Is the UK heading toward a Brexit data disaster?

Three-quarters of the UK’s international data flows are with the EU — it will be damaging if that flow is hindered.
6 January 2021

A billboard advertisement by the government informing businesses trading with the EU to act before the end of the Brexit transition period. Source: Shutterstock

  • A Brexit deal was finally agreed, but how data will be transferred across the channel has yet to be agreed
  • The UK is no longer within the realm of GDPR, the clock is now ticking on the UK becoming a ‘third country’ under EU rules
  • This could be a disaster for UK tech companies and businesses dealing with EU citizen’s data  
  • Three-quarters of the UK’s international data flows are with the EU, spanning industries like finance, healthcare, tourism, manufacturing

When we think about the impact of Brexit on the UK and EU’s trade relationship, we might be quicker to imagine backed-up ports and supermarket price hikes, before we consider its impact on digital trade. 

But the UK’s departure from the European Union also means an exit from the General Data Protection Regulation (GDPR), the bloc’s data privacy rules that have served as a model around the world since being introduced in 2018.

The fact is, though, that while the UK and EU finally managed to drag a trade deal over the line after years of negotiating, the transfer of personal data from the continent to the EU is an issue yet to be agreed upon. 

By leaving the Union, the UK has exited the realm of GDPR, wherein data could flow freely between complying members. Of course, in a globalized world of digitally-enabled trade where data truly is the most valuable commodity, it’s in UK companies’ interests to ensure the flow and usability of that data across borders isn’t hindered. 

To allow UK organizations to keep managing EU citizens’ personal data, then, new mechanisms must be set up to regulate data flows. 

Data adequacy

Currently, the EU is conducting a “data adequacy” assessment based on the UK’s data laws, and whether they are sufficiently in-line with the bloc’s own. 

Up until July 1 2021 at the latest, data can be transferred and processed under previous GDPR conditions. 

Source: Shutterstock

If adequacy status is not achieved within six months, however, the UK will become a ‘third country’ under the GDPR, which could be bad news for British tech companies especially, putting them at a disadvantage against global competitors. 

But it would also be challenging for businesses based in the UK, for example, with staff working across the channel. 

In this case, the UK would be forced to engage alternative mechanisms to make sure organizations can still legally process data belonging to EU citizens. 

Businesses have been advised to consider preparing Standard Contract Clauses (SCCs). These are agreements that the European Commission has ruled offer sufficient safeguards, ie. are GDPR-compliant, to data transferred internationally, outside of the European Union.

 

However, SCCs have to be signed by the sender and receiver of data in a specific contract, which adds a significant technical and legal burden. Costs of SCCs at a company-wide scale are high and could cost UK businesses US$2.1 billion if required at a large-scale. 

Stephen Woodford, chief executive of the Advertising Association, said: “There are still many unanswered questions surrounding the future relationship on services, which are key to the success of our economy and make up the largest proportion of UK exports.

“The hard work of navigating these new arrangements in the midst of a global pandemic starts now, with many questions still to be resolved.”

According to research cited by ZDNet, three-quarters of the UK’s international data flows are with the EU, spanning industries like finance, healthcare, tourism, manufacturing — pretty much every industry would be significantly impacted by severance from free-flowing data overseas. 

The UK government has said “we see no reason” why the country shouldn’t be awarded adequacy status, due to its current data laws largely mirroring the EU’s GDPR.

But this has been seen as optimistic, with the UK’s Data Protection Act sat alongside a controversial surveillance law called the Investigatory Powers Act (IPA), which enables the UK government to collect and retain certain citizen data in ways the EU ruled unlawful. 

For UK businesses and the tech industry, a lot rides on the next six months.