The EU’s trade negotiator Michel Barnier recently said that a post-Brexit deal seemed unlikely. This supports our view at Securys that the Brexit transition period will close without an adequacy agreement, bringing an end to the unrestricted flow of data between the UK and the European Economic Area (EEA).
Buried in a weekend article came the suggestion that the UK government aims to relax rules around data and finance in the event of a no-deal Brexit. But there is no suggestion that Europe and other nations complying with Europe’s General Data Protection Regulation (GDPR) standards will do the same.
In fact, recent rulings across Europe suggest that local data protection authorities are gearing up to act on potential breaches — I’m thinking of Berlin, Belgium and Italy in particular.
This will be a one-way problem. A multinational will be able to send UK employee and consumer data into the EEA, but sending data into the UK from Europe will be more difficult.
Europe’s concern for our privacy rights, as expressed in GDPR, is genuine. However, it’s also politically expedient for a bloc that aspires to keep the value of digital business inside Europe. Since around 2013, there’s been a move toward a European digital trade barrier, or a form of protectionism. If July’s decision in the European Court of Justice, in the so-called Schrems II case, is combined with the absence of an adequacy agreement post-Brexit, useful steps are made toward this outcome.
There’s a great deal of economic value and foreign direct investment to be gained from converting empty office buildings into data centres. (As Covid-19 measures see staff working from home, empty office space will become increasingly available.) All the processing — not just the servers — will need to be done within the EU, creating a good many high value jobs.
Imagine all the data transfers of Apple, Google, Facebook, Amazon and other big players staying inside Europe, including backups. It represents a huge boost to tech sector employment and infrastructure. And it could lead to a real shake-up.
In terms of cloud hosting it could even, in theory, see American SaaS firms like Salesforce deciding that it’s not worth keeping operations in the EU and selling out to local operators such as SAP — in a mirror of the proposal for ByteDance to sell the US arm of TikTok to Microsoft.
Conversely, restricted data flow presents an enormous challenge to the UK. The digital economy accounts for 7.7 per cent of the UK’s GDP; it’s worth £400m a day to our economy.
Processing data from outside the UK accounts for perhaps one third of that figure. If we lose just one half of the value of data processing, that amounts to around 1.5 per cent of GDP. We could face losing that overnight on 31 December this year, by the way.
A contraction of 1.5 per cent of GDP is enough to tip us automatically into recession. That’s not taking into consideration the rest of our service sector, which in total is worth 80 per cent of GDP. We’ll see financial services in particular hit if there are barriers to the free flow of data.
And then there are the job losses we can expect when the internal global shared services hubs for functions like HR and procurement, created by global multinationals as cost-saving measures, move out of London and into the EU.
Others are welcome to provide alternative estimates about the economic impact. I’m unable to find any analysis of this outcome — which I find rather worrying.
As we prepare for this scenario, UK businesses face two years’ worth of work that has to be crammed into three months, before the transition period ends on 31 December.
The finance sector in particular is going to be affected, even if by some miracle a form of passporting is preserved for their core activities. Many have been told, wrongly, that Article 49 derogations under GDPR will protect them from arduous re-configurations of data transfer processes. However, these derogations do not apply if the data transfers are routine, say every week or more, or done in bulk.
So where to start? Regulatory enforcement is inconsistent, there isn’t much time, and political interests are at play. It’s important to take a risk-based approach, looking at which transfers to address first depending on the type of data, the need for the transfer and where it is going.
Unless some other mechanism is agreed, if there is a no-adequacy Brexit, in most cases so-called Standard Contractual Clauses will be needed. These are long and demanding addenda to contracts between participants in an exchange of data. Following the ECJ judgement in July, this is more than merely a contractual exercise. Businesses will have to complete due diligence on the party receiving the data to be sure GDPR standards will be respected. But in countries such as the UK and the US, which operate mass surveillance, it will be very difficult to demonstrate this.
Businesses transferring data to the UK from Europe will also have to update their privacy notices and provide appropriate avenues of redress for data subjects. By the same token, UK businesses will have to appoint representatives in the EU to act as their point of contact for EU citizens whose data they process.
In the end, many businesses are going to decide it’s not feasible or economic to conduct transfers of European data into UK-based hubs. They will have to accept the cost and burden of moving those functions into Europe.
But if a company is to continue processing European data in the UK, it’s vital to get started now, to be in a position to show the working by 1 January. This means being prepared to show the regulator in the European country the data is going from, on a case-by-case basis, the actions taken to protect it. With all the challenges businesses face, this is not a naughty list they want to find themselves on this coming festive season.