Introduction

In a previous blog post I outlined the contribution made by these sectors to the UK’s economy and discussed how the loss of passporting rights, access to the single market, and free movement of workers from EU member states could negatively impact these sectors and lead to an economically ruinous exit from the European Union.

This post considers the data protection implications of Brexit for the UK’s economy as many businesses and organisations generate and rely upon huge volumes of personal data in their operations (e.g. in the form of customer records, behavioural, profile and transactional data).  The personal data generated, and analysed is a hugely valuable economic asset – European Citizens’ data is predicted to be worth €1 trillion annually by 2020 by
the European Commission.’  Much of this personal data is transferred across national boundaries for processing and storage on servers in data centres, and, as a result, the UK hosts the largest data centre market in Europe, and the third largest in the world. 

History of UK Data Protection laws

The UK first introduced data protection legislation in 1984 in response to claims by the business community that the UK was losing cross border trade in personal data because it was a ‘data haven.’  For instance, in 1974, the Swedish Data Inspection Board blocked the export of personal data to the UK for the preparation of embossed health identity cards, citing the UK’s lack of legal protection as justification for the restrictions. (M. Adams, ‘Sweden prohibits sending data to UK,’ New Scientist, 17 April 1975, 133.) The politics and economic impact of such personal data transfer disputes led to calls for a supra-national data protection law to facilitate and manage cross-border data flows, and eventually led to the introduction of Directive 95/46/EC (hereafter ‘the Directive’). Each Member state has implemented the Directive’s provisions through the domestic implementing laws. In the UK, the Directive was implemented through the Data Protection Act 1998 (DPA 1998). However, although each member state transposed the Directive’s provisions into national laws, they did not do so uniformly, and this led to fragmented application and enforcement.  Indeed, the failure of member states to properly transpose the Directive was a key factor in the decision to replace it with a Regulation (as well as a concern that it was no longer fit for purpose due to changes in personal data processing technologies).  

The GDPR 2016/679

Regulation (EU) 2016/679  (hereafter ‘the GDPR 2016/679’) is scheduled to come into effect on 25th May 2018.  It will repeal and replace Directive 95/46/EC and will be directly applicable in the UK without the need for implementing domestic UK legislation.  Since it is highly likely that the UK will not have completed the ‘exit process’ by 25th May 2018, the UK Government will initially be obligated to amend the DPA 1998 to bring UK law in line with the requirements in the GDPR 2016/679.

However, withdrawal from the EU will afford the UK an opportunity to pause and reflect on the implications of seeking a trading relationship in which the UK would either be obliged to continue to give effect to the GDPR 2016/679, choose to do so voluntarily, or opt to
devise and implement their own data protection law. 

If the UK were to withdraw from the EU but join the European Free Trade Association (EFTA) whose current members, Iceland, Liechtenstein and Norway, and trade with the EU via the European Economic Area (EEA), then it would be obliged to continue to give effect to the GDPR 2016/679 as data protection has been harmonized within the internal market and is part of the EEA agreement (for further discussion see blog post by Olivia Tambou: Brexit or not Brexit: how the GDPR will apply to the UK).  However, the Government indicated in its White Paper that: “We will not be seeking membership of the Single Market, but will pursue instead a new strategic partnership with the EU, including an ambitious and comprehensive Free Trade Agreement and a new customs agreement,” so, at first glance, it appears that the UK will not be obliged to continue to give effect to the GDPR 2016/679
once it withdraws from the EU.  

Continuing compliance with the GDPR 2016/679?

Some (Including the Federation of Small Businesses) have suggested that the UK Government might introduce a data protection law that is less burdensome for small businesses,
and is more business-friendly in general.  Indeed, the Government has indicated an intention to “look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public,” suggesting that it might depart from the provisions in the GDPR 2016/679 in the future.  One might think that the introduction of less stringent data protection rules would make the UK more
attractive as a trading partner.  However, that would not necessarily be the case for the reasons set out below.

