Data Sharing Gets Squeezed by Delays to Brexit Talks
The smooth transfer of personal data between the European Union and the U.K. — everything from bank details to your Uber bill — is vital for business in the region. Officials need to decide whether these transfers are still legal after the Brexit transition period ends on Dec. 31, but companies have yet to be told what the final rules are.
1. What are the current data-privacy rules?
The EU has established a fundamental right to privacy through its General Data Protection Regulation, including the “right to be forgotten” from search engines. It offers “adequacy agreements” to other countries that conform to these rules, so that their data can be transferred across borders. Some of these so-called third countries, like New Zealand and Argentina, have been deemed as providing fully adequate data protection. As of Jan. 1 the U.K. will also be a third country.
2. Isn’t the U.K. already in line with EU data standards?
The U.K. has agreed to uphold GDPR, and has said it will keep data flowing to the EU from Jan. 1. However, the EU has yet to finalize an assessment of the adequacy of Britain’s data privacy protection standards. In addition, a surprise decision by the European Court of Justice in July toppled an EU-approved trans-Atlantic data transfer tool over fears citizens’ data isn’t safe once shipped to the U.S. The ruling added pressure on the EU to make sure its adequacy decision for the U.K. can withstand future legal challenges.
3. Are data flows at risk?
Not really. In the 21st century, stopping data flows would be tantamount to war. A good example is what happened right after the July ECJ decision. The judgment offered no grace period, theoretically forcing companies to comply and immediately stop transferring data unless they had another transfer tool in place. But in practice, confusion about what the ruling means has made it hard for companies to know what to change, and regulators have for the most part given them a de facto grace period by allowing them space to figure this out instead of charging them with breaches right away. The scenario for EU-U.K. data flows immediately after Dec. 31 might be a similar one.
4. When will we hear a decision on data adequacy?
The Brexit trade talks and EU efforts to finalize an adequacy decision are two separate processes. We could hear a decision on data adequacy alongside the announcement of a trade deal, but the timing hasn’t been confirmed. If trade negotiators walk away and Britain finishes the transition period without a deal, the Commission hasn’t said what will happen to an adequacy decision. Either way, time has just about run out for companies to prepare.
5. What should companies do?
A common legal work-around is to introduce so-called standard contractual clauses; this would be a matter of a firm updating existing paperwork with new language. The July ECJ ruling means the bloc is taking a much tougher approach, and companies using these clauses may need to include extra privacy measures, such as swapping identifying information with pseudonyms. Official guidance on what firms should do has been criticized by tech industry groups as too rigid and leaving smaller companies struggling to follow a complex analysis.
6. What if companies can’t get this done in time?
GDPR, in effect since May 2018, gives the bloc’s regulators powers to fine companies as much as 4% of annual sales if they violate citizens’ data protection rights. The rules apply to any company that processes EU citizens’ data, regardless of its location. The continued uncertainty around Brexit and the additional pressure from the July ruling mean regulators are unlikely to immediately target firms whose data flows are not in line.
©2020 Bloomberg L.P.