How can companies that provide digital services or handle data deal with post-Brexit risks, including whether to invest in the EU or the UK?
- Brexit will mean the UK has less influence and experiences fewer benefits from the outcomes of the EU’s flagship Digital Single Market (DSM) strategy.
- There will be greater regulatory burdens for companies in the UK, as with all companies in third countries selling into the EU.
- The loss of national ties to policymakers could mean a harsher treatment of UK companies by enforcement authorities in areas such as data protection, tax, and competition.
- Data transfers, storage and processing between the EU and the UK will only be possible if a mechanism can be agreed to protect the data, e.g. an adequacy decision, binding corporate rules or standard contract clauses.
Brexit remains top of the agenda for companies with plans to expand or invest in the European Union’s digital economy. There continues to be an elevated level of uncertainty about what a company can expect after the two-year Brexit negotiation process. At the same time, the EU’s single market is undergoing a wide range of reforms aimed at harmonising the rules that regulate e-commerce and the Internet.
Companies based in the UK or outside the EU should understand the post-Brexit risks and costs and how to protect their business operations. The right information will be required to develop an e-commerce strategy, to handle customer data or to decide where best to invest in data storage infrastructure.
Presence in the EU will secure access to the digital single market
After the Brexit deal is done, the EU will remain an attractive marketplace with almost 450 million consumers. The UK will also continue to be an important market for the EU, and an ally in facilitating trade with the US. Therefore, it is to be hoped that the politics of protectionism will not prevent a healthy trade agreement between the UK and the EU. Failure to reach agreement would be costly for both sides.
The EU is currently looking to strengthen its international appeal for investors by advancing the Digital Single Market strategy (DSM).
Datalandscape.eu predicts that, if completed successfully, the DSM will increase the size of the data economy to €739 billion by 2020, representing four per cent of the EU’s GDP, double what it is today. The DSM is also expected to create four million new jobs for data professionals in the next three years. On paper, the DSM will harmonise the rules currently regulating the provision of goods and services through online channels, and will build the foundations for the digital economy to generate more data, driven at faster speeds and offered at a lower cost. Such a foundation has the potential to make the EU more competitive globally.
The DSM is also expected to prepare the EU for the advent of technologies such as autonomous vehicles or the Internet of Things.
However, the success of the DSM requires the completion of a 16-point action plan that is still being advanced with a number of proposals currently being negotiated, agreed and implemented in the EU’s co-decision-making procedures.
Several legislative files of the action plan are being fiercely contested by EU Member States, interest groups and the private sector which has caused delays. Several DSM policies will need to be adopted more urgently by the UK before the Brexit deadline on March 2019. Adopted DSM policies will mirror the rules and regulations of the EU and, in theory, facilitate trade more easily.
The race to the finish line
We can likely expect more lobbying to help the successful conclusion of the remaining parts of the DSM, which include geo-blocking, data portability, VAT for cross border e-commerce, copyright directive reforms, the free flow of data initiative, e-privacy regulation, consumer protection reforms (REFIT), telecommunication reforms and the audio visual and media services directive (AVMSD).
To date, the UK has had a strong contribution to the DSM, encouraging other Member States to raise their voices on the DSM and calling for a stronger legislative package on the Free Flow of Data initiative. In fact, the UK has cooperated with other EU Member States in letters to the European Commission promoting more openness and an international outlook on sharing data and driving investment in skills and start-ups.
Several of the policy files involved in DSM are essentially complete, such as content portability to allow EU citizens to access online services such as music, sports events and films when abroad, reducing mobile roaming charges, and geo-blocking which will prevent companies from unjustly denying access to websites and services based on a consumer’s geographic location. Other areas such as defining the investment schemes for funding and rolling out of 5G to offer faster bandwidth speeds by 2025 may not be completed before the end of the two-year Brexit process.
The 5G roll-out is worrying as projected costs for the EU are set at €500 billion euro. The UK to date has benefitted from EU funding that has poured into R&D and has helped pay telecommunication infrastructure costs. It is assumed that the UK will need to look towards the private sector to cover these costs in the future.
REGULATION: The cost of doing business in the EU
Being a member of the EU has its privileges. If your company originates in an EU Member State, you can expect a certain amount of preferential treatment. You can also capitalise on national ties through policymakers to help defend your business interests.
The UK is set to lose these privileges. In the absence of national level influence, UK companies should be looking to build stronger ties directly with both EU and Member State-level policymakers.
Foreign companies today, expect regulation to be the cost of doing business in the EU. Over the past decade, government enforcement authorities across the EU have increased their focus on technology-related issues. This is to be expected as international companies are holding increasingly sensitive data on EU citizens’ health, personal details, consumption patterns and purchasing information, raising concerns around privacy and data protection.
Many US companies have hired lawyers to comply with the rules or resolve a wide variety of tax, data privacy or anti-trust investigations. UK-based companies can expect similar scrutiny as the ‘new normal’ post Brexit. For example, competition authorities are ramping up their activity to keep pace with the disruptive speed of technology and the resulting market distortions that can occur. There have been some well documented cases of proposed international mergers being either blocked or, if passed, requiring negotiated changes to the agreement.
