With the United Kingdom having voted to leave the European Union (Brexit) on 23 June 2016, the free flow of personal data between the United Kingdom and the EU and European Economic Area (EEA) countries is at risk. Should the United Kingdom also leave the EEA and thus become a “third country” for the purposes of data transfers, EU/EEA businesses that are currently retaining UK service providers or data centres to handle or store personal data, or are planning to do so, would have to carefully re-evaluate this decision.
While Brexit will likely have the biggest impact on the financial sector, it will also affect businesses in the United Kingdom that rely on the free flow of personal data to and from EU nations. This is not only the case for businesses engaging in some sort of data processing, such as cloud service providers, outsourcing service providers or data centre operators, but may also apply to the handling of personal data within a group that has branches in both the United Kingdom and EU/EEA countries.
The actual consequences of Brexit will, of course, depend on the status that the United Kingdom will have after it leaves the European Union.
Scenario 1: The United Kingdom Remains Part of the EEA
If the United Kingdom remains in the European Economic Area, opting for the same status as Iceland, Norway and Liechtenstein, not much would change in relation to data protection.
Both the current Directive 95/46/EC and the future Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR) are (or will be) annexed to the EEA Agreement, and would therefore also apply in the United Kingdom. For the purposes of data protection laws, the United Kingdom would continue to be considered part of the “Union” and could thus benefit from the free flow of data within the European Union/European Economic Area.
There is a possibility that European businesses looking for a third-party provider to handle or store their personal data might still not be fully comfortable with the United Kingdom’s status as an EEA country and prefer to take their business to an EU Member State. Consequently, even if the United Kingdom remains in the European Economic Area, UK service providers may be at a competitive disadvantage.
While the competition from EU countries is less of an issue for intra-group data transfers, multinational companies may prefer to keep the personal data of EU employees and customers within the European Union.
Scenario 2: The United Kingdom Becomes a Third Country
If the United Kingdom also leaves the European Economic Area, it would become a third country, even if it gained access to the Common Market through bilateral agreements such as those held with Switzerland.
Initially, data transfers to the United Kingdom could very likely be based on an adequacy decision of the European Commission under Article 25 of Directive 95/46/EC or, respectively, Article 45 of the GDPR, establishing that the level of data protection in the United Kingdom is adequate. UK data protection laws are currently not only adequate, but are fully compliant with European laws, and Brexit would not immediately change that.
Nonetheless, data controllers and processors in the United Kingdom could not benefit from the single market with respect to personal data and the uniform law under the future GDPR. They would, for example, be required to appoint a legal representative in the European Union under Article 27 of the GDPR, and could not turn to the Information Commissioner’s Office, the UK data protection authority, to take the lead under the new “one-stop shop” scheme set forth in Article 56.
Furthermore, the United Kingdom’s adequacy standing could be revoked or nullified if its privacy standards were ruled to be inadequate in the future. This recently became a problem for data transfers to the United States when the European Court of Justice nullified the adequacy decision regarding the US–EU Safe Harbor framework (Schrems, C-362/14, ECLI:EU:C:2015:650). If the adequacy decision for the United Kingdom suffers a similar fate, data transfers in the context of data processing arrangements would have to be based on appropriate safeguards, such as the standard contractual clauses (model contracts) (Article 46 GDPR) or binding corporate rules (Article 47 GDPR).
In this scenario, multinational groups might consider restructuring their internal data flows to avoid the red tape added by data exports to the United Kingdom. UK service providers that do business with EU/EEA customers would face the same challenges as service providers in other third countries, such as the United States, and would lose their competitive advantage.
Because of the current lack of certainty, it would be unwise to make any rash decisions. The United Kingdom is still part of the European Union and the formal process to withdraw under Article 50 of the Treaty on European Union has not been initiated. Once the European Union has been notified of the United Kingdom’s intention to leave, there is still a two-year negotiation period. It will therefore be some time before Brexit is actually implemented.
Nevertheless, EU/EEA businesses that are currently transferring data to UK service providers or data centres, or are planning to do so, should take into account the potential consequences of the United Kingdom exiting the European Economic Area when determining their mid- and long-term strategy. For long-running business transactions, it may be wise to include appropriate safeguards in the contracts that will ensure compliance under either scenario.
Should it become clearer that the United Kingdom will not remain in the European Economic Area, businesses that have chosen a UK entity to handle or store personal data may have to carefully review their decision, and evaluate whether keeping the data in the European Union/European Economic Area is an absolute necessity. The same is true for companies from third countries, such as the United States, which are handling personal data moving to and from the European Union and have chosen the United Kingdom as the basis for these activities.