No Post-Brexit Arrangement on Data Protection Will Affect UK-EU Trade

Kelley Drye Client Advisory

The European Union (EU) is preparing to treat the United Kingdom (UK) as a third country after its withdrawal from the bloc, commonly known as Brexit. Unless a deal is agreed before 29 March 2019, the UK’s trade with the EU will be heavily impacted by regulatory restrictions, increased costs, and lengthier procedures applicable to the movement of people, goods and services. Less obvious is the impact on trade of potentially restricted data flows under the “no deal” scenario. With only eight months left until Brexit Day, the UK and EU have yet to start talks on a data protection agreement.

Data flows play an increasingly important part in international trade and are estimated to contribute up to 2.8 trillion USD to the world economy. In 2016 alone, EU services reliant on data exported to the UK, such as finance, telecoms and entertainment, were worth approximately 36 billion EUR. Data flows from the UK to the EU constitute as much as three-quarters of all data from the UK. Under the EU’s General Data Protection Regulation (GDPR), however, personal data included in such data flows must be protected. For companies, this can include employee data (e.g., payroll information, biographical information, etc.) and customer data (e.g., contact information, transaction information, biographical information, social media profiles, etc.). Data flows from the EU to a third country are permitted if the European Commission has issued an adequacy decision finding that the third country’s data protection laws are adequate to meet the objectives of the GDPR, or if they rely on another adequacy mechanism approved by the European Commission (e.g., EU-approved Binding Corporate Rules, use of Standard Contractual Clauses, etc.).

The UK, however, is of the view that its historic relationship with the bloc and current regulatory alignment place it in a different position than other third countries vis-à-vis the EU. The UK recently published a position paper outlining its proposal for a data agreement that goes beyond the unilateral EU adequacy decision. Instead, the UK seeks a legally binding agreement to allow for EU-UK data flows that cannot be changed unilaterally by the EU. According to the UK, such an agreement would provide greater legal certainty, stability and transparency, as well as reduced costs and more efficient processes, for both UK and EU businesses.

While the UK strives for special treatment, time may be too short to achieve a bespoke agreement, even if the EU were willing to treat the UK differently than other third countries. Further, even a standard adequacy decision may be difficult to obtain by the time the UK exits the EU. Once the UK is no longer part of the EU, Brussels can demand higher protection of personal data held by government agencies, including intelligence agencies, which are excluded from EU data protection requirements while the UK is part of the bloc. The same issues arising from a conflict between expectations for the protection of personal data and security interests as were seen during the negotiation of the EU-U.S. Privacy Shield (adequacy mechanism) may surface once data protection negotiations or the procedure to determine the adequacy of UK data protection laws begins. In the absence of an agreement or adequacy decision, companies trading in the EU27 (the EU minus the UK) that rely on personal data being stored, managed or processed in the UK will have to provide appropriate legal safeguards to continue those operations. For example, a German-based business using a UK cloud provider for accounting information would have to implement an appropriate data transfer mechanism for the data-sharing to satisfy the adequacy requirement under GDPR. Even the flows of personal data within the same company (or group of companies) from the EU to the UK would be subject to this requirement for an appropriate data transfer mechanism. Given the current uncertainties in the Brexit negotiations, companies urgently need to ensure they have legal mechanisms in place to allow for the continuing data flows necessary to support their international trade and business operations.