The European Union (EU) is preparing to treat the United Kingdom (UK) as a third country after its withdrawal from the bloc, commonly known as Brexit. Unless a deal is agreed before 29 March 2019, the UK’s trade with the EU will be heavily impacted by regulatory restrictions, increased costs, and lengthier procedures applicable to the movements of people, goods and services. Less obvious is the impact on trade of the “no deal” scenario from potentially restricted data flows. With only eight months left until Brexit Day, the UK and EU have yet to start talks on a data protection agreement.
Data flows play an increasingly important part in international trade and are estimated to contribute up to 2.8 trillion USD to the world economy. In 2016 alone, EU services reliant on data exported to the UK, such as finance, telecoms and entertainment, were worth approximately 36 billion EUR. Data flows from the UK to the EU constitute as much as three-quarters of all data from the UK. Under the EU’s General Data Protection Regulation (GDPR), however, personal data included in such data flows must be protected. For companies, this can include employee data (e.g. payroll information, biographical information, etc.) and customer data (e.g., contact information, transaction information, biographical information, social media profiles, etc.). Data flows from the EU to a third country are permitted if there is an adequacy decision by the European Commission that the third country’s data protection laws are adequate to meet the objectives of the GDPR or through another adequacy mechanism approved by the European Commission (e.g., EU-approved Binding Corporate Rules, use of Standard Contractual Clauses, etc.).