Data protection: what happens after Brexit?

Dr Aysem Diker Vanberg

How will data flow between the EU and a post-Brexit UK? According to Dr Aysem Diker Vanberg, data protection is a vital but often overlooked aspect of the Brexit negotiations.

“At this point, the only certainty is uncertainty,” says Dr Aysem Diker Vanberg, a Senior Lecturer in our Law School.

The topic of conversation is, unsurprisingly, Brexit. In May 2018, a comprehensive new data protection regime, known as GDPR, came into force across the EU. But how might regulations around data protection change after the UK has left the European Union?

As we spend more of our lives online, and we move into a world of internet-connected devices, it’s only natural that we should ask what data is being collected about us and what is being done with it. The recent scandal surrounding Cambridge Analytica and Facebook highlights the importance of a strong data protection regime.

The European Union claims to have some of the strongest data protection laws in the world, and the GDPR is meant to make those laws even stronger. However, for many governments, there is a balance to be struck between questions of personal privacy and national security – an issue which has caused tensions between the UK and the EU. Data protection might not be the most high-profile issue in the Brexit negotiations, but it raises some problematic issues for UK business.

"Should the UK’s data protection laws drift away from those of the EU, the impact on UK businesses [could be substantial]."

Aysem is an expert on data protection and EU law and has analysed the potential implications that different post-Brexit trade models will have on data protection in the UK.

Depending on what kind of trade deal the UK can achieve during the Brexit negotiations, the implications on data protection could be substantial. And should the UK’s data protection laws drift away from those of the EU, so could the impact on UK businesses.

Close to three-quarters of the UK’s economy is service-based, making the flow of data, and therefore data protection, vital to the UK’s international trade relationships. In 2015, the digital sector contributed £118 billion to the economy and employed over 1.4 million people. Without an effective data protection framework that allows data exchanges with the EU post-Brexit, UK businesses will struggle, and some may choose to leave the country.

Aysem has examined the possible implications on data protection if the UK chooses the EEA or Norway model, the Swiss model, the Canadian model, or the World Trade Organisation (WTO) model for its future trading relationship with the EU.

“The best option from a data protection point of view would be for the UK to remain part of the Single Market as a member of the European Economic Area, like Norway. This would mean staying compliant with the GDPR,” she says. “However, Single Market membership and other forms of soft Brexit don’t seem like viable options for the UK Government at the moment.”

Should the Government pursue a hard Brexit, the future of our data protection law is unclear. No matter which type of trade deal the UK ends up with, it’s going to need a decision from the European Commission, known as an adequacy decision, stating that our data protection laws are sufficiently robust to enable data sharing with the EU. EU regulators and EU courts have increasingly adopted a strict approach towards what constitutes 'adequate' data protection.

"Data protection is a great example of the significant complexity and consequences of Brexit relating to a just one area of law."

According to Aysem, any significant deviation from the GDPR will make the likelihood of achieving an adequacy decision far less likely. Even if the UK does secure an adequacy decision, it is under constant review and could be revoked at any time by the European Commission.

“If the EU Commission decides that the UK’s data protection laws post-Brexit are not up to the same standard as GDPR, it could be highly damaging for UK businesses trading with the EU, because they will be subject to two different sets of data protection regulations, putting them at a disadvantage against any other European company,” says Aysem. In this scenario, transfers of data from the EU Member States to the UK would require use of EU Standard Clauses, Binding Corporate Rules, relying on the businesses in the UK complying with approved Codes of Conduct or finally through certification mechanisms in conjunction with binding and enforceable commitments . These arrangements are likely to lead to costs and complexity for UK businesses. “The costs will be passed along to consumers,” Aysem adds.

Data protection is just one of the many complex issues raised by Brexit. “Everything around Brexit is unclear – no one can say with clarity what the future holds for data protection in the UK,” says Aysem. “It’s a great example of the significant complexity and consequences of Brexit relating to a just one area of law – there are solutions to these problems, but it will require a massive effort.”