Commission officials led by Martin Selmayr talked Brexit with German lobbyists. Behind closed doors, the Commission says they will not take emergency measures to protect UK businesses from data protection trouble following a no-deal exit. Rights campaigners see a no-deal Brexit as an opening to fight surveillance.

The European Union will take „no special contingency measures“ for cross-border data flows in case of a no-deal Brexit, European Commission officials told visitors in December. The remarks were made at a meeting of the Commission’s Secretary-General Martin Selmayr and a member of President Jean-Claude Juncker’s cabinet with representatives of Vodafone days before Christmas, as minutes released under Freedom of Information laws at the request of netzpolitik.org show.

„The Commission representatives made clear that, in case of a no deal, no special contingency measures for data flows would be taken“, the minutes state. Selmayr and his staff met Roland Koch, who was a senior politician with Germany’s ruling Christian Democrats before joining the board of Vodafone, alongside Vodafone’s External Affairs Director Joakim Reiter.

A spokesperson for the European Commission did not reply to our request for comment.

Legal grey areas ahead

As the March 29 Brexit deadline draws closer, authorities on both sides of the Channel prepare for the UK to leave without a deal in place. Currently data flows are regulated within the EU’s single market. But a no-deal Brexit exposes UK businesses and public authorities that store data in the EU to legal trouble.

A business association recently warned that uncertainty around a no-deal Brexit could „potentially bring EU-to-UK data flows to a halt“. Members of the UK Parliament said the issue is a ’significant‘ concern for business.

After exiting the EU, the United Kingdom can seek an adequacy decision for the exchange of personal data. Such arrangements are in place with several countries, including Argentina and New Zealand. However, EU authorities have said such a deal can only be put in place after Brexit, as the UK Information Commissioner’s Office pointed out in a blog post in December. This potentially leaves a regulatory vacuum for weeks or even months.

Meanwhile, companies storing data of EU customers in the UK could find themselves in violation of Europe’s General Data Protection Regulation. A study by the European Parliament notes that, in the absence of an agreement, standard contractual clauses would have to be added to every business deal. This could be a „hurdle“ to business, the study notes.

The European Data Protection Board, which decides cross-border cases, debated a no-deal Brexit at a meeting this week. However, a German representative made clear after the meeting that there will be no grace period where data protection rules won’t be enforced.

Activists spot an opportunity

Also, an adequacy decision for EU-UK data flows is not a foregone conclusion. Rights activists see a no-deal Brexit as a chance to put surveillance of communications data by UK intelligence services on trial.

„The fact that the UK is – or, [soon], used to be – a member state of the EU does not mean that the adequacy process would be a formality, far from it“, says Estelle Masse, Senior Policy Analyst at the advocacy group Access Now. „The EU would have to look into the processing of data conducted by UK public authorities, including by intelligence and law enforcement agencies. Given the number of mass surveillance programmes in place in the UK, it may be virtually impossible for the UK to qualify for an adequacy status unless comprehensive reforms are conducted.“

Concerns around surveillance caused the European Court of Justice to quash the data transfer agreement Safe Harbor with the US in 2015. Privacy Shield, a follow-up agreement, contains some safeguards against undue eavesdropping, but is challenged by privacy advocates nonetheless. The UK could soon face similar scrutiny.