Brexit and privacy law: Why are Facebook and Google investing in London now?

By on

Reasons to be concerned


One of the many legal struggles Brexit, if it happens, will lead to will take place on the privacy law battlefield.

It regards how domestic privacy law be shaped after we leave the European Union. Although the upcoming EU GDPR (the General Data Protection Regulation, which will upgrade the legal discipline on how personal data can be handled in Europe and transferred to extra-EU countries. This stems from the same legal trend that brought the privacy shield to the United States) will be applicable at least for a short period before we actually leaves the Union, will the United Kingdom retain European laws? Will it draft its own privacy legal discipline from scratch? Will it be considered a country providing “adequate safety measures” — a status granted to countries deemed to offer adequate protection and to which transfers of personal data is much easier and faster — once outside EU?

Far from this quagmire, some Brexiteers have recently feasted to the news that two giant US multinationals, Google and Facebook, decided to expand their presence in London, despite the current lack of clarity on the city’s future.

It’s been reported that the former recently announced a £1 billion investment plan, plus an additional 650,000 sq ft headquarter in King’s Cross and a spike in the workforce from the current 4,000 employees to 7,000 in three years. Undoubtedly a hefty effort, one that will mean London will receive Google’s biggest investment in Europe, putting even the paramount Dublin in second order. All of this in the name of “talents’ future in technology”, “passion for innovation”, “London as the technological hub” — and by tucking the current tax issues with the HMRC under the carpet for a day.

Facebook too is adopting a similar expansion strategy: a 50% increase in presence and 500 new employees by 2017 (instead of the current 1,000), reaching — if not overtaking — Dublin in terms of importance. Sadiq Khan, London Mayor, intervened once again at the public ceremony, claiming London is “the best city in Europe for digital startups”, “open to talent, innovation and entrepreneurship” and also dubbing it “the envy of Europe”.

Apple and Amazon too have announced expansion plans in London with, respectively, 1,400 and 1,000 additional employees being hired. Once again, the tones are similar to those seen at the Google event, highlighting UK innovation and attitude towards technology.

But why have such giants increased their financial efforts in a less-than-stable city like London?

If there is one thing that should be clear from my previous Legal Cheek Journal article, it’s that nothing comes for free and without strings attached, especially from big US media multinationals.

Yes, Facebook and Google are media companies, well outside the IT industry, whose “tech-company” label is a more appealing term that brings certain advantages when resorting to shareholders and investors and dealing with regulators.

Want to write for the Legal Cheek Journal?

Find out more

Media companies’ main profits still come from advertising and, jointly, reach a sum higher than $23 billion (£18 billion) in the first half of 2016. Not bad for two companies which are taking over the advertising market with growth of 60% (Google) and 43% (Facebook) over the first half of 2015, thus accounting for 85% of every new expense in this market.

So, as the saying goes, when there is muck, there is money — but what could possibly turn on media companies and incentivise this spending in London specifically?

The proposal to reduce corporate tax exposure to 15% is an interesting countermeasure to avoid companies breaking out of UK, but that may not be the whole picture.

In fact, if there is one thing that media companies crave it is personal data. Both Facebook and Google (not to mention Apple and Amazon) deploy criticised techniques to collect personal information: instill cookies on devices, bolster network of acquaintances, rake up tastes, political inclinations and sell such information to advertisers.

Now, we all know that Brexit will involve a lot of complications, issues and novelties when it comes to privacy law, but what does it change exactly for media companies, like Google and Facebook, in the UK?

Can companies in the UK still exchange personal data without cumbersome red tape after the UK has left the EU?

Post-Brexit, it is likely the UK will be labelled a country offering “adequate guarantees” when it comes to privacy safety of personal data according to many sources, and probability will only rise if it ratifies the upcoming EU GDPR before leaving the Union.

Will this happen? Times are tight and the deadline to implement the GDPR (25 May 2018) may come well sooner than the finalisations of the Brexit negotiations. That said, on 24 October Karen Bradley MP confirmed that the UK is going to opt-in to the GDPR.

Will companies in the UK be subject to the EU GDPR after Brexit?

