Businesses race to keep data flowing under a no-deal Brexit
(Bloomberg) -- Brexit might mean the U.K. is no longer a member of the European Union, but that doesn’t mean it will escape the long arm of the bloc’s data protection rules.
Under a deal previously negotiated between the EU and the U.K., Britain had two years to clinch a decision from the EU that would allow organizations to freely move data to and from the continent without breaking the bloc’s General Data Protection Regulation rules and facing fines of as much as 4% of their annual sales as a result.
But heightening fears of a hard Brexit on Oct. 31 now have companies racing to implement back-up mechanisms that some industry experts say they probably never counted on needing.
In Britain, government departments, including some in the National Health Service, are repatriating their data -- such as personal data about citizens -- to the U.K. from places such as Ireland, according to a person familiar with the matter.
“It’s not really an option just to ignore this and hope transfers to the U.K. go unnoticed,” said Clare Sellars, a counsel on law firm Ropes & Gray’s data protection team. "I suspect the regulators won’t be that lenient -- there’s been a fairly long lead time to prepare.”
Alternative arrangements include implementing binding corporate rules or signing contracts that include EU-approved clauses. Sellars said the latter option of implementing standard contractual clauses is for now “the simplest way to go, especially for most small and medium-sized enterprises.”
However, for large organizations, they can be costly to implement, said Tanguy Van Overstraeten, partner and head of the data protection practice at law firm Linklaters LLP.
"Some large companies must put in place thousands of those clauses,” he said. “Smaller or medium-sized enterprises are likely to have fewer transfer needs.”
This solution would also still be subject to legal uncertainty. While it’s one of the most efficient alternatives to transferring commercial data outside of the EU, standard contractual clauses also face a legal challenge in a court case that could invalidate them as a transfer mechanism.
Instead, companies might continue to wait and see what happens with Brexit and hope that European regulators don’t pursue the issue before they spend what could amount to “hundreds of thousands of dollars on very expensive legal solutions,” said Omer Tene, Vice President and Chief Knowledge Officer at the International Association of Privacy Professionals.
“Companies entering into agreements relating to data with vendors in the U.K., or vice versa, are already weighing the additional friction and cost of getting data in and out post Brexit,” he said.
As a result, a French company may opt to partner with an EU area firm instead of a U.K.-based company in order to avoid legal turmoil, Tene said.
Even in the case of a hard Brexit, the EU will nevertheless eventually explore a so-called "adequacy" decision for the U.K. This would add the nation to an European whitelist of countries between the EU and which data can flow freely because their privacy laws are accepted as in line with Europe’s.
While the U.K. currently implements the EU’s GDPR rules, the adequacy decision process could still take years, with Britain’s data-collection practices as part of its national security regime likely to come under heavy scrutiny.
“That issue will be undoubtedly emerge as a bone of contention and something which will be difficult to iron out," the IAPP’s Tene said.