A report published by University College London has warned that disruption to EU-UK data flows resulting from a no-deal Brexit could be “unprecedented and extremely damaging” for the economy.
The UK has the largest data centre market in Europe, and this data hub role is crucial for the modern economy. But with 75% of the UK’s data transfers currently going to the EU, the UCL report states that the UK’s economic activity is “dependent” on intra-EU data flows, which are “vital for virtually any business with customers, suppliers or operations in the EU.”
The effects of Brexit on these data transfers will be unprecedented. Since the advent of the digital economy, as an EU member state the UK has been subject to EU law governing data transfers. This has meant that, due to harmonised data protection rules and regulation inside the EU, data has always flown freely. This situation will change no matter how the UK leaves the EU.
But the report states that particularly in the event of a no-deal, “instant disruption to EU-UK data flows would ensue,” as “the UK would immediately become a third country in EU law”. No transition period will result in completely different rules overnight for data transfers between the UK and the EU, posing huge difficulties for companies which increasingly rely on data for commercial success.
Without harmonised regulation, the UK’s role as a data hub, as well as the economy more generally, could be seriously damaged.
As a third country, the UK can negotiate an “adequacy agreement” with the EU to continue transferring data. However, the report suggests that this possibility is in jeopardy, due to concerns over the lack of data protection rights in the UK after Brexit. Key obstacles include issues such as the UK’s membership of the Five Eyes intelligence sharing alliance and the potential for unprotected onward data transfers to countries such as the US, as well as the fact that, with the EU Charter of Fundamental Rights ceasing to apply post-Brexit, there will be no fundamental right to data protection in the UK.
The EU has been a staunch defender of data protection rights, as exemplified by the GDPR legislation which came into effect last year. Transatlantic relations have also frequently been characterised by EU-US disputes over data protection and its link with security policy, as the EU’s notions of data protection and privacy as a fundamental right have come up against the US’s much more lenient data protection rules.
To successfully negotiate an adequacy agreement on data flows with the EU, the UK will have to meet the EU’s high data protection standards. The role of data in UK national security policies becomes a critical potential roadblock to such an agreement. “Unless the UK changes its national security and surveillance practices, it may not meet the threshold for adequacy,” the report adds.
Without an adequacy decision, data cannot flow freely between the EU and a third country. Organisations must then individually set up legal and administrative safeguards to meet the EU’s standards, meaning that post-Brexit, businesses would therefore be subject to “compliance burdens”, having to “invest in legal and administrative fees to ensure EU-UK data transfers remained lawful.” In the event of a no-deal, the report expects that these burdens will take a toll on SMEs and start-ups in particular.
While disruption in the short term seems likely, the lack of harmonised data protection regulation could also pose serious threats to the UK’s economy over the long term, with the report suggesting that “it could also lead to the UK being less attractive to investors and thus generate knock-on effects for the economy at large.”