(1) Territorial reach of GDPR 2016/679

Firstly, irrespective of the trade deal negotiated, Article 3(1) of the GDPR 2016/679 will apply to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.  Furthermore, Art 3 (2) stipulates that it will apply to the processing of personal data by controllers and processors established outside the EU ‘if their processing is related to offering goods or services, including those provided free of charge, to EU individuals or to the monitoring of individuals’ behaviour within the EU/EEA countries.’ Given the extra-territorial reach of the GDPR 2016/679, having to comply with a separate UK data protection framework would represent an additional legal compliance burden for businesses operating on a transnational basis – one that would add to the cost of doing business in the UK and put UK businesses at an economic disadvantage.

(2) Minimisation of compliance costs

Secondly, the EU data protection framework (both Directive 95/46/EC and the forthcoming GDPR 2016/679) is regarded as “gold standard.” Indeed, ‘over half the countries in the world now have a data protection and/or privacy law, and most are strongly influenced by the European approach.’

Consequently, although the UK could adopt a different (lower) standard of data protection for internal UK and non-EU established business it is likely that the UK business
community would exert pressure on the UK government to implement data protection laws in the UK that provide an equivalent level of protection since complying with a separate, different, UK data protection framework would present an unwelcome additional compliance burden for businesses operating on a transnational basis.  A failure to do so could result in data transfers to the UK being blocked due to privacy and data protection
concerns (e.g. the Swedish health ID cards).  Indeed, countries such as Canada, Switzerland, have actively sought to implement ‘equivalent’ level of data protection law in their jurisdictions to facilitate personal data transfers and processing.

The Investigatory Powers Act 2016 – bar on an adequacy determination?  

This prompts the question whether, if the UK withdraws from the EU and EEA, but voluntarily chooses to align its data protection laws with those of the EU e.g. by retaining the provisions enacted in compliance with the GDPR 2016/679 prior to withdrawal, it will be successful in obtaining an ‘adequacy’ determination from the European Commission, thereby allowing it to process the personal data of EU and EEA citizens?

A positive adequacy determination cannot be predicted with certainty at this stage, as when assessing adequacy, the European Commission will no doubt consider provisions in the recently enacted Investigatory Powers Act 2016.  This legislation requires internet service providers to retain 12 months of subscriber and users browsing data and make it available to numerous Government bodies including the Food Standards Agency and Her Majesty’s Revenue & Customs (HMRC) for the purpose of fighting crime, with few opportunities for judicial oversight.  However, the preliminary reference ruling in the Joined cases cases Tele2 Sverige AB v Post-och telestyrelsen and Secretary of State for the Home Department v Tom Watson, Peter Brice, Geoffrey Lewis (hereafter Tele 2 & Watson) determined that national legislation (in the UK, the Data Retention and Investigatory Powers Act (DRIPA) 2014) that contained substantially similar powers was illegal because EU law precludes ‘national
legislation governing the protection and security of traffic and location data and, in particular, access of the competent national authorities to the retained data, where the objective pursued by that access, in the context of fighting crime, is not restricted solely to fighting serious crime, where access is not subject to prior review by a court or an independent
administrative authority’ (para 134).

Although the Tele 2 & Watson decision was issued too late to influence the passage into law of the Investigatory Powers Act (IPA) 2016  – the successor to DRIPA 2014 (which lapsed at
the end of December 2016), it is clear from this ruling that aspects of the Investigatory Powers Act 2016 (such as the extension of data retention powers to internet connection records (i.e. site-level web browsing histories), the absence of a requirement to inform affected individuals of any orders made, and the absence of a requirement to keep the retained data within the European Union are likely to be challenged. Civil Liberties campaign groups, Liberty and Open Right Group (ORG) have both indicated an intention to bring legal
proceedings.  Pending revision (e.g. confining access to retained personal data to what is ‘strictly necessary’ for the purposes of combatting ‘serious crime’ and subject to appropriate privacy safeguards, including prior authorisation by a judge or other independent body), could bar the granting of an adequacy decision.

