This BEERG Brexit Blog is a special issue looking at critical data issues that have been recently highlighted, but which were also forecast here many months ago:
Speaking at the 28th Congress of the International Federation for European Law (FIDE) in Lisbon last weekend, the EU’s chief negotiator Michel Barnier devoted a considerable section of his speech to the impact of Brexit on data transfers between the EU and the UK, saying: “the UK must understand that the only possibility for the EU to protect personal data is through an adequacy decision”.
Here is that portion of M. Barnier’s speech – the BEERG analysis appears after it.
“The United Kingdom wants to leave. That is its decision. Not ours. And that has consequences. Allow me to give an example. The General Data Protection Regulation – GDPR – came into force yesterday. According to the United Kingdom’s position first presented – and published – this week on data protection:
The United Kingdom would like its supervisor to remain on the European Data Protection Board, created by the GDPR.
It wants to remain in the one-stop-shop.
It believes that this is in the interest of EU businesses.
But let’s be clear: Brexit is not, and never will be, in the interest of EU businesses. And it will especially run counter to the interests of our businesses if we abandon our decision-making autonomy. This autonomy allows us to set standards for the whole of the EU, but also to see these standards being replicated around the world.
This is the normative power of the Union, or what is often called “the Brussels effect.” And we cannot, and will not, share this decision-making autonomy with a third country, including a former Member State who does not want to be part of the same legal ecosystem as us. You are EU law experts, and you can see how the UK’s ideas pose real problems:
Who would launch an infringement against the United Kingdom in the case of misapplication of GDPR?
Who would ensure that the United Kingdom would update its data legislation every time the EU updates GDPR?
How can we ensure the uniform interpretation of the rules on data protection on both sides of the Channel?
The United Kingdom needs to face up to the reality of the European Union. It also needs to face up to the reality of Brexit. The United Kingdom decided to leave our harmonised system of decision-making and enforcement. It must respect the fact that the European Union will continue to work on the basis of this system, which has allowed us to build a single market, and which allows us to deepen our single market in response to new challenges.
And, as indicated in the European Council guidelines, the UK must understand that the only possibility for the EU to protect personal data is through an adequacy decision. It is one thing to be inside the Union, and another to be outside.”
In the week before Barnier delivered the above speech the UK had made a submission to the EU (here) asking for a deep and comprehensive UK/EU data protection agreement. The UK proposals can be summed up, as we did in our last BEERG Brexit Briefing (here), as follows:
Can we all pretend, and act, as if the UK has not left the EU? Can we have exactly the same arrangement on data flows as we have now? After Brexit, we won’t really be a third country, you know, not really, so can our data protection person still turn up at meetings of the European Data Protection Board? But, of course, we will be outside the jurisdiction of the European Court and so we will need our own procedures to resolve disputes.
The intent behind the UK’s proposals was made clear this week when, according to the Financial Times, the UK chancellor, Philip Hammond, told Silicon Valley executives that after the UK leaves the EU it was going to have to remain “closely aligned” with the rules, which came into force last week, to ensure that companies can still use the UK as a “lily pad” to serve the European market and exchange data freely with the EU.
That’s what Hammond may hope, but, as we make clear in this article, we don’t think this will happen. Or, at least, not as smoothly and frictionlessly as he hopes. While there has been a lot of attention focused on how the lack of agreement on a customs arrangement could see trucks backed up for kilometres on both sides of the Channel, the pile-up on the digital highway could be even more disruptive.
Why might Hammond be disappointed?
Because the above remarks of Michel Barnier, the EU’s chief Brexit negotiator, leave the reader in no doubt that there will be no special deal for the UK on data transfers after Brexit. As far as the EU is concerned, the UK will be just another third country, with no special entitlements just because it is a former member.
As Ivan Rogers, the UK’s former ambassador to the EU, said in his Dundee speech some weeks back:
There is no legal status of “being a third country which used to be a member and therefore can be treated radically better than other third countries”. There is no legal “half way in, half way out” option for either the Single Market or the Customs Union.
