Brexit data transfer gaps a risk for UK startups, MPs told
The uncertainty facing digital businesses as a result of Brexit was front and center during a committee session in the UK parliament today, with experts including the UK’s information commissioner responding to MPs’ questions about how and even whether data will continue to flow between the UK and the European Union once the country has departed the bloc — in just under a year’s time, per the current schedule.
The risks for UK startups vs tech giants were also flagged, with concerns voiced that larger businesses are better placed to weather Brexit-based uncertainty thanks to greater resources at their disposal to plug data transfer gaps resulting from the political upheaval.
Information commissioner Elizabeth Denham emphasized the overriding importance of the UK data protection bill being passed. Though that’s really just the baby step where the Brexit negotiations are concerned.
Parliamentarians have another vote on the bill this afternoon, during its third reading, and the legislative timetable is tight, given that the pan-EU General Data Protection Act (GDPR) takes direct effect on May 25 — and many provisions in the UK bill are intended to bring domestic law into line with that regulation, and complete implementation ahead of the EU deadline.
Despite the UK referendum vote to pull the country out of the EU, the government has committed to complying with GDPR — which ministers hope will lay a strong foundation for it to secure a future agreement with the EU that allows data to continue flowing, as is critical for business. Although what exactly that future data regime might be remains to be seen — and various scenarios were discussed during today’s hearing — hence there’s further operational uncertainty for businesses in the years ahead.
“Getting the data policy right is of critical importance both on the commercial side but also on the security and law enforcement side,” said Denham. “We need data to continue to flow and if we’re not part of the unified framework in the EU then we have to make sure that we’re focused and we’re robust about putting in place measures to ensure that data continues to flow appropriately, that it’s safeguarded and also that there is business certainty in advance of our exit from the EU.
“Data underpins everything that we do and it’s critically important.”
Another witness to the committee, James Mullock, a partner at law firm Bird & Bird, warned that the Brexit-shaped threat to UK-EU data flows could result in a situation akin to what happened after the long-standing Safe Harbor arrangement between the EU and the US was struck down in 2015 — leaving thousands of companies scrambling to put in place alternative data transfer mechanisms.
“If we have anything like that it would be extremely disruptive,” warned Mullock. “And it will, I think, be extremely off-putting in terms of businesses looking at where they will headquarter themselves in Europe. And therefore the long term prospects of attracting businesses from many of the sectors that this country supports so well.”
“Essentially what you’re doing is you’re putting the burden on business to find a legal agreement or a legal mechanism to agree data protection standards on an overseas recipient so all UK businesses that receive data from Europe will be having to sign these agreements or put in place these mechanisms to receive data from the European Union which is obviously one of our very major senders of data to this country,” he added of the alternative legal mechanisms fall-back scenario.
Another witness, Giles Derrington, head of Brexit policy for UK technology advocacy organization, TechUK, explained how the collapse of Safe Harbor had saddled businesses with major amounts of bureaucracy — and went on to suggest that a similar scenario befalling the UK as a result of Brexit could put domestic startups at a big disadvantage vs tech giants.
“We had a member company who had to put in place two million Standard Contractual Clauses over the space of a month or so [after Safe Harbor was struck down],” he told the committee. “The amount of cost, time, effort that took was very, very significant. That’s for a very large company.
“The other side of this is the alternatives are highly exclusionary — or could be highly exclusionary to smaller businesses. If you look at India for example, who have been trying to get an adequacy agreement with the EU for about ten years, what you’ve actually found now is a gap between those large multinationals, who can put in place binding corporate rules, standard contractual clauses, have the kind of capital to be able to do that — and it gives them an access to the European market which frankly most smaller businesses don’t have from India.
“We obviously wouldn’t want to see that in a UK tech sector which is an awful lot of startups, scale-ups, and is a key part of the ecosystem which makes the UK a tech hub within Europe.”
Denham made a similar point. “Binding corporate rules… might work for multinational companies [as an alternative data transfer mechanism] that have the ability to invest in that process,” she noted. “Codes of conduct and certification are other transfer mechanisms that could be used but there are very few codes of practice and certification mechanisms in place at this time. So, although that could be a future transfer mechanism… we don’t have codes and certifications that have been approved by authorities at this time.”
“I think it would be easier for multinational companies and large companies, rather than small businesses and certainly microbusinesses, that make up the lion’s share of business in the UK, especially in tech,” she added of the fall-back scenarios.
Giving another example of the scale of the potential bureaucracy nightmare, Stephen Hurley, head of Brexit planning and policy for UK ISP British Telecom, told the committee it has more than 18,000 suppliers. “If we were to put in place Standard Contractual Clauses it would be a subset of those suppliers but we’d have to identify where the flows of data would be coming from — in particular from the EU to the UK — and put in place those contractual clauses,” he said.
“The other problem with the contractual clauses is they’re a set form, they’re a precedent form that the Commission issues. And again that isn’t necessarily designed to deal with the modern ways of doing business — the way flows of data occurs in practice. So it’s quite a cumbersome process. And… [there’s] uncertainty as well, given they are currently under challenge before the European courts, a lot of companies now are already doing a sort of ‘belt and braces’ where even if you rely on Privacy Shield you’ll also put in place an alternative transfer mechanism to allow you to have a fall back in case one gets temporarily removed.”
A better post-Brexit scenario than every UK business having to do the bureaucratic and legal leg-work themselves would be the UK government securing a new data flow arrangement with the EU. Not least because, as Hurley mentioned, Standard Contractual Clauses are subject to a legal challenge, with legal question marks now extended to Privacy Shield too.
