There is a danger the UK could be headed for a data sharing cliff edge in the financial services industry in the event of a hard Brexit, the House of Lords European Union financial affairs sub-committee was told today.
Simon Gleeson of Law firm Clifford Chance — who specialises in banking and financial regulation — warned UK financial services companies could struggle to smoothly to move data across borders after the UK quits the EU in a little under a year’s time.
Timeline for Brexit
- September 10, 2019
The UK is currently locked in negotiations with the EU over Brexit but there remain a number of sticking points that could derail the process, including the hard border with Northern Ireland and the UK’s place in the EU’s customs union.
It’s feared by some Tories — including Jacob Rees-Mogg who has emerged as the champion of a hard Brexit — that one of these hurdles could prevent the UK from doing a deal with the EU.
As part of the Brexit negotiations the UK is trying to reach an agreement with the EU in so-called adequacy determination — which allows the flow of personal data from the EU to third countries without further safeguards.
“If there is a breakdown with no adequacy determination then I think it is generally reckoned that it will be somewhere between very difficult and impossible to reconfigure the existing arrangements within that time frame,” he said.
UK Prime Minister Theresa May in March said she wants “more than just an adequacy agreement” when it comes to data sharing with the EU.
Meanwhile, Ian Walden, professor of information and communications law at Queen Mary University, told the House of Lords committee an adequacy agreement would still be dependant on EU member country’s national authorities.
“If you have an aggressive regulator then there could be a problem, but I would hope that if we could remove the political angle then there shouldn’t need to be a cliff edge,” he said.
Walden also said that a potential data sharing crisis between the EU and the US was averted at the last minute, suggesting a deal would be possible.
“That was a potential cliff edge moment but of course we didn’t see that realised,” Walden said.
In 2016 the EU and the US reached an agreement over the framework governing data transfers between the two regions.
The State of Technology This Week
The new agreement was renamed the EU-US Privacy Shield (from Safe Harbour previously) and placed stronger obligations on the US to better protect the data of European citizens.
However, Rosemary Jay of law firm Hunton Andrews Kurth said the incoming GDPR (General Data Protection Regulation) laws could make things more difficult.
“One of the things that the GDPR does is to give individuals significantly increased rights and powers, including a representative action provision and that is not within the gift necessarily of regulators,” she said.
GDPR will come into force this Friday 25 May and companies have been scrambling to make sure their abiding by the rules or they risk hefty fines.
However, the finer points of an adequacy agreement will revolve around the so-called onward transfer of data than can identify someone from the recipient to a third party.
Data that can identify someone being transferred from an organisation in France to the US, for example, would constitute an onward transfer of data.
“A transition to an adequacy agreement without a satisfactory third country onward transmission arrangement by the UK would still be an enormous amount of work and would still place significant stresses on the industry,” said Gleeson.
He warned that without a hard deadline, negotiations could take years to negotiate and that they are “significantly resource consuming within the organisation doing the negotiation”.
Jay added that two years would “not be sufficient”.