LONDON — The Irish border, citizens rights, a free-trade agreement — the list of seemingly intractable Brexit issues facing European and British negotiators is neverending.
Heres another headache: data.
As the United Kingdom hurtles toward the EU exit door, both sides have yet to start discussing how to make sure that reams of digital information — everything from social media posts to companies customer details — can continue flowing when London finally leaves the 28-member bloc early next year.
Its a sure-fire bet that no one who voted for Brexit gave two thoughts about how the referendum result would affect their online information. But the risks are real — and wont just be felt by those in the U.K.
Without a new data deal, both British and European companies will find it hard to share even the most basic of information across the Channel — data that underpins trade reaching into the tens of billions of euros each year. (After Brexit, the U.K. loses the automatic right to participate in regionwide data-sharing, potentially leading to lengthy legal disputes in which London could be forced to unilaterally accept EU privacy standards and Brussels may demand greater safeguards from the British than currently exist.)
Officials and legal experts reckon it will take 12 to 18 months, at best, to hammer out an agreement.
Regulators and law enforcement agencies may similarly be hamstrung when trying to quickly share data about ongoing investigations, including terrorist threats and state-backed meddling in national elections.
The rest of us (no matter if youre in Madrid, Manchester or Milan) may also find it increasingly difficult to do even basic things online like sharing our data with companies inside and outside of the EU bloc if more roadblocks are created on the post-Brexit data superhighway.
“A U.K.-EU data agreement is desirable, logical and ideal,” said Eduardo Ustaran, co-director of the global privacy and cybersecurity practice at Hogan Lovells, a law firm in London. “But if it doesnt happen, then companies will need to learn to survive.”
The uncertainty about data transfers is a prime example of the law of unintended consequences two years after the Brexit vote.
* * *
Its understandable why Brexit negotiators have yet to turn to data.
The EU wants big-ticket issues like the role of the European Court of Justice to be addressed first. That means even the U.K.s divorce settlement (and the thorny issues like how to avoid creating a hard border between Northern Ireland and the Republic of Ireland) remains in doubt as the months tick down to Britain leaving the EU at the end of March 2019.
But the fact that London and Brussels are not yet discussing the complexities of a cross-border data agreement shows how hard it is to unpick a 45-year relationship that has woven the U.K. into the heart of EU policymaking.
It doesnt help that both sides cant even agree — insert your own Brexit joke here — on when to sit down.
British officials, many of whom remain relatively relaxed about securing a data deal because London already complies with Europes tough privacy rules, are eager to start talks before the divorce settlement is completed, according to several people with direct knowledge of the matter who spoke on the condition of anonymity because of the sensitivity of the pending negotiations.
For London, the sooner talks get going, the more likely they are to secure as broad a data agreement as possible — a basic requirement if Britain is to maintain its prime spot as first among equals in Europes burgeoning tech scene.
Such efforts have fallen on deaf ears in Brussels.
EU officials outright refuse to discuss data (or the litany of other industry-specific agreements that will be needed) until the U.K. signs off on its divorce agreement. London had originally aimed for a complex data treaty with Brussels, but is now resigned to a so-called adequacy agreement, or a lesser deal that must be reviewed by the European Commission roughly every five years.
When Brits went to the polls in 2016, no one was thinking of how the referendum on leaving the EU would affect the U.K.s transformation into a fully digital society.
Time is running out.
Officials and legal experts reckon it will take 12 to 18 months, at best, to hammer out an agreement, including finding answers to tricky questions like how to impose limitations on British national security agencies access to EU data.
So even if discussions begin the day after Britain leaves the bloc (and thats a big if), theres little room for error before the U.K.s two-year transition ends in 2021. If no agreement is struck, officials may be forced to put together a temporary arrangement to keep digital information flowing, or face shutting down access for British firms.
That countdown is already forcing companies reliant on cross-border data (roughly three-quarters of U.K. international transfers are with other EU countries, according to government statistics) to make tough decisions: Either jump ship from the U.K., at least in terms of where they are regulated for all things privacy, or ride their luck whenever negotiations finally get under way.
* * *
For those thinking this is just Project Fear, its worth remembering the EU has as much to lose as Britain if both sides part company over data in a post-Brexit world.
As part of the regions revamped data protection standards that came into force in May, national privacy regulators were given wide-ranging powers to fine companies up to 4 percent of their global revenue, or €20 million, whichever is higher, if they flout the EU rules.
Such new regulatory muscle — particularly when handling complex international data issues like the recent Cambridge Analytica scandal — inevitably requires collaboration between EU officials. And many still turn to the U.K. and its well-financed regulator, the Information Commissioners Office, for guidance, expertise and resources. (The British regulator was the first agency worldwide to fine Facebook for its role in the Cambridge Analytica case.)
Yet that close relationship is also in jeopardy after Brexit, something that will hurt cash-strapped EU regulators more than their well-resourced British counterparts.
Even before data talks get started, several regulators are resigned to the fact the ICO will lose its voting rights — and ability to help jointly investigate cross-border cases — as part of the pan-EU data protection group, which oversees the Continents new regulatory regime.
A Cambridge Analytica sign at its office in London | Chris J Ratcliffe/Getty Images
Sure, both British and EU officials say that everything is up for grabs in the upcoming data negotiations. They add that the British may still be able to participate in some fashion in the regionwide work, though its role will be severely diminished. (The ICO is estimated to provide roughly one-third of the legal heavy-lifting to the EU group, known as the European Data Protection Board, or EDPB.)
“Full membership is very unlikely,” said Richard Thomas, former head of the British agency and current data protection chief for the British crown dependency of Guernsey. “If we end up in a situation where the ICO is excluded from the EDPB, that would be extremely unfortunate.”
Extremely unfortunate, it may well be.
But with British and EU officials still squabbling over basic aspects of Brexit and far from addressing cross-border data transfers, the signs of securing a U.K.-EU deal in time dont look good.
When Brits went to the polls in 2016, no one was thinking of how the referendum on leaving the EU would affect the U.K.s transformation into a fully digital society.
Now that we are dealing with the complex reality, its hard to see how the pending divorce will benefit either side — at least in terms of data protection — when Britain finally goes its separate way.
Mark Scott is chief technology correspondent at POLITICO.
Read this next: Fear and loathing on the Swedish campaign trail
[contf] [contfnew]