If an adequacy finding was not forthcoming, it would likely prejudice the UK from receiving
business from EU member states as UK established businesses would have to put arrangements in place in order to send personal data to the UK as a ‘third country’ such as reliance upon unambiguous consent, model clauses or binding corporate rules to effect data transfers (for more information see blog post by Olivia Tambou: How the GDPR rules will apply to the UK after the Brexit, part. 2). This would increase the regulatory burden and costs
of UK established businesses that process personal data of EU citizens since these approved mechanisms for lawfully transferring data add an additional administrative layer and vary between jurisdictions.

Conclusions

Irrespective of the trade deal the UK Government negotiates upon exit of the European Union, personal data is, and will remain, a key economic asset, and cross-border transfers of personal data will continue to underpin the UK’s economy. So, if the UK is to avoid
an economically ruinous Brexit strategy it will have to ensure that adequate data protection measures are in place to protect the personal data of European citizens.  

The easiest way to achieve this is to ensure that UK data protection law is fully compliant with provisions in the GDPR 2016/679.  Also, the UK Government should revise provisions in the Investigatory Powers Act 2016 to ensure compliance with the preliminary reference ruling in Tele 2 & Watson, since the absence of an adequate or equivalent level of data protection would impede cross-border personal data transfers, cause global business established in the UK to relocate and prompt them to reconsider future investment in the country; the antithesis of the White Paper’s objectives. 

Note: This blog post is adapted from a roundtable presentation “Data protection after Brexit” by Dr Karen Mc Cullagh at the Computers, Privacy and Data Protection Conference 2017.  For an in-depth critical evaluation of the various types of trade deals the UK might negotiate upon exit (with a particular focus on financial, digital and Fintech services) and the data protection implications of each trade model, see: Mc Cullagh, K. “Brexit: Potential Implications for Digital and ‘Fintech’ industries,” International Data Privacy Law, (2017) Vol 7, Iss.1. 

Following the outcome of the historic ‘Brexit’ referendum on 23rd June 2016 in which a majority of eligible voters in the UK voted to ‘Leave’ the European Union and the passage by both House of Parliament on 13th March 2017 of the EU (Notification of Withdrawal) Bill giving prime minister Theresa May the authority to trigger Article 50 of the Treaty of Lisbon, the United Kingdom is potentially on course to leave the European Union.

This blog post considers aspects of the Government’s White Paper with a particular focus on the potential implications for the financial services, digital technology, and Fintech sectors of the UK economy, and sets out factors that must be borne in mind if the Government is to avoid implementing an economically ruinous Brexit strategy.

Contribution of Financial Services, Digital and Fintech industries to the UK economy

The UK will undoubtedly want to maintain a trading relationship with the European Union upon exit as the European Union is the world’s largest trading bloc and the world’s largest trader of manufactured goods and services - in 2015, the UK exported £223 billion of goods and services to other EU member states, compared to £95.1 billion to the US

and £15.9 billion  to China.  Indeed, the service industries account for approximately 78% of the UK’s Gross Domestic Product (GDP), and within the services sector, financial services are key - accounting for circa 8% of the UK’s economic output and approximately

3.5% of employment, said Mark Carney, Governor of the Bank of England in a speech.  Relatedly, half of the world’s largest financial firms have their European headquarters in the UK and more foreign banks operate in the UK than any other country.

The financial services sector is supported by ‘Fintech’ industries, that is, companies that use technology to disrupt or make financial services more efficient.  The Fintech industries are a subsector of digital technology businesses which represent a further 10% of the UK’s services sector, the highest percentage of any G20 member; and employs 1.56million people. The sector had a turnover of £161bn in 2014 and is continuing to grow, with more than a third of European ‘unicorns,’ that is, privately owned ‘start-up’ technology firms worth over $1bn (including Asos, Hoopla, and Fintechs such as Transferwise and Funding Circle) currently based in the UK. London is home to 18 unicorns – more than double the number of the next closest country, Sweden, which is home to seven.