But what shape any such future UK-EU data transfer arrangement could take remains tbc.
The panel of witnesses agreed that personal data flows would be very unlikely to be housed within any future trade treaty between the UK and the EU. Rather data would need to live within a separate treaty or bespoke agreement, if indeed such a deal can be achieved.
Another possibility is for the UK to receive an adequacy decision from the EC — such as the Commission has granted to other third countries (like the US). But there was consensus on the panel that some form of bespoke data arrangement would be a superior outcome — for legal reasons but also for reciprocity and more.
Mullock’s view is a treaty would be preferable as it would be at lesser risk of a legal challenge. “I’m saying a treaty is preferable to a decision but we should take what we can get,” he said. “But a treaty is the ultimate standard to aim for.”
Denham agreed, underlining how an adequacy decision would be much more limiting. “I would say that a bespoke agreement or a treaty is preferable because that implies mutual recognition of each of our data protection frameworks,” she said. “It contains obligations on both sides, it would contain dispute mechanisms. If we look at an adequacy decision by the Commission that is a one-way decision judging the standard of UK law and the framework of UK law to be adequate according to the Commission and according to the Council. So an agreement would be preferable but it would have to be a standalone treaty or a standalone agreement that’s about data — and not integrate it into a trade agreement because of the fundamental rights element of data protection.”
Such a bespoke arrangement could also offer a route for the UK to negotiate and retain some role for her office within EU data protection regulation after Brexit.
Because as it stands, with the UK set to exit the EU next year — and even if an adequacy decision was secured — the ICO will lose its seat at the table at a time when EU privacy laws are setting the new global standard, thanks to GDPR.
“Unless a role for the ICO was negotiated through a bespoke agreement or a treaty there’s no way in law at present that we could participate in the one-stop shop [element of GDPR, which allows for EU DPAs to co-ordinate regulatory actions] — which would bring huge advantages to both sides and also to British businesses,” said Denham.
“At this time when the GDPR is in its infancy, participating in shaping and interpreting the law I think is really important. And the group of regulators that sit around the table at the EU are the most influential blocs of regulators — and if we’re outside of that group and we’re an observer we’re not going to have the kind of effect that we need to have with big tech companies. Because that’s all going to be decided by that group of regulators.”
“The European Data Protection Board will set the weather when it comes to standards for artificial intelligence, for technologies, for regulating big tech. So we will be a less influential regulator, we will continue to regulate the law and protect UK citizens as we do now, but we won’t be at the leading edge of interpreting the GDPR — and we won’t be bringing British values to that table if we’re not at the table,” she added.
Hurley also made the point that if the ICO is not inside the GDPR one-stop shop mechanism then UK companies will have to choose another data protection agency within the EU to act as their lead regulator — describing this as “again another burden which we want to avoid”.
The panel was asked about opportunities for domestic divergence on elements of GDPR once the UK is outside the EU. But no one saw much advantage to be eked out outside a regulatory regime that is now responsible for the de facto global standard for data protection.
“GDPR is by no means perfect and there are a number of issues that we have with it. Having said that because GDPR has global reach it is now effectively being seen as we have to comply with this at an international level by a number of our largest members, who are rolling it out worldwide — not just Europe-wide — so the opportunities for divergence are quite limited,” said Derrington. “Particularly actually in areas like AI. AI requires massive amounts of data sets. So you can’t do that just from a UK only data-set of 60 million people if you took everyone. You need more data than that.
“If you were to use European data, which most of them would, then that will require you to comply with GDPR. So actually even if you could do things which would make it easier for some of the AI processes to happen by doing so you’d be closing off your access to the data-sets — and so most of the companies I’ve spoken to… see GDPR as that’s what we’re going to have to comply with. We’d much rather it be one rule… and to be able to maintain access to [EU] data-sets rather than just applying dual standards when they’re going to have to meet GDPR anyway.”
He also noted that about two-thirds of TechUK members are small and medium sized businesses, adding: “A small business working in AI still needs massive amounts of data.
“From a tech sector perspective, considering whether data protection sits in the public consciousness now, actually don’t see there being much opportunity to change GDPR. I don’t think that’s necessarily where the centre of gravity amongst the public is — if you look at the data protection bill, as it went through both houses, most of the amendments to the bill were to go further, to strengthen data protection. So actually we don’t necessarily see this is idea that we will significantly walk back GDPR. And bear in mind that any company which are doing any work with the EU would have to comply with GDPR anyway.”
The possibility for legal challenges to any future UK-EU data arrangement were also discussed during the hearing, with Denham saying that scrutiny of the UK’s surveillance regime once it is outside the EU is inevitable — though she suggested the government will be able to win over critics if it can fully articulate its oversight regime.
“Whether the UK proceeds with an adequacy assessment or whether we go down the road of looking at a bespoke agreement or a treaty we know, as we’ve seen with the Privacy Shield, that there will be scrutiny of our intelligence services and the collection, use and retention of data. So we can expect that,” she said, before arguing the UK has a “good story” to tell on that front — having recently reworked its domestic surveillance framework and included accepting the need to make amendments to the law following legal challenges.
“Accountability, transparency and oversight of our intelligence service needs to be explained and discussed to our [EU] colleagues but there is no doubt that it will come under scrutiny — and my office was part of the most recent assessment of the Privacy Shield. And looking at the US regime. So we’re well aware of the kind of questions that are going to be asked — including our arrangement with the Five Eyes, so we have to be ready for that,” she added.