#privacy: EU-UK data transfers could be severely disrupted post-Brexit, UCL study says


A new study by University College London (UCL) has concluded that a no-deal Brexit would seriously disrupt the free flow of business data between the EU and the UK.

Companies would be left footing “immense” extra costs across industries including hospitality, finance, manufacturing and technology, reports reveal.

The recently published report focuses on the lack of attention that post-Brexit data transfers have received amid the ongoing debate around the UK’s extraction from the EU. Experts fear that data transfers could be as serious an issue to the UK economy as more tangible challenges concerning cross-border commerce.

According to the study, rules regarding the transfer of data between organisations in the EU and UK could be very difficult to establish bilaterally. A no-deal scenario could have a major impact on the immediate outlook of the British economy.

“No transitional period would entail significant legal, economic, political and social disruption in the UK. The UK would immediately become a third country in EU law, and instant disruption to EU-UK data flows would ensue,” the study warns.

Oliver Patel of UCL’s European Institute is one of the report’s authors. By way of example, Mr Patel said that challenges could arise for a British hotel company which can currently receive data from Europe about customers using its hotels on the continent.

Giving a further example of how disruption could occur, the Confederation of British Industry described how a UK conference venue could miss out on EU company bookings because sending attendee data beyond EU borders could constitute a breach of data law unless contractual safeguards are in place.

Without an adequacy agreement, UK companies receiving data from the EU could face huge expenses to ensure they fall within the lines of GDPR compliance. It would call on companies to “direct immense costs and resources towards enabling [previously unrestricted] data transfers,” the UCL study says.

According to those behind the study, doubts linger over whether or not an “adequacy agreement” could be hammered out owing to worries about a lack of data protection rights in the UK following Brexit. The risk of “unprotected onward data transfers” to the US would be a particular concern in this regard.

Until October 31st, when the UK is due to formally leave the EU with or without a deal, data can freely flow to and from all other EU member states.

“UK economic activity is dependent on these flows. But disruption would place immense compliance burdens on individual organisations which would have to invest in legal and administrative fees to ensure EU-UK data transfers remained lawful,” the report states.

“In the long-term it could also lead to the UK being less attractive to investors and thus generate knock-on effects for the economy at large,” it continues.

As reported by the Guardian, the CBI’s director of digital and innovation, Felicity Burch, said:

“A no-deal Brexit endangers UK’s position as a global hub for data flows. From day one, the free flow of data that underpins every sector from automotive to logistics will be hit.

“Businesses have already undertaken costly legal processes and some are investing in EU data centres. An adequacy agreement must remain a priority for government or the UK’s £174bn data economy is at risk.”

Commenting on the findings, iSTORM solutions Principal Consultant and Data Protection Officer, Richard Merrygold, said:

“This has been a concern for a while with many established data protection commentators expressing concerns about the likelihood of an adequacy decision, mainly due to the far-reaching nature of our surveillance laws.

“It is important to note that organisations can, for the time being at least, still rely on the EU standard contractual clauses or ‘model clauses’ for any transfers of data from within the EU to the UK,” Mr Merrygold told PrivSec Report.

“Businesses within the UK, transferring data into Europe can be assured that the data will be treated with the same level of scrutiny as the rest of the EU as the safeguards are already in place.

“Larger, multinational organisations can look to Binding Corporate Rules as a solution although this is costly and time consuming,” Mr Merrygold advised.

“In the first instance, UK businesses should start to understand where their data flows originate from and if they are receiving data from within the EU, they need to look at what controls they can put in place to protect the rights and freedoms of all parties in the event of a no deal,” he continued.

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.