9 August 2017 | 0
As political upheavals go, it is undoubtedly going to go down in history. On 23 June 2016, David Cameron held a referendum on the issue of the UK withdrawing from the European Union and a ‘modest majority’ of the electorate opted to go.
What has followed since then has been the greatest period of political instability in this part of Europe since the Second World War. Just how will Brexit play out? Will there be a soft exit in which the UK will benefit from some sort of preferential deal with the EU or will there be a hard exit in which there’s no deal at all and the UK is left to fend for itself?
As of now, that is still a great unknown. Negotiations started on 19 June of this year but with just two years to disentangle the UK from a relationship that started in 1969, not to mention a spider’s web of legal and commercial issues, it’s anyone’s guess what will happen.
The consequences of the Brexit vote are enormous, creating headaches in the area of immigration, the economy and academic research, creating uncertainty about Scotland (which didn’t vote to leave the EU) and about the reintroduction of a hard border between Ireland and Northern Ireland.
In the meantime, companies with connections to the UK are left in the position of having to best decide what to do to prepare themselves for Brexit. How will this affect companies that do business with the UK, store data there or routinely shares information digitally with the UK?
For companies in the IT sector, a simultaneous concern is how best to prepare for the advent of the General Data Protection Regulation (GDPR), due to come into enforceable law on 25 May 2018. Many observers are looking to the GDPR to offer some promise of stability in the market in the run up to Brexit—it will apply in the UK for a period of around a year before the country formally exits the EU.
Could it offer some reassurance for companies engaged in planning at the moment?
“The way we look at it is this—the UK is still going to have to comply with GDPR from May 2018 through to March 2019 when it has committed to leaving. So, there’s going to be a 12-month period there where it will be in effect,” said Richard Howard, head of technology, media and telecommunications for Deloitte.
“The question then becomes what happens afterwards? There’s UK legislation in place called the Great Repeal Act whereby it can repeal any EU laws that have been put into UK legislation. The question you’d have is why would any person with common sense repeal legislation or look to change it, because from a UK perspective, any companies looking to export into the EU are going to have to comply with the same data standards.”
As the GDPR represents something like ‘best practice’ when it comes to data regulation, it stands to reason according to Howard, that the UK would want to remain compliant with it. The consequences of not doing so would be to slow up the free flow of data between the EU and the UK, because a result of non-compliance would be that data standards in the UK wouldn’t be high enough.
“There’s no reason why you wouldn’t follow it (GDPR) and from a business perspective it makes perfect sense. Paradoxically, the fear is that the UK might subsequently raise the bar even higher in terms of some of its legislation post Brexit, and that would actually affect European and Irish companies looking to export services there,” said Howard.
“If you look at it from a UK nationalistic perspective, the terror threat in the UK is likely to be higher than, say, Ireland going forward so you could end up with legislation in the UK allowing its’ government to have more access to personal data, to telephone records, to different pieces of data. All that might actually be seen as an invasion of privacy within the EU.”
“That’s probably a risk for Irish companies exporting data or services into the UK.”
For companies that have dealings with the UK, store data in data centres there or have branches there accessing data in Ireland, for a year there will be a GDPR window in which both Ireland and the UK will be operating under the same legal framework when it comes to data monitoring. During that time, it will be safe to transfer personal data to the UK under the provisions of the GDPR.
Once that window closes, Irish companies worried about this issue will have to find some other legal basis for transferring personal data. According to Fintan Swanton, managing director of Cygnus Consulting, one way of doing this is for the European Commission to assess the data protection and privacy standards of a given country and make an official designation, stating that it is an adequate country for data protection purposes.
Swinton is on the executive committee of the Association of Data Protection Officers.
“What that means is that once a country is designated in that way, businesses and other organisations can freely transfer data to it and from any other European Union country or a European Economic Area (EEA) country,” he said.
The EEA is made up of the EU member states plus Norway, Iceland and Lichtenstein.
“So we can freely transfer data to all those countries and any countries which are designated as adequate. If the UK does not get that designation then that’s a different story and as of now it seems likely that it will, at least temporarily,” said Swanton.
The reason is down to things like recent UK legislation on mass surveillance—the Investigatory Powers Act – that legalised many aspects of surveillance in the UK. It allows for intrusive mass surveillance in a way which the Court of Justice of the European Union has had problems with in the past.
