An analysis of the total cost to UK businesses if the country fails to gain an adequacy agreement from the European Commission once it leaves the bloc at the end of the year — creating barriers to inbound data flows from the EU — suggests the price in pure compliance terms could be between £1BN and £1.6BN.
The assessment of the economic impacts if the UK is deemed a third country under EU data rules has been carried out by the New Economics Foundation (NEF) think tank and UCL’s European Institute research hub — with the researchers conducting interviews with over 60 legal professionals, data protection officers, business representatives, and academics, from the UK and EU.
They estimate that the average compliance cost will be £3,000 for an affected micro business; £10,000 for a small business; £19,555 for a medium business; and £162,790 for a large business.
“This extra cost stems from the additional compliance obligations – such as setting up standard contractual clauses (SCCs) – on companies that want to continue transferring data from the EU to the UK,” they write in the report. “We believe our modelling is a relatively conservative estimate as it is underpinned by moderate assumptions about the firm-level cost and number of companies affected.”
An adequacy agreement refers to a status that can be conferred on a country outside the European Economic Area (as the UK will be once the Brexit transition is over) — if the EU’s executive deems the levels of data protection in the country are essentially equivalent to what’s provided by European law.
The UK has said it wants to gain an adequacy agreement with the EU as it works on implementing the 2016 referendum vote to leave the bloc. But there are doubts over its chances of obtaining the coveted status — not least because of surveillance powers enshrined in UK law since the 2013 Snowden disclosures (which revealed the extent of Western governments’ snooping on digital data flows).
Broad powers that sanction UK state agencies’ digital surveillance have faced a number of legal challenges under UK and EU law.
The government has also signalled an intention to ‘liberalize’ domestic data laws as it leaves the EU — writing in a national data strategy published in September that it wants to ensure data is not “inappropriately constrained” by regulations “so that it can be used to its full potential”.
But any moves to denude the UK’s data protection standards risk an ‘inadequate’ finding by the Commission.
Europe’s top court, meanwhile, has set a clear line that governments cannot use national security to bypass general principles of EU law, such as proportionality and respect for privacy.
Another major — and highly pertinent — ruling by the CJEU this summer invalidated an adequacy status the Commission had previously conferred on the US, striking down the EU-US Privacy Shield transatlantic data transfer mechanism. It does not bode well for the UK’s chances of adequacy.
The court also made it clear that the most used alternative for international transfers (a legal tool called Standard Contractual Clauses, aka SCCs) must face proactive scrutiny from EU regulators when data is flowing to third countries where citizens’ information could be at risk.
The thousands of companies that had been relying on Privacy Shield to rubberstamp their EU to US data flows are now scrambling for alternatives on a case by case basis — with vastly inflated legal risk, complexity and administration requirements.
The same may be true in very short order for scores of UK-based data controllers that want to continue being able to receive inbound data flows from users in the EU after the end of the Brexit transition.
Earlier this month the European Data Protection Board (EDPB) put out 38 pages of guidance for those trying to navigate new legal uncertainty around SCCs — in which it warned there may be situations where no supplementary measures will suffice to ensure adequate protection for a specific transfer.
The solution in such a case might require relocation of the data processing to a site within the EU, the EDPB said.
“Although the UK has high standards of data protection via the Data Protection Act 2018, which enacted the General Data Protection Regulation (GDPR) in UK law, an EU adequacy decision is not guaranteed,” the NEF/UCL report warns. “Potential EU concerns with UK national security, surveillance and human rights frameworks, as well as a future trade deal with the US, render adequacy uncertain. Furthermore, EU-UK data flows are at the whim of the wider Brexit process and negotiations.”
Per their analysis, if the UK does not get an adequacy decision it will face an increased risk of GDPR fines due to increased compliance requirements.
The General Data Protection Regulation sanctions financial penalties for violations of the framework that can scale up to 4% of an entity’s global annual turnover or €20M, whichever is greater.
The report also predicts a reduction in EU-UK trade, especially digital trade; reduced investment (both domestic and international); and the relocation of business functions, infrastructure, and personnel outside the UK.
The researchers argue that more research is needed to support a wider macroeconomic assessment of the value of data flows and adequacy decisions — saying there’s a paucity of research on “the value of data flows and adequacy decisions in general” — before adding: “EU-UK data flows are a crucial enabler for thousands of businesses. These flows underpin core business operations and activities which add significant value. This is not just a digital tech sector issue – the whole economy relies on data flows.”
The report makes a number of recommendations — including urging the UK government to make “relevant data and modelling tools” available to support empirical research on the social and economic impacts of data protection, digital trade, and the value of data flows to help shape better public policy and debate.
It also calls for the government to set aside funds for struggling UK SMEs to help them with the costs of complying with Brexit’s legal data burden.
“Our report concludes that no adequacy decision has the potential to be a contributing factor which undermines the competitiveness of key UK services and digital technology sectors, which have performed extremely strongly in recent years. Although we do not want to exaggerate the impacts — and no adequacy decision is far from economic armageddon — this outcome would not be ideal,” they add.
You can read the full report here.