A move to withdraw Britain from the European Convention on Human Rights could cease data transfers between the UK and Europe, an expert has warned.
Theresa May has said she may seek further opt-outs from the convention to bring in more stringent anti-terror laws following a spate of attacks.
But critics have predicted that such a move might not be enough for Mrs May to achieve her aims, prompting a full withdrawal at a later date.
Guy Cohen, policy chief at Privitar, told NS Tech: “If this happens, it will be harder for the UK to demonstrate that there is sufficient oversight of the Investigatory Powers Act.
“Just as with Max Schrems and Safe Harbour, European citizens could claim that the UK does not provide adequate protection of their personal data.”
Mr Cohen said this could become problematic when the UK leaves the EU: “Following Brexit, the UK will have to appeal for an adequacy decision for companies to be allowed to transfer EU data subjects’ data in and out of the UK.
“This may not be possible because of concerns in the EU about the UK’s Investigatory Powers Act, which, some argue, by collecting data indiscriminately breaches Article 8 of the ECHR and Article 7 of the EU Charter, meaning data transferred to the UK do not receive equivalent protection to the EU.”
In the event that the UK leaves the EU without an adequacy decision, Mr Cohen said officials would attempt to create a Privacy Shield equivalent for the UK.
It would require businesses to agree to a level of certification to demonstrate data was being kept in a compliant way, said Mr Cohen.
“If this was not considered sufficient to ensure adequacy, then organisations would have to rely on binding corporate rules, standard contractual clauses or explicit consent for the international transfer of data,” added Mr Cohen.
He warned that this would increase costs and be particularly challenging for smaller businesses such as artificial intelligence startups, making it harder for them to operate across borders and grow internationally.