The Impact of Brexit on the Technology Sector
We see two key issues that arise for technology and internet services companies as a result of Brexit:
- It is likely that, despite Brexit, the UK will need to comply with EU data protection laws; and
- The transfer of data from EU member states to the UK will likely become more complicated.
Likely need for continuing compliance with the EU data protection laws by the UK
The UK’s data protection laws, which are primarily set out in the UK Data Protection Act 1998, derive from EU law. It is possible that the UK may seek to use Brexit as an opportunity to repeal or significantly amend the UK Data Protection Act. This agenda may get additional impetus from the recently adopted General Data Protection Regulation (“GDPR”). The GDPR will come into force on 25 May 2018 and will significantly toughen data protection rules in the EU.
The UK may consider taking advantage of Brexit to loosen data protection standards, and not to adopt the GDPR, so as to place UK businesses at a competitive advantage compared to companies located in other EU member states. However, on balance, we think it is most likely that the UK will retain EU data protection law, including the high standards contained in the GDPR. This is primarily because:
- The GDPR is a “text with EEA relevance” so, if the UK wants to join the European Economic Area, it will need to adopt the GDPR.
- UK businesses that deal with other EU countries will still need to comply with the GDPR. This stems from the GDPR’s expansive scope. The GDPR will apply to companies based outside the EU that offer goods or services to individuals located in the EU.
- If the UK seeks an EU Commission adequacy decision to get over the data transfer issues discussed below, it will need to comply with the GDPR.
Data transfer complications
If the UK does not join the European Economic Area, serious issues will arise with respect to the free flow of data between the EU and the UK.
EU data protection law prohibits transfers to countries that do not provide an “adequate” level of protection for personal data. Only a handful of countries are recognised as meeting this standard - Canada, New Zealand and Israel among them. This means that transfers of personal data between the EU and the UK could be presumptively unlawful and may only take place if certain derogations apply. This could include, for example, the use of EU Commission approved model contractual clauses.
However, international data transfers are a fraught area at present. The Irish Data Protection Commissioner recently commenced proceedings in the High Court seeking a referral to the CJEU and a declaration that model contractual clauses are themselves in breach of EU law, at least where used for transfers to the US. Litigation of this sort may make it more challenging to address data transfers between the EU and the UK.
If the UK does not join the EEA, it may ask the Commission to issue a decision finding that UK law is “adequate” for the purposes of international data transfers. However, this could give rise to three sets of difficulties.
- First, such an adequacy decision could only be forthcoming if UK law was “essentially equivalent” to EU data protection law. This means that the UK would have to adopt the GDPR.
- Second, it is far from clear that there would be a political will to issue such an adequacy decision (which must be approved by member state representatives via qualified majority voting).
- Third, certain MEPs have already come out and said that they will campaign against the UK getting an adequacy decision as a result of its national security laws and online surveillance practices.
If you have any questions on the impact of Brexit on the Technology Sector, please contact Philip Nolan, who leads our Technology, Media and Communications Team and the Privacy and Data Security Team, or our Managing Partner, Declan Black.