As the Government commences EU exit negotiations techUK, in association with Bird & Bird, have developed case studies which demonstrate the importance of a secure and robust legal mechanism for transferring data between the UK and European Union (EU).
In a modern services-orientated economy, businesses of every size and sector rely on the ability to transfer personal data across borders. Once the UK leaves the EU, businesses must be able to continue to transfer data between the UK and EU based on a secure and robust legal mechanism. This mechanism must be in place from the day the UK ceases to be a member of the EU to ensure a seamless transition for businesses and avoid a regulatory cliff-edge. This must be a top priority for Government as negotiations begin.
The UK is a global leader in data flows, accounting for 11.5 per cent of global cross-border transfers, 75 per cent of which are with the EU. That is why techUK has stated that the UK must continue to have a secure and robust legal basis on which to transfer data from day one of the UK’s new relationship with the EU. Achieving an adequacy finding is the preferred option to ensure data can continue to flow between the UK and the EU without excessive burdens on UK businesses.
The industries of tomorrow will be tech-enabled and tech-driven, and a modern and open digital economy, with a global presence, will rely on the ability to seamlessly transfer data across borders. This will also be crucial to achieve the ambitions of the Government’s Industrial and Digital Strategies, aiming to create a Global Britain post-Brexit. The high-level commitment in the Government’s Digital Strategy to ensuring that data flows remain uninterrupted is encouraging. The best way to achieve this is through an adequacy finding.
As these case studies showcase, the ability to transfer data is not only a tech sector issue. It will impact all parts of the UK economy. The failure to achieve a secure legal basis to transfer data, ideally based on adequacy, will have the most profound effect on SMEs. It will affect small and scaling businesses hoping to access the European market. Organisations that employ EU citizens will be implicated. Companies that utilise online services delivered from Europe will all be caught.
While there are other mechanisms to transfer personal data under current and incoming EU data protection law, such as Binding Corporate Rules and Standard Contractual Clauses, the only option which is legally secure and imposes no extra costs or administrative burdens on businesses is adequacy.
These case studies explain the consequences of the UK losing the ability to seamlessly conduct UK-EU data transfers in two very different business scenarios.
While these case studies are only two hypothetical situations in which the UK not having an adequacy finding would affect businesses, this would affect a range of organisations of all size and sector, both in the UK and the EU. For example, any organisation looking to bring European personal data into the UK would be affected. This is vital for data transfers from the UK into the EU, and is, therefore, not an issue only for the UK but also for the EU27.
Below is a brief explanation of the two detailed case studies which can be downloaded below:
- Spot.hole 2.0 – A London-based company have developed an app that helps motorists and local authorities track road conditions by aggregating real time data feeds from the speed and location of drivers. With customers in the UK and Europe, Spot.hole will be affected by the UK not having an adequacy finding post-Brexit. As it is UK-based, with no establishment inside the EU, Spot.hole cannot implement Binding Corporate Rules or Standard Contractual Clauses. It therefore has to rely on obtaining consent to transfer data out of the EU to its UK based data centre. If that consent is deemed invalid, the company would lose the ability to transfer data.
- OfficePlan – A Liverpool-based human resource management and financial management software vendor provides companies with an unparalleled view of their workforce across all branches around the world. Without an adequacy decision OfficePlan decided to implement European Commission-approved Standard Contractual Clauses in what seemed like a simple solution to transfer data from the EU to the UK. However these SCCs are currently under legal challenge and customers had concerns about using OfficePlan’s services in fear that SCCs would be struck down and were unwilling to risk OfficePlan’s services. The only realistic option available to the company was to build data centres in Europe which was hugely expensive and meant moving jobs out of the UK. Whilst making these decisions competitors made moves on customers and the company was forced to down-scale.
Clearly, the lack of an adequacy finding in both of these cases would be detrimental to UK business. In order to support a post-Brexit Global Britain based on modern Industrial and Digital strategies, the Government must ensure that all businesses can continue to seamlessly transfer data to and from the EU. Achieving an adequacy finding that enables this to happen must be a priority as the Government begins negotiations.
For press enquries please contact Alice Jackson