The smooth transfer of personal data between the European Union and the U.K., from bank details to your Uber bill, is vital for almost every British business. The U.K. is intent on maintaining that relationship following Brexit. The EU isn’t making any promises.
1. What are the current data rules?
An EU directive establishes that citizens have a fundamental right to privacy, including the protection of personal data and the “right to be forgotten” from search engines. For other countries that conform to these rules, the EU currently offers “adequacy agreements” so their data can be transferred across borders. Some countries, like New Zealand and Argentina, have been deemed as providing fully adequate data protection; the U.S. is only partially adequate and has a separate agreement with the EU. As long as it’s an EU member, the U.K. doesn’t have to prove its adequacy.
2. What happens after Brexit?
After the U.K. leaves the EU, it will no longer have to adhere to the union’s Charter of Fundamental Rights. Article 8 of the Charter reads: “Everyone has the right to the protection of personal data,” a key tenet of European data protection laws. In a January notice, the EU warned the U.K. not to make assumptions that it will be granted an adequacy decision due to “considerable uncertainties” around its pending departure.
3. What are those ‘uncertainties’?
The notice wasn’t specific. But the EU has been pretty clear all along: follow the rules or else. In March, EU chief negotiator Michel Barnier said that “in the absence of EU law that can override national law, in the absence of common supervision and a common court, there can be no mutual recognition of standards.”
4. Isn’t the U.K. already in line with EU data standards?
Mostly, but there have been some conflicts. In January, the U.K. Court of Appeals ruled that a 2014 U.K. law allowing mass data surveillance for security reasons violated EU privacy laws. The 2016 law that superseded it also is likely in violation. Also, the U.K. shares intelligence with Australia, Canada, New Zealand and the U.S. as part of the “Five Eyes” agreement; the EU has long been concerned about its citizens’ data being accessed by U.S. spies. And a new, tighter EU privacy law could complicate things further.
5. What’s the new law?
The General Data Protection Regulation goes into effect May 25. All businesses that collect data from EU citizens will have to follow its rules, which range from informing consumers about how their data will be used to deleting data that’s no longer needed. Businesses that don’t comply will risk fines of as much as 4 percent of worldwide annual revenue. The U.K. will still be part of the EU as the GDPR is introduced, and its firms will operate under the new rules. The U.K. argues this should qualify it for an “adequate” badge after Brexit.
6. What happens if the U.K. isn’t deemed ‘adequate’?
British companies would be allowed to transfer data only if they agreed to additional safeguards, such as regular audits to ensure compliance, and they’d need authorization by the various data protection authorities throughout the EU.
7. What might a U.K.-EU privacy conflict look like?
Post-Brexit, let’s say that in a national security investigation, U.K. intelligence services demand access to an EU citizen’s personal data, such as encrypted chat messages or payments. The provider hands over the data and the citizen complains to a European regulator, which concludes that this transfer goes against her human rights. The provider could then be fined by the EU. Needless to say, this could prompt all companies that have been cooperating with the U.K. to stop transferring data without clear approval from the EU.
8. What’s likely to happen?
The U.K. has done its utmost to reassure businesses that data flows will continue. In mid-February, Prime Minister Theresa May proposed matching EU data-sharing rules after Brexit. An update to the U.K.’s own data-protection laws, currently making its way through Parliament, is one way the U.K. hopes to show that it will go above and beyond meeting EU rules. But the EU hasn’t signaled that any of this will be enough to keep data flowing freely, and it probably won’t determine the U.K.’s adequacy until after the U.K. is officially out of the union.