Add Data Sharing to List of Brexit Bumps for EU, U.K.

(Bloomberg) -- The smooth transfer of personal data between the European Union and the U.K. — from bank details to your Uber bill — is vital for almost every British business. The U.K. is intent on maintaining that relationship after Brexit, but the EU is making no promises that data-privacy rules will remain as they are.

1. What are the current data-privacy rules?

The EU demands a fundamental right to privacy, including the protection of personal data and the “right to be forgotten” from search engines. The EU offers “adequacy agreements” to countries that conform to these rules, so that their data can be transferred across borders. Some countries, like New Zealand and Argentina, have been deemed as providing fully adequate data protection; the U.S. is only partially adequate and has a separate agreement with the EU. As long as it’s an EU member, the U.K. doesn’t have to prove its adequacy. But that’s about to change.

2. What happens after Brexit?

Any adequacy talks cannot get started until after the U.K. has left the EU, currently scheduled to happen on March 29. Unless the two sides can agree before then on a formal withdrawal agreement that specifies that personal data can continue to flow uninterrupted, the "two-way free flow of personal information" will be affected, according to the U.K. Information Commissioner’s Office. To prepare, the regulator advised companies in December to hunt down all data transfers coming into the U.K. from the EU and make sure they have the "appropriate safeguards" in place. Essentially this means a lot of paperwork, such as signing codes of conduct and promising to adhere to rules on transferring data.

3. Are data flows at risk?

Not really. In the 21st century, stopping data flows would be tantamount to war. But there will continue to be a lot of uncertainty. The U.K. has been consistent in saying it is aiming for an adequacy agreement with the EU. But this could take years. There has been little advice on what to do if no long-term agreements are made on data privacy. What may worry businesses will be the threat of an activist spotting an improper data transfer from one multinational company to another. Companies will be readying themselves for potential lawsuits.

4. What could stop the U.K. getting an adequacy agreement?

The EU warned the U.K. last year not to make assumptions that it will be granted an adequacy decision due to “considerable uncertainties” around its pending departure. The notice wasn’t specific on what the uncertainties are. Two months later, EU chief negotiator Michel Barnier said that “in the absence of EU law that can override national law, in the absence of common supervision and a common court, there can be no mutual recognition of standards.”

5. Isn’t the U.K. already in line with EU data standards?

Mostly, but there have been some conflicts. In January 2018, the U.K. Court of Appeals ruled that a 2014 U.K. law allowing mass data surveillance for security reasons violated EU privacy laws. The 2016 law that superseded it was also found to be in violation. The U.K. shares intelligence with Australia, Canada, New Zealand and the U.S. as part of the “Five Eyes” agreement; the EU has long been concerned about its citizens’ data being accessed by U.S. spies. The EU’s newest privacy law should make any agreement simpler.

6. What’s the new law?

The General Data Protection Regulation went into effect on May 25 last year. All businesses that collect data from EU citizens have to follow its rules, which range from informing consumers about how their data is used to deleting data that’s no longer needed. Businesses that don’t comply will risk fines of as much as 4 percent of worldwide annual revenue. Since the U.K. was part of the EU when GDPR was introduced, its firms now operate under its rules. The U.K. argues this should qualify it for an “adequacy” badge after Brexit.

7. What might a U.K.-EU privacy conflict look like?

Let’s imagine if it all goes wrong. Post-Brexit, during a national-security investigation, U.K. intelligence services demand access to an EU citizen’s personal data, such as encrypted chat messages or payments. The provider hands over the data. The citizen complains to a European regulator, which concludes that this transfer was a human-rights violation. The provider could then be fined by the EU. Needless to say, this could prompt all companies that have been cooperating with the U.K. to stop transferring data without clear approval from the EU.

The Reference Shelf

• The U.K. Information Commissioner’s Office’s advice on data protection and Brexit.
• QuickTake explainers on GDPR and Brexit.
• Banks fleeing post-Brexit Britain are facing fresh regulatory scrutiny in Europe.

To contact the reporter on this story: Giles Turner in London at gturner35@bloomberg.net

To contact the editors responsible for this story: Tom Giles at tgiles5@bloomberg.net, Giles Turner, Laurence Arnold

©2019 Bloomberg L.P.