Predictions about Brexit implications on UK/EU data flows
A hot topic we are starting to get general questions about from our clients and friends is how the new Brexit deal will affect future alignment of data-protection regulations between the UK and the EU. Specifically, UK clients are asking whether they will need to adjust the GDPR data-protection measures they already put in place back in 2018.
This is a very difficult topic to be accurate about, considering how dynamic the regulatory landscape between the UK and the EU is following the recent Brexit deal. As of 1 January 2021, the UK has a grace period during which data flows pertaining to EU data subjects continue to operate as normal for the next six months (the bridging period). If no deal on data flows is reached within those six months, however, the bridging period will come to an end, and the UK will have to rely on alternative mechanisms to ensure that organisations in the country can still lawfully process personal information from the EU.
At CyberSolace, we predict there will likely be sufficient divergence between UK data-protection laws and regulations and the EU's that the 'adequacy' principle may be revoked at some point within the next two years. There are a variety of reasons for making this prediction, but some of them are:
Anticipated new trade links with the US that will further weld the UK economy to the US, requiring more data interchange between the two countries and, in turn, more data to be hosted with US-based data centres and companies. If this happens, it will not bode well with the EU in terms of data-protection governance, especially under the shadow of the abolished Safe Harbour regulations between the EU and the US.
In the Covid era there has been some pressure on data-protection regulators to ease the punitive measures on organisations, given the already adverse economic conditions that companies are having to endure. A recent example is the British Airways case, where the ICO reduced the fine to £20 million from £183 million. We see this as another factor inducing the UK to water down its data-protection regulations below the gold standard prescribed by the EU GDPR principles.
Whichever outcome it may ultimately be, we believe that companies should not be too comfortable that the current status will persist, and should instead be proactive in exploring measures to mitigate the risk of the 'adequacy' status being revoked by the EU. Such exploratory exercises can take the form of future scenario modelling that captures each outcome and offers alternative approaches for data processing.
Assuming no 'adequacy' status between the EU and the UK, organisations would face a significant administrative hurdle in handling EU data subjects' data, especially given that three-quarters of the UK's international data flows are with the EU. All aspects of information processing and transfer that relate to an identified or identifiable individual living in the EU, such as names, IP addresses, HR details, or even delivery details, would require examination, and in most cases it would be necessary to put in place specific contracts called Standard Contractual Clauses (SCCs). SCCs have to be signed by both the sender and the receiver of the data in a contract covering the specifics of the data to be transferred, and they place significant technical and legal obligations on the receiver. The cost of implementing appropriate data-transfer mechanisms like SCCs at company-wide scale is high: recent reports from the New Economics Foundation estimate that the overall cost to UK businesses could reach £1.6 billion.