Why has the flow of data become increasingly important for British business and what will happen to it after we leave the EU?
Data has dominated the headlines in 2018. Through the introduction of GDPR and the revelations surrounding Facebook/Cambridge Analytica, we are all paying a lot more attention to who can see our data, what they do with it and what steps we must take to protect it.
So, with an impeccable sense of timing, the IoD recently hosted an event at 116 Pall Mall that brought together six experts in the field of data as part of our Navigating Brexit series.
They provided unique and fascinating insights into what Britain’s exit from the EU could mean for the flow of data to and from the UK and the knock-on effect for British businesses from SMEs to large organisations.
In this summary, the panel explain why this is a subject that warrants significant attention and tackle the key issues around the UK’s best options that will allow businesses to exchange data with trading partners around the world after we cease to be part of the European Union…
Vicky Ford - Member of Parliament (MP) for Chelmsford
Vicky is also a member of the Science and Technology Select Committee, Chair of the All-Party Parliamentary Group for Information Communication and Technology, and Chair of the Conservative Backbench Policy Committee on Brexit.
Hosuk Lee-Makiyama - Director, European Centre for International Political Economy
Hosuk is a leading author on trade diplomacy, EU-Far East relations and the digital economy.
Giles Derrington - Head of Policy: Brexit, International and Economics, techUK
Giles is the Brexit lead at techUK, the association for tech companies in Britain. He works with members and policy makers across Whitehall.
Dominic Hallas - Executive Director, Coadec (The Coalition for a Digital Economy)
Coadec is an independent advocacy group that serves as the policy voice for Britain’s tech-led startups and scale-ups. Dominic previously worked in the Department for Exiting the European Union (DExEU) in the area of Diplomatic Strategy and managed Britain’s relationships with seven southern European states.
Rebecca Cousin - Partner, Slaughter and May
Rebecca advises on a broad range of corporate and commercial matters. Her corporate practice consists of advising clients on M&A transactions, both public and private, joint ventures, equity issues and long term commercial contracts.
Victoria Hewson - Institute of Economic Affairs
Victoria joined the IEA’s International Trade and Competition Unit in Spring 2018. She is a lawyer and practised for 12 years in the fields of technology and financial services.
Panel Chair: Allie Renison - Head of Europe and Trade, IoD
Allie represents the voice of IoD members on EU reform matters and helps to provide the link between business and Government on increasing international trade.
The Key Issues
What are data flows and why are they important?
Vicky Ford: Data is the oil behind the wheels of modern digital technology and keeping those data flows going backwards and forwards is key. The UK is home to 11.5% of the world’s data flows and three-quarters of that is between the UK and the rest of Europe. So, it’s vital for the rest of Europe that we maintain these flows.
Giles Derrington: The UK has traditionally been a very important place in international data flows. This is largely because we occupy this nice place between the US and the EU and most of the fibre optic cables that come into the EU from the US come in through the UK and we house data (from the EU) before it goes to the US. Some of the big American banks, for example, suck their data from the EU into the UK.
Rebecca Cousin: It’s important to understand your data flows. What data do you have, what you do with it and where you transfer it to. So, do you have employees in other countries? Do they have access to data? Are there third parties in other countries and where are they transferring to?
Dominic Hallas: I don’t know if data is the new oil, but it does drive the digital economy. So, it’s critical that we get a data deal right. But it’s also about being able to export to new markets. According to the latest DCMS figures, there are 220,000 digital businesses in the UK and every one of them relies on this data to drive their business.
Hosuk Lee-Makiyama: The internet allows people to trade across borders. The global e-commerce trade is equivalent to the GDP of the United Kingdom.
If the digital economy was a country, everyone would be trying to do a free trade deal with it and if they refused we would probably have to invade it!
Victoria Hewson: Data flows is an opportunity for the UK, particularly given the EU’s piecemeal approach to the Single Market. Restrictions on the flow of data are an increasingly important trade barrier.
What are the preferred circumstances that will allow UK businesses to continue transferring data without any disruption after we leave the EU?
