Data flows and Brexit: Whatâs going to happen?

How will we be able to access and use data about EU citizens? Will EU companies be able to buy and sell with UK companies with the same freedom as they do now?

The particulars of the Brexit deal change the answers to these questions markedly.

For example, if the UK were to leave the EEA, we would need an adequacy agreement in order to be able to trade in keeping with GDPR regulations. This would potentially take some time to engineer – the US agreement took over five years and the Singapore agreement took 18 months, despite being a smaller market and relatively compliant in the first place.

It would be dangerous to assume, therefore, that the UK would walk into an adequacy deal which would allow the continuation of trade in the same manner that it has enjoyed thus far.

If an agreement is not reached, there could be harmful effects on businesses. Take for example the UK tech sector. It plays a huge role in the EU tech market, taking advantage of free data flows. Estimates suggest that around 43%of all large EU digital companies are started in the UK and that 75% of the UK’s cross-border data flows are with EU countries.

The DMA has worked with the government to advocate a deep adequacy agreement with the EU and will continue to advance this position in Brussels and Westminster. Nonetheless, this position was rejected by the EU when it was proposed by Theresa May in March.

Case study: UK-based cloud computing service provider

Let’s say cloud computing service provider A is a UK-based company. They store a multitude of data for a number of large corporations throughout the world.

Insurance company B is based in Germany and has used provider A to store data about their customers for 5 years. For this contract to be legal, both organisations must be compliant with GDPR rules in regards to processing personal data of European citizens.

If the UK were to leave the EU, at the very least, an adequacy agreement would be required to ensure the UK conformed to regulation under GDPR. The UK would need to be deemed to be a safe place to store data by European regulators.

If there was no immediate adequacy agreement, it would be illegal for Insurance company B to store the data of their clients on the UK-based servers of provider A.

The insurance company would be obligated to store the data safely, and thus have to move their data to a provider which complied with GDPR laws.

The insurance company then face the complicated task of moving their entire database from one country to another, coupled with the associated costs. While provider A would lose a client.

Case study: UK-based creative agency

EU-based creative agency Z provides services in marketing and advertising for a range of clients in the UK and the EU.

Companies employ agency Z to work on ad campaigns or marketing strategy. To deliver their advertising and marketing strategy, agency Z accesses companies’ customer databases. This involves processing personal information, which is regulated by GDPR.

The ICO states that “Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR.”

As we saw in example one, an adequacy agreement would need to be in place before the Brexit date (29^th March 2019) if UK companies were to be able to process data of EU citizens. This cannot be assumed and it is as likely as not that a deal will not be reached before that deadline, meaning UK companies will be cut off from working with EU countries.

Furthermore, to advertise their services throughout the EU, the UK will need to ensure it remains part of the Digital Single Market. The DSM removes cross-border blocks to access to goods or services. If the UK did not retain access to the DSM, companies would likely face limitations in accessing markets and customers from the EU.

In sum, if adequacy agreements are not reached prior to the UK’s exit from the EU, there will unavoidably be detrimental effects on UK businesses who seek to access and use data from EU nations.

What would the impact be on your business if you were unable to transfer personal data between the UK and EU member states?

The hypothetical example above is a rough example. A case study with facts and figures would help bolster our lobbying efforts in favour of maintaining the free flow of data between the UK and EU after Brexit. If you think you can help us shape this example, get in touch with Zach or Michael from the External Affairs team by the 13th of June.