Thursday 21 February 2019

Brexit: Where will you be when the data stops flowing out of the EU?

The EU will have a lot of work to do in relation to data-sharing after Brexit

Maria Farrell

When the UK leaves the EU, the legal basis for transferring personal data between the two goes too.

In theory, on March 30 next year any Irish consumer-facing organisation working with Northern Ireland or the rest of the UK must stop sending people's information there or risk significant fines. Will that really happen? Maybe, though not straight away.

EU citizens' data cannot legally be sent to "third countries" which lack our level of data protection. One way to keep the data flowing is if foreign states apply for an "adequacy finding" from the EU, which tests if the receiving country's data protection laws are up to scratch.

It takes months and involves the European Commission and a process of "comitology", which is just as painful as it sounds. It also needs deep legislative and regulatory groundwork to be laid by the applicant, something the UK does not currently excel at. Also, it cannot even begin until after the UK leaves the EU. By contrast, Japan is just about to secure an adequacy finding as part of its long-prepared EU trade deal.

You might think that as the UK has just enacted its General Data Protection Regulation (GDPR) law, it would easily pass the adequacy test. Unfortunately, the 2018 Data Protection Act is no guarantee of success. It is stuffed to the gills with carve-outs, including one that says the UK government won't fully protect the data of non-UK citizens in the country. Hardly the stuff to endear it to the EU Commission officials needed to kick the adequacy process off. (To guess how a government might like to treat citizens tomorrow, it's always revealing to see how it treats immigrants today.)

The other way to transfer EU citizens' data to third countries is for each organisation to put standard contractual clauses agreeing to uphold EU rules into customer contracts. The EU Data Protection Supervisor's office prefers this approach over adequacy, as it makes companies work on compliance. The UK's official advice, published on September 13, is for UK organisations to adopt model clauses.

After Brexit, the big tech firms whose business models are built on international data transfers will do just fine. They already have the operational systems and in-house lawyers to make it work.

A conservative estimate is that it costs a UK company about £10,000 (€11,000) to apply its own EU-acceptable contract clauses.

If you are an Irish company that sells, say, custom T-shirts to people in Northern Ireland, then you may experience what the UK government euphemistically calls "turbulence".

There is a third way, the 'data harbour' created for US firms to self-accredit as compliant. Max Schrems challenged this regime with an Irish case that went to the European Court of Justice (ECJ). He won. Why? The Snowden revelations showed that US firms freely share our data with their government and we, as customers, have no redress.

The UK is unlikely to be offered a data harbour arrangement, both because the whole idea is in crisis, post-Schrems, and because of the UK's insufficient surveillance oversight.

Which brings us to the contradiction at the heart of data-Brexit. While the UK remains a member of the EU and under the jurisdiction of the European Court of Justice, the EU must grudgingly accept Britain's unusually high level of state surveillance. But when that (fairly homeopathic) oversight goes away, the same practices become illegal, because EU citizens have no redress. That means Irish data transfers into Britain - and onward to the NSA in Maryland - must legally stop.

One of Theresa May's career goals is to bring the UK out of the European Court of Justice. Now she is within sight of achieving this, the cost to business of Britain's surveillance state, May's other great passion, is clear. The UK can "take back control" or it can maintain the data-transfers the digital economy depends on. It can't do both.

Maria Farrell is a tech policy consultant and writer. She is a speaker at Dublin Information Sec 2018, Ireland's cyber-security conference which takes place on October 15 at Dublin's RDS. Dublin Information Sec is an INM event. For tickets and more information, go to https://events.inm.ie/dublin-information-sec-2018

Sunday Indo Business