Rebecca Cousin: The best way to transfer data outside of the EU is if the other country - which, in our case after Brexit, will be the UK - is considered to be an ‘EU-adequate privacy regime’ and it is the Commission who makes that determination. This applies to countries such as Switzerland and New Zealand. The US has a partial adequacy decision in place.
The UK government has said it is keen to have an adequacy decision and businesses have also said they are keen to have that decision because it takes away any requirement for them to do anything differently.
The government has also come up with an alternative known as ‘adequacy plus’. Currently, the ICO (Information Commissioner’s Office) has a seat at the table in Europe with the other regulators in formulating guidance and making decisions. Adequacy plus would see the ICO taking a greater role.
These things will fall away unless there is some bespoke agreement in place which is why the government has been keen to come up with something more than adequacy.
Dominic Hallas: We’re pleased that the Prime Minister has placed data flows high on the agenda. She said it was among the five pillars that are most important during the negotiations (with the EU). Broadly speaking we’re in agreement with adequacy. Let’s get this right and take it from there.
Hosuk Lee-Makiyama: Adequacy stands or falls with the service industry and the service industry stands or falls with the deep integration they have with the single market. Will the UK have adequacy? My answer is I don’t know but I can tell you what to look for.
What you are really looking for is equivalence. Adequate means okay. Equivalence is a mirror of what you are creating. You need to agree more than basic concepts.
What happens if we don’t get an adequacy agreement and how could it affect British businesses?
Rebecca Cousin: Other options include Model Clauses, which provide an adequate level of protection because you’ve agreed contractually to look after that data securely. This is the alternative option favoured by most businesses.
A further option is known as Binding Corporate Rules. There are limitations around this. This is where you have agreed contractually within a group of companies to provide protection for data transferred anywhere around the world.
These alternatives must be approved by privacy regulators and haven’t had much take up, especially when it comes to SMEs. You can ask for consent from the other business but, even if you manage that, it can be withdrawn. We advise against it because often it doesn’t work and it’s not a reliable system.
Giles Derrington: Bigger companies will have to use Binding Corporate Rules which are very expensive, very time-intensive and used solely intra-company. Frankly, these aren’t an option for most mid-tier companies.
Another alternative is Standard Contractual Clauses, which is currently subject to a legal challenge. This option doesn’t necessarily provide absolute certainty going forward either. Adequacy is the only game in town.
What are the possible barriers to securing an adequacy agreement?
Rebecca Cousin: You need a regime that is equivalent to the protection around the data in the rest of the EU. We’ve got GDPR and the government has been clear they will keep that legislation, so we will be starting at a point of complete alignment on privacy legislation.
This is a real plus. The UK also needs to decide if the EU is adequate. I can’t imagine any scenario where the UK is going to refuse that because we’d be cutting off our nose to spite our face. But this does cut both ways.
There are other countries that have adequacy decisions including Jersey, Guernsey and the Isle of Man. It would be a bit perverse if they get to have them and we don’t.
Where it becomes challenging from a UK perspective is that we have quite broad powers for the intelligence services. Nobody currently gets to question each other’s intelligence service rules but once you’re outside of the EU that comes into play.
Also, these decisions can take a long time. So, for the transition period, what we need is a temporary adequacy decision, so that there is time to work through a formal agreement.
Giles Derrington: It can take time to secure an adequacy agreement. India has been trying to get an adequacy agreement for ten years.
How much 'contingency planning' can be done at this stage by SMEs?
Rebecca Cousin: The problem is we don’t want to start doing stuff that we don’t have to do. We’ve told companies to keep a watching brief.
Dominic Hallas: The reality for start-ups is that contingency planning happens a week in advance. You can see in GDPR compliance people are flailing around to try and deal with that which is precisely why we need an adequacy agreement.
How do we access our data if we are using third parties?
Rebecca Cousin: You need to ask the outsourcers, they should know, and they should tell you. Most of them will have stock answers ready now. Work out what questions you need to ask and chase them up for the answers.