The UK’s ability to develop and sustain economic growth in the financial and digital technology sectors of the economy and allied Fintech industries will hinge on a number of inter-related factors outlined below.

Factors to consider: loss of access to the single market and highly skilled workers

The first factor is access to the internal (aka single) market in services.  At present, once a UK-based financial services provider such as a bank or insurance company is capitalised and regulated in the UK in accordance with EU-wide ‘passporting’ rules they can provide their services in any other EU or EEA country directly or through a branch without setting up a further capitalised and regulated subsidiary, allowing them to offer their services to
a population circa 500m instead of being limited to the UK population of circa 68m. On a positive note, the White paper contains a commitment by the Government to “prioritise securing the freest and most frictionless trade possible in goods and services between the UK and the EU.”  Passporting rights will be lost upon exit of the single market, so if the UK does not secure ‘mutual recognition’ or ‘extended equivalency’ rights during exit negotiations then it will be classed as a ‘third country’ with the effect that UK financial services
providers will have to set up a capitalised subsidiary within an EU or EEA country (as is the case with Swiss financial service providers) in order to provide services directly or through branches in the whole of the EU.  If that happens then banks and financial service providers might choose to move their place of establishment and associated jobs outside the UK (between 10,000 and 232,000 are reportedly under threat), thereby negatively impacting on the UK’s economy.

Another statement in the White paper that will undoubtedly concern the Digital and Fintech industries is: “We will not be seeking membership of the Single Market, but will pursue instead a new strategic partnership with the EU, including an ambitious and comprehensive Free Trade Agreement and a new customs agreement.” Opting for a ‘hard Brexit’ i.e. foregoing access to the single market will create uncertainty for the Digital and Fintech sectors – it will take time to negotiate the terms of a Free Trade Agreement and a customs union agreement.  It remains to be seen whether transitional arrangements will be agreed. It is likely that digital and Fintech industries will find it difficult to secure investment if they are unable to advise potential investors of the size of the market they will be permitted operate in. If these industries find that their ability to ‘scale up’ i.e. expand their customer base in other European member states is impeded or uncertain they may decide to relocate to other EU member states, removing jobs (approximately 60,000) and a growth revenue stream from the UK’s economy – indeed many are already exploring relocation opportunities.

A second factor is the ability of these industries to continue to recruit suitably skilled personnel as the UK suffers from a digital skills shortage - over 30% of the UK’s Fintech human capital drawn is from EU countries and beyond. At present, most (20.7%) are drawn from EU countries (with fewer (13.3%) being recruited from non-EU countries) because of the free movement of people within EU member states.  However, in the White Paper, the Government outlined an intention to curb immigration, and in particular, to end free movement of European Union nationals, opting instead to “…design our immigration system to ensure that we are able to control the numbers of people who come here from the EU.”(p 25)  Significantly, the government has not proposed a total ban on EU migration, pledging to “…understand the impacts on the different sectors of the economy and the labour market”(p.27). It remains to be seen what steps the UK government will take to ‘control’ immigration from EU countries. Evidently, if overly burdensome (i.e. costly and time consuming) visa requirements are imposed in respect of workers from EU member states it could negatively impact on firms’ ability to recruit suitably skilled workers.  If so, they may opt to relocate from the UK to EU member states where they would have greater freedom to grow their workforce to meet their agile expansion business models.

To sum up: Given their economic importance, avoiding major disruption of and job losses in the financial services, digital technology and Fintech industries should be a high priority in the Government’s negotiations on leaving the European Union.  Pursuing a ‘hard Brexit’ strategy that sacrifices access to the single market and freedom of movement of workers undoubtedly carries considerable economic risk.  The Government will have to tread a careful path to ensure that delivering the will of the people does not lead to an economically ruinous outcome, as the electorate will be quick to complain if it does.   

