techUK’s Sue Daley looks at life after Brexit – focusing on impact to data flows.
Whatever the UK’s future relationship with the European Union (EU), Global Britain will be built on an ambitious vision for its services economy with data-driven growth at its heart. A range of huge social and economic advancements will be powered by data: autonomous vehicles and smart urban mobility, advancements in artificial intelligence and the delivery of personalised public services.
The UK’s data-driven economy is interconnected with other markets and complex supply chains that stretch across the globe. Cross-border data flows underpin our success in the digital economy in recent years, with recent research saying that the UK accounts for 11.5 per cent of global cross-border flows (with a staggering three quarters of those between UK & EU countries). That’s a lot of data which needs to be able to continue moving freely across borders.
When the UK leaves the EU, there will need to be a robust legal basis to underpin cross-border data transfers. Ambitions of a Global Britain post-Brexit with new international trade agreements will not be achieved without a watertight strategy in place for data flows.
What might a robust legal basis for data flows look like?
The Prime Minister has indicated that the Government will seek to ensure that “data flows remain uninterrupted” with the EU. This is a welcome recognition of the importance of data flows to Global Britain’s future but the details of how the UK can achieve this within the context of Brexit negotiations are not yet clear.
The EU has an established framework which permits personal data to be transferred between member states. When dealing with countries outside of the EU (also known as ‘third party countries’), transfer of personal data is only permitted if a country has been deemed to have an adequate level of data protection, as assessed by the European Commission (EC). As the UK leaves the EU, there are questions of how the UK would transition to a third party country status and what the robust legal mechanisms available could be.
Many believe the most effective way to achieve a robust legal basis between the UK and EU is through an adequacy agreement. This is regarded by a number of legal experts as the least burdensome means of guaranteeing international data flows, ensuring minimal disruption for UK and EU companies alike. However, the UK is not guaranteed to receive this status as the UK’s entire legal framework surrounding data protection would need to be evaluated.
There are other mechanisms to transfer personal data across borders to third countries that do not have an adequacy decision from the EC. These require additional safeguards to show that individual businesses offer a suitable level of protection of personal data. These safeguards include mechanisms enabled by the existing Data Protection Directive 1995 (known in the UK as the Data Protection Act 1998) and the incoming General Data Protection Regulation (GDPR), such as Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs), which demonstrate a suitable level of protection.
There are many reasons which prevent these mechanisms looking like a realistic alternative to the UK’s current ability to transfer data.
First, companies are unable to use these mechanisms if they do not have a legal entity or presence in an EU Member State. For example, a UK-based business which offers services directly to European consumers and processes data solely in the UK, with no establishment in the EU, would not be able to use either of these mechanisms.
Secondly, they are incredibly expensive. Large companies may be able to stomach these costs but SMEs and start-ups will find them prohibitive. They also take a significant amount of time to negotiate (sometimes multiple years). The combination of these two points could risk the UK losing out on data-driven innovation.
Thirdly, these mechanisms are subject to considerable legal challenge. There is currently a specific challenge in Ireland on the validity of SCCs, with the Irish Data Protection Authority seeking a referral to the Court of Justice of the European Union. This risks ultimately striking down SCCs as a legal mechanism to transfer data. This is another reason why these alternative mechanisms are not suitable, particularly for SMEs and start-ups.
The UK, therefore, needs a robust and secure legal mechanism which enables data to flow from the EU to the UK and vice versa which does not add administrative and financial burdens. With BCRs and SCCs facing an uncertain future, there is a strong case that agreeing adequacy terms, potentially through a bespoke solution, is the best available known option which also avoids significant burdens being put on companies.
Brexit has to mean data leadership
As the Government prepares to establish new trading agreements around the world this issue will continue to dominate. Trade and data go hand in hand – a comprehensive free trade agreement with the EU will fail to pack a punch if it does not have a robust data agreement to enable it.
From the first day the UK leaves the EU, it is critical we have in place a robust and secure legal basis for the cross-border transfer of data. A data cliff-edge would be crippling for many parts of our thriving services economy. The time is now to show leadership on a Brexit that works for the UK’s data-driven economy.