Notwithstanding, Theresa May promised a “Great Repeal Bill” to erase the European Communities Act 1972 in order to be able to carve out EU law from the UK legal system.

As confirmed by Stewart Room — global head of cyber security and data protection legal services at PwC — upon the execution of Brexit, “the UK would technically be free to abandon [the law]” (what a great chance to cherry-pick EU legislation).

This will mean the UK — according to Elizabeth Denham, head of the information commissioner’s office (ICO) — will rely on its own privacy laws in order to enjoy “adequate or essentially equivalent” status. This means that no matter the legal relationship personal data’s protection can be still guaranteed. She claimed the ingredients of the next UK privacy law will be a “progressive regulatory regime”, subject to “scrutiny”, that won’t cause “UK having rocks thrown at it by other regimes” and which bears “consistency and adequacy to Europe”.

Can the UK enjoy the “adequate” status albeit repelling the EU GDPR?

“Out is out” but can a UK out of Europe — exempt from European Court of Justice and with a Data Privacy Authority outside Article 29 Working Party network (a group of representatives from Data Privacy Authorities of each Member State) be able to retain the freedom of the other members when it comes to transferring personal data?

The odds are that the UK will apply to the European Commission to obtain a decision granting this “adequate” status, a request for which may well be hampered by the super tight surveillance law just approved by the parliament.

It seems like a steep path, but could this be the first step in having the UK become the new EU headquarter of such big multinationals, exempt from a big burden like the privacy shield and therefore allowed to transfer personal data from the EU to the US more freely and with lesser legal accountability? Perhaps also a good ground in order to reduce exposure to Vestager’s claws when it comes to anti-competitive behaviours too?

Marco De Roni is a law graduate and paralegal in Amsterdam.

Want to write for the Legal Cheek Journal?

Find out more

Please bear in mind that the authors of many Legal Cheek Journal pieces are at the beginning of their career. We'd be grateful if you could keep your comments constructive.


Not Amused

The reason to invest in the UK is that we don’t have stupidly high corporation tax.


Hi, thanks for your comment.
The following are some of the countries with the same or lower Corporate tax rate (and perhaps better living standards):
Croatia, Cyprus, Czech Republic, E-stonia, Hungary, Ireland, Litchenstein, the Netherlands, Poland, Slovenia and Switzerland (not mentioning Isle of Man and similar locations).
Aka, corporate tax alone cannot justify such huge moves.

Not Amused

Right. I’m not quite sure where to begin with your rather ill thought out reply.

I said: “The reason to invest in the UK is that we don’t have stupidly high corporation tax.” It is implicit in my comment that there are more reasons than mere rates of corporation tax to invest, but that our low corporation tax is one of those reasons. There are of course, many good reasons to invest in the UK.

You list several countries. It is not right really to compare many of the to the UK – as they are so fundamentally different and some of those you cite are tiny little tax havens.

However it is also not right to say that the Netherlands has lower corporation tax – they don’t. Theirs is higher (25% to our 23%).

Again it is also not right to simply look at headline rates. The UK offers discounts and relief for certain things. A lot of those discounts are available to global tech companies.

However you appear to further ignore the fact that UK corporation tax is scheduled to go down to 17% while EU wide corporation tax is planned to be harmonised at 28%. Companies like to plan ahead.

So lots of reasons to invest in Britain – no need for conspiracy theories. Our prudent levels of corporation tax is one of those reasons.


UK Corporation tax is 20%


If you write “the reason for A is B” in order to refute an argument that the reason for A is C, it is not implicit in your statement that you think that there are also other reasons for B. In fact, the implication is the opposite, otherwise the saying that the reason is B wouldn’t be an argument against the idea that the reason is C.

Also, the author’s reply was not “ill-thought out” – you raised the issue of corporation tax and he responded directly and politely to that. No idea if he’s right about this issue, but he’s put forward a reasonable thesis, not a conspiracy theory.


NA, please at least try to make some sense in your comments.


