Blog Post

Brexit and its potential impact on international data transfers

If the UK exits the EU and the EEA, it will have to go to considerable lengths to enable continued data transfers from the EU. Without an agreement on data transfers and data protection, business in the UK and the EU will be disrupted.

By: and Date: August 4, 2016 Innovation & Competition Policy Tags & Topics

Data transfers among different jurisdictions can help multinational enterprises to maximise the benefits generated from data, and to harmonise their operations around the globe.

But the Brexit referendum could have a serious impact on data transfers between EU and UK, if the UK indeed exits the EU. To avoid disrupting businesses that operate in both the UK and the EU, post-Brexit agreements in regard to data transfers and data protection would be needed . The Privacy Shield between the EU and the US may provide an example to be followed between the EU and the UK.

To better understand the potential impact of Brexit on firms, consider a multinational business with its headquarters in London, and subsidiaries in Paris, Frankfurt, and other European capitals. The headquarters in London would usually have personnel management responsibilities for the employees located on the Continent. This would be possible only if personnel records for those employees can be freely shared between the company’s locations. In a post-Brexit world, data transfers such as these might become subject to a different regulatory regime, affecting the operations of the firm.

The impact of Brexit could be even greater for banks headquartered in London, and digital platforms that require data transfers from their employees and their clients located in the EU.

The impact of Brexit on the legal regime

The exact impacts of Brexit depend on many factors, including the form of association that the UK and the EU establish with one another going forward; however, the broad outlines of the problem can already be inferred. There are four main possibilities:

  1. The UK may somehow continue to be an EU Member State, in spite of the 23 June vote.
  2. The UK may apply for and be granted membership in the European Economic Area (EEA), like Norway, Iceland and Liechtenstein.
  3. The UK and the EU may enact wide-ranging bilateral agreements, as is the case with Switzerland.
  4. The UK may have few or no agreements with the EU, as is the case with most other countries throughout the world.

In all four cases, the newly enacted General Data Protection Regulation (GDPR) would govern data transfers from the EU to the UK. The GDPR takes effect from 25 May 2018 (repealing the previous EU privacy framework, Directive 95/46/EC), when the UK will probably still be an EU Member State.

In the first two instances (call them collectively the EU/EEA scenario), one would expect little or nothing to change, beyond the change from the old privacy framework to the new in 2018. Whether the UK is a member of the EU or the EEA, it would be required to fully implement the GDPR (in the absence of a specific agreement to the contrary). Data transfers between the EU and the UK would presumably not be impacted.

The EU/EEA scenario has its merits, but it seems unlikely, since either EU or EEA membership would oblige the UK to continue to adhere to nearly all EU regulations. The British public would likely view either option as a repudiation of the results of the 23 June referendum.

It is more likely that the UK will instead become fully independent of the EU and EEA, but possibly subject to bilateral agreements (call it the go it alone scenario). This corresponds to the third and fourth possible cases in the numbered list that appeared earlier.

In all instances, the potential irritant is the electronic surveillance that the UK government conducts in the interest of national security. Post-Snowden, it is widely believed that the UK intelligence service GCHQ participates in mass surveillance that is as widespread and as indiscriminate as that in the US, and moreover that GCHQ freely shares this intelligence with the Americans.

Side note: As the ECJ’s press release notes, “United States public authorities are not themselves subject to [the safe harbour agreement]. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. … ” An additional concern was that “the persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and … rectified or erased.”

In a case brought by Austrian privacy activist Maximilian Schrems, a European Court of Justice (ECJ) ruling on 6 October 2015 invalidated data transfers from the EU to the US under a Safe Harbour agreement that had existed since July 2000. The finding was that the personal data of EU users is not adequately protected when it is transferred to the US from the EU because US firms makes the data available to the U.S. National Security Agency (NSA), for which the Safe Harbour protections were either unavailable or irrelevant (see Marcus & Petropoulos 2016). The EU-US Privacy Shield agreement that has just come into effect addresses these concerns by providing stronger safeguards.

If the UK were to remain an EU/EEA member, data transfers to and from the EU would be governed by Article 23 of the GDPR, which permits Member States to take liberties with data protection and data transfers when doing so “respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard … national security”. It is debatable whether the widespread surveillance in the UK meets this criterion, but as it is a fairly soft criterion it is unlikely to be successfully challenged.

