
Brexit Data Compliance Costs: £1.6bn Impact on UK Firms

November 23, 2020

An evaluation of the overall expenses for U.K. companies should the nation not secure a data adequacy agreement with the European Commission following its departure from the bloc at year’s end – thereby creating obstacles to data transfers from the EU – indicates that the cost, considering compliance alone, could range from £1 billion to £1.6 billion.

The assessment of the economic consequences if the U.K. is classified as a third country under EU data regulations was conducted by the New Economics Foundation (NEF) think tank and UCL’s European Institute research hub – with the researchers undertaking interviews with over 60 legal experts, data protection officers, business representatives, and academics from both the U.K. and EU.

Their estimations suggest that the typical compliance expense for a micro business will be £3,000; £10,000 for a small business; £19,555 for a medium-sized business; and £162,790 for a large business.

“This additional expense arises from the increased compliance requirements – such as implementing standard contractual clauses (SCCs) – for organizations wishing to continue transferring data from the EU to the U.K.,” the report states. “We consider our modeling to be a fairly conservative estimate, as it is based on moderate assumptions regarding the cost at the firm level and the number of companies affected.”

An adequacy agreement signifies a status that can be granted to a country outside the European Economic Area (which the U.K. will become after the Brexit transition period concludes) – if the EU’s executive body determines that the country’s data protection levels are fundamentally equivalent to those provided by European legislation.

The U.K. has expressed its desire to obtain an adequacy agreement with the EU as it proceeds with the implementation of the 2016 referendum decision to leave the bloc. However, doubts exist regarding its prospects of achieving this desired status – particularly due to surveillance powers established in U.K. law since the 2013 Snowden revelations (which exposed the extent of Western governments’ monitoring of digital data flows).

Extensive powers allowing U.K. state agencies to conduct digital surveillance have been subject to numerous legal challenges under both U.K. and EU law.

The government has also indicated an intention to “liberalize” domestic data laws as it departs from the EU – stating in a national data strategy released in September that it aims to ensure data is not “unduly restricted” by regulations “so that it can be utilized to its fullest extent”.

However, any actions to diminish the U.K.’s data protection standards could result in an “inadequate” determination by the Commission.

Europe’s highest court has established a clear principle that governments cannot utilize national security concerns to circumvent fundamental principles of EU law, such as proportionality and respect for privacy.

Another significant – and highly relevant – ruling by the CJEU this summer invalidated an adequacy status previously granted by the Commission to the U.S., effectively dismantling the EU-U.S. Privacy Shield transatlantic data transfer mechanism. This does not offer a positive outlook for the U.K.’s chances of achieving adequacy.

The court also clarified that the most commonly used alternative for international transfers (a legal instrument known as Standard Contractual Clauses, or SCCs) must undergo proactive examination by EU regulators when data is transferred to third countries where citizens’ information could be at risk.

The numerous companies that had been relying on Privacy Shield to authorize their EU to U.S. data flows are now urgently seeking alternative solutions on a case-by-case basis – facing substantially increased legal risk, complexity, and administrative burdens.

A similar situation may soon arise for a large number of U.K.-based data controllers who wish to continue receiving inbound data flows from users in the EU after the Brexit transition period ends.

Earlier this month, the European Data Protection Board (EDPB) issued 38 pages of guidance for those navigating the new legal uncertainties surrounding SCCs – cautioning that there may be instances where no supplementary measures will be sufficient to guarantee adequate protection for a specific transfer.

In such cases, the EDPB stated, the solution might necessitate relocating the data processing to a location within the EU.

“While the U.K. maintains high standards of data protection through the Data Protection Act 2018, which incorporated the General Data Protection Regulation (GDPR) into U.K. law, an EU adequacy decision is not assured,” the NEF/UCL report cautions. “Potential EU concerns regarding U.K. national security, surveillance, and human rights frameworks, as well as a future trade agreement with the U.S., make adequacy uncertain. Furthermore, EU-U.K. data flows are subject to the broader Brexit process and negotiations.”

According to their analysis, if the U.K. does not receive an adequacy decision, it will encounter a heightened risk of GDPR fines due to increased compliance obligations.

The General Data Protection Regulation allows for financial penalties for violations of the framework, which can reach up to 4% of an entity’s global annual revenue or €20 million, whichever is greater.

The report also forecasts a decline in EU-U.K. trade, particularly in digital trade; reduced investment (both domestic and foreign); and the relocation of business functions, infrastructure, and personnel outside the U.K.

The researchers contend that further research is required to support a more comprehensive macroeconomic assessment of the value of data flows and adequacy decisions – noting a lack of research on “the value of data flows and adequacy decisions in general” – before adding: “EU-U.K. data flows are a vital component for thousands of businesses. These flows support fundamental business operations and activities that generate substantial value. This is not solely a digital technology sector issue – the entire economy depends on data flows.”

The report offers a series of recommendations – including urging the U.K. government to make “relevant data and modeling tools” available to support empirical research on the social and economic impacts of data protection, digital trade, and the value of data flows to inform better public policy and debate.

It also calls for the government to allocate funds to assist struggling U.K. SMEs with the costs of complying with the legal data burdens resulting from Brexit.

“Our report concludes that the absence of an adequacy decision has the potential to negatively impact the competitiveness of key U.K. services and digital technology sectors, which have performed exceptionally well in recent years. Although we do not intend to overstate the impacts – and no adequacy decision is not an economic catastrophe – this outcome would not be desirable,” they add.

You can read the full report here.