Note: This blog post originally appeared in Blogdroiteuropeen.  It has been updated and reproduced by permission. This blog post is adapted from a roundtable presentation “Data
protection after Brexit” by Dr Karen Mc Cullagh at the Computers, Privacy and Data Protection Conference 2017. Karen is a Lecturer in IT/IP/Media Law at UEA Law School.  For an in-depth critical evaluation of the various types of trade deals the UK might negotiate upon exit (with a particular focus on financial, digital and Fintech services) see: Mc Cullagh, K. “Brexit: Potential Implications for Digital and ‘Fintech’ industries,” International Data Privacy Law, (2017) Vol 7, Iss.1. 

The House of Lords EU Home Affairs Sub-Committee published its report: Brexit: the EU data protection package on 18th July 2017, having heard evidence from the Rt Hon. Matt Hancock MP (Minister of State for Digital and Culture, Department for Culture, Media and Sport at the time of giving evidence), Elizabeth Denham, UK Information Commissioner, and experts from academia, representatives from the Home Office and representatives from the digital technology sector and legal practice.

The committee heard evidence on four legislative measures, namely the General Data Protection Regulation (GDPR), the Police and Criminal Justice Directive (PCJ), the EU-US
Privacy Shield and the EU-US Umbrella Agreement, in order to advise on the options available to the Government for securing uninterrupted data flows between the UK and EU
after the UK leaves the EU.

The Government had already indicated in its White Paper on The United Kingdom’s exit from and new partnership with the European Union that it would “seek to maintain the stability
of data transfers between the EU, Member States and the UK” and the committee fleshed out a two-fold rationale for ensuring unhindered and uninterrupted cross-border data flows
between the UK and EU after the UK leaves the EU. The first is economic - trade in services accounts for 44% of the UK’s total global exports, and three quarters of the UK’s cross-border data flows are with EU Member States, so any arrangement that resulted in greater friction could present a non-tariff trade barrier that would put the UK at a competitive disadvantage. The second is policing/security - continued access to information and intelligence via cross-border flows of data is vital for UK law enforcement agencies.  

In his evidence, Mr Hancock, MP, testified that the UK will implement the GDPR in full
because the Government considers it a good piece of legislation and also because “we are keen to “secure the unhindered flow of data between the UK and the EU post-Brexit.”   However, the committee was critical of the lack of detail as to how the Government plans to deliver that outcome: “The Government must not only signal its commitment to unhindered and uninterrupted flows of data, but set out clearly, and as soon as possible, how it plans to deliver that outcome. We were struck by the lack of detail in the Government’s assurances thus far.”

The best way forward – an adequacy decision

The committee heard evidence on the merits of two ways in which unhindered data flows could be facilitated, namely: (1) Requiring individual data controllers and processors adopt their own compliant safeguards in the form of model clauses or binding corporate rules, or (2) Seeking an adequacy decision from the European Commission under Article 45 of the General Data Protection Regulation and Article 36 of the Police and Criminal Justice Directive that the UK provides an essentially equivalent standard of protection. The committee determined that the government should seek an adequacy decision from the EU because it would be the most comprehensive and “least burdensome” option for businesses and, in particular, it would offer more stability and certainty for smaller businesses who could not easily absorb the legal costs associated with drafting and obtaining approval for model clauses.

Adequacy hurdle: Investigatory Powers Act 2016

Given that the UK will have implemented the GDPR prior to exit one might expect data to flow unimpeded and uninterrupted post exit.  However, the UK will face a number of hurdles:

(1) Upon exit the UK will become a ‘third country’ for data protection purposes and it will have to seek an adequacy decision from the European Commission.  This will not be immediately forthcoming since it will require a review of the UK’s legal framework by the European Commission – which is a time consuming process.  It has taken other countries e.g. Canada & New Zealand years to obtain an adequacy decision.  Even if an adequacy decision could be issued quickly e.g. within a matter of months, the UK would face a ‘cliff edge’ on the day of exit unless a transitional arrangement is put in place as part of the withdrawal arrangements.