Elsewhere, large US companies are facing new investigations into where they locate their EU headquarters and pay their taxes. Anti-trust authorities claim foreign companies have been unfairly taking advantage of State Aid benefits in some Member States and not paying their fair share of tax in the EU.
Do these investigations unfairly target companies based in non-EU countries? In July, AmChamEU’s letter to the European Competition Commissioner, Margrethe Vestager, admitted that her approach to State Aid and tax may be misinterpreted as ‘primarily targeting US-based companies’. It is now clear that companies based in the UK and outside the EU should look to engage the right individuals in EU political institutions, as well at within Member States
To avoid being a target, companies should openly explain their positions on certain issues that remain politically sensitive. For example, where customer data is stored. There should also be transparency on how the data is used.
Non-EU companies should also look to communicate how they are acting as responsible EU citizens. For example, by defining how their own growth is tied closely to their investments in the EU. This could include communicating where they are making a positive impact; describing hiring practices, investing in building projects, opening data centres or investing in societal or community initiatives.
Be wary of data protectionism
One area that will remain particularly hot in the Brexit discussions is how UK-based companies will comply with data protection and privacy regulation. It will be important to watch carefully as data flowing in and out of the UK has grown significantly since 2005. Data connectivity in the UK made up 11 per cent of all global data flows by 2015, and is foreseen to grow another five times by 2021. Upwards of 75 per cent of the UK’s data flows are from EU Member States. Data protection authorities and activists will be concerned about how the UK will treat the data of EU residents, e.g. whether that data can be shared with other countries like the US.
The Snowden revelations drew attention to the fact that a large amount of EU citizens’ data is being stored in the US, where the respect for privacy may have lower political capital than national security. The idea of some form of ‘data protectionism’ or ‘data nationalism’ by Member States that want to keep data in the EU or in Member States is on the rise.
In addition, the threat of terrorism has given rise to a political demand for national governments to increase their access to electronic communication, including by keeping its citizens’ data within national boundaries. Politically, this creates a conundrum on how to balance a government’s desire to access sensitive data versus the protection of human rights and freedoms.
Data localisation will burden companies
The ever-increasing demand to force the localisation of data will only intensify, imposing more burdens on companies to find solutions to store customer data in specific Member States. It will also limit the success of the Free Flow of Data Initiative where EU countries can share data for commercial or R&D purposes.
Brexit also potentially means that the UK will be required to have an approved legal framework to transfer, store and process data from the EU. For the moment, the UK is implementing the recently ratified General Data Protection Regulation (GDPR). The GDPR requires very high standards and harsh penalties to protect the data of EU citizens. However, the UK passed the Investigatory Powers Act (IPA), nicknamed the Snooper’s Charter, which essentially authorises the surveillance of data on its territory. However, the European Court of Justice said parts of the IPA will need to be changed and indicated that the UK’s attempt to introduce indiscriminate retention of substantial amounts of its citizens’ data should be subject to strict limitations.
Already, data protection activists are keen to watch the UK closely for any abusive use of its justification for national security to bypass fundamental rights.
Max Schrems, a leading data protection activist, told the press that the UK, as an EU Member State, allows it to claim a national security exception. The UK will lose its right to be exempted for purposes of national security once it leaves the EU. On the UK leaving the EU, the GDPR will require that any transfer, storage or processing of EU residents’ data is covered by appropriate legal measures. These may take the form of a declaration of adequacy for the UK entirely or by sector.
Alternatively, companies may make use of other mechanisms such as binding corporate rules or standard contractual clauses, translating into more burdensome compliance measures for companies. Such an adequacy decision will sit outside the Brexit negotiations as it is an unilateral assessment and decision made by the European Commission.
However, the issue of data transfer should be advanced as quickly as possible in order to minimise the impact to businesses of all kinds. It may be possible to negotiate a transitional arrangement in the latter phase of Brexit, to allow a longer-term decision to be made later. But a transitional regime would require the UK to commit to regulatory convergence on data protection matters and to accept the jurisdiction of the European Court of Justice and the decisions of other data protection authorities, which the UK Government may find unpalatable.
Companies that currently deal with data in the UK, whether transferring to, storing or processing, could put in place the standard contractual clauses (external) or binding corporate rules (internal) in the coming months as a way to allow data flows to continue. However, it should be noted that these models are currently subject to challenge in the European Court of Justice so are at this stage not legally watertight.
The challenge to the digital single market
Overall, the withdrawal of the UK from the EU presents several challenges to the DSM strategy. Those who wish to see more data flowing internationally stand to lose against the strong continental shift to localise data within EU borders. UK-based companies should prepare to experience the same level of scrutiny foreign companies face in the EU and consider demonstrating how it continues to invest in Europe and comply with EU rules.
Companies will also need to maintain a close watch on evolving DSM policies most relevant to their business.
They should be prepared to be able to effectively navigate the various parts of the DSM to better prepare senior management on what to expect and how it will impact the business. In some cases, this will mean engaging with the right officials and organisations in different parts of the EU institutional landscape in Brussels and in the Member States.
UK companies that store or process EU residents’ data will have significant obligations under the GDPR, and will have to establish a formal presence and relationship with EU data protection authorities.