What we know, plus potential ways to make that data flow
Restricted imports of medicines and fresh food, panic buying and civil disorder: these are a few of the potential impacts of a no-deal Brexit listed in a recently leaked Cabinet Office paper. Transferring personal data from most European countries to the UK possibly becoming illegal at 11pm on 31 October? That didn’t even make the list.
Although some would say the latter lacks the drama of the other possibilities a no-deal Brexit might trigger, a no-deal Brexit looks almost certain to block the open flow of personal data between the UK and the rest of the European Economic Area (EEA: the European Union plus the other countries in its single market), at least for a while. Keeping those flows open would require some kind of deal on data, and as former prime minister Theresa May almost said, no-deal Brexit means no deal.
At present, personal data can flow between the UK and the rest of the EEA, and the withdrawal agreement negotiated by the UK and the EU would preserve this until at least 2020. But Parliament has rejected it three times and newish prime minister Boris Johnson has theatrically refused to discuss it with the EU unless it makes big concessions, which it has so far refused to consider.
A poll of economists by Reuters in early August put the chances of a disorderly no-deal Brexit at 35 per cent, the highest level since the company started asking the question two years ago.
Although the respondents are guessing about the future like everyone else, a no-deal Brexit at the end of October at least looks worth preparing for.
What a ‘no-deal’ means, practically, for data flows
No deal means the UK would immediately become a “third country” outside the EU’s General Data Protection Regulation (GDPR) rules. “EU controllers, those who are in charge of data, will be prohibited from transferring data to the UK as a matter of law,” says Kathryn Wynn, a legal director and data protection expert at law firm Pinsent Masons.
Such transfers would only be legal if specific agreements were in place, as is the case for organisations based in India or the United States. The UK might allow personal data to travel to the EEA, although that may be of limited use if similar data cannot flow the other way, and a “no deal” exit would not stop individual Europeans sending their own data to the UK. “When a customer passes their own personal data to a company in the EEA or the UK, it is not considered to be a data transfer and can continue without additional measures,” wrote the UK’s information commissioner Elizabeth Denham in January, which her office says remains current advice.
This means that the thousands of Germans who visit Cornwall each year to check out the settings of Rosamunde Pilcher novels (very popular on German TV) could continue to book rooms directly with Cornish hotels. But if they give their data to a German travel company, that travel company is controlling the tourists’ data and could be blocked from using it to make bookings on their behalf.
A no-deal Brexit could also hit internal transfers, such as those which may take place in a company that employs staff across Europe but runs human resources from a shared service centre in the UK. It could also affect the operations of UK data centres, medical research and data sharing between organisations for financial services, marketing or tackling fraud and other crime, according to “No interruptions”, a 2017 report by trade bodies TechUK and UK Finance and law firm Dentons.
“A no-deal Brexit endangers UK’s position as a global hub for data flows. From day one the free flow of data that underpins every sector from automotive to logistics will be hit,” says Felicity Burch, the Confederation of British Industry’s director of digital and innovation. “These disruptions will affect firms of all sizes and in the worst case scenario could lead to UK companies losing contracts with EU businesses.”
Some involved in running tech companies agree. “There’s going to be a gap in the lawful flow of personal data. In the modern world, that’s madness,” says Adam Hale, a director of several startups. “It’s insane, it’s there and absolutely real,” adds Rune Sovndahl, the Danish chief executive of online domestic services provider Fantastic Services, which has been focusing its expansion overseas since the Brexit vote.
The problem would not arise if the EU agreed that the UK’s data protection regime was adequate to handle European data. This sounds like a formality, given Britain has incorporated GDPR into its law and the EU already has “adequacy decisions” with countries including Canada, Israel, Japan and US organisations that work under the Privacy Shield framework.
But with the EU, formalities can take time. “While we would like the European Commission [the EU’s civil service] to adopt adequacy decisions with respect to the UK as soon as possible, we do not expect adequacy decisions to have been made if we leave the EU with no deal,” reads the government’s most recent advice on personal data and a no-deal Brexit from February.
Asked for an update, the Department for Digital, Culture, Media and Sport says: “It is in everyone’s interests that the exchange of personal data between EU member states and the UK continues.” That may be true, but Pinsent Masons’ Wynn reckons it could take two years to get a UK adequacy decision, adding that the commission might look askance at the UK’s use of surveillance under the Investigatory Powers Act, or that the process could get dragged into the bigger Brexit row.
Vinous Ali, associate director of policy at TechUK, says the quickest such agreement to date, with Argentina, took 18 months to agree.
But what should you do?
GDPR does, however, provide alternatives for individual organisations, the two most viable at this stage being binding corporate rules (BCRs) and standard contractual clauses (SCCs). BCRs are internal data protection rules, approved by a supervisory authority, that bind every entity in a corporate group to GDPR standards for transfers within that group. They are a one-off, flexible solution, described as the “high watermark of data protection” by TechUK’s “No interruptions” report. But they are expensive and time-consuming to set up and as a result are used mainly by large multinationals. The Information Commissioner’s Office has approved just 33 BCRs since 2005, most recently for IBM, BT, financial group Marsh and McLennan and Verizon.
That leaves adding standard contractual clauses, approved by the EU, to contracts governing all EEA-UK data flows. This might not be too bad if there are only a few: “On a per-contract basis it’s very straightforward,” says Pinsent Masons’ Wynn. But one very large (and unnamed) TechUK member had to implement two million standard contractual clauses when the EU-US Safe Harbor agreement collapsed in 2015.
It’s also worth knowing that the Austrian privacy campaigner who caused Safe Harbor’s demise, Max Schrems, is now challenging the validity of these clauses too, in the Schrems II case against Facebook pending before the European Court of Justice. Even so, for most UK organisations, standard contractual clauses look like the least-bad option.
Wynn says that some clients have been reluctant to spend more on data compliance work so soon after GDPR, with senior managers wanting to wait and see whether a Brexit deal can be agreed. She suggests mapping the at-risk data flows now and asking counterparties whether they would be willing to agree clauses, so these can be introduced quickly if a no-deal exit continues to loom.
The Information Commissioner’s Office has published detailed information on what organisations need to do and has a specific tool on standard contractual clauses. TechUK’s Vinous Ali argues the government should go much further in helping smaller businesses by setting up an expert helpline to advise them and in some cases providing direct financial support.
Recalling his days at consultancy Accenture, Adam Hale says: “Whenever timescale is put ahead of quality, that’s when projects go wrong.” But without big changes in the Brexit negotiations – which might happen, but cannot be relied on – British organisations have just a few weeks to try to keep their European data flows legal. As the EU’s chief negotiator Michel Barnier has said on countless occasions, the clock is ticking. ®