The high price of Brexit - the £1.6 billion cost of the UK not securing a data adequacy deal with the EU (and it impacts US firms as well)

As Brexit talks go down to the wire, a sobering report from The New Economics Foundation and UCL European Institute has warned that British companies face a bill of up to £1.6 billion if no data adequacy agreement is struck with the European Union in a no deal situation.

The report - The Cost of Data Adequacy: The Economic Impacts Of The UK Failing To Secure An EU Data Adequacy Decision - issues a grim warning:

Unless the UK receives an adequacy decision from the EU, businesses and other organizations will no longer be able to freely transfer data from the EU to the UK, without putting in place their own additional measures. These measures can be costly, bureaucratic, and time-consuming to implement…The combination of a potential no-deal Brexit, coupled with the ongoing Covid-19 pandemic, means that business and the [UK] economy can ill afford more cost, complexity, and risk.

In the run-up to Brexit, the UK government under former Prime Minister Theresa May pledged that data transfers to the European Economic Area will not be restricted by additional regulation or restrictions, but the European Union (EU) has not reciprocated with a similar commitment. If the UK is to enjoy uninterrupted, unrestricted EU-UK data transfers, it needs Brussels to recognise formally that Britain’s data regime offers the same level of protection for personal data that exists in the EU.

While that is the case at present, this is not enough to guarantee a formal data adequacy agreement will be issued by the European Commission. There are those in Brussels who have voiced suspicions that the country’s post-Brexit trade negotiations with the US will see Washington pressure London to turn a blind eye to given its surveillance practices in order to get a data transfer deal, as well as criticising the UK’s own Investigatory Powers Act 2016.

But getting an adequacy deal with the EU is critical. At present, some 75% of the UK’s international data flows are with Europe. It’s estimated that without an agreement in place, average compliance costs for businesses in the UK would be:

• £3,000 for a micro business.
• £10,000 for a small business.
• £19,555 for a medium business.
• £162,790 for a large business.

Those numbers are pitched as “a relatively conservative estimate”, but could cost UK plc up to £1.6 billion in money that could otherwise have been invested in resourcing, growth and innovation.

Threat level

Further threats to Brexit Britain from not securing an adequacy deal include:

• Increased risk of GDPR fines, due to the new compliance requirements and the UK no longer being part of the one-stop-shop arrangement that means businesses operating in more than one EU country only have to report to one Data Protection Authority (DPA).
• Reduction in EU-UK trade, especially digital trade, particularly if EU firms no longer want to work with UK counterparts and choose to stick with EU rivals, while EU firms may increase their costs to cover increased compliance costs and risk in dealing with UK customers.
• Reduced investment, domestic and international if regulations increase the cost of doing business with the UK and making it a less attractive investment destination. Many US firms may choose a continental EU location, such as the Netherlands, to open up headquarters or new data centers etc.
• Relocation of business functions, infrastructure, and personnel outside the UK, including US tech firms. UK-based cloud service providers with EU enterprise customers would need to update contracts with each customer to meet compliance regulations and might decide it’s simpler to move operations physically inside the EU data regime.

The report notes that in the absence of an adequacy agreement, UK-based firms on 31 December this year can legally transfer data from the EU, but 24 hours later will be open to hefty fines for doing exactly the same thing. In practice, conclude contributors to the study, that’s unlikely to be enforced…or not immediately, at any rate:

Realistically, if there is no adequacy decision, enforcement will not come instantly. EU DPAs, many of whom are quite pragmatic – and exceptionally under-resourced – will likely give businesses many months, if not years, to adapt to the new legal reality. Although there will be no official grace period if there is no adequacy decision, there will be a de facto grace period, during which enforcement on EU-UK data transfers simply does not happen. As such, do not expect fireworks on 1 January 2021.

But that said, UK-based firms should expect enforcement actions to increase over time. Against that gloomy backdrop, the report’s authors make a series of recommendations that the UK government should action in order to mitigate the situation. These include:

• Make relevant data and modelling tools available to support empirical research on the social and economic impacts of data protection, digital trade, and the value of data flows, in order to improve the quality of public policy and democratic engagement in these areas.
• Update its published ‘Explanatory Framework for Adequacy Discussions’ considering the issues raised by the Schrems II and Privacy International cases, which brought down the US/EU Privacy Shield data transfer framework.
• Explain how changes to the UK’s data protection regime via the National Data Strategy will also strengthen and enhance the rights of UK and EU citizens.
• Consider the impact of future trade agreements on data protection and carefully review the trade-offs involved when liberalising cross-border data flows with different countries.
• Raise awareness of the risks and costs of a lack of adequacy within the business community, both inside the UK and in the EU.
• Provide simple, practical tools, including information on further safeguards, to enable UK organizations to continue to use Standard Contractual Clauses.
• Set aside funds to ensure that struggling UK businesses can afford to comply with the new requirements.

My take

A timely reminder of something that’s not received the mainstream attention it demands, despite the best efforts of bodies like UK trade association techUK to drag it high up the agenda for political negotiators in Westminster. If a rabbit is pulled out of the Brexit hat and some kind of workable deal appears in the coming weeks, as cynics suspect, will data adequacy have been factored in appropriately or will fish quotas be deemed more important to a 21st century digital economy? The clock is ticking.