A ruling by the EU Court of Justice yesterday deemed the UK’s bulk data collection regime illegal under EU law – a decision that has implications for post-transition data flows.
The UK will lose its automatic status as a ‘safe haven’ for EU data on 1 January and will need to be granted an ‘adequacy decision’ by the bloc.
According to the FT, the court ruled that governments cannot “force internet and phone companies to store information such as location data and metadata in the name of crime prevention or national security”.
No agreement
As a result, the UK is unlikely to obtain an ‘adequacy agreement’ with the EU before the end of the year because UK surveillance measures on data retention are incompatible with EU fundamental rights.
UK companies could face difficulties in exchanging data with their EU subsidiaries, or with customers and suppliers.
The UK government estimates that EU exports to the UK of data-enabled services were worth approximately £31bn in 2017 while UK exports of data-enabled services to the EU were worth around £80bn in 2017.
Divergent approach
However, the UK has indicated it wants to move away from the EU’s approach to data, notably the GDPR regime that governs how companies handle consumer data.
Boris Johnson’s chief adviser, Dominic Cummings, has pinned the UK’s economic future on developing leading technology businesses, and has written that “ one of the many advantages of Brexit is we will soon be able to bin such idiotic laws ”.
Cummings wants the UK to “navigate between America’s poor protection of privacy and the EU’s hostility to technology and entrepreneurs”.
Failure to reach an adequacy agreement would result in significantly increased costs for businesses involved in EU-UK data transfers as they would have to undergo costly legal rewrites of their data policies, organising individual agreements, known as standard contractual clauses.