The smooth transfer of personal data between the European Union and the U.K. — from bank details to your Uber bill — is vital for almost every British business. A no-deal Brexit threatens to disrupt that relationship and leave companies at risk of fines and lawsuits for breaching the EU’s strict data protection rules.

1. What are the current data-privacy rules?

The EU has established a fundamental right to privacy, including the protection of personal data and the “right to be forgotten” from search engines. It offers “adequacy agreements” to countries that conform to these rules, so that their data can be transferred across borders. Some countries, like New Zealand and Argentina, have been deemed as providing fully adequate data protection; the U.S. is only partially adequate and has a separate agreement with the EU. As long as it’s an EU member, the U.K. doesn’t have to prove its adequacy. But that’s about to change.

2. What happens after Brexit?

Any adequacy talks cannot get started until after the U.K. has left the EU, currently scheduled to happen on Oct. 31. Without a withdrawal agreement that allows personal data to continue flowing uninterrupted, two-way transfers of personal information will be affected, according to the U.K. Information Commissioner’s Office. To prepare, the regulator advised companies in December last year to hunt down all data transfers coming into the U.K. from the EU and make sure they have the “appropriate safeguards” in place. Essentially that’s meant a lot of paperwork, such as signing codes of conduct and promising to adhere to rules on transferring data.

3. Are data flows at risk?

Not really. In the 21st century, stopping data flows would be tantamount to war. But a no-deal would tip companies into a legal limbo and prompt a last-minute flurry of costly compliance work. A study published in August by academics at University College London said it’s likely that many firms won’t be prepared for a no-deal rupture. The uncertainty may only end once Britain and the EU have hammered out an adequacy agreement, a process that could take years. In the meantime, businesses could worry about the threat of an activist spotting an improper data transfer from one multinational company to another. Companies will be readying themselves for potential lawsuits.

4. What could stop the U.K. getting an adequacy agreement?

The EU warned the U.K. last year not to make assumptions that it will be granted an adequacy decision due to “considerable uncertainties” around its departure. The notice wasn’t specific on what the uncertainties are. EU chief negotiator Michel Barnier said that “in the absence of EU law that can override national law, in the absence of common supervision and a common court, there can be no mutual recognition of standards.”

5. Isn’t the U.K. already in line with EU data standards?

Mostly, but there have been some conflicts. In January 2018, the U.K. Court of Appeals ruled that a 2014 U.K. law allowing mass data surveillance for security reasons violated EU privacy laws. The 2016 law that superseded it was also found to be in violation. The U.K. shares intelligence with Australia, Canada, New Zealand and the U.S. as part of the “Five Eyes” agreement; the EU has long been concerned about its citizens’ data being accessed by U.S. spies. The EU’s newest privacy law should make any agreement simpler.

6. What’s the new law?

The General Data Protection Regulation went into effect on May 25 last year. All businesses that collect data from EU citizens have to follow its rules, which range from informing consumers about how their data is used to deleting data that’s no longer needed. Businesses that don’t comply risk fines of as much as 4% of worldwide annual revenue. Since the U.K. was part of the EU when GDPR was introduced, its firms have been operating under its rules. The U.K. has argued this should qualify it for an “adequacy” badge after Brexit.

7. What might a U.K.-EU privacy conflict look like?

Let’s imagine it all goes wrong. Post-Brexit, during a national-security investigation, U.K. intelligence services demand access to an EU citizen’s personal data, such as encrypted chat messages or payments. The provider hands over the data. The citizen complains to a European regulator, which concludes that this transfer was a human-rights violation. The provider could then be fined by the EU. This could prompt companies that have been cooperating with the U.K. to stop transferring data without clear approval from the EU.

--With assistance from Thomas Pfeiffer and Thomas Seal.

To contact the reporter on this story: Giles Turner in London at gturner35@bloomberg.net

To contact the editors responsible for this story: Tom Giles at tgiles5@bloomberg.net, Thomas Pfeiffer, Andy Reinhardt

©2019 Bloomberg L.P.
