Forget Brexit's much-discussed impact on the free movement of people. Leaving the EU could impede the U.K.'s free movement of data to and from the continent, negatively impacting businesses.
This stems from the U.K. and EU's potential divergence in data protection laws post-Brexit. Chris Jeffery, Head of UK IT, Telecoms and Competition at law firm Taylor Wessing, says: "The uncertainty as to whether the U.K. will be considered safe for data flows relating to citizens from the rest of Europe is causing concern, and making some companies consider whether data center capacity in mainland Europe is the safer bet."
Antony Walker, deputy CEO of industry body techUK, explains why this is significant, saying, "The U.K.'s service-based economy means that the transfer of data across borders is fundamental, affecting industries from automotives – which includes the development of driverless cars – to financial services."
As it stands, the U.K. has agreed to implement the EU's General Data Protection Regulation (GDPR), which will come into effect in May 2018. The primary goals of the GDPR are to allow citizens to regain control of their personal data, and cut red tape for international businesses by making rules uniform within the 28-nation bloc. Whilst businesses are currently preparing for GDPR, their work may be undone in the future. Eduardo Ustaran, a partner in global privacy and cybersecurity at Hogan Lovells, says: "EU data protection law is all about the individual's control of their own personal data. The U.K. sits somewhere between this viewpoint and that of the U.S., which is more focused on the accountability of businesses and government. I suspect that the U.K. will continue in this vein, though possibly leaning towards the U.S.' approach."
Silicon Valley's technology giants like Facebook and Google must comply with GDPR and any further changes to U.K. law, though this may be less of an issue considering that these companies are likely to have the legal resources to deal with change more efficiently than their smaller counterparts.
"But, there are several nuances to compliance with the new regulations, one of which is technical," explained Martin Garner of analysis firm CCS Insight.
"Technology companies sometimes employ the technique of 'sharding,' which means that bits of data are spread in little slices over several data centers, possibly across regions, so that it exists both everywhere and nowhere at the same time."
Garner adds: "I'm sure that the big industry players have worked out how to do this, while also complying with EU data laws – but this may be less true for some of the smaller players."
Brexit's threat to cross-border data transfer will have a wider-reaching impact than it may initially appear. As Ustaran explains, "EU law has an extraterritorial effect, so if a U.K. business is targeting people in the EU or tracking them on the internet, it will still be subject to EU data protection law, even if the U.K. is no longer a member."
A data sharing option for a post-Brexit U.K. could resemble Privacy Shield, a pact struck between the EU and the U.S. earlier this year intended to protect European citizens from mass surveillance. This might mean amendments to the U.K.'s Investigatory Powers Bill – also known as the Snoopers' Charter – which regulates the role of British security services and police in accessing domestic citizens' data. Chatham House, in a report published this March, cast doubt on the likelihood of such a compromise, saying: "A post-Brexit U.K. would be unlikely to meet the standards required for Privacy Shield status. This would prohibit cross border data transfers between U.K. and EU."
It has been argued that Brexit, in bringing about a reduction of EU red tape concerning data transfer, could provide a more business-friendly environment in the U.K. Jeffery highlights the example of the U.S., whose "largely self-regulatory approach in the online world is often cited as an element in the success of its track record in creating global social media and online businesses." But this might not be the case. By not complying with the EU, the U.K. will inhibit its access to a primary data stream.
"To secure the U.K.'s role in global data flows and as a place to start and grow digital businesses, most people expect that the country will need to align itself closely with the EU's GDPR. Even U.K.-only businesses will need to raise the bar significantly in terms of privacy compliance," Jeffery added.
In the meantime, Brexit's current lack of conclusions means that businesses will have to sit tight. Ustaran advises that "common sense suggests that businesses should continue to focus on ensuring compliance with the EU data protection framework, not least because it will still be applicable in the U.K. for the foreseeable future." Jeffery speculates on the U.K.'s future position, suggesting that potential legislation post-Brexit reflects EU standards, enabling the free movement of data either by "being part of the European Economic Area in a Norway-style deal … or being declared an 'adequate' country for the purposes of the transfer of personal data like Switzerland, Canada and Israel."