Transfers of Personal Data to the UK and Gibraltar from the Isle of Man when (if?) the UK leaves the EU
At the time of writing, there is still no clarity on if, when or how the United Kingdom (UK) will leave the European Union (EU) and many potential scenarios ranging from an extension to the deadline for leaving, a second referendum, a general election to a withdrawal of Article 50 are all still possible. Accordingly, there appears a real risk that the UK could leave the EU with no transitional deal. If there is a "no deal Brexit", then the UK will neither be treated as a member of the EU, nor will it have an adequacy decision. The same is true of Gibraltar and both will therefore be caught by the general prohibition within the Island's adoption of the EU General Data Protection Regulation (GDPR) into domestic law, prohibiting the transfer of personal data to so-called "third countries", unless there are adequate safeguards in place. Whilst there are mechanisms to facilitate such transfers, this would create a significant administrative and cost burden for businesses. For all the talk of queues at ferry terminals and delays in the importing of goods, if the free flow of personal data to and from the UK was affected in this way, it could have a far greater impact on businesses, especially in the financial services and online gambling sectors.
The Data Protection Act 2018 (Act) is the principal piece of Isle of Man primary legislation addressing data protection. The Act allows for the GDPR and the EU Law Enforcement Directive (LED) to be applied to the Island by way of Order and Regulations. The Data Protection (Application of GDPR) Order 2018 implemented GDPR into domestic Isle of Man law (Order) and is supplemented by the GDPR and LED Implementing Regulations 2018, as amended (Implementing Regulations). The Act, Order and Implementing Regulations constitute the Island's data protection law.
The Order provides that the GDPR applies as part of the law of the Island subject to certain modifications as set out in Schedule 1 of the Order. The GDPR and the modifications are referred to in the Order as the "Applied GDPR" (i.e. the GDPR as amended and as it applies to the Isle of Man).
The GDPR allows the uninterrupted transfer of personal data between countries in the European Economic Area (i.e. the EU, Iceland, Liechtenstein and Norway). Such transfers are also allowed to countries that the European Commission has deemed to have adequate data protection legislation i.e. a so called "adequacy finding". In 2004, the European Commission formally recognised that the Isle of Man's data protection legislation offered an adequate level of protection thereby aiding the transfer of personal data in and out of the Island. The UK's withdrawal from the EU will have an impact on the Island's constitutional relationship with the EU however, it will have no bearing on the Island's adequacy finding from the European Commission.
If a country is not in the EEA and does not have an adequacy finding then additional safeguards are required to be put into place to allow transfers of personal data.
New Isle of Man Regulations
In view of the above, Tynwald approved the Data Protection (Withdrawal from the EU) (UK and Gibraltar) Regulations 2019 on the 20 March 2019 (2019 Regulations). The 2019 Regulations will come into force on the day that the UK (and by extension Gibraltar) ceases to be a member of the EU. Interestingly, the Explanatory Memorandum to the 2019 Regulations makes the point that even if the Withdrawal Agreement is approved in the UK and the UK is therefore still treated as a member state during the transition period, it will not actually be a member state for the purposes of EU law. The Explanatory Memorandum states that "[t]he fact that the UK would be treated as if it were a member state for the purposes of EU law does not automatically mean that references to member states in Isle of Man law can be read as if those references include the UK." Accordingly, even if the Withdrawal Agreement is passed and the UK has a transition period then it was not clear that in the Island's legislation references to the term "member state" would have included the UK.
When the UK leaves the EU it will become a third country, for the purposes of the Island's data protection legislation and the GDPR, without an assessment of adequacy from the European Commission. It should be noted that the finding of adequacy for the UK is far from guaranteed and could take months if not years to be obtained. Accordingly, without new regulations, those wishing to transfer personal data from the Island to the UK or Gibraltar would be required to undertake additional steps as set out in the Implementing Regulations.
The Effect of the 2019 Regulations
The effect of the Regulations is to treat both the UK and Gibraltar as if they were still member states of the EU for data protection purposes after departure day until they are granted an adequacy finding. What would happen if either the UK or Gibraltar is not granted an adequacy finding is not clear. Likewise, how such legislation may impact on the Island's own adequacy finding is also not clear. The Brexit saga continues...
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.