Data-Privacy: Where should Irish companies host their HR and Payroll data?  

We explore some of the data-privacy issues to consider when choosing US cloud-hosting providers and where the UK stands post-Brexit. 

Issues around US Headquartered Providers 

There have been issues between the European Union and the United States over the protection of the rights of EU data subjects since the beginning of the millennium. Principal amongst these issues is that the US does not necessarily provide the same level of data protection rights to non-US citizens as it does to US citizens. The US government does not necessarily provide the same level of data protection as the EU, and its agencies have a broader policy on the collection of communication data and the use of mass surveillance technology.

Instead, a series of agreements, Safe Harbour and Privacy Shield, allowed certain US companies to make data transfers. Both Safe Harbour and Privacy Shield have been successfully challenged in the ECJ by Max Schrems. It will become significantly more onerous for US companies to hold data on EU residents, even in EU-based environments. In these circumstances, there would be risk in any long-term new arrangement with a US provider.

The Cloud Act of 2018 requires US-headquartered companies to provide data on request to the US government, in much the same way as Chinese companies are under the Security Act, regardless of where in the world the data is stored and regardless of who the data is about. From the point of view of a government client, this means that US officials would potentially have access to information about Irish matters that the Irish government could not access, and allowing this type of access to any foreign power is regarded as a national security risk.

Now the question is whether data transfer to and from the UK will become more complicated. RTE, amongst others, has cited concern around the uncertainty of the UK’s position post-Brexit.

The UK as a Third Country in the wake of Brexit 

After Brexit, the UK is now categorized as a “third country” by the EU under the GDPR. However, an interim period of six months (lasting until June 2021) ensures the unrestricted flow of data between the UK and EU until an adequacy decision has been made by the EU.

This may complicate things slightly for Irish companies, although an adequacy decision is currently being developed to facilitate the flow of data between Ireland and the UK. Certain ‘third countries,’ such as Japan, Israel, or New Zealand, have received these decisions from the European Commission. Such a decision allows cross-border personal data transfers from the EU to that country because it has been determined to have an adequate level of data protection safeguards compared to the EU. However, whatever the result from this ruling,

As a result, many companies may begin to consider hosting their sensitive data in Ireland or elsewhere in the EU as the most straightforward option. Furthermore, the Commission has indicated that it will be reviewed every 4 years, should the UK government decide to move away from GDPR.

If you are an Irish company that is currently storing or processing data in the UK, there are several mechanisms to consider:

  1. Standard Contractual Clauses (SCCs): One common mechanism for ensuring the protection of personal data transferred outside of the EU is the use of ‘standard contractual clauses’ (SCCs). This is likely to be relevant to most Irish-based controllers that transfer personal data to the UK or any other country outside of the EEA. 
  2. Binding Corporate Rules (BCRs): One mechanism which might be relied upon by larger multinationals or a group of enterprises engaged in a joint economic activity is ‘binding corporate rules’ (BCRs). BCRs involve a legally binding internal code of conduct operating within a multinational group, which applies to transfers of personal data from the group’s EEA entities to the group’s non-EEA entities. However, these are resource-intensive to establish and involve a review from the Irish Data Commissioner.

This is still an evolving situation with the transition period due to end in June 2021. Irish companies should already be planning for how they are going to deal with these changes.  

Local Irish Data Centres from MHR 

At MHR, our response to these issues has been to offer Irish organisations a full choice of how to proceed. Eamon Rheinisch, General Manager for MHR in Ireland, recently announced the launch of fully local Irish Data Centres, giving Irish customers the option of having all their data stored and backed up locally in Ireland. Hosting data locally with industry leaders in data hosting, Equinix, means that public and private organisations can avoid the complications of the UK’s changing status and the US’ ambiguous protection for non-US citizens should that be the best option for them. 

With over 35 years of experience in the HR and payroll industry and protecting some of our customers’ most sensitive information, we are ideally positioned to advise you on these issues. Get in touch to arrange a conversation with one of our HR and payroll experts today to see how we could help you address these concerns.
