Skip to the content


How would Brexit affect data sharing between the UK and the rest of the EU?


​The UK's upcoming EU referendum is edging ever nearer, sending the predictions of experts and analysts in various sectors into overdrive.

The effect on the UK's economy, trade, border controls and its sovereignty have all been central to the debate, which will reach its climax when the British public go to cast their vote on June 23rd.

Should the UK choose to leave the EU, it is likely to place an increased level of importance on its digital economy, although the path to success may still be somewhat of a blur.

Dealing with data

One of the key challenges for many in the UK's digital economy would not necessarily be how British firms can trade with rest of Europe, but how they will share data with other nations.

The General Data Protection Regulation (GDPR) is due to come into force across the EU in January, but with Brexit by no means beyond the realms of possibility, businesses across the UK are largely feeling like they've been left in a state of limbo, with experts urging firms to prepare for both possible scenarios.

Should the UK leave the EU, it would be required to operate under a different set of rules surrounding the handling of data, although companies dealing with customers in Europe would still need to adhere to GDPR measures.

It could therefore be argued that even in the event of a Brexit, UK firms will still have to deal with the GDPR.

No time for waiting around

But should Britain choose to leave the EU, there may well be some difficulties.

When the European Court of Justice abolished Safe Harbour, large cloud providers in the US quickly began offering guaranteed hosting in the EU, ensuring that measures were in place long before the replacement legislation of Privacy Shield was agreed.

Given that this period was far less uncertain than the potential post-Brexit climate, it is safe to say that providers are likely to move data out of the UK in a similar way.

The issue could become all the more complicated by the fact that the decision to abandon Safe Harbour was mainly due to practices of mass data retention and sharing across the US, as well as the sharing of information with law enforcement.

Experts claim those measures, which were exposed by Edward Snowden, bear striking similarities to the so-called ‘snooper’s charter’ proposed by the UK government, which intends to implement powers to inspect internet connection records.

Should the measures be written into law, there is therefore a chance that a post-Brexit UK is unlikely to reach the standards needed for Privacy Shield status, meaning that cross-border data transfers between the UK and the EU could be prohibited.

Even if a temporary fix was found, British businesses may still come across barriers, potentially giving British citizens fewer protections government intrusion compared to the rest of the EU.

Some experts have suggested that the only way to avoid a period of indecisiveness is for businesses to prepare for implementing GDPR.

In a column for Computer Weekly, GDPR analyst Chiara Rustici wrote: "If you wait for the referendum results, you leave your organisation an unmanageably short timescale for implementation – less than 18 months. Therefore, it pays to become familiar with some of the relevant legal arguments and escalate these to the board. Even in the event of a Brexit, UK businesses offering services to EU citizens – regardless of whether they hold any data in the EU – will have to adopt more stringent rules than the ones currently imposed by the UK Data Protection Act. Otherwise trade – via personal data flows – with Europe is off the table."