British firms face a bill of up to £1.6 billion if Boris Johnson’s government fails to convince the EU to grant an adequacy decision allowing dataflows to continue, according to a new report published on Monday (23 November).
The economic modelling used in the report by the New Economics Foundation thinktank and University College London estimates that the additional compliance cost for firms wanting to continue transferring data will range from an average £3,000 for a micro business to almost £163,000 for a large company.
The report was based on interviews with 60 legal professionals, data protection officers, business representatives, and academics, from the UK and EU.
In total, the cost to UK firms of no adequacy decision would likely be between £1 billion and £1.6 billion. This extra cost stems from the additional compliance obligations – such as setting up standard contractual clauses (SCCs).
The report estimates that, in UCL’s case, the university would have to amend and update more than 5,000 contracts.
The report also contends that the new compliance requirements will leave the UK exposed to an increased risk of GDPR [General Data Protection Regulation] fines, reduced investment and the relocation of business functions, infrastructure, and personnel outside the UK.
With less than six weeks until the transition period ends and the UK leaves the EU’s single market, talks on an EU-UK trade pact are on the brink of conclusion.
However, even if the UK agrees and ratifies a post-Brexit trade agreement with the EU by the end of 2020, a data adequacy decision will still be required from the European Commission for cross-border data flows to continue.
The UK has already applied the EU’s GDPR into its national law, but as a ‘third country’ outside the EU, it needs an adequacy decision – which determines that a third country has an adequate data protection regime and that European personal data can be processed there.
Digital and tech account for 14.5% of all UK service exports, more than £30 billion, making the UK the largest digital market in Europe.
The EU executive is currently conducting an assessment of the UK’s data protection landscape and discussions between the EU executive and the UK government on data adequacy have been taking place since March.
But the decision is far from a certainty, primarily because of EU and civil society concerns about the UK’s surveillance regime and membership of the ‘Five Eyes’ intelligence alliance with Australia, Canada, New Zealand, and the United States.
“We do not know whether or not the UK will introduce some changes in their national legislation which might deviate from the general line of the general data protection regulation,” EU Commissioner for Values and Transparency, Věra Jourová, said earlier this year.
The NEF/UCL report warns that “potential EU concerns with UK national security, surveillance and human rights frameworks, as well as a future trade deal with the US, render adequacy uncertain”.
Earlier this year, Prime Minister Boris Johnson suggested that the UK would seek to diverge from EU data protection law and opt for lighter-touch regulation, a path set out in his government’s National Data Strategy.
[Edited by Zoran Radosavljevic]