The smooth transfer of personal data between the European Union and the UK — from bank details to your Uber bill — is vital for almost every British business. A no-deal Brexit threatens to disrupt that relationship and leave companies at risk of fines and lawsuits for breaching the EU’s strict data protection rules.


1. What are the current data-privacy rules?
The EU has established a fundamental right to privacy, including the protection of personal data and the “right to be forgotten” from search engines. It offers “adequacy agreements” to countries that conform to these rules, so that their data can be transferred across borders. Some countries, like New Zealand and Argentina, have been deemed as providing fully adequate data protection; the US is only partially adequate and has a separate agreement with the EU. As long as it’s an EU member, the UK doesn’t have to prove its adequacy. But that’s about to change.


2. What happens after Brexit?
Any adequacy talks cannot get started until after the UK has left the EU. Without a withdrawal agreement that allows personal data to continue flowing uninterrupted, two-way transfers of personal information will be affected, according to the UK Information Commissioner’s Office. To prepare, the regulator advised companies in December last year to hunt down all data transfers coming into the UK from the EU and make sure they have the “appropriate safeguards” in place. Essentially that’s meant a lot of paperwork, such as signing codes of conduct and promising to adhere to rules on transferring data.


3. Are data flows at risk?
Not really. In the 21st century, stopping data flows would be tantamount to war. But a no-deal would tip companies into a legal limbo and prompt a last-minute flurry of costly compliance work. A study published in August by academics at University College London said it’s likely that many firms won’t be prepared for a no-deal rupture. The uncertainty may only end once Britain and the EU have hammered out an adequacy agreement, a process that could take years. In the meantime, businesses could worry about the threat of an activist spotting an improper data transfer from one multinational company to another. Companies will be readying themselves for potential lawsuits.


4. What could stop the UK getting an adequacy agreement?
The EU warned the UK last year not to make assumptions that it will be granted an adequacy decision due to “considerable uncertainties” around its departure. The notice wasn’t specific on what the uncertainties are. EU chief negotiator Michel Barnier said that “in the absence of EU law that can override national law, in the absence of common supervision and a common court, there can be no mutual recognition of standards.”


5. Isn’t the UK already in line with EU data standards?
Mostly, but there have been some conflicts. In January 2018, the UK Court of Appeals ruled that a 2014 UK law allowing mass data surveillance for security reasons violated EU privacy laws. The 2016 law that superseded it was also found to be in violation. The UK shares intelligence with Australia, Canada, New Zealand and the US as part of the “Five Eyes” agreement; the EU has long been concerned about its citizens’ data being accessed by US spies. The EU’s newest privacy law should make any agreement simpler.


6. What’s the new law?
The General Data Protection Regulation went into effect on May 25 last year. All businesses that collect data from EU citizens have to follow its rules, which range from informing consumers about how their data is used to deleting data that’s no longer needed. Businesses that don’t comply risk fines of as much as 4% of worldwide annual revenue. Since the UK was part of the EU when GDPR was introduced, its firms have been operating under its rules. The UK has argued this should qualify it for an “adequacy” badge after Brexit.


7. What might a UK-EU privacy conflict look like?
Let’s imagine it all goes wrong. Post-Brexit, during a national-security investigation, UK intelligence services demand access to an EU citizen’s personal data, such as encrypted chat messages or payments. The provider hands over the data. The citizen complains to a European regulator, which concludes that this transfer was a human-rights violation. The provider could then be fined by the EU. This could prompt companies that have been cooperating with the UK to stop transferring data without clear approval from the EU.