In an interesting article for The Times on 15 January 2020, its Banking Editor, Katherine Griffiths, analysed some of the implications for lenders of the recently reported cyber attack on Travelex, the travel money company. Some lenders had used Travelex as a currency provider to customers, and there is concern amongst them that they might find themselves exposed to huge fines and penalties under tight EU-inspired data protection laws, such as GDPR (the General Data Protection Regulation).

The writer argues that post-Brexit the UK might be in a position to make data protection laws more business-friendly so as to mitigate some of the unpredictable legal consequences for lenders of being caught up in a Travelex-type situation. The title of her article reads somewhat feistily:-

"Britain should not be afraid of battling EU over data after Brexit."

Ms Griffiths points out that "via a mixture of contracts and a political fudge known as a privacy shield" the USA and the EU have managed to sort out a system that allows data to flow between businesses in their respective jurisdictions. She believes that the UK should also be able to reach a sensible accommodation with the EU, which would safeguard UK businesses from the strictest consequences of GDPR.

This is a bullish approach from the UK standpoint but should not ignore the EU's insistence on a "level playing field for open and fair competition", as stated and accepted by both the EU and the UK in the draft non-binding Political Declaration (Section XIV) negotiated between them in October 2019. 

The draft Political Declaration addresses digital economy issues and clearly favours agreeing "provisions to facilitate electronic commerce" between the EU and the UK and ensuring "an open, secure and trustworthy online environment for businesses and consumers" within the EU and the UK. In this context, paragraph 38 of the draft Political Declaration concludes:-

"These provisions should also facilitate cross-border data flows and address unjustified data localisation requirements, noting that this facilitation will not affect the Parties' [ie the EU and UK's] personal data protection rules."

In its briefing slides to the European Council Working Party published on 13th January 2020, the EU Commission "Brexit" taskforce includes "data flows" within its "Digital trade" section and appears to recognise the need to satisfy both business and individual concerns where data protection is concerned. It is to be hoped that the battle lines will not be set too harshly on this issue when EU and UK negotiators get into discussions for the new long-term economic relationship between the EU and the UK following Brexit.