Will data sovereignty become a Brexit negotiating point and obstacle for M&A integrations?
UK Organisations are at risk from GDPR and the Brexit negotiating teams may use this bargaining chip over the next 18 months.
GDPR, comes into effect 25th May 2018, before Brexit divorce in 2019. The Government has also stated its intention to implement GDPR in the Queen’s speech. This will align obligations and standards to GDPR in our pre-Brexit world but does not mean all is well.
Once the UK leaves the EU, then for the rest of the EU to be able to share data with the UK, there will need to be a “gateway” allowing that to happen. At the moment there are really two gateways that might be commonly used.
The EU might designate the UK as having adequate protection for data to allow transfers. These Adequacy Decisions have been granted in the past to a few countries such as Canada, Argentina, New Zealand and Switzerland. There is no guarantee that this will happen however and it might be a political decision tied up with Brexit negotiations.
The second gateway is Model Clauses. These are standard provisions dropped into the contract between the transferring organisation and the receiving organisation that are designed to impose sufficient protections to the data through the contract. However, the validity of this mechanism is currently under challenge at the moment in a case being brought in Ireland by privacy activist, Max Schrems.
However, there is a bigger issue lurking in the background with all of this – National Security. The EU does not like mass surveillance for National Security purposes. This has caused problems in the past with data transfers from the EU to America. The Court of Justice recently ruled that mass surveillance can never be justified (this was the Tele2Sverige/Tom Watson case).
The provisions of the UK Investigatory Powers Act 2016 could leave the UK with no gateway to transfer EU data to the UK
This presents a problem for the UK because of the provisions in the UK Investigatory Powers Act 2016, which seek to allow mass surveillance. If the UK uses those powers after Brexit then this may mean that the EU refuses to grant or revokes an Adequacy Decision or a challenge is made to Model Clauses which purport to allow EU/UK transfers of data. This could leave the UK with no gateway through which EU data can be transferred to the UK. The position though is not so straightforward as the EU needs UK security data. There might be some compromise from the EU around this for that reason.
Who is affected?
The impact to UK organisations is clear - Comply with GDPR or risk falling foul of the regulation. The impact to M&A planning may be less obvious however. While M&A transactions have fallen since Brexit (-15%) there remain, on average, 350 M&A deals every month and those that involve UK and EU parties will need to think carefully about how they look at their technology integrations.
EU/UK M&A transactions will need to consider their to-be state during or very soon after deal completion
Where partial acquisitions are concerned, the acquiring company will need to look at the implications of the gateway scenarios. Some may need to look at the divestment plan to ensure a second data and application migration exercise isn’t needed shortly after deal completion where gateway provisions are not acceptable or impractical.
Those companies progressing their cloud strategies may want to consider the certainty of knowing where their data is located as well as who has access. Cloud operators should provide transparency about the physical location of their hosting, the controls and the access they grant to their service organisation. Local cloud providers using outsourced service providers from outside the EU may make the company that owns the data no-compliant.
UK organisations are at risk because of these real and implied uncertainties. The expert advice is to
Be prepared for some noise surrounding data sovereignty during the Brexit discussions as part of the negotiation posturing.
Plan to cater for some ambiguity and cater for it in the contract with the organisation transferring the data. Seek legal support to ensure the contracts say that once the UK leaves the EU then the parties to the contract will put in place a mechanism which continues to allow the transfer of data from the EU to the UK, such as Model Clauses or any equivalent. This helps hedge the position a little. For expert legal opinion on GDPR, gateway approaches and data sovereignty please contact Farrer and Co.
Organisations looking to leverage cloud platforms should carefully compare their cloud providers to ensure they have transparency over where their data is stored and who has access to it. We suggest you look at Clover Index for cloud provider evaluation on this and a wider range of comparative points.
With thanks to the following contributors: