UK tech worried over post-Brexit data sharing

Since the start of 2017, industry group TechUK has been holding monthly meetings for its members with its 'Brexit advisory panel', which includes former UK civil service chief Gus O'Donnell, and Syed Kamall MEP, leader of the European Conservative and Reformist group in the European Parliament.

Their main immediate concern is that the UK's data laws remain harmonised with the EU's and that free flow of data is part of a future UK-EU trade pact.

In a step towards placating those fears, UK digital affairs minister Matt Hancock introduced a bill to implement the EU's Data Protection Regulation (GDPR) into UK law in September, stating that it would help "ensure unhindered data flows after Brexit".

But putting the GDPR into UK law isn't enough by itself to keep the data flowing.

Outside the single market, the UK will still need an 'adequacy decision' – the European Commission's approval of its data protection and privacy standards.

The main stumbling block is likely to be the UK's Investigatory Powers Act, adopted in 2016, and piloted by Theresa May in her former role as home secretary. Amongst its provisions, this controversial bill allows government agencies to monitor and keep copies of internet browser histories and phone records.

Poacher turned gamekeeper

Ironically, Brexit minister David Davis, then a backbench MP and civil liberties campaigner, was one of the chief opponents, challenging to it all the way to the European Court of Justice.

The European Court of Justice's ruling in the Max Schrems case on the EU-US 'Safe Harbor' agreement in 2015, which stated that the EU must protect its citizens from surveillance, makes the UK act particularly troublesome.

EU insiders say that means the UK would have to provide cast-iron guarantees about the forwarding of personal data, and the UK's role in the 'five eyes' intelligence and surveillance network with Australia, Canada, New Zealand, and the United States.

Even then, without scrapping the Investigatory Powers Act, court challenges to the ECJ would be inevitable, a sizeable problem since Davis and his team insist that after Brexit the UK will not be subject to the Luxembourg court.

"I wouldn't be surprised if the Germans wanted a legal commitment that the UK government will not spy on European citizens," Hosuk Lee-Makiyama, director of European Centre for International Political Economy, told EUobserver.

"The adequacy decision is an assessment based on politics. It will be a negotiation, and you pay for it," said Makiyama.

For its part, UK ministers remain outwardly confident that a data deal can be done.

"I would expect it (an adequacy decision) to be delivered," Steve Baker told the Exiting the EU select committee on October 26. "We want to get a deal on data sharing as part of the negotiated exit agreement," he added.

That suggests that the Commission's responsibility for giving an adequacy decision could be superseded by the Article 50 talks with the EU-27.

However, recent precedent suggests that the prospects of data and e-commerce being part of a speedily agreed UK-EU trade deal are not promising.

The EU's Privacy Shield agreement with the US took two-and-a-half years to negotiate, and France and Germany are opposing attempts to include e-commerce and data flows in EU trade pacts.

France is by far the leading axis on privacy, a Commission official told EUobserver.

So, what's the alternative, or will the UK's £240 billion a year digital sector simply be hit by a 'no deal' Brexit?

Nor does the Exiting the EU department want to publish its assessment of the likely cost of having to replace the EU's agencies, fearing that making this public could harm its negotiating strategy in the Article 50 talks with Michel Barnier.

"We do not want to send signals that we are considering alternatives," said Baker. "The work is being done".

That suggests that the government is not prepared or preparing for a 'no deal'.