From Banks to Uber, Data Flows Are at Risk Without Brexit Pact

(Bloomberg) -- The U.K. government has attempted to reassure businesses that data flows will continue following Brexit, but the risk of an abrupt exit has caused concerns over the free flow of information.

The smooth transfer of personal data between the European Union and the U.K. — from bank details to your Uber bill — is vital for almost every British business. Following a so-called ‘hard Brexit,’ the U.K. faces being classed as a ‘third country,’ meaning transferring information would involve thousands of inter-company contracts rather than international laws.

“If there is a Brexit, then the U.K. would be a third country,” said Patrick Van Eecke, partner at DLA Piper, “and there is no free flow of data between the U.K. and the EU anymore.”

The risk of the U.K. exiting the EU without a clear agreement increased after the U.K. Parliament on Tuesday rejected the current Brexit deal. If a new agreement cannot be reached, or if the deadline is not extended, the U.K. will crash out of the EU on March 29.

Outside the EU, countries have to rely on so-called “adequacy agreements” if they want their data to move to and from the bloc. This means conforming to EU standards on data protection and privacy.

The EU has deemed some countries, like New Zealand and Argentina, as providing fully adequate data protection. The U.S. is considered only partially adequate and has a separate agreement with the EU.

The EU could still add the U.K. to such a list, especially given the U.K. already abides by the EU’s General Data Protection Regulation, but negotiations can take years and an adequacy determination wouldn’t be in place by the time the U.K. crashes out of the bloc. A transition period would have provided enough buffer for the U.K. to get an adequacy decision.

“We recognize the need for data flows between the U.K. and other countries to continue unhindered as Britain leaves the EU,” a U.K. government spokesperson said. “We remain in constant dialogue with industry to prepare for a range of possible outcomes and are determined to minimize any disruption to data flows.”

But a hard Brexit creates the risk of regulatory limbo as companies will have to scramble to put in place individual agreements with the EU firms with which they exchange data.

“Entities operating across the Channel will face significant challenges to have legal alternative transfer mechanisms to transfer personal information in and out of the U.K. in place from day one,” Thomas Boué, European head at The Software Alliance, a lobby group, said.

For larger companies, this is not expected to be an issue. Firms can draw up data transfer agreements “within an hour,” based on templates issued by the European Commission, Van Eecke said.

“Quite a few European companies have a high level of maturity with data protection compliance,” he said. “They already have model contracts with companies outside the EU” and will only need to ensure they now include companies in the U.K. as well.

But companies will need to make sure that agreements are drawn up with all their data counterparties, which can run into the thousands for even mid-sized companies.

“A no-deal Brexit definitely means more bureaucracy, not less,” said Eduardo Ustaran, co-director of the global privacy and cybersecurity practice at Hogan Lovells.

©2019 Bloomberg L.P.