The impact of Brexit on transfers of data by UK and European businesses
November 2017 | SPECIAL REPORT: PREPARING FOR BREXIT
Financier Worldwide Magazine
November 2017 Issue
One of the primary goals of the European Union and the single market is the harmonisation of national laws. The regulation and protection of personal data in the UK is mainly set out in the Data Protection Act 1998. These rules, like their Irish equivalent, derive from EU law. In the wake of Brexit, the paths taken by the UK and EU in relation to data protection law may diverge significantly.
The fact that the UK is set to leave the EU and therefore may not be subject to the incoming European-wide General Data Protection Regulation (GDPR) post Brexit is a cause of worry for many financial services and technology businesses based in the UK. But are these concerns justified? And how is data protection regulation in the UK and the rest of Europe likely to pan out post Brexit?
Two key data protection issues arise for financial services and technology businesses as a result of Brexit: (i) it is likely that, despite Brexit, the UK will need to comply with EU data protection laws; and (ii) the transfer of data from EU Member States to the UK will potentially become more complicated.
No longer in the club
If the UK does not join the European Economic Area, major challenges will arise with respect to the free flow of data between the EU and the UK. EU data protection law prohibits transfers to countries that do not provide an “adequate” level of protection for personal data. This means that transfers of personal data between the EU and the UK could be presumptively unlawful and may only take place if certain derogations apply. The UK government has stressed that it is keen to secure the unhindered flow of data between the EU and the UK post Brexit.
EU businesses that in the ordinary course of business transfer data to the UK face a problem if the UK no longer has the necessary protections required by EU law. The reality, however, is that the UK is likely to be significantly more constrained in its options, particularly if it hopes to remain a hub of financial and technology activity. If the UK’s goal is to maintain substantial access to the single market, it will come under pressure to ‘sing from the same hymn sheet’ as the EU lawmakers.
The post Brexit options for the UK
First, the UK could join the European Economic Area (EEA), which would facilitate the transfer of data from the EU to the UK, without the need to put in place specific data transfer arrangements. If the UK wants to join the EEA, it will need to adopt the GDPR.
Second, if the UK does not join the EEA, it may ask the European Commission (EC) to issue a decision finding that UK law is “adequate” for the purposes of international data transfers. Only a handful of countries are recognised as meeting this standard today, including Argentina, Israel and New Zealand. Such an adequacy decision could only be forthcoming if UK law was ‘essentially equivalent’ to EU data protection law. This means that the UK would likely have to adopt the GDPR.
Third, if the UK does not join the EEA, transfers of personal data between the EU and the UK could take place through, for example, the use of EC approved model contractual clauses. However, international data transfers are a fraught area at present, and the Irish data protection commissioner recently commenced proceedings in the High Court seeking a referral to the Court of Justice of the European Union (CJEU) and a declaration that model contractual clauses are themselves in breach of EU law, at least where used for transfers to the US. Litigation of this sort may make it more challenging to address data transfers between the EU and the UK in future.
The UK’s options – burn the bridge or get behind the GDPR
As an added complication, the EU laws on data protection are changing radically before Brexit is finalised. The GDPR comes into force across the EU on 25 May 2018. Unlike its predecessor, the GDPR will, in general, apply directly to all EU Member States. In other words, the same obligations and restrictions will be imposed on all EU Member States.
The GDPR obligations represent a significant toughening of EU data protection rules. The UK government’s stance was initially to take advantage of Brexit by proposing its own data protection rules and not adopting the GDPR. Some stakeholders in the UK may see the Brexit negotiations as an opportunity to promote an agenda where UK data protection laws post Brexit contain less restrictive data control requirements than the current EU laws. There are varied reasons for arguing this – from giving UK businesses a competitive edge over their European-based competitors to progressing their own company’s agenda. However, this agenda would be difficult to achieve if the UK wants to stay in the single market. The GDPR is a ‘text with EEA relevance’ so, if the UK wants to join the EEA, it will need to adopt the GDPR. It is also the case that UK businesses that deal with other EU countries will still need to comply with the GDPR. This is because of the GDPR’s expansive scope, which applies to companies based outside the EU that offer goods or services to individuals located in the EU.
The EC recently released a paper which suggested that Britain needs to either abide by the European Union data protection laws in respect of personal data gathered prior to Brexit or destroy that data. Importantly, the paper argues that the UK will only be able to continue to use and process data or information obtained prior to Brexit in accordance with the new rules being brought in by the GDPR.
But after prime minister Theresa May’s speech in August 2017, it appears that the UK intends to introduce rules that retain the high standards of data protection contained in the GDPR and not diverge substantially from EU data protection law.
From the commercial perspective of UK businesses, three-quarters of all the UK’s cross-border data flow currently occurs within or through the EU. The main aim of the UK’s new rules should therefore be to ensure that data can continue to flow freely between EU countries and the UK. The UK government has indicated, however, that British data protection legislation will differ from the GDPR in certain areas. A number of exemptions are planned which the UK government says will provide added protection for journalists, scientific and historical researchers and sport anti-doping agencies.
Considerations for financial services and tech companies
If the UK does not join the EEA, serious issues will arise with respect to the free flow of data between the EU and the UK. For example, if there is a material divergence between UK data protection law and the GDPR once it is introduced, businesses that have operations both in the UK and in Ireland or other EU countries will be subject to different data protection regimes simultaneously, which in itself will add complexity for data protection compliance. This will likely cause administrative difficulties and internal discrepancies within businesses. For businesses located in other EU countries to transfer data to their UK counterparts, the UK recipients would be required to have protections in line with those set out in the GDPR. Having two data protection systems in place between two or more companies within a group could create unnecessary tension and an increased risk of breaching data protection laws.
Over the past few months, multinational businesses have been following the UK’s data protection proposals closely. The fallout from any division in data protection rules is, justifiably, being weighed as a major consideration in a company deciding to locate an office outside the UK, especially if the company’s business is heavily dependent on the transfer of data. Having a presence may allow that company to benefit from ‘one-stop-shop’ regulation that reduces the risk of re-regulation of the same set of data processing activities by multiple EU data protection regulators.
When the dust settles?
Nothing is certain in the world of Brexit and new developments seem to appear on a weekly basis. For the time being, it looks likely that Brexit will have a significant impact on the UK in relation to data protection. It is likely that, despite Brexit, UK businesses that deal with other EU countries will still need to comply with the GDPR in some form as the new law applies to companies based outside the EU that offer goods or services to individuals located in the EU.
In addition, even though the UK may enact similar legislation to the GDPR, the transfer of data from EU Member States to the UK will potentially become more complicated. In such a climate, businesses that deal in large volumes of data, such as those in the financial or technology industries, may look to neighbouring countries like Ireland as a potential base for their EU operations.
Mark Adair is a partner and David Mallon is a trainee at Mason Hayes & Curran. Mr Adair can be contacted on +353 1 614 5000 or by email: firstname.lastname@example.org.