Under the go it alone scenario, the UK would become a third country relative to the GDPR, and transfers of personal data would instead be governed by Articles 45-49 of the GDPR. Our assessment is that the UK will have to go to considerable lengths to enable continued data transfers from the EU.

Article 45 is consistent with the Schrems Decision, but it establishes a much higher threshold for transfers of personal data. In order to establish an adequacy decision (the GDPR equivalent of Safe Harbour), the European Commission would be obliged to take account of “the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data”. In light of GCHQ activities, the UK would be unlikely to get a free ride. It is highly probable that the UK would be obliged to enter into an agreement very similar to the Privacy Shield that was just agreed between the EU and the United States.

Enacting an agreement similar to Privacy Shield would be painful for the UK politically. Moreover, the negotiations to arrive at Privacy Shield were intensive, complex and time-consuming, and the resultant agreement may still be vulnerable to legal challenges.

If no adequacy decision is put in place, some firms might try to circumvent the lack by instead invoking private contract provisions under Article 46 of the GDPR. Since Article 46 largely ignores the Schrems decision, we assume that any such agreements are unlikely to survive judicial appeal to the ECJ, unless provisions similar to those of Privacy Shield are somehow put in place between the UK government and the EU.

Within a corporate group, data transfers may be possible using either the rules of Article 47 of the GDPR, or by obtaining explicit consent to the proposed data transfer from the individual concerned (for example, from the employee).

Other data transfer implications

Under the go it alone scenario, the UK would no longer be subject to EU privacy law, and would need to craft its own. Whether data transfers from the UK might be restricted by the new UK privacy law remains to be seen.

The UK would no longer be a party to the data transfer provisions of Privacy Shield, and would have to negotiate new arrangements with the US, assuming that they are concerned about maintaining data privacy. Likewise, they would no longer be a party to EU data transfer agreements with other third countries, such as Switzerland.

In regard to data transfers to and from the EU and to other countries as well, as in many other areas, the UK is entering a period of considerable uncertainty and complexity.


Republishing and referencing

Bruegel considers itself a public good and takes no institutional standpoint. Anyone is free to republish and/or quote this post without prior consent. Please provide a full reference, clearly stating Bruegel and the relevant author as the source, and include a prominent hyperlink to the original post.

View comments
Read about event More on this topic

Past Event

Past Event

Artificial intelligence: challenges and opportunities

Rob Atkinson, the founder and president of the Information Technology and Innovation Foundation presented his research work on the impact of artificial intelligence on our lives.

Speakers: Robert Atkinson, Anna Byhovskaya, Merja Kyllönen and Georgios Petropoulos Topic: Innovation & Competition Policy Location: Bruegel, Rue de la Charité 33, 1210 Brussels Date: March 23, 2017
Read article More by this author

Parliamentary Testimony

House of Lords

Brexit: EU budget

On 25 January 2017 Zsolt Darvas appeared as a witness at the House of Lords Select Committee on the European Union, Financial Affairs Sub-Committee.

By: Zsolt Darvas Topic: European Macroeconomics & Governance, House of Lords, Parliamentary Testimonies Date: March 7, 2017
Read article More on this topic

Blog Post

Schoenmaker pic
Nicolas Véron

Brexit should drive integration of EU capital markets

Brexit offers EU-27 countries a chance to take some of London’s financial services activity. But there is also a risk of market fragmentation, which could lead to less effective supervision and higher borrowing costs. To get the most out of Brexit, the EU financial sector needs a beefed up ESMA.

By: Dirk Schoenmaker and Nicolas Véron Topic: Finance & Financial Regulation Date: February 24, 2017
Read article More on this topic

Blog Post

unnamed
Simone Tagliapietra

Brexit goes nuclear: The consequences of leaving Euratom

The UK Government has confirmed that it will withdraw from Euratom. But what does Euratom actually do? And what will happen when the UK leaves? The authors find major risks, potential costs and open questions.

