EU court ruling puts free flow of data between UK-EU at risk post Brexit transition period
The free movement of data across international borders underpins the modern economy and impacts every sector. In 2017, the UK government estimated that data-enabled services between the UK and EU were worth approximately £111bn.
The UK will maintain its ‘safe haven’ status for EU data, under the General Data Protection Regulation (GDPR), until the 31st December 2020, when the transition period for Brexit is set to end, but will need to be granted an ‘adequacy decision’ by the bloc for this unhindered data flow to continue.
Data adequacy is a status granted by the European Commission to countries outside the European Economic Area (EEA) as a way to protect the rights of EU citizens by insisting upon a high standard of data protection, comparable to that of European Law.
On the 6th October 2020 the EU Court of Justice dealt a significant blow to reaching an adequacy agreement by deeming mass data retention and collection illegal under EU Privacy law. This means that the powers UK national security and intelligence services have to retain individual’s data under UK legislation is contrary to EU law.
Unless the UK is able to reform its data protection laws to comply with those of the EU, by the end of the transition period, any business with customers, suppliers or operations in the EU could face difficulties exchanging data with their EEA stakeholders. Given that 75% of the UK’s international data flows are with the EU, a lack of agreement would have profound disruptive impacts to the European economy.
No agreement – Implications for business
If there is no adequacy decision, or a no deal Brexit, every data transfer between the EEA and UK would require a legal mechanism to facilitate them. The most relevant legal basis to do this is through Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) which needs to be embedded within contracts. The responsibility to implement this lies with the businesses themselves and would involve complicated and lengthy processes, requiring significant cost and resources at a time when firms are already battling the economic fall-out from COVID-19. This would likely result in many companies, especially on the smaller end of the spectrum, struggling to deal with these new compliance burdens. This is supported by estimations that larger UK companies are spending up to 40% of their GDPR compliance budgets on legal advice alone.
Combine this with the fact that many firms may not have sufficient time to set up the appropriate changes or might be unaware that they have to do anything, suggests there is a considerable risk to UK companies for large fines (up to £18 million or 4% of annual global turnover) due to breaches of GDPR regulation. To get an understanding of how quickly and heavily regulators may clamp-down on breaches following the potential changes we can look back to when GDPR was first introduced on the 25th May 2018. According to publications from the European Data Protection Board (EDPB) penalties totalling circa €56 million were issued within the first nine months of implementation, however almost 90% of this was a single fine of €50 million to Google. With average fines of approximately €66,000 during that period, in addition to the stated 100,000 self-reported breaches and user complaints dealt with, it may be suggested that Data Protection Agencies were conservative when assessing GDPR fines. It should be clear however that past performance of regulators is by no means a reflection of future execution and therefore shouldn’t be used as such.
What happens next?
There are several scenarios that could play out which could impact UK-EU data movement.
Scenario 1: No trade agreement
A no-deal Brexit, and the subsequent end of the transitional period, would be the worst outcome for data flows between the UK and EU. The UK would immediately become a third country in EU law and data would not be able to flow freely without appropriate legal structures being put in place, as mentioned above.
In the event of a no-deal exit, the UK government confirmed that it would allow data to flow freely to mainland Europe in an attempt to minimise the legal, economic, and social disruption it would cause. The European commission have however made it clear that this would not be reciprocal, and this is unmistakably reinforced by the latest court ruling.
Scenario 2: Trade agreement but no adequacy decision
It is possible for the UK and EU to ratify a Trade Agreement but still fail to grant the UK an adequacy decision. This is because the EU considers data adequacy a fundamental right and will therefore not negotiate it as part of the wider trade talks. Whilst not a no-deal for Brexit this is a no-deal for movement of data.
Scenario 3: Extension to transition period
In July 2020 the UK government formally declined the possibility of extending the transition period beyond the 31st December 2020. This begs the question, would it be legally possible to extend now? This really is unchartered territory. The most likely way to secure more preparation time is through a lengthened ‘implementation’ phase, the terms of which will need to be negotiated.
This implementation period would hopefully cover the ‘safe haven’ status for EU data that the UK currently holds, giving more time for an adequacy agreement to be granted.
There is also the remote possibility that the EU could temporarily allow free data flow after the transition period until a data agreement can be made, thereby reversing the standpoint they’re currently taking, as highlighted in scenario 1.
Scenario 4: Adequacy agreement reached
Whilst unlikely given the time restraints, the best-case scenario would be for the UK and EU to resolve the current incompatibilities and subsequently grant the UK an adequacy agreement before the end of the transition period. This would allow the continuation of free-flowing data across the channel without the headache of additional compliance and legal costs for businesses.
Given the economic pressures on both sides of the channel, due to the ongoing fall-out of COVID and fears of making Europe a less attractive base for large tech firms, a hard-data exit, is in neither parties interest and as such we predict either an extension to the transition period or the introduction of temporary adequacy.
It is impossible to foresee what the future will hold but given the complicated and unpredictable nature of the Brexit negotiations to date, it is clear that businesses of all sizes need to carefully consider the impact of all of the potential scenarios. As negotiations continue with an air of uncertainty, no doubt amplified by COVID-19, we all need to remain alert and agile, ready for significant changes at the end of 2020, whatever the final outcome.
For advice on how this will impact your business and how you can best prepare for each scenario, please get in touch and we would be happy to set up a complimentary tailored session.