Brexit has happened: the UK is no longer a part of the EU. But while trade deals have been struck, one issue still looms on the horizon: data flows with Europe.
The UK has the third-highest level of cross-border data flows in the world (after the US and China), 75% of which pass between the UK and the EU. The EU has yet to decide whether the UK’s data protection regime is sufficient to allow the free flow of data continue – a condition known as ‘data adequacy’. And the boss of a network that represents UK technology businesses has warned that the sector is completely unprepared for the eventuality that no agreement is reached.
“We’re getting close to a really tricky situation for a digital and technology sector if we don’t get this in place,” says Russ Shaw, CEO of Tech London Advocates, which represents more than 9,000 tech leaders and entrepreneurs across the UK and another 50 countries.
A six-month bridging period was set out in the EU-UK Trade and Cooperation Agreement (TCA), signed at the end of last year. If no data adequacy agreement is secured within this time, UK businesses may instead be forced to rely on standard contractual clauses (SCCs) – bespoke data agreements that companies must set up on an individual basis. But Shaw says that at this point, it’s not even clear whether such SCCs would be accepted by the EU.
Several factors are complicating the EU and UK’s ability to agree to a data adequacy deal. For the EU to grant data adequacy status, it has to be convinced that the country in question has the same data security standards as the bloc. The UK has argued for equivalence on the basis that the Data Protection Act 2018 and UK GDPR were developed in tandem with the EU.
The fly in the ointment is the UK’s state surveillance practices, which include the bulk collection of internet and communications data. Prominent figures advising on the EU’s decision, such as the Hamburg commissioner for data protection Johannes Caspar, have argued that unless the UK agrees to halt these practices, it is doubtful that a data adequacy agreement can be struck.
If a data adequacy deal can’t be reached, the second most likely possibility would be setting up a bespoke data agreement that covers the whole of the UK, similar to the US and EU’s Privacy Shield agreement. But matters are complicated by the fact that last summer the Privacy Shield was invalidated by the EU Court of Justice, due to the US’s inadequately secure data practices. This throws doubt upon the ease with which the UK could be expected to secure such a bespoke data agreement.
What this means in practical terms is that customer and client data flowing from European countries to UK businesses could conceivably be blocked by the EU. Shaw says that this would represent a significant disruption for digital start-ups and other businesses that rely heavily on data. “We’ve talked a lot about trade and goods and services, and what would happen if goods were blocked from the EU coming into the UK,” says Shaw. “Bits and bytes have to go through that same process.”
There was an assumption that a data adequacy agreement would have been covered in the December TCA agreement. Some businesses are only just realising that hasn’t been done.
What’s worse, says Shaw, is that many businesses are unaware of this impending crisis. “I think there was an assumption that a data adequacy agreement would have been covered in the December TCA agreement,” he says. “Some businesses are only just realising that that hasn’t been done.”
For large businesses, setting up SCCs would not be too onerous, but as with GDPR, the cost of compliance would be considerable for smaller businesses Shaw says. He suspects the many small businesses will be totally unprepared for the possibility that a data adequacy agreement is not secured. “By then it could be too late for some of these businesses.” And businesses that continue to funnel data from the continent regardless could be sanctioned or fined.
This will particularly hit start-ups and scale-ups, for whom “data inflows is their bread and butter”. “If you’re preventing the inflow of EU data for say, three months, six months or nine months until some type of agreement is in place, some of these businesses will go under,” says Shaw.
He suspects if the issue isn’t swiftly remedied, it could result in businesses relocating their headquarters to the EU in the long term. The vibrant fintech market in the UK could be especially undermined. Shaw says there is already a growing trend for UK fintech businesses to open up offices in the EU, in countries such as Estonia, Latvia or Lithuania. Without sufficient assurance that UK-EU data flows will continue unimpeded, this trend will merely be expedited.