On 25 August 2019 the Guardian newspaper reported that a No-deal Brexit will ‘instantly disrupt’ the UK’s role as £174bn global data hub. The article is based on a “Brexit Insights” paper from University College London’s European Institute.
The GDPR directive protects personal data in a way that safeguards privacy and security and allows for appropriate economic activity. The GDPR directive has direct effect and has been transposed into UK law by the Data Protection Act 2018. In the UK the directive is enforced by the Information Commissioner’s Office (ICO). The ICO’s “teeth” bite with heavy and painful fines.
Consequently, the current UK legislation and ICO regulation protect privacy and private data, giving effect to the values enshrined in the Charter of Fundamental Rights of the European Union, particularly article 1, which declares that human dignity is inviolable, article 7, which requires respect for private and family life, and article 8, which gives protection of personal data: (1) Everyone has the right to the protection of personal data concerning him or her. (2) Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. (3) Compliance with these rules shall be subject to control by an independent authority. In short, data protection is part of the EU constitutional order and the right to protection has been robustly defended by the Court of Justice of the European Union (CJEU).
A huge number of businesses and enterprises depend upon the movement of personal data across international borders in order to function, particularly service industries such as finance, banking, retail and hospitality (Patel and Lea say that 79% of the UK economy is dependent upon services). Digital technology companies are particularly reliant on the free international flow of data, and the digital technology sector is of pivotal importance to economic growth. Given that the rationale for Brexit is said to be enhanced international trading opportunities, it is ironic that the data-dependent services sector is acutely vulnerable to uncertainty through disruption of its life-blood data circulation post-Brexit.
The effects of Brexit playing out in relation to data protection are, unsurprisingly, dependent upon whether or not the withdrawal agreement negotiated by Mrs May’s government, or a different draft which would have to have been agreed before the end of October by Mr Johnson’s government, is in fact ratified; so-called “soft” Brexit. In the event of ratification of either the May or a Johnson withdrawal agreement, then after the end of October 2019 the UK will no longer be an EU “member state” and will become a “third country”, in the terminology of the EU. If there is ratification of a withdrawal agreement, however, then this will at least create a period of transition which would allow for the UK and EU27 to investigate, negotiate and potentially settle a new UK-EU treaty dealing with data flow and concomitant protection.
In the alternative, if it transpires that there is no ratification of any withdrawal agreement and a “cliff edge” or “hard” Brexit occurs, then the sudden transformation of the UK in the eyes of the EU to third country status will cause significant legal, economic, political and social disturbance and interruption. The current free flow of data is likely to be immediately obstructed, generating all manner of unpredicted knock-on effects which are likely to adversely affect service industries engaged in cross-border activity and trade.
In either the “hard” or “soft” Brexit scenario, the immediate problem will not be data flow interactions moving from the UK to the EU, but in the opposite direction from the 27 EU member states to the UK. Application of EU legal norms will dictate that data can only move to the UK if the UK complies with EU law and with the additional rules applying to third countries.
The mechanisms whereby the EU ensures that data protection standards are respected by third countries include adequacy decisions. Adequacy decisions have been summarised as “the EU’s way of ‘protecting the rights of EU citizens by insisting upon a high standard of data protection in foreign countries where their data will be processed’”. The EU currently has adequacy decisions with 13 third countries and, entirely predictably, the European Commission investigates and assesses whether the third country’s data protection laws are sufficient and acceptable according to EU legal criteria. Thus, the balance of power is with the EU, which can determine who can enjoy the economic advantages of unhindered data flows through the vehicle of adequacy decisions. Also entirely predictably, the adequacy assessment process is hugely complicated and inevitably involves significant administrative time and resources.
From the perspective of the EU 27, the most sensitive and difficult element of the adequacy decision process is the enforcement of EU data protection legal standards and the control of onward transfers of data from a third country with which it has an agreement to other third countries outside its sphere of control. Obviously, the EU cannot enforce its rules in foreign jurisdictions. Once personal data has travelled out of the EU to a third country, the EU loses power over how the data can be controlled and whether it is forwarded across other international borders in onward transfers. Therefore, the only mechanism that the EU can use to protect the forwarding of EU citizens’ sensitive personal data is to rely upon the agreeing third country’s judicial systems and regulatory bodies to respect and police EU legal norms and standards to preserve the protection afforded to EU citizens.
Immediately after Brexit, the starting point vis-à-vis the EU is that the standard of the UK domestic data regulation system is likely to be considered high. However, the EU will be obliged by its own rules to assess in particular how EU citizens’ data is to be dealt with when there is a risk that it will be transferred onwards beyond the UK.
Nonetheless, if, post-Brexit, there is no country-wide adequacy agreement between the UK and the EU, then there is still the possibility of entities in the EU being able to transfer data legally to entities in the UK. However, additional safeguards will have to be put in place by the individual organisations involved, which will generate an additional administrative burden for each entity. In effect, the UK-based entities risk being forced to “re-invent the wheel” on an individual, case-by-case basis according to the EU’s rules if they want to continue to benefit from receiving EU-origin personal data.
In summary, whether hard or soft, Brexit seems most likely to generate uncertainty, disrupt data flows and create additional bureaucratic obstacles. This will be particularly challenging for small and medium-sized enterprises, which will find it more difficult to absorb the additional layer of administration.