Small businesses face substantial costs for legal compliance and major blow to its operations unless the UK is able to achieve adequacy decision from the EU regarding the nation’s level of data protection.
As the UK reaches the end of its Brexit transition on 31st December 2020, the legal basis for transferring data across from the EU changes. Businesses are predicted to experience a significant loss if the UK does not receive an adequacy decision from the EU. An adequacy agreement is not guaranteed and would mean that companies do not have to comply with additional administrative and regulatory obligations and the costs associated with it. To be granted an adequacy decision, the UK would have to prove that it possesses adequate levels of data protection, particularly regarding national security, surveillance, and human rights frameworks, and finalise a comprehensive partnership agreement with the EU.
The cost is rooted in the additional legal obligations imposed on companies that wish to continue transferring data from the EU to the UK. In the event of a no adequacy decision, the average cost for compliance is estimated between £3,000 and £162,790, depending on the size of the business. Data adequacy decisions are granted where the EU certifies that a country has sufficient levels of data protection, which are essential enablers for business operations, including e-commerce activities.
With the combination of a potential no-deal Brexit to the current COVID-19 pandemic, businesses and the economy can barely afford the additional cost and risks that follow. The UK government has expressed its disapproval in imposing additional regulations or administrative burdens on data transfer from the UK to the EU, but has indicated their intention to depart from the General Data Protection Regulation (GDPR) and sign a free trade agreement (FTA) with the US, which could commit the UK to unrestricted data transfers between the two nations. This has caused some doubt of the UK’s dedication to EU data policies, particularly following the judgement given in the Court of Justice of the European Union (CJEU) invalidating data-sharing arrangements between the EU and the US and outlining rigorous prerequisites for future adequacy decisions and data transfer procedures.
The European Commission tends to be pragmatic in maintaining a free flow of data with key economic partners. It has granted two partial adequacy decisions for the US, despite their lack of federal data protection legislation. The UK’s Information Commissioner’s Office (ICO) is also well respected in the EU, and it is not within the EU’s desire to disrupt the economy for EU companies in the UK merely due to a lack of an adequacy decision. Despite all of this, if granted adequacy, there is a possibility the decision will be challenged in court. UCL’s European Institute iterates the need for an adequacy decision, particularly in the midst of a global pandemic, as businesses will suffer additional costs of legal compliance, depriving them of essential resources and investments in technology, staff, and research required during this critical time.
Several UK government decisions have raised issues regarding the adequacy decision. Mainly the UK’s Investigatory Powers Act 2016, which permits a broad interception of communications and equipment interference. The Act may conflict with the EU Charter of Fundamental Rights, and according to a recent ruling in the CJEU, elements of the surveillance regulations of EU member states must comply with EU fundamental rights. Although this does not deem the UK unlawful, it raises the bar for an adequacy decision to be granted and may be used in the assessment of the UK’s standards.
Boris Johnson has also confirmed to Parliament that the UK will seek to develop independent policies regarding data protection and their desire to depart from the GDPR, causing further doubt of the UK’s future relationship with the EU. The European Data Protection Supervisor noted that any substantial departure from the EU’s legal framework surrounding data protection that would lead to lower levels of protection is considered a vital aspect in the adequacy assessment. The wider political process of Brexit has a major role in the adequacy decision. If negotiations do not go well, adequacy is highly unlikely.
The probability of an adequacy decision is likely to be undermined by the UK’s potential unrestricted data agreement with the US. If the UK government decides to substantially liberalise the transfer of data in any future trade agreement, it will likely be taken into consideration in the overall assessment of the UK’s standards of protection, according to the European Data Protection Supervisor. The UK risks achieving an adequacy decision if its perceived to be a centre for unrestricted ‘onward transfers’ to the US, as the EU is particularly sceptical about the UK’s ability to ensure continuity of protection from onward transfers of data to third countries. The CJEU judgment in Schrems II provides that the US state surveillance powers did not comply with EU law, and combined with the lack of legal reparations for affected individuals; the Privacy Shield was deemed inadequate in protecting the personal data of EU citizens.
A no adequacy decision is undoubtedly going to cause a wider, negative impact on international data transfer between the UK and the EU. Due to the increased compliance costs and risk of GDPR fines, the reduction in digital trade is highly probable. This could, in turn, impact the cost-benefit analysis of investors and businesses’ decisions to relocate business activities, infrastructure, or personnel. The relationship between British firms and EU businesses are likely to be exacerbated as well due to the cost associated with compliance. It is expected that EU firms will have to set up new data transfer mechanisms that comply with data transfer rules. A technology business leader stated, “Over time, EU companies will prefer to keep data in Europe”. EU firms will seek lower costs from British businesses and demand higher prices in the transfer of data, having a negative impact on the UK’s economy and data centre sector.
EU-UK digital trade and data transfer is crucial for the economy, as reports show that personal data-enabled services worth approximately £42 billion were imported to the UK from the EU, and £85 billion were exported from the UK to the EU. Financial services exports are likely be 60% lower, while business services including law, accountancy, and professional services are likely to be 10% lower. Being the second-largest services trading partner with the EU after the US, even a fraction of the exports lost could amount to billions of pounds. It is probable that a substantial part of that would be replaced with trade relationships with the US and other non-EU nations. The UK government has estimated a 0.07%-0.16% increase in the UK’s GDP if the UK succeeds in securing a sufficient free trade agreement with the US. This is equivalent to £1.6 billion, or £3.4 billion compared to 2018.
The impact would, unfortunately, be a major burden on start-up businesses and small-to-medium enterprises that lack adequate resources to combat the difficulties. A survey conducted by Deloitte of Indian businesses shows that a no adequacy decision would cause the outsourcing sector dealing with the EU to concentrate around large companies, as smaller businesses are incapable of handling the costs of compliance.
It is expected that due to the rise in costs and regulatory enforcement, the UK will be a less attractive investment destination, restricting the investment capacity of UK-based firms. Companies most at risk are those looking to use the UK as a hub to provide products and services to the EU. New data centres are estimated to contribute between £397 million and £436 million GVA per year to the British economy. The reason being that the UK has been in high-demand for inward investors, particularly as a gateway to the European market.
It is not too late for the UK to divert its focus on achieving an adequacy decision, to avoid negative repercussions to the economy. While it is desirable that the UK government works towards securing an adequacy decision, the report released by UCL’s European Institute has suggested transparency of relevant data to improve the research on the impacts of data protection and digital trade, supporting and guiding businesses to manage the substantial cost of complying with EU data transfer rules post-Brexit, in the event that an adequacy decision is not granted.