After the implementation of the Investigatory Powers Bill it’s highly unlikely the EC is going to find the UK having an adequate data protection regime. And even if it puts into place a national data protection law that copies the GDPR ad verbatim, the very fact that the UK is outside the EU is highly likely to mean that the UK won’t form part of the one stop shop regulatory mechanism and the ICO will be unable to be the lead supervisory authority for a company’s EU operations. That seriously impedes the UK’s ability to promote itself as a potential hub jurisdiction for Europe in respect of personal data.


Hi, thanks for your comment.

“it’s highly unlikely the EC is going to find the UK having an adequate data protection regime” –> it depends on the guarantees and safety nets deployed by the UK government, on how the UK DPA will react and on lots of further factors.
If Argentina is nowadays considered “adequate”, than why wouldn’t U.K. be a priori able to achieve the same status?

Let’s also consider that the U.K. has a tremendous need to keep the flows of data and, as reported in the footnoted article, the government has all the interest in pursuing that.

Last but not least, Privacy law is such a complicate issue that deceiving EU with the Safe Harbour proved possible for years.
Why can’t the guarantees offered by the UK be considered appealing?


It’s too simplistic to suggest that because the UK (and, let’s be honest, the EU) has an interest in maintaining data flows, that the UK will do all it can to ensure it gets a finding of adequacy. Data flows have worked fine to other third countries using transfer mechanisms such as model clauses. I don’t doubt that the UK government would like adequacy but likewise I don’t think the UK is going to bend over backwards to accommodate legislation in its entirety when it doesn’t agree with parts of it, just so that its organisations don’t have to implement transfer mechanisms.

The key benefits of the GDPR are tied in with EU membership. We can be fairly certain that the ICO won’t be allowed to be a participant in the one stop shop, which instantly wipes out much of the advantage of setting up a main establishment in the UK.

As for the Schrems decision, that emphasized the difference in approach to data protection between the Anglo-Saxon member states and the rest of Europe – few people in the UK agreed with the verdict of the CJEU.

The very fact that we’re already implementing an investigatory powers law that explicitly permits the type of surveillance that was THE key issue in finding Safe Harbor invalid suggests that the UK is not all that bothered about adequacy at all costs. And if you look at the Bill in light of Schrems and recent Article 29 Working Party papers then you’d likely conclude that the UK will not be regarded as adequate even with a privacy law that exactly mirrors the GDPR.


Hi Anonymoys, thanks again for your comment.

– Regarding the Standard Contractual Causes – that’s not easy stuff, and it’s quite a burden , in case your negotiation involves transfer of personal data.
It’s not a coincidence that EU and US (as well as Switzerland and further countries) are working since a long time on legal frameworks to justify transfers and avoid red-tape hassles like the SCC.

– Regarding Europe interest: what would be this in having UK receiving data from inland people? I would expectthe other way around to appeal the most to EU business.

– “We can be fairly certain that the ICO won’t be allowed to be a participant in the one stop shop” –> once UK opts-in to the GDPR and, afterwards, quits the EU, it is still bound by the Directive and I don’t see how other Member States can kick UK out of the deal.

– ” few people in the UK agreed with the verdict of the CJEU” -> same across further Member States (especially within corporate environments), but this doesn’t mean that CIO disagreed when acting within the Article 29 party.

-“(…)suggests that the UK is not all that bothered about adequacy at all costs(…)”–> yes, you may be right; then, I am curious to know which warranties will the UK gvmt give to those multinationals whose business hinges exclusively on transfer of data (which will be enormously burdened by a hard-Brexit).

– “UK will not be regarded as adequate even with a privacy law that exactly mirrors the GDPR.” –> a lot depends on what warranties will UK grant to EU, regarding personal data. If it manages to convince Banks, Insurances, Investment firms & co. that Financial Passport won’t be an issue after a Hard Brexit, then everything is possible.


The major bind with model clauses is working out which of your relevant jurisdictions require registration etc. Putting the clauses together requires some work but once they’re in place, they’re in place. And there are always negotiations between controllers and processors because of the need for Article 17 provisions. The GDPR makes model clauses much easier because it does away with the need for registration.

