Post-Brexit EU data sharing in jeopardy over UK privacy concerns

By Lucy Ingham

Data sharing between the UK and the EU is at serious risk post-Brexit as the trading bloc is likely to regard the UK as being as bad as the US when it comes to privacy issues, a law firm has warned.

According to Conexus Law, there is a “strong possibility” that the EU will consider the UK not to have an “adequate data protection regime” required under GDPR, meaning that it will need to develop an alternative data transfer methodology.

However, attempts to do this with the US have repeatedly failed, with the latest approach, Privacy Shield, struck down by the European Court of Justice in July over concerns that it did not adequately protect EU citizens from US government surveillance.

And given the UK’s track record on such matters, similar concerns could plague data sharing with the UK.

“The UK’s use of mass surveillance techniques, our Investigatory Powers Act, and our membership of the Five Eyes intelligence sharing community has raised particular concerns with the EU – especially in relation to the sharing of data with the US, and even more so given the recent Schrems II decision on the Privacy Shield scheme,” said Ed Cooke, founder at Conexus Law.

“What is clear is that once a decision has been made then companies will need to move quickly to ensure they are not severely impacted.”

Companies urged to begin preparing for post-Brexit UK-EU data sharing

Given the uncertainty, made worse by growing fears of a no-deal Brexit, Conexus Law has advised companies to begin preparing for the issue now.

If the UK and EU are unable to reach an agreement, companies may have to reach for options such as Standard Contractual Clauses or binding, company-specific corporate rules. Simply getting consent from users to handle data is not expected to be adequate.

“Each of these options has its challenges, with consent generally viewed to be unworkable as it can be revoked at any time,” said Cooke.

“Standard Contractual Clauses were upheld in the ECJ in its judgment on Privacy Shield, but the judges did cast some doubt on whether or not these offer suitable protection in all cases without businesses adopting further practical measures such as encryption, to ensure the protection of personal data.”

Companies are also advised to conduct a full audit of the personal data they collect and how and where it is handled and stored, including back-ups. The proliferation of cloud services adds to this challenge, as many of the servers behind these services are located throughout the world.
