When all the votes were counted and it became clear that the citizens of the United Kingdom no longer wished to be part of the European Union, it set in motion a media frenzy. For many prominent journals this was the ideal time to announce the reappearance of the four modern horsemen of the apocalypse; recession, devaluation, terrorism and unemployment. However, the media driven panic seems to have died down, allowing more rational analysis of exactly what Brexit means to the global economy and what it means for those organisations across the globe that have a data driven business relationship with companies in the United Kingdom.
Why worry about Brexit?
A lot of the news reporting around Brexit focused on the human cost of the move by the United Kingdom – including the free movement of people, however there may be a more interesting, and potentially costly issue – the free movement of data and how data will be secured and treated in a post Brexit Europe.
For European companies and companies in Asia that have their head offices in the United Kingdom, as well as those companies that do business with organisations, based in the United Kingdom the divergence of that country in terms of data protection laws would have far reaching consequences.
Many experts have expressed some concern about the impact of Brexit as far as data security is concerned.
Chris Jeffery, Head of United Kingdom based IT, Telecoms and Competition at law firm Taylor Wessing, says: “The uncertainty as to whether the [United Kingdom] will be considered safe for data flows relating to citizens from the rest of Europe is causing concern, and making some companies consider whether data centre capacity in mainland Europe is the safer bet.”1
However, according to some industry pundits it’s not just European companies that should be concerned.
“As a part of the European Union, there is a general directive that all nations abide by a guide,” says Geeman Yip, CEO of cloud consultancy BitTitan. “Now that the [United kingdom] is not a part of the EU, the previous baseline directives that were adopted will change.”2
The potential for disruption is clear. The service-based industry in the United Kingdom means that anything from information technology development, to financial services would be affected by the United Kingdom moving away from the EU norms and procedures governing data protection and security.
The current situation
At the moment the United Kingdom has agreed to implement the recommendations of the EU’s GDPR (the General Data Protection Regulation) which will become reality for signatories in May of 2018.
So, why is Brexit a problem?
No Pan European Approach
The United Kingdom’s vote for exit may not eventually be a problem, however some experts believe that the country’s stance might signal challenges in the future. Eduardo Ustaran, a partner in global privacy and cybersecurity at Hogan Lovells is one of those who believes that Brexit could disrupt the smooth transition to a pan European approach to data security. “EU data protection law is all about the individual’s control of their own personal data. The United Kingdom sits somewhere between this viewpoint and that of the U.S., which is more focused on the accountability of businesses and government. I suspect that the U.K. will continue in this vein, though possibly leaning towards the U.S.’
The ‘Extraterritorial’ Effect
The challenge for companies doing business with the United Kingdom, or using data sourced from that country is the fact that EU rules are extraterritorial meaning that they will apply to the United Kingdom, as well as any other countries that want to do business with the countries in the EU. The effect of this on larger companies such as Microsoft or Google may not be that pronounced. Companies of this size have vast legal resources that will help them comply with parallel requirements if British regulation governing the use of data were to change. The challenge (if this is the case) will be for small businesses to comply, while still limiting the additional costs that would accompany such compliance.
So What Now?
The current situation is fluid to say the least, however there is simply no reason for companies doing business with the United Kingdom to panic (at least not yet).
There are two possible scenarios for the treatment of data by the United Kingdom regulators post Brexit. The first is that the United kingdom adopts a more laissez faire approach to privacy and data security – i.e. allowing businesses to be more self-regulating, as is the case in the United States. This might go some way to appeasing those who want to eliminate the masses of red tape that characterise the approach of the EU regulators in Brussels. The second scenario would see Britain continue to adhere to the GDPR, in which case companies from Asia to America will continue business as usual and everyone will breathe a sigh of relief.
Whatever path the United Kingdom takes it’s going to take some time to become completely clear and if there are new regulations they will take a significant amount of time to be drawn up, unveiled and the appropriate regulatory environment set in place. For this reason, the consensus seems to be that organisations across the globe should continue to ply their trade and treat data as if it was just another business day. What that means is that business should be concentrating in compliance with the EU data protection framework. It is extremely unlikely that the regulatory and legislative framework in the United Kingdom would (if it changes at all) stray too far from that which is being enforced in the EU.
That at least is the opinion of Geeman Yip from BitTitan who is on record as saying that “I anticipate [the United Kingdom will] structure their privacy and regulatory laws in a fashion similar to the EU.”
Rather than wholesale change it’s far more likely that the United Kingdom will become part of the European Economic Area (a la Norway) or have any new regulation and legislation declared ‘adequate’ in terms of the transfer of personal data – a classification that the European Union has extended to countries such as Switzerland and Canada. Once again in these two scenarios it’ll be business as usual.
The only impact that Brexit is having at the moment seems to be on the slowdown of data centre construction by U.S. companies in the United Kingdom as they adopt a ‘wait and see’ attitude. Given the centrality of the United Kingdom in the processing of data from the U.S. this is not surprising. For those in Asia and elsewhere – it’s just another day of preparation to comply with the requirements of the GDPR.
1 CNBC, ‘Data flows post-Brexit: The next big headache for business?’ 7 Jul 2016.
2 http://bankitasia.com/, ‘Why Brexit could cause data privacy headaches for US companies’, 29 June 2016.