Four years ago, UK companies were struggling to overhaul the way they collected workers’ personal information before new data protection rules came into force in May 2018.

Now business leaders are wondering whether they will have to tear up the rules again, following the UK government’s plans for a post-Brexit independent data regime.

“Companies have paid the price for the implementation of the GDPR [General Data Protection Regulation] compliance,” says Adam Rose, partner at Mishcon de Reya attorneys. “If the government turns around and says you didn’t need to bother doing anything, or you’ll have to jump through new hoops, that’s going to piss them off.”

The volume of data produced on a global scale is difficult to grasp. According to the World Economic Forum, the estimated number of bytes in the digital universe in 2020 was 40 times greater than the number of stars in the observable universe.

And while the creation and transfer of this data across the globe may seem seamless, a complex architecture of rules and regulations governs what companies must do to keep it all safe.

“If you asked most people, they’d be surprised to know that information can’t flow freely around the world,” says Ross McKenzie, partner at Addleshaw Goddard Lawyers. “But there are laws in the UK and Europe that prevent companies from sharing data internationally.”

In the UK and EU, GDPR rules govern how data can be stored and transferred internationally. The UK, however, plans to relax its data protection rules and strike deals with non-EU countries – such as Australia and the US – as part of a massive overhaul of its data regime, post-Brexit.

UK Culture Secretary Oliver Dowden calls the plan a “Brexit dividend” for the economy. However, critics fear it will end the free flow of information between Britain and the EU, which would harm businesses and citizens.

“Data is a big part of UK plc’s value,” says Rose. “We are a stable place to do business with strong laws, good data centers, good data scientists. The UK is a major center for the data-driven industry and there is a risk of drifting away from our main trading partner, which is Europe.”

In a consultation unveiled in September, the UK government outlined plans to roll back key parts of EU data protection rules it had enshrined in its own lawbook during Brexit.

These plans include removing or rewriting Article 22 of the GDPR, which guarantees human checks on decisions made by computer algorithms and, according to activists, provides protection against machine bias.

Such measures put the UK on a collision course with the EU. The latter has warned that it will scrap its data-sharing agreement with the UK if the privacy of its citizens is threatened.

The EU allows data to flow freely from the EU to the UK following a so-called adequacy decision. This means that the European Commission has ruled that Britain adequately protects personal information and can be trusted with the data of its citizens.

But if Brussels decides the UK is no longer adhering to sufficient data standards, it could revoke the decision, halting the free flow of information across the Channel.

“Every legislation reviewed that creates a significant divergence from the way things are done in the EU carries the risk that it will be more difficult to trade with the EU,” says James Mullock, partner at lawyers Bird & Bird.

“We have an adequacy decision which allows data to flow to the UK from Europe. Any deviation [in rules] potentially jeopardizes this adequacy decision.”

To avoid falling foul of regulation, companies must already carefully monitor how they process data.

“Because of Brexit, the UK has a completely separate approach” to data sharing, says McKenzie at Addleshaw Goddard. Multinational companies with pan-European operations “have to deal with both UK regulators and European regulators. It’s a huge compliance burden.”

Companies, he adds, “are crying out for data protection lawyers and compliance specialists.”

In July 2020, a European ruling, prompted by an activist’s battle with Facebook, created a roadblock for companies transferring data between the EU and the US. The Court of Justice of the European Union (CJEU) struck down an agreement that companies relied on to easily move data, due to concerns about US state surveillance.

Prior to the CJEU’s ruling, companies relied on the so-called Privacy Shield for transatlantic trade. Now, EU companies must carry out individual assessments of each transfer of data to a non-EU country to ensure compliance.

[Chart: The 10 highest individual GDPR fines (value of fines, in millions of euros). The €50 million fine imposed by France on Google in 2019 remains the largest case.]

Any data breach now carries the risk of financial penalties for European businesses, following the introduction of GDPR and Brexit rules. Organizations can be subject to fines from the Information Commissioner’s Office in the UK and regulators in Brussels.

UK-based companies, meanwhile, have an even more complex landscape to negotiate, following Brexit, Mullock adds. Companies fall under “two regulatory regimes,” he points out. With the fines that come with GDPR breaches, “this is a real concern and could create double jeopardy for businesses.”