The EU and the UK have resumed crucial talks in London this week, in what has been described as the last “major” opportunity to avoid a no deal scenario at the end of December. The bloc’s chief negotiator Michel Barnier is said to be offering to give Britain back 15 to 18 percent of the quota European fleets currently take from British waters. However, Downing Street is believed to want at least 90 percent returned to the UK – something Brussels views as “wholly unacceptable”.
While Brussels refuses to budge on its red lines, Prime Minister Boris Johnson appears to have agreed to keep Britain tied to European human rights rules.
Mr Barnier welcomed the move, announcing Mr Johnson had finally accepted that future police and judicial cooperation must be underpinned by the European Convention of Human Rights.
An agreement has been on the verge of completion for longer than a month since Lord Frost first signalled the UK would soften its stance.
Britain had previously rejected EU demands to implement a commitment to retain membership of the ECHR into domestic law as the price for the internal security pact.
As Brexiteers fear the result of the 2016 referendum could be betrayed, a new study sheds light on an area that has been somewhat overlooked during the talks.
An adequacy agreement for data transfers between the two sides has not been reached yet, meaning British companies could be paying significantly more in compliance costs from 2021 onwards.
The New Economics Foundation and University College London released a report that found UK firms could be forced to pay up to £1.6billion if the UK fails to reach an adequacy agreement with Brussels that would allow data flows to continue as they are now.
Such an agreement would be separate from the ongoing EU-UK trade talks.
The report, based on interviews with more than 60 legal professionals, data protection officers, business representatives and academics, found that if an adequacy agreement is not reached, the average compliance cost for an affected micro business will be £3,000; or £10,000 for a small business; £19,555 for a medium business; and £162,790 for a large business.
The report estimates the total national figure from this could result in a cost of £1.6billion.
It says: “This overall figure of between £1billion and £1.6billion represents money that companies would have been free to spend to meet the requirements of the business by, for instance, investing in new equipment, staff, or processes, but are now required to channel into compliance activities or additional costs for goods and services, due to EU-UK data flows disruption.
“The combination of a potential no deal Brexit, coupled with the ongoing Covid-19 pandemic, means that business and the economy can ill afford more cost, complexity, and risk.
“Although the adequacy decision is in the hands of the European Commission, the UK government still has a large part to play.
“All parties hope that the outcome of the last few years of Brexit negotiations will be a comprehensive partnership agreement.
“This will be an important achievement of huge social and economic significance.
“Without a wider agreement on the future relationship, adequacy will be very hard to attain.”
The economic implications of no adequacy decision could also include increased risks of fines under the General Data Protection Regulation (GDPR), a reduction in EU-UK trade and digital trade, reduced UK business investment or business relocation.
The UK’s 2018 data protection act enacted the EU’s GDPR into UK law, but after the transition period the UK will become a third country.
Euroactiv noted that digital and tech services account for nearly 15 percent of all UK service exports.
The head of Oxford-based think-tank Euro Intelligence Wolfgang Munchau explained why UK security and surveillance laws pose a real problem.
He wrote: “Surveillance and privacy concerns have already seen two data transfer agreements between the US and the EU struck down by the Court of Justice of the European Union.
“Like the US, UK laws give authorities far more scope for privacy and human-rights violations than EU laws. This could be a major sticking point for the Commission.
“In July this year, the CJEU’s Schrems-II decision struck down the EU-US Privacy Shield agreement. This was established in 2016 to replace an earlier agreement, Safe Harbour, which the court had also struck down.
“Privacy advocate Maximilian Schrems brought the cases that invalidated both agreements, with the argument that neither adequately protected EU personal data.
“Privacy Shield did not require the US to change its surveillance laws, and the CJEU ruled that US law-enforcement and national-security powers conflict with EU requirements to ensure citizens’ privacy rights follow their data globally.”
The UK’s departure from the EU charter of fundamental rights, Mr Munchau noted, means the Schrems II decision poses two risks to the UK.
Similar principles could therefore be used to deny an adequacy decision, and more stringent conditions for transfers could complicate any alternative mechanisms.
Furthermore, the UK is a member of the Five Eyes intelligence network – currently negotiating a separate data regime with the US.
Any such agreement could be perceived as a backdoor for onward transfers of EU citizens’ personal data to the US.
Mr Munchau added: “Schrems himself spoke with Thierry Breton, the EU’s Internal Market Commissioner, last week.
“At an event organised by Bruegel, Schrems said he did not plan to challenge any potential adequacy agreement because the UK’s security laws are so intrusive that he expects someone else will do it.”
He concluded for his piece on the EuroIntelligence website: “As with Brexit trade deal negotiations or financial regulatory equivalence, there has been little movement on a data adequacy decision in recent weeks.
“This prompted John Whittingdale, the Minister for Media and Data, to warn on Friday that time is running out.
“Whittingdale urged UK businesses to look for alternative legal mechanisms, meaning costly standard contractual clauses.”
In answer to a written parliamentary question from Scottish National Party (SNP) MP Brendan MacNeil, Mr Whittingale said: “The Government is working constructively with the Commission to secure data adequacy by the end of the transition period [and] we see no reason why we should not be awarded adequacy.
“However, the process is controlled by the Commission.
“And we are realistic about the increasingly challenging timelines for completion.”
He advised UK firms that, even if adequacy cannot be achieved before the end of the year, they can look to “alternative legal mechanisms to continue receiving personal data from the EU”.