10 Oct 2019
If Britain hasn’t secured a deal to leave the European Union as the clock ticks past 11 p.m. on Oct. 31, billions of data transfers could be thrown into legal limbo.
Though not as visible as lines of trucks backing up at ports, disruption to data would affect more of Britain’s economy, four-fifths of which is services, not goods.
To avoid heavy fines and lawsuits for breaching the bloc’s strict privacy laws, the majority of U.K. companies that rely on data flows from the EU must submit a mountain of compliance paperwork. Those efforts have accelerated in recent months as the risk of a chaotic departure grew.
The exercise spans everything from customer information for holiday bookings to human resources files and insurance claims moved between subsidiaries of multinationals. The EU has some of the toughest rules in the world for protecting personal data, including the “right to be forgotten” from search engines. The emergence of cloud computing means packets of data are constantly on the move, making it far harder to keep track.
Companies can compile sets of rules governing the information that flows across borders within their organization, and then have them approved by a data protection authority. This can cost as much as 250,000 pounds ($305,000) and take years to draft. Instead, many have opted to copy and paste “standard contractual clauses” covering every cross-border data transfer they can find.
Smaller firms may not be able to afford or implement the safeguards, or even be aware of the issues.
State of Readiness
A study published in August by academics at University College London said it’s likely that many firms won’t be prepared for no-deal. When an accord on data protection between the U.S. and EU was struck down by the European Court of Justice in 2015, one single company was forced to apply 2 million standard contractual clauses, they said. Anti-money laundering and terror financing checks by banks could also fall outside the law in a no-deal, industry lobby group U.K. Finance has warned.
“I don’t think the work is done,” said Andrew Solomon, a senior associate at law firm Kingsley Napley. “Most companies are aware they need to do it but they’ve been hoping common sense would prevail and they wouldn’t have to do it in the end.”
In a no-deal Brexit, people will probably print off the standard contractual clauses from the European Commission website and sign them just to have something in place, said Miriam Everett, a partner at law firm Herbert Smith Freehills. However, this just puts a band-aid on the problem and “in an ideal world there should be due diligence and impact assessments,” she said.
By Thomas Pfeiffer and Thomas Seal, Bloomberg, 10 October 2019
Read more at Bloomberg
RiskScreen: Eliminating Financial Crime with Smart Technology
You can claim CPD minutes for this content, by signing up to our CPD WalletFREE CPD Wallet