BRUSSELS (Reuters) - If Britain leaves the EU, trade and travel across the English Channel may get trickier and there are also concerns that Brexit might disrupt the sensitive data traffic that is an integral part of international businesses.
Experts advising firms concerned about costly changes, such as changing storage sites for customer data, re-routing flows or rewriting documentation, say little should change. In or out, British companies will go on having to meet the strict rules the EU imposes on anyone taking data from consumers in the bloc.
However, suspicions in Europe that London tolerates more intrusion by security agencies into privacy than, say, Germany, might mean a post-Brexit Britain facing demands from Brussels for even tighter guarantees for handling EU citizens’ data, such as the United States has been confronted with this year.
Much will hinge on the relationship Britain negotiates with what would now be a 27-nation EU after a Brexit, which would likely take effect some two years after the referendum on June 23. It would probably follow a similar pattern set by other non-EU European countries.
Emulating Norway would, broadly speaking, mean that EU data regulations still apply directly to Britain. Choosing the Swiss model, on the other hand, would give Britain the freedom to choose its own data protection law — but firms trading with the EU would have to comply with the EU rules anyway.
“All roads lead to probably having to comply with the (EU) General Data Protection Regulation in one form or another,” said Dan Tench, a partner at London law firm Olswang.
U.S. companies such as Google (GOOGL.O) and Facebook (FB.O) have not been able to escape the reach of European privacy law just because they are not European companies, as their recent run-ins with EU regulators show.
Brussels makes it hard for companies working in the EU to store the personal data of EU citizens on servers outside the bloc in any country other than 11 non-EU states whose protection standards EU regulators have approved as “adequate”.
These 11 include Switzerland, New Zealand and Israel. To hold Europeans’ data in an unapproved state, firms and customers must set up special legal structures.
So the closer British data protection rules remain to the EU ones, the likelier the European Commission is to add Britain to its shortlist of safe countries in terms of privacy.
“Even if we were to leave the EU entirely, if we were to secure safe harbor designation from the EU, which would seem essential, one imagines that we would have to be more or less compliant with the (EU) regulation,” Tench said in London.
While retaining close trade ties with the EU would be a good argument for keeping the data relationship simple, Britain’s surveillance laws could come under EU scrutiny before granting “adequacy”.
Edward Snowden’s revelations of sweeping U.S. state surveillance led eventually to EU judges striking down the Safe Harbor data-sharing agreement with the United States last year.
And, said Peter Church of London law firm Linklaters: “There is a reasonable amount of concern in some quarters of the EU about the surveillance regime in the UK.”
Yet, data flows would not grind to a halt if Brussels kept Britain off its list of adequate non-EU jurisdictions.
Companies can use contracts pre-approved by the European Commission — known as model clauses — to give EU customers privacy guarantees. These add costs, especially for small firms.
But, Church said, that would not be “the end of the world”.
Looking at the other uncertainties businesses face in the case of Brexit, data issues are not the most pressing and advisers say few companies appear to be making firm contingency plans for an event that, if it happens, will not be sudden.
“In some ways data protection is the least of their issues arising from any potential Brexit,” Tench of Olswang said. “Because in fact it’s all going to stay pretty much the same.”
($1 = 0.6906 pounds)
Editing by Alastair Macdonald and Robin Pomeroy