The Luxembourg prime minister Xavier Bettel put it more cuttingly:
“Before they [British] were in with a lot of opt-outs; now they are out and want a lot of opt-ins”.
Now, anyone who tells you how Brexit is going to work out is not to be trusted.
No one can know with any degree of certainty how the process is going to evolve. There are too many moving parts, too many players in the game. Anything can happen, and probably will. Unknown events will have an impact.
But, for the moment, let us work with what Barnier says, that the best the UK can hope for is an “adequacy” decision. Adequacy decisions are made unilaterally by the European Commission. They are not negotiated or agreed with the third country. The process involves:
- a proposal from the European Commission
- an opinion of the European Data Protection Board
- an approval from representatives of EU countries
- the adoption of the decision by the European Commissioners
At any time, the European Parliament and the Council may request the European Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the regulation. The effect of an adequacy decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary.
Will the UK get an adequacy decision?
The British government will make a big play out of the fact that it has fully implemented the EU’s GDPR and that, therefore, its rules are in line with EU rules. Which is true, but as we have pointed out before, there is a major snag. The Investigatory Powers Act, which came into force at the end of 2016, allows the U.K. government to monitor large batches of data, collect people’s browsing records and hack citizens’ phones and computers for security purposes.
EU law provides for exemptions from general data protection principles in matters of:
- national security and defence;
- the prevention, investigation, detection and prosecution of criminal offences;
- the protection of data subjects and the rights and freedom of others.
But these exemptions only apply to EU and EEA member states. They do not apply to “third countries”. There are many people in the EU governance system who regard the powers given to the UK security services, and other agencies, as far more intrusive than even those the US services have.
The UK’s position is not made any easier by reports such as this, which suggests that the UK “has been illegally copying classified personal information from a database reserved for members of the passport-free Schengen travel zone.”
So, to put it at its most blunt, there is no guarantee that the UK would get an adequacy decision from the EU post-Brexit.
Which is why the UK is so anxious to negotiate an agreement on the issue, rather than being dependent on a unilateral decision from the EU. But Barnier seems to be making it clear that the EU will not go beyond adequacy, will not cut a special deal for the UK. That being the case, businesses need to look at all contingencies, such as binding corporate rules and standard contractual arrangements. These could provide the only way to keep data flowing post Brexit.
These contingencies could be needed sooner rather than later. As of today, the UK has agreed a 21-month transition arrangement with the EU which, as Barnier puts it, will see the UK treated “as if it were a Member State, even if it is no longer part of our institutions, had been requested by the British government. It will give more time to administrations and businesses to prepare for the new relationship.” The proposed transition will end on December 31, 2020, some two and a half years from today.
But we are still very far from a legally-binding Withdrawal Agreement (WA) being signed.
Deal-breaking issues remain to be resolved: the Irish border question, the governance structures the WA will require, and the future trade relationship are nowhere near finalised. Given the political arithmetic in the UK parliament, it could all come crashing down. There might well be no WA and, therefore, no transition. Best to be prepared. While the cost of getting prepared may be high, it will be as nothing compared to the cost of not being prepared.
Whatever about data transfers to the UK post-Brexit, with or without a transition arrangement, one thing is clear from Barnier’s remarks. No matter what the future data deal, if any, the UK will be outside the EU’s legal framework and outside the “one-stop shop” regime.
That means that it will not be possible to have data controllers, as required by the GDPR, based in the UK. How could they be if the UK is outside the jurisdiction of the CJEU? If a business had been planning to run its European data control processes out of the UK, then it needs to think again.
Even if the UK does make it through to the transition arrangement, why set up a vital business process in the UK that you know has a maximum shelf life of some two and a half years? Better to decide where you want to be in the long term, get to know the data protection terrain in the country you choose and start building relationships with the data control authorities.
With each passing day it becomes clearer and clearer. Red lines have consequences. You can’t ask to be in the game if you continually make it clear that you will not respect the authority of the referee.