UK companies could face new costs up to £1.6bn if the EU doesn’t deem the UK’s post-Brexit data protection standards adequate
Without an ‘adequacy decision’ from the EU, smaller businesses will bear the brunt of the costs of new data transfer restrictions, according to new research
23 November 2020
If the UK does not attain an EU ‘adequacy decision’ – where the EU certifies that a country has an adequate level of data protection – post-Brexit, the ensuing disruption to EU-UK data flows could cost UK companies between £1bn and £1.6bn, according to research published today from the New Economics Foundation and UCL European Institute.
The report, which is the first to detail the business and economic impact of the UK not securing an adequacy agreement, finds that micro, small and medium-sized firms would be disproportionately affected by these costs. The average compliance cost is estimated at £3,000 for micro, £10,000 for small, almost £20,000 for medium and about £163,000 for large businesses.
Data adequacy agreements are essential for the operation of thousands of British businesses, from enabling online trade to powering media research collaboration. The UK will need to secure an ‘adequacy decision’ in order for EU-UK data flows to continue after the Brexit transition period ends.
The report highlights that the costs of legal fees and bureaucracy would deprive businesses of vital resources and investment in new technology, staff, and research and development at a time when both businesses and the UK economy are struggling. The impact could be particularly stark for the services sector, especially finance, digital technology and data centres.
The report draws on extensive interviews with legal professionals, business representatives, data protection officers and policy makers, from both the UK and EU. It found that the risk of the UK failing to secure an agreement with the EU is real and serious.
Failure to get approval from the EU would also have a range of other economic implications, including:
- Increased risk of General Data Protection Regulation (GDPR) fines issued to UK companies, due to the new compliance requirements;
- Reduction in EU-UK trade, especially digital trade;
- Reduced business investment (both domestic and international);
- Businesses deciding to relocate their functions, infrastructure and personnel outside the UK.
An anonymous lawyer in the report says that, “UK companies have the main burden as they need to demonstrate compliance if they want EU data.”
Another anonymous business representative in the report said, “It may be easier to just move out of London and open an office in Frankfurt or Dublin like Morgan Stanley and others.” A technology business executive says that, “Over time, EU companies will prefer to keep data in Europe.”
A recent judgement by the European Court of Justice, knowns as Schrems II, has tightened up the EU’s requirements for countries it shares personal data with. The report calls on the government to continue demonstrating to the EU – especially in light of the Schrems II and Privacy International cases – how it meets the EU’s standards for data adequacy. It also calls on the government to put in place support and guidance for businesses to manage the cost of complying with EU data transfer rules in the event that an agreement isn’t reached.
Duncan McCann, senior researcher at the New Economics Foundation, said:
“Failing to secure an adequacy decision will impose additional costs on UK organisations of over £1bn, disproportionality falling on SMEs, at a time when the economy is already severely challenged by the pandemic and trading conditions are difficult.
A positive adequacy decision eliminates these costs, as well as others risks, and ensures that the UK remains an easy and attractive place for EU organisations to share data with, especially in data intensive sectors of the economy.”
Oliver Patel, research associate at the UCL European Institute said:
“In recent years, the European Court of Justice has taken a much tougher approach to restricting data transfers between the EU and other countries, much to the consternation of the business community. Post-Brexit, there is a risk that EU-UK data transfers could be targeted by activists and European courts, seeking to exploit the rigid EU rules in this area”.
Julian David, chief executive of techUK, said:
“The report provides a clear assessment of what we in the industry have known for a long time, that not reaching a data adequacy agreement will be hugely costly for UK business, and in particular SMEs.
“The UK must aim to be a leader in the new data-driven trading world and so achieving an adequacy agreement with our largest export market is key and will help us with our economic recovery from the COVID-19 pandemic.
This, as well as the costs of failing to reach an agreement, underscores the vital importance of a data adequacy agreement and the need for the UK and the EU to work constructively together to achieve this outcome.”
Felicity Burch, director of innovation, Confederation of British Industry (CBI), said:
“From enabling online shopping to powering medical research collaboration, the free flow of data underpins the products and services businesses and consumers rely on. Securing an adequacy decision is essential for the UK to protect its status as a global hub for data flows, avoid a legal quagmire for businesses and support our thriving digital economy.”
Jim Killock, executive director, Open Rights Group said:
“The cost economically and socially of dislocating ourselves from the world’s leading system of privacy protecting data transfers is enormous.
We should all be deeply worried by the push to move to weaker data protection and align with US voluntary standards. Worst of all is that current treaty negotiations aim to weaken protection of data transfers but none of this is being explained to Parliament.”
Notes
The report, The cost of data inadequacy, will be available at https://neweconomics.org/2020/11/the-cost-of-data-inadequacy
The New Economics Foundation is a charitable thinktank. We are wholly independent of political parties and committed to being transparent about how we are funded.
The UCL European Institute is UCL’s hub for research, collaboration, and engagement on Europe. Promoting academic excellence in the study of Europe at UCL, we aim to provide a leading forum for intellectual debate and act as liaison to EU and UK policy-making communities. We offer a diverse programme of public events, provide expert analysis and commentary for media outlets and policymakers, and help coordinate and develop networks of research. https://www.ucl.ac.uk/european-institute/
Schrems II was a landmark decision by the Court of Justice of the European Union which confirmed exactly how EU standards of data protection must travel with the data when it goes overseas. Although the judgement principally concerned the EU-US Privacy Shield agreement, which allowed data to flow from the EU to the US, and its invalidation, it also has much wider implications for all established and future data adequacy agreements.
Privacy International was a decision by the Court of Justice of the European Union that the UK, French and Belgian bulk data collection or retention regimes (often referred to as ‘mass surveillance’) must be brought within EU law.
In order to model this the report used the costings produced by the European Commission when the estimated the cost of doing data protection impact assessments (DPIA) as were required by GDPR. The report uses the broken down cost of the DPIA to derive an amount for the data mapping exercise. In addition to the mapping cost the interviews that the research conducted revealed that there would almost certainly be a legal component to the activity that every company will need to go through. For the model the report estimated, based on interviews with experts, that legal costs would be £2k for a micro business, £5k for a small and £10k for a medium. For large businesses the report estimated legal costs of £100k.
The report then needed to define how many UK businesses would be affected by the lack of an adequacy decision. The first dataset that the report used for a DCMS data on the share of UK businesses making website sales by geographical area from 2016. Within that dataset the report uses the proportion of firms with orders received from EU in order to provide a conservative estimate of the number of firms implicated.
The second was the UK Goods and Services trade statistics. Here the proxy was the proportion of total exports that EU exports account for between 2016 – 18. For these sectors the report then looked at the data intensity of that sector, as reported by the UN to allow us to eliminate ssectors of the economy that have a very low data insensity. It therefore did not include sectors that were in the bottom quartile of data intensity.
Finally the research manually added in financial services and insurance companies which do not appear either in the DCMS data or the UK goods and services statistics. For these sectors the report used two proxies. First, the proportion of economic activities that EU exports account for and second, the proption of service exports that are digitally enabled in 2018.
The report’s assumes that every firm that it has identified will seek to comply with the law. During the interviews that the research conducted the report consistently heard that most of the cost would be pushed onto UK companies. There was however uncertainty from those interviewed and so the report decided to use a range from 50% to 75% as the percentage of the complaince costs that will be borne by UK companies.