Could and should we have rejected GDPR?
Victoria Hewson: GDPR makes it tough to transfer data to a third country (one that lies outside of the EU) and that will have the effect of deterring business from using a partner in a third country. It will also deter service providers in a third country from offering their services into the EU because it increases their risk profile.
Given that we have around two-thirds of our services trade and half of our services exports outside of the EU, might we be better off adopting a more liberal approach both for global trading interests and for our domestic businesses who are struggling with GDPR? I’m not talking about an immediate reform or repeal and I’m not suggesting a deregulated free for all. Regulation of the digital economy is important for consumer confidence.
Clinging on to adequacy and aligning completely with the EU to cause as little disruption as possible shows a certain lack of ambition.
We should recognise that GDPR is not perfect - some would argue that it’s not even very good. Some aspects are anti-innovation and anti-competition and the question we should ask ourselves is can we regulate better than this?
Hosuk Lee-Makiyama: You can say every company that has a customer is affected by the GDPR. But will your local newsagent comply with GDPR? The standing joke would be unless your company rhymes with noodle or your e-commerce site is named after a major South American river you could sleep okay unless your customer complained.
Vicky Ford: In a world before Facebook and Cambridge Analytica maybe we could have gone back to the UK consumer and said, ‘maybe this is a bit too over-bearing and maybe we shouldn’t implement it’. But in a world post-Facebook/Cambridge Analytica I don’t think the consumer wants to see a watering down of data protection laws.
What happens next?
Vicky Ford: I spent eight years in the European Parliament and my experience of EU negotiations is that they always look incredibly complicated and difficult and impossible right up to the last minute when it gets to the wire and an agreement is somehow reached.
The (EU) negotiations with Japan are interesting. Adequacy doesn’t mean you have to have identical approaches. The Japanese strongly believe they have their own strong data and privacy protection law. If they can win that argument and if we don’t have to be identical to be adequate that might help with some of our ongoing discussions.
I don’t think we should go around saying we should have a more liberal approach. That could suggest to partners who we are going to do trade deals with that we don’t respect personal data. We need to be careful that we don’t give any concerns to any countries on the issue of data protection.
But it is clear that legislation will continue to evolve. There is a need to keep an eye on standards in the digital age.
Hosuk Lee-Makiyama: Adequacy is purely a political negotiation. It’s about give and take and very often more give than take.
What adequacy can do is allow you to transfer personal data out of your country, but it does not allow you to grab data from other countries. If you look at commercial agreements they’re about the latter and adequacy cannot do anything about that.
The Key Takeaways
Dominic Hallas: One of the cases that I make to the EU, and particularly to members of the European Parliament, is that the EU has set up a data protection regime and the UK has essentially imported it as part of our membership of the European Union. So, to say that we wouldn’t be compliant, and we wouldn’t get adequacy would damage the standing of that regime globally.
Giles Derrington: A lot of the work has been done with the UK government to get them into a place where they understand how important data flows are. But there is still a huge amount of work to be done across the 27 EU states.
One of the interesting things is that you talk to small businesses in the UK, even in the tech sector, who don’t understand how free-flowing data affects them, let alone somebody who is not involved in the Brexit process in somewhere like Estonia and it’s those companies who will have to put pressure on their governments to say ‘you have to look at this as a trade question as much as it is a data protection question.’
If you have business partners in other countries explaining how you trade data and how it flows with them it is incredibly valuable, because it is that which will drive the political discussion even if we get the legal part right.
The IoD View
Allie Renison: One of the things I picked up that was interesting which intersects on how the UK thinks not only about regulating data in the future but also its trade relations with the rest of the world is do we look at this and think everything we’ve signed up to precludes us from doing things in the future?
Does it always have to be black and white as some of the commentary makes it out to be? Will the EU push us into that space even if we don’t want to be? Or is there actually a way for the UK to maintain that nice space between the UK and the US going forward?
Stay tuned to the IoD’s Navigating Brexit hub for the latest Brexit developments as well as updates on our future Europe and trade events.