UK seeks to limit Brexit effect on personal data flows

But businesses around the world should also be planning for the effects of Brexit, the British exit from the EU, particularly if they send EU citizens’ personal data to or through the UK for storage or processing.

On 29 March 2019, the UK will cease to be part of the EU and, barring any agreement or arrangements to the contrary, the export of personal data from the EU to or through the UK will be banned.

The UK government is hoping to convince the Commission that UK law post-Brexit will provide sufficient privacy protection, and is seeking an ‘adequacy decision’ that will allow the data transfers to continue unabated.

Late last week the government published a slim discussion paper seeking to play up the importance of data transfers in determining the UK’s future relationship with the EU. It’s light on detail: just 15 pages to address future compliance with all existing EU data protection law and the 260-page GDPR that will replace much of it next year.

The flow of personal information contributed around 2% of EU gross domestic product (GDP) in 2015, and that will rise to 3% in 2020, according to Commission figures cited in the UK document. The government estimates that 75% of the UK’s cross-border data flows are with EU countries.

While the EU is important to the UK’s data economy, the UK also accounts for a disproportionately large chunk of cross-border data flows worldwide – 11.5% in 2015, although it accounts for just 0.9% of the world’s population and generates just 3.9% of its GDP.

Businesses that don’t want to bet on the outcome of the UK’s negotiations with the European Commission have other options to ensure that they can continue moving their customers’ and employees’ personal information through the UK.

They’re essentially the same options that businesses exporting data to the US had in the limbo period between the suspension of the Safe Harbour Agreement and the introduction of the Privacy Shield.

They include the use of model contract clauses on data protection approved by the Commission, the adoption of binding corporate rules for intra-company transfers, and obtaining the informed consent of data subjects to the export of information about them.

With an adequacy decision, the governments reach an agreement that applies to everyone equally. The downside of the alternatives, especially for small businesses, is that the companies have to do all the legal work, drawing up the agreements and demonstrating their compliance.

The UK government hopes to convince the Commission that its laws already provide adequate privacy protection and that, post Brexit, it will ensure they continue to do so even after the introduction of the GDPR and the directive on law enforcement use of personal data.

One sticking point in the negotiations may be the UK’s introduction in November 2016 of the Investigatory Powers Act, nicknamed the Snoopers’ Charter. It opened the way for a thousands of police officers and tens of thousands of tax inspectors to see which websites citizens are visiting, among other personal information that telecommunications operators will be obliged to collect and retain for inspection. The law also grants information access to officials at the government bodies that pay unemployment benefits and old age pensions, and that regulate gambling, farm workers, food health and air safety.

In December the Court of Justice of the European Union ruled that similar powers introduced under an earlier law, the Data Retention and Investigatory Powers Act of 2014, were incompatible with EU law. Although the ruling did not directly address the 2016 act, it clearly shows which way the court would lean if asked its opinion. Whether that will happen before the UK leaves the EU remains to be seen.