer

They continue to be assessed. There are 12 other adequacy decision in existence at the moment with different countries, which are continually assessed. The most recent one that was agreed was with Japan about two years ago and that is currently under review. There are in-built reviews of those decisions. As I said earlier, there is a four-year sunset clause on this one so a review will have to take place before the end of that period. Equally, at any stage if a data protection authority or the ICO in the UK have any concerns about divergence in legislation, they can bring that to the attention of the European Commission and it will then decide whether there needs to be any suspension of the adequacy decision. Ms Coogan may wish to add to that.

Ms Nicola Coogan

The four-year period is very important because while the other decisions are reviewed, they are perpetual decisions. Reviews are built into the GDPR but this is unusual in that it ends after four years and the whole process has to be done again to renew. It is not just simply a case of the European Commission conducting an assessment. It will be brought back to the EDPB and will go through the comitology procedure again. That is dissuasive for divergence in the law. The UK will want this to be renewed. If there is any fear of it not being renewed, that will have huge repercussions for businesses and for public sector bodies as well because it is not just businesses that are transferring data across to the UK. The four-year provision is unusual. The draft decision says that the European Commission has a role in monitoring but it also calls on the supervisory authorities or any body to draw attention to any concerns they may have about something in the law or something in a case, on foot of which the decision can be paused, suspended or completely repealed at any time.

I thank Ms Coogan. It is interesting to note that it is slightly different from other agreements. I agree that it sounds quite persuasive to maintain a certain level of protection to ensure that we continue with that agreement in place. I thank Ms Coogan and Mr O'Dwyer for answering my questions. Senator Malcolm Byrne wishes to come back in.

I thank the witnesses for their comprehensive answers. Following on from them, I wish to deal with practical examples. Mr. O'Dwyer referenced a company whose payroll was done across the Border. I would like to look at a company that has, for example, a division operating in the North and another operating in the South or a division here and another in England or Scotland and is gathering data in both jurisdictions.

Given the potential uncertainty in the coming period, what advice might the Data Protection Commission give to such a company?

My second question is around the nature of the data. Part of the problem is that people often think data amount simply to a case of a person tapping something in on a form, such as name, address, personal public service number and so on. However, increasingly data is around what is gathered on closed-circuit television. Mr. O'Dwyer has been helpful to me with such issues before. Anyway, we are looking at new technologies, including biometrics. This is particularly relevant in the surveillance society. Does the commission have concerns from a security point of view if the UK goes down a different route? I am unsure whether people think about data in those ways.

Finally, another current issue we are considering is around the question of the vaccine certificate. As we know, there are discussions about introducing what is potentially an EU-wide vaccine certificate for the purposes of travel and, more generally, for admission to events or even restaurants or bars. Do the commission representatives have any views on that? Is there divergence in the regimes? What if there is an EU vaccine certificate introduced but the UK decides to operate a separate or different regime concerning vaccine certification?

Mr. John O'Dwyer

There is quite of lot to address there and I will try to cover as much as I can. I will ask Ms Coogan to cover the issue about cross-border transfers between the same entity.

We will have to wait to see how vaccine certification pans out, what exactly will be involved in respect of personal data and how that data will be transferred. A data protection impact assessment may have to be carried out on any data that would be processed as part of the certification and the underlying legislation that would be put in place. Would it be national legislation or EU legislation? There is much to play for yet before we can give an opinion on exactly what data protection issues arise. Anyway, we are available to be consulted. Like any legislation or new project, we are available to give our views on it.

Senator Byrne raised an issue about surveillance and divergence. Obviously, this would be a major issue. One of the issues in the Court of Justice of the European Union ruling was the concern in the USA about mass collection of data. If that were to start happening in the UK there would be major concerns. This is all yet to be seen. The same issues would arise as arose with the US in respect of surveillance if that was to happen. I will ask Ms Coogan to give more detail on the transfer of data from the same entity across a border.

Ms Nicola Coogan

If it is the same entity, it will depend on the legal personality. It may be a branch of an Irish entity operating in the North but it may not be a legal entity in its own right. That is slightly different from a case involving two or three companies within the same group. In a branch scenario, it might not necessarily constitute a data transfer if data was being processed in the branch in question. Anyway, we would still need to have clear and comprehensive processes for what can happen with the data, restriction of access, ensuring there is a basis for this and that only necessary processing takes place. There may be two entities within the same group. Some of the banks have entities in the North or the UK for example. This may mean there would be a transfer. The adequacy decision will cover this if it is in place. If there is no adequacy decision then the banks or a large entity might have binding corporate rules to allow the data to be transferred within the group. Standard contractual clauses would probably be the first port of call.

On the other point about surveillance and things like that, the UK is slightly different in that it is still under the jurisdiction of and submission to the European Court of Human Rights, which means there are certain processes that would be adhered to as regards oversight of surveillance and so on. That is a positive in the adequacy decision on the UK as well, which will help assuage any worries in that regard.

Part of the reason I asked was because, as Ms Coogan knows, we do not know about the eventual political decision but there are certainly some who believe the UK should withdraw from the European Convention on Human Rights.

I do not think Senator Byrne is expecting an answer to that particular-----

I do not but it will obviously become a concern if the UK does withdraw. That is what I am flagging.

I thank the Senator. That brings our meeting to an end. All members who were offering have come in and asked questions. On behalf of the committee, I sincerely thank Mr. O'Dwyer and Ms Cannon for attending today's meeting and engaging with our committee. There was a very wide range of questions put to their office and they have answered all of them with great knowledge and depth. We really appreciate it and it will be extremely helpful to us in the preparation of our final report. It is one of those niche issues that perhaps has not fully grabbed the attention of the public but is really important to the operation of everything in our daily lives. I thank Mr. O'Dwyer and Ms Cannon for all the information they have given the committee this afternoon.

Mr. John O'Dwyer

I wish to thank the committee for the opportunity to meet with it. We are more than happy to come back if there is any particular issue members wish to discuss further, particularly as the adequacy decision progresses through the system.

I thank Mr. O'Dwyer, that is much appreciated. We may very well look for that engagement further down the line once we see what comes out in the next number of months. I thank members and witnesses for their attendance.

The select committee adjourned at 4.02 p.m. until 3 p.m. on Monday, 8 March 2021.