Giles Derrington, techUK’s head of Brexit policy, explained to the Committee that the UK has committed to alignment with the EU on data flows under no deal, and will deem it legal to send data to the EU from the UK. The problem is that under GDPR and a no-deal Brexit scenario, without an adequacy or some other formal agreement in place, the UK will be a third country and sending data from the EU to the UK could be illegal. Derrington explained:
“The problem is that data transfers are two way. The biggest challenge at the moment is how you do the EU side of this. What we want to see happen is for the EU data protection board - so the individual 27 member states’ data protection authorities - to look towards some kind of moratorium, like they did in the case of the US Safe Harbour agreement.
“So a German business transferring data to the UK is not suddenly in breach of GDPR on the 30th March, when they weren’t on the 29th March. At the moment the Commission and the EU Data Protection Board have been quite reticent to have that conversation. We have been working hard with our sister trade bodies in Europe to try and make this case. But it is a challenge.
“And if you can’t do both [send data both ways], then it will have an impact.”
Derrington added that complications also arise when looking at the Withdrawal Agreement, which has a “big package of questions” around legacy data, that is, data that has already been transferred to the UK pre-Brexit. techUK is concerned that this data, stored in the UK, could be deemed illegal and, depending on its use, impossible to reach. He said:
“It is entirely unclear to us, and we are still waiting for an answer from DCMS, because some of that data is being used in algorithms etc. Theoretically the question could be - that data is no longer here legally, so you have to give it back.
“To give it back you have to understand which bits of data it is. If you try to delete it you have to understand which bits of data it is. Now, both of those things would be processing data, which would then be in breach of GDPR. So we are not sure if you can touch it, or if you have to close it off.
“And ultimately trying to extract individual bits of data from an algorithm is a bit like taking eggs from a cake, it is potentially impossible. And we don’t yet know, and a lot of our members don’t know, how they are supposed to do it. Other than, just warehouse it and leave it forever. That would have quite a significant impact.”
An adequacy agreement
Previously it has been said that the UK is hoping for data adequacy status upon leaving the European Union, which should mitigate data flow risks. Data adequacy is granted when the European Commission feels that a territory that is not part of the EU has data protection laws and practices that are aligned to the EU’s high standards. Currently ten countries have been granted the status, including Israel and New Zealand. The USA and Canada have only been deemed to be partially adequate, and the data sharing with the USA is governed by the 2016 Privacy Shield agreement.
Given the UK will be aligned with the EU up until Brexit day on 29th March, it certainly has an advantage in achieving an adequacy agreement. However, it’s not a quick process, as techUK’s Derrington notes. He told the Committee that the fastest agreement was achieved in 18 months, with Argentina. Despite the UK’s advantages, it may still not be as quick a process as some may hope. Derrington explained:
“We would anticipate being able to do something slightly quicker than [Argentina]. But it’s worth bearing in mind the problems here - and the questions the Commission are likely to ask in their adequacy processes - are likely not to be entirely focused on businesses. Because businesses complying with GDPR will largely be in line.
“The question is what comes into scope with the EU, which is currently not in scope as a member - that specifically relates to national security data. There are big challenges there. We are relatively confident that the UK government is taking this seriously and working through those processes. We feel like it will be overcome, but it will take technical, slow working through.
“We’ve been saying for a while that we would like the adequacy discussions to start as soon as possible. But the EU, as with everything else, is saying they won’t start the discussions until we are a third country. So, I’d be surprised if a decision could be made in under a year.”
Another impact on data flows once outside of the EU could be how businesses perceive their use of UK cloud services, according to techUK. For example, if the UK moves away from EU regulation over time - for whatever reason - it may become easier for a business in a European country to choose a cloud hosting provider in a member state, to reduce friction. Derrington added:
“The disalignment of regulation over time will be the thing that creates barriers. If you think of something like data flows - were we to leave day 1, we wouldn’t have an adequacy agreement. That just means additional heavy lift for businesses and relying on something less secure - that will have an impact on your ability to get contracts.
“Also, if I’m a German business looking to partner with someone for data flows, do I rely on the standard contractual clause currently under legal challenge in the ECJ, which the UK relies on? Or could I go to a French or Belgian data centre where I know there’s a solid process because we are part of the one GDPR process?
“It’s those challenges that will have an impact.”
It’s clear from the evidence given today that whilst the UK government has made progress in doing what it can to reduce friction in the case of a no-deal Brexit, the EU still holds a number of cards, and the scale of the impact will largely depend on decisions made by the EU. In other words, the UK government can only do so much, and as such, businesses making decisions will look towards a safer bet - that safer bet being the EU.