Tech firms must obey EU data rules post Brexit

by Sam Ashworth-Hayes | 18.07.2017

If you are using Facebook, checking prices on Amazon, or complaining about my other articles on Twitter – in which case please include links to drive up the view count – then you are currently protected by EU rules on how your data is used. Post-Brexit, a new House of Lords report suggests these rules could prove to be a barrier, not a protection, for British tech companies.

EU regulations entering into force before Britain leaves the EU are set to broaden the definition of personal data, and apply rigorous standards on data protection to all companies doing business in the single market. UK tech firms that want to make services available in the EU after Brexit will have to obey the same rules. Moreover, they will have to find a way to put their data transfers on a sound legal footing – incurring potentially significant costs and increasing the complexity of doing business.

To cut to the chase, Brexit is set once again to put us a competitive disadvantage without a tariff in sight. The UK is highly integrated with the EU and three-quarters of our cross-border data flows take place with EU nations. In the view of the Information Commissioner, this degree of integration will require the UK to seek a broad solution: an “adequacy decision” from the European Commission.

Under this arrangement, the UK provides domestic protection “essentially equivalent” to EU standards. We would commit to keeping our laws in line with EU legislation, and updating them to reflect decisions from the European Court of Justice – scarcely taking back control.

Want more InFacts?

Click here to get the newsletter

    Your first name (required)

    Your last name (required)

    Your email (required)

    Choose which newsletters you want to subscribe to (required)
    Daily InFacts NewsletterWeekly InFacts NewsletterBoth the daily and the weekly Newsletter

    By clicking 'Sign up to InFacts' I consent to InFacts's privacy policy and being contacted by InFacts. You can unsubscribe at any time by emailing [email protected]

    While this would alleviate the concerns of tech companies, it might not be that easy to achieve. As a non-EU country, we will no longer benefit from national security exemptions to the rules. Given the UK penchant for mass surveillance – greatly expanded by Theresa May in her time at the Home Office – this might mean an adequacy deal is impossible. May’s unwillingness to sanction oversight by European courts may also rule out such a deal.

    Even if the UK proves willing and able to meet EU requirements, a transitional arrangement may be impossible to agree. Adequacy decisions can only be made for non-EU countries, creating a potential “cliff-edge” for business before a deal can be finalised.

    Business is not the only sector at risk. Brexit also raises concerns for policing. At the moment, says Lord Condon, former Met Police chief, UK police can access EU data “almost instantaneously”. But post-Brexit, “unless our government gets its act together… it will be much, much harder to check those databases”.

    The government says it wants to “maintain the stability of data transfers” between the UK and the EU. In the course of their inquiry, the peers on the EU Home Affairs sub-committee interviewed two government ministers, as well as the Information Commissioner. But their report concludes that they were “struck by the lack of detail on how the government plans to deliver this outcome”. It sounds depressingly familiar.

    Edited by Quentin Peel

    One Response to “Tech firms must obey EU data rules post Brexit”

    • This could actually be one of the biggest issues of Brexit. It doesn’t really matter what the tariffs are for a company wanting to sell into the EU. If they can’t legally enter details of the EU customer into their computer systems then they can’t sell at all.