Reasons to be concerned
One of the many legal struggles Brexit, if it happens, will lead to will take place on the privacy law battlefield.
It regards how domestic privacy law be shaped after we leave the European Union. Although the upcoming EU GDPR (the General Data Protection Regulation, which will upgrade the legal discipline on how personal data can be handled in Europe and transferred to extra-EU countries. This stems from the same legal trend that brought the privacy shield to the United States) will be applicable at least for a short period before we actually leaves the Union, will the United Kingdom retain European laws? Will it draft its own privacy legal discipline from scratch? Will it be considered a country providing “adequate safety measures” — a status granted to countries deemed to offer adequate protection and to which transfers of personal data is much easier and faster — once outside EU?
Far from this quagmire, some Brexiteers have recently feasted to the news that two giant US multinationals, Google and Facebook, decided to expand their presence in London, despite the current lack of clarity on the city’s future.
It’s been reported that the former recently announced a £1 billion investment plan, plus an additional 650,000 sq ft headquarter in King’s Cross and a spike in the workforce from the current 4,000 employees to 7,000 in three years. Undoubtedly a hefty effort, one that will mean London will receive Google’s biggest investment in Europe, putting even the paramount Dublin in second order. All of this in the name of “talents’ future in technology”, “passion for innovation”, “London as the technological hub” — and by tucking the current tax issues with the HMRC under the carpet for a day.
Facebook too is adopting a similar expansion strategy: a 50% increase in presence and 500 new employees by 2017 (instead of the current 1,000), reaching — if not overtaking — Dublin in terms of importance. Sadiq Khan, London Mayor, intervened once again at the public ceremony, claiming London is “the best city in Europe for digital startups”, “open to talent, innovation and entrepreneurship” and also dubbing it “the envy of Europe”.
Apple and Amazon too have announced expansion plans in London with, respectively, 1,400 and 1,000 additional employees being hired. Once again, the tones are similar to those seen at the Google event, highlighting UK innovation and attitude towards technology.
But why have such giants increased their financial efforts in a less-than-stable city like London?
If there is one thing that should be clear from my previous Legal Cheek Journal article, it’s that nothing comes for free and without strings attached, especially from big US media multinationals.
Yes, Facebook and Google are media companies, well outside the IT industry, whose “tech-company” label is a more appealing term that brings certain advantages when resorting to shareholders and investors and dealing with regulators.
Want to write for the Legal Cheek Journal?
Find out moreMedia companies’ main profits still come from advertising and, jointly, reach a sum higher than $23 billion (£18 billion) in the first half of 2016. Not bad for two companies which are taking over the advertising market with growth of 60% (Google) and 43% (Facebook) over the first half of 2015, thus accounting for 85% of every new expense in this market.
So, as the saying goes, when there is muck, there is money — but what could possibly turn on media companies and incentivise this spending in London specifically?
The proposal to reduce corporate tax exposure to 15% is an interesting countermeasure to avoid companies breaking out of UK, but that may not be the whole picture.
In fact, if there is one thing that media companies crave it is personal data. Both Facebook and Google (not to mention Apple and Amazon) deploy criticised techniques to collect personal information: instill cookies on devices, bolster network of acquaintances, rake up tastes, political inclinations and sell such information to advertisers.
Now, we all know that Brexit will involve a lot of complications, issues and novelties when it comes to privacy law, but what does it change exactly for media companies, like Google and Facebook, in the UK?
Can companies in the UK still exchange personal data without cumbersome red tape after the UK has left the EU?
Post-Brexit, it is likely the UK will be labelled a country offering “adequate guarantees” when it comes to privacy safety of personal data according to many sources, and probability will only rise if it ratifies the upcoming EU GDPR before leaving the Union.
Will this happen? Times are tight and the deadline to implement the GDPR (25 May 2018) may come well sooner than the finalisations of the Brexit negotiations. That said, on 24 October Karen Bradley MP confirmed that the UK is going to opt-in to the GDPR.
Will companies in the UK be subject to the EU GDPR after Brexit?
Notwithstanding, Theresa May promised a “Great Repeal Bill” to erase the European Communities Act 1972 in order to be able to carve out EU law from the UK legal system.
As confirmed by Stewart Room — global head of cyber security and data protection legal services at PwC — upon the execution of Brexit, “the UK would technically be free to abandon [the law]” (what a great chance to cherry-pick EU legislation).
This will mean the UK — according to Elizabeth Denham, head of the information commissioner’s office (ICO) — will rely on its own privacy laws in order to enjoy “adequate or essentially equivalent” status. This means that no matter the legal relationship personal data’s protection can be still guaranteed. She claimed the ingredients of the next UK privacy law will be a “progressive regulatory regime”, subject to “scrutiny”, that won’t cause “UK having rocks thrown at it by other regimes” and which bears “consistency and adequacy to Europe”.
Can the UK enjoy the “adequate” status albeit repelling the EU GDPR?
“Out is out” but can a UK out of Europe — exempt from European Court of Justice and with a Data Privacy Authority outside Article 29 Working Party network (a group of representatives from Data Privacy Authorities of each Member State) be able to retain the freedom of the other members when it comes to transferring personal data?
The odds are that the UK will apply to the European Commission to obtain a decision granting this “adequate” status, a request for which may well be hampered by the super tight surveillance law just approved by the parliament.
It seems like a steep path, but could this be the first step in having the UK become the new EU headquarter of such big multinationals, exempt from a big burden like the privacy shield and therefore allowed to transfer personal data from the EU to the US more freely and with lesser legal accountability? Perhaps also a good ground in order to reduce exposure to Vestager’s claws when it comes to anti-competitive behaviours too?
Marco De Roni is a law graduate and paralegal in Amsterdam.
Please bear in mind that the authors of many Legal Cheek Journal pieces are at the beginning of their career. We'd be grateful if you could keep your comments constructive.