If Britain hasn’t secured a deal to leave the European Union as the clock ticks past 11 p.m. on Oct. 31, billions of data transfers could be thrown into legal limbo.
Though not as visible as lines of trucks backing up at ports, disruption to data would affect more of Britain’s economy, four-fifths of which is services, not goods.
To avoid heavy fines and lawsuits for breaching the bloc’s strict privacy laws, the majority of U.K. companies that rely on data flows from the EU must submit a mountain of compliance paperwork. Those efforts have accelerated in recent months as the risk of a chaotic departure grew.
The exercise spans everything from customer information for holiday bookings to human resources files and insurance claims moved between subsidiaries of multinationals. The EU has some of the toughest rules in the world for protecting personal data, including the “right to be forgotten” from search engines. The emergence of cloud computing means packets of data are constantly on the move, making it far harder to keep track.
Companies can compile sets of rules governing the information that flows across borders within their organization, and then have them approved by a data protection authority. This can cost as much as 250,000 pounds ($305,000) and take years to draft. Instead, many have opted to copy and paste “standard contractual clauses” covering every cross-border data transfer they can find.
Smaller firms may not be able to afford or implement the safeguards, or even be aware of the issues.
State of Readiness
A study published in August by academics at University College London said it’s likely that many firms won’t be prepared for no-deal. When an accord on data protection between the U.S. and EU was struck down by the European Court of Justice in 2015, one single company was forced to apply 2 million standard contractual clauses, they said. Anti-money laundering and terror financing checks by banks could also fall outside the law in a no-deal, industry lobby group U.K. Finance has warned.
“I don’t think the work is done,” said Andrew Solomon, a senior associate at law firm Kingsley Napley. “Most companies are aware they need to do it but they’ve been hoping common sense would prevail and they wouldn’t have to do it in the end.”
In a no-deal Brexit, people will probably print off the standard contractual clauses from the European Commission website and sign them just to have something in place, said Miriam Everett, a partner at law firm Herbert Smith Freehills. However, this just puts a band-aid on the problem and “in an ideal world there should be due diligence and impact assessments,” she said.
Some companies have gone a step further and relocated their servers so their EU data doesn’t pass through the U.K. One of Britain’s biggest gambling companies, GVC Holdings Plc, is moving servers hosting its online betting platforms to Ireland and ensuring parts of the business that handle EU online gambling are covered by Maltese licenses.
Banks face the same problem. “Firms may need to move data processing activities between countries, consider the relocation of their data centers and/or implement other procedures to avoid problematic cross-border transfers of personal data,” said a spokesman for U.K. Finance.
Brexit means the U.K. will be ejected from the European Data Protection Board of regulators. For its data protection arrangements to be deemed “adequate” by the club it’s just left, it will have to prove it meets strict requirements imposed by the EU’s General Data Protection Regulation, which it had a key role in drafting.
The U.K. has said it will recognize the EU’s rules, but the EU has warned Britain not to assume it will quickly reciprocate due to the uncertainty around the terms of its pending departure.
That accreditation process has never taken less than 18 months and Britain’s national security powers — allowing the government to monitor some private data communications — could draw detailed scrutiny, leading to longer delays. So businesses are hoping Britain can make the switch under the protection of an agreed transition period, not the legal vacuum of no-deal.
Many big corporations operating in both the U.K. and EU, such as former state phone monopoly BT Group Plc, have moved to register with continental data protection watchdogs to make sure they’ll still comply with EU data law.
Movement of data generates 174 billion pounds ($216 billion) of value in the U.K., according to the Confederation of British Industry. Part of that activity flows inside U.S. and Asian multinationals that chose the country as a hub for their European operations. Consultancy Frontier Economics says three-quarters of Britain’s international data flows are with the EU.
A no-deal Brexit endangers the country’s position as a global hub for data flows, said Felicity Burch, the CBI’s director of digital and innovation.
“From day one, the free flow of data that underpins every sector from automotive to logistics will be hit,” said Burch. “Businesses have already undertaken costly legal processes and some are investing in EU data centers. An adequacy agreement on data must remain a priority for government.”
–With assistance from Giles Turner.