“Data protection is, in essence, a human rights matter. Data protection, for example, is detailed in Article 8 of the European Union charter of fundamental rights as one of our fundamental rights. We all have the right to have our personal data protected and processed fairly,” said Swanton.
“That doesn’t mean that there won’t be personal data transfers to the UK post-Brexit, but the question will be what will the alternative means of transferring data be? At the moment, there isn’t an arrangement in place, and while there may be one by March 2019, at the moment I haven’t heard any mention of the possibility of an arrangement like the Privacy Shield that exists between the European Union and the United States.”
Reluctance and fear
In the face of so much uncertainty, many industry observers are slow to give definitive statements on exactly how companies should best prepare themselves. From a legal point of view in particular, much depends on how the UK’s exit negotiations play out over the next two years.
“A lot depends on how the UK extricates itself and whether there are any concessions given. A big question is to what extent is it going to continue to apply rules which are equivalent to EU rules? What I will say is that the GDPR is coming into effect next May and the approach the UK is taking, sometimes called the Great Repeal Bill, is that it will continue to apply most of the existing EU rules in UK law on day one of Brexit,” said Anne-Marie Bohan, a partner with law firm Matheson.
“Under EU data protection law, you cannot transfer data from the EU to a non-EEA country unless you fall within one of a limited number of exemptions. One of those is if the jurisdiction to which you are transferring it has essential equivalence. The EU commission decides if this is the case, and you’d have to assume that day one after Brexit, because the GDPR will have been in effect for a year, that the EU will decide they have essential equivalence.”
“However, over time this might change. New UK case law will emerge and as the UK courts will no longer be subject to the decisions of the court of justice of the EU–factors like this may make it more difficult to transfer data to the UK,” said Bohan.
The essential message from Matheson is that if companies are looking at where they locate their data now, they need to take into account that things are likely to change in coming years. However, a good decision now could save a lot of hassle later on, and leave companies that make them better positioned in future.
“To future proof things, it might be better to locate data in Ireland rather than in the UK, but it’s not going to be an immediate problem post Brexit–there will still be some data flow between here and the UK. And there will also be other ways to do it, it just will become more challenging,” said Bohan.
“At the moment, we’re getting a lot of general enquiries around Brexit, and data protection is most definitely a factor in those enquiries. Ireland has quite a rich data industry and a lot of data centres are already based here. So that’s helpful already but data protection is definitely a factor in the Brexit planning that many companies, particularly data-rich companies, are doing.”
One company that has operations in both the UK and Ireland that is concerned about just how this situation will play out is Trilogy Technologies. For Edel Creely, group managing director, Brexit is an issue very much on her mind.
“Anything that impacts the economy impacts our business, so obviously we want the softest Brexit possible with the least amount of challenges. The big issue at the moment is the uncertainty, because we really don’t know what the outcome will be,” she said.
“In the meantime, we’re still driving forward with our businesses here in Ireland and in the UK and would hope to be able to continue to do that. Interestingly we’ve seen some UK companies we deal with actually expanding their footprint here in Dublin as a result of Brexit and the fact that we’re both here and in London is actually an advantage.”
According to Creely, GDPR is one anchor point in the middle of the uncertainty surrounding Brexit.
“When it comes into force in May 2018, the UK is going to have to abide by those standards and they’re good standards one way or another. It’s very important for all of us that once the UK exits that there are very good levels of clarity around data protection.”
“Because there are restrictions on the movement of personal data outside the EEA, it’s going to mean that while the EU rules will no longer directly apply to the UK, there will still be questions over the governance of these issues in the future in the UK. Again, we’re back to the fact of uncertainty – we just don’t know how this will shake down.”
Labour and travel
Another aspect of the Brexit process that has been slightly overlooked but which is causing concern for Irish technology companies, according to Creely, are potential restrictions on travel and the labour market between Ireland and the UK.
“The UK and Ireland have probably taken the most advantage of all countries in the EU of free and open travel, and maintaining that into the future is going to be hugely important. There are many Irish people working in the UK and many UK people working here and a lot of travel back and forth,” she said.
“We want our people to continue being able to go over and do work on UK client sites and there are concerns that this might become more difficult post-Brexit if restrictions come in.”