By: Enrico Nano and Simone Tagliapietra Topic: Energy & Climate Date: February 21, 2017
Read article More on this topic

Blog Post

Zsolt Darvas
DSC_0798
dsc_1000

The Brexit bill: uncertainties in the estimate of EU pension and sickness insurance liabilities

Pension and sickness insurance liabilities for EU staff could be an especially contentious part of negotiations on an EU-UK financial settlement: the “Brexit bill”. This post looks behind the calculation of the alleged cost of pension benefits and concludes that it may be less than half of what it seems.

By: Zsolt Darvas, Konstantinos Efstathiou and Inês Goncalves Raposo Topic: European Macroeconomics & Governance Date: February 17, 2017
Read article More on this topic

Blog Post

Zsolt Darvas
DSC_0798
dsc_1000

The UK’s Brexit bill: could EU assets partially offset liabilities?

The ‘Brexit bill’ is likely to be one of the most contentious aspects of the upcoming negotiations. But estimates so far focus largely on the EU costs and liabilities that the UK will have to buy its way out of. What about the EU’s assets? The UK will surely get a share of those, and they could total €153.7bn.

By: Zsolt Darvas, Konstantinos Efstathiou and Inês Goncalves Raposo Topic: European Macroeconomics & Governance Date: February 14, 2017
Read article More on this topic

Blog Post

MariaDemertzis1 bw
unnamed

The impact of Brexit on UK tertiary education and R&D

In this blog post, we look at the impact of Brexit on UK’s education and research and development sectors in terms of students and staff, as well as funding.

By: Maria Demertzis and Enrico Nano Topic: European Macroeconomics & Governance Date: February 14, 2017
Read article Download PDF More on this topic

Policy Contribution

PC 17 04

Brexit and the European financial system

Brexit will lead to a partial migration of financial firms from London to the EU27. This Policy Contribution provides a comparison between London and four major cities that will host most of the new EU27 wholesale market: Frankfurt, Paris, Dublin and Amsterdam. It gives a detailed picture of the wholesale markets, the largest players in these markets and the underlying clearing infrastructure. It also provides data on professional services and innovation.

By: Uuriintuya Batsaikhan, Robert Kalcik and Dirk Schoenmaker Topic: Finance & Financial Regulation Date: February 9, 2017
Read article More on this topic More by this author

Blog Post

Zsolt Darvas

Questionable immigration claims in the Brexit white paper

The UK government's white paper on Brexit suggested that the EU's "free movement of people" has made it impossible to control immigration. This seems to rest on an assumption that EU citizens can "move and reside freely" in any member state. Zsolt Darvas finds these arguments problematic, and points out that it is difficult to infer public opinion about immigration from the referendum result.

By: Zsolt Darvas Topic: European Macroeconomics & Governance Date: February 8, 2017
Read article Download PDF More on this topic

Policy Brief

PB 17 01

Making the best of Brexit for the EU27 financial system

The EU27 needs to upgrade its financial surveillance architecture to minimise the financial market fragmentation resulting from Brexit and the corresponding increase in borrowing costs for firms.

By: André Sapir, Dirk Schoenmaker and Nicolas Véron Topic: Finance & Financial Regulation Date: February 8, 2017
Read article More on this topic More by this author

Blog Post

Scott Marcus

How good a shield is Privacy Shield?

Privacy Shield was put in place in 2016 to ensure that transfers of personal data from the EU to the US would be in compliance with European Union privacy law, and thus permissible. The institutional framework of Privacy Shield was weak, and depended on the good will of the US administration. Recent actions by the new administration, including the famous executive order forbidding residents from 7 predominantly Muslim countries to enter the US, may have (presumably unintended) effects on Privacy Shield. To preserve the validity of Privacy Shield in European Courts, strong EU-US cooperation and potentially additional agreements may become necessary.

By: J. Scott Marcus Topic: Innovation & Competition Policy Date: February 7, 2017
Read about event

Past Event

Past Event

Brexit and trade: what EU and WTO rules imply

Bruegel in collaboration with Leuven Centre For Global Governance Studies organizes an event at which we will discuss the options for redesigning trade relations in the post-Brexit era.

Speakers: Viktoria Dendrinou, Hosuk Lee-Makiyama, Petros C. Mavroidis, André Sapir and Prof. Jan Wouters Topic: European Macroeconomics & Governance, Global Economics & Governance Location: Bruegel, Rue de la Charité 33, 1210 Brussels Date: February 6, 2017
Load more posts