(2) When considering an adequacy decision, the European Commission will look at the UK’s data protection framework in the round, including national security legislation.  The UK will no longer be able to rely on the national security exemption in the Treaty on the Functioning of the European Union that is currently engaged when the UK’s data retention and surveillance regime is tested before the Court of Justice of the European Union (CJEU).  Thus, the UK could find itself held to a higher standard as a third country than as a Member
State.  The UK is likely to struggle to obtain an adequacy decision because of provisions in the Investigatory Powers Act 2016 that permit bulk personal data collection and bulk retention of meta data, as in a judgment regarding the UK’s Data Retention and Investigatory Powers Act 2014, (which contained similar provisions to those in its successor, the Investigatory Powers Act), the CJEU ruled that these measures were disproportionate and contravened individuals’ rights to privacy and data protection. Indeed, the UK Information Commissioner expressed concern that  “it seems likely that the UK’s surveillance and data retention regime would be a risk for a positive adequacy finding.” 

(3) Upon exit, the UK will no longer be party to Privacy Shield, which allows for the transfer of data between companies in the EU and US, or to a similar arrangement for law enforcement called the Umbrella Agreement. The UK will have to secure a fresh agreement with US authorities, and the committee warned that any suggestions that the UK would take “a lax approach” to onward data transfers to the US or elsewhere “would put [an] adequacy decision at risk”.

Overall effect: subject to continuing influence
whilst losing ability to influence

Despite prime minister Theresa May’s pronouncements that European courts will cease to
have influence after Brexit, the UK’s data protection laws will have to stay up to date with, and possibly change in response to developments at the EU level in order to ensure dynamic and ongoing adequacy.  The European Court of Justice (CJEU) is therefore going to continue to have an indirect effect on the way the UK’s data protection rules evolve.  Some have speculated that the UK might want, over time, to forge it’s own data protection
path.  The committee speculated that, “In the longer term, it is conceivable that an international treaty on data protection could emerge as the end product of greater coordination between data protection authorities in the world’s largest markets.” However, industry representatives such as Antony Walker of TechUK were quick to point out that digital technology businesses (and any business that processes personal data) operating on a cross-border basis will want legal frameworks to be as harmonized as possible to reduce compliance burdens.  He stressed that in the short-to-medium term the UK government would
do well to “remember the size of the UK market versus the size of the European market”, and the importance of the UK’s trading relationship with the EU to the UK’s economy, and the fact that non-EU countries often establish themselves in the UK for the purpose of trading with EU member states, so that “we will have to do [data protection] very much in partnership with the European Union, rather than simply boldly striking out by ourselves and hoping others will follow.”

Indeed, all those giving evidence to the committee stressed the importance of maintaining a good relationship with the EU and expressed concern that the UK might lose its ability to influence data protection law and policy in the EU when it becomes a third country and ceases to have a place on the European Data Protection Board.  To this end, the committee recommended that the UK government consider how best to replace those structures and platforms that have allowed it to influence EU rules on data protection and retention, and
suggested that “It should start by seeking to secure a continuing role for the Information Commissioner’s Office on the European Data Protection Board,” as part of the withdrawal agreement negotiated.

Conclusions: no clean break

Whilst it is not yet clear what the UK’s trading relationship with the EU will look like after exit, it is evident that there is no prospect of a clean break regarding data protection: the
extra-territorial reach of the GDPR means that the legal controls placed by the EU on transfers of personal data outside its territory will continue to apply post-exit when data is transferred from the EU to the UK, affecting UK businesses that process EU data.  The UK will have to ensure that its data protection laws closely mirror those of the EU to ensure uninterrupted and unhindered data flows. Undoubtedly, the need for essentially equivalent data protection and indirect influence by the CJEU will be a difficult and unpopular message for ardent Brexiteers [and Theresa May] to hear given their vociferous calls to restore legislative and judicial sovereignty.  However, it is abundantly clear that to do otherwise would result in interrupted data flows and serious harm to the UK’s economy – a cost it simply could not bear. 

This post was also published on the blog: INTERNATIONAL LAW @ UEA: VIEWS FROM THE BROADS