As the prospect of a no deal Brexit becomes more likely, companies are drawing up contingency plans in case it is suddenly much harder to transfer data into and out of the EU. The Financial Times reported that US tech giant Dell was making plans in case the UK was not granted “adequacy” status that would allow data to be moved freely, while the hotel chain Hyatt said it would consider appointing a new lead data protection officer if the UK lost its right to enforce data transfer and protection rules on behalf of Europe.
Telecoms group BT said it was exploring options for a new data protection base in the EU. “We at one level don’t have to worry about it because we have data all over the world,” said Claire Vyvyan, senior vice-president for the UK & Ireland at Dell. “But we want to move data between Europe and the UK . . . we certainly are preparing contingency plans.”
UK banks including Royal Bank of Scotland are also reviewing their data transfer arrangements. RBS is mainly focused on the UK but does have European customers. It said it was “exploring various options to ensure we can continue to serve our customers as normal both here in the UK and on the continent.”
The EU’s data protection rules cover 508m people in 28 member states and are the toughest in the world. Only a handful of countries — including Canada, Switzerland, Israel and Japan— have been granted the “adequacy” status that allows them to move information freely into and out of the bloc. Most other countries are considered to have inadequate data protection and have not won this status.
Instead, local businesses have had to create complex legal structures to transfer data into and out of the bloc. As of 2016, US companies have been able to sign up to a certification system known as Privacy Shield that allows free data transfer from the EU to the US.
Businesses with European data hubs in the UK are anxious they could be forced to adopt the same sort of system. Ireland and the Netherlands have emerged as frontrunners for companies setting up data hubs outside the UK. The Irish government changed planning rules this year to make it easier to establish data centres after Apple scrapped plans for an €850m data hub citing delays. T5, a US data centre operator, chose the country for its first European data hub this year.
Meanwhile First Advantage, a background checking company, and Iron Mountain, an enterprise software company, have recently set up data centres in the Netherlands. Neither company responded to a request for comment. Politicians in both Brussels and London have said the UK is likely to gain adequacy status but in its white paper on Britain’s relationship with the EU post-Brexit, the UK called on Brussels to go beyond adequacy to regulatory co-operation on data protection. This could include a request for the UK’s data protection office, the ICO, to retain its seat on the EU’s data protection board.
A UK government spokesperson said London would “continue to make the case for an ambitious future EU-UK relationship on data protection”. Vera Jourova, the EU commissioner in charge of data protection, told the FT last month there were “positive signs” an agreement will be reached once the UK makes a formal request for an adequacy deal. “We definitely will want, for the sake of business interests the quickest and most efficient legal framework for the exchange of data with the UK,” she said. However, she added that Brussels would be looking for assurances that the UK would not weaken its privacy rules after Brexit.
Before any deal is done, Brussels will have to examine how the UK would protect the personal information of EU citizens. Privacy campaigners have pointed to the record of the UK government spying on its own citizens as a disadvantage: a tribunal found last month that the British government broke the law by allowing intelligence agencies to collect data on its citizens.
But one senior EU official said the case would not threaten adequacy as long as there were safeguards like the independent tribunal. The stakes are high for the UK, with the EU accounting for three-quarters of its cross-border data flows, according to Frontier Economics. “It would be a big political statement for the UK not to get adequacy,” said Ruth Boardman, joint head of international privacy at law firm Bird & Bird. According to Julian David, chief executive of industry trade body TechUK, a no deal Brexit could be disastrous: “Where are we going? Into the hard shoulder? The bank? Into the kerb? Or backwards into the oncoming traffic?”