Sure, it’s understandable that Switzerland and the US etc. are looking for mechanisms that improve the ease at which data can transfer between jurisdictions but there’s a key difference between what they’re looking for and what you’re suggesting the UK does, namely that you are pushing for the UK to capitalize on Brexit to become a data privacy hub.

Of course the EU has an interest in maintaining data flows – and even if they’re one way, that’s irrelevant because the point is that data flows are crucial to commercial relationships that have economic benefits on both sides.

The UK will not adopt EU laws. The UK will not sign up to the 4 freedoms – politically, this just can’t happen because it will involve the UK being bound by everything people voted against without having the benefits of membership. And Regulations, unlike Directives, will fall out of UK law on the day Brexit happens, meaning they will require an Act of parliament to be reinstituted, which will not, strictly speaking, be the same as adopting the GDPR. Look at the Channel Islands as an example – they’ve basically adopted the Data Protection Act, which grants them adequacy (they don’t have issues with government surveillance etc) but they don’t have a seat at the table at WP29 meetings. They don’t really have a voice.

Of course, the UK is far more influential than the Channel Islands, and the ICO is surprisingly influential as a supervisory authority, but if you think Europe would allow the ICO to become the most important regulator when it doesn’t even sit in a Member State, then I think you’re naïve at best.

You make too much of the importance of data privacy to the UK or multinationals. Data protection is always going to be low down on the list of priorities compared to tax breaks etc. In fact, it’s very plausible that the UK could accept to abide by EU data protection laws as a bargaining chip to secure something that’s more important to it. In such a situation though, if you are relying on the UK adopting the GDPR to become a hub for personal data, then what exactly will be advantageous in setting up a hub in the UK?


Hi, anonymous, thanks again for your comment.

I regrettably still don’t get why EU would need to maintain such streams of data. The best outcome for EU would be to keep data of its citizen safe on servers located within its territories and to absorb HQs from UK to aovid resorting to such tunnels of information; hence, where’s the interest of the EU in having an opposite scenario?

Instead, I get your point on ICO’s relevance, but I still disagree by not being naive: if, as May stated, they promised to obtain keeping access to the Single market but opt-out form the basic freedoms, than there are a few things left impossible I can foresee in this world.
I was firstly surprised by hear how sure Brexiters are that quitting EU will keep immigrants and criminals away and financial institutions inside, therefore I wouldn’t be less surprised by acknowledging ICO being still a member.
The EU is that fragmented union where not all countries agree on a same currency, where eastern countries have (still) less rights when it comes to establishing in the western part, where countries can opt out to fundamental treaties and where single MS can singularly have tax agreements with extra-EU countries. So why not including (at least, temporarily) the DPA of a countries who used to be MS?

Finally, on the last paragraph: perhaps Privacy is not the #1 priority, but when it comes to multinationals like WA and Instagram, where data is everything, employees and assets are a tiny bunch and exchange of personal data is key, then I would pay more attention to such complications.


The Investigatory Powers Act is a UK domestic law. The GDPR specifically allows for national governments within the EU to vary obligations within the law for reasons of national security. Provided that it can assure the EU that it will not reach out further than UK residents, and that the data of EU residents are afforded the protections of the GDPR, there shouldn’t be any problem, surely?

After the terrorist actions in Germany, France, the Netherlands and Belgium, I suspect that there are a few EU members who are thinking about similar measures for their own law, in any case.


Hi Andrew, thanks for your comment. You can find a list of authorities that can snoop on you, here
Moreover, as you may know, these will now be authorised to store your date and won’t need a warrant anymore either.
While we can argue about the fairness of the latter, I am sure we can agree on lots of authorities who actually don’t need such right.
I wouldn’t, personally, be surprised if such a law would be caused under the pretext of terror (lots of apps don’t even store data anymore -see WA and telegram-) but actually stem out from the Snowden-gate.


Low corporation tax
Fair labour laws
Major financial centre
Diverse talent pool
Possible low regulation and competition after Brexit

Now, why wouldn’t MNCs move to London?


Possible low regulation and competition after Brexit

These firms don’t want competition, they absolutely want to wipe it out. That’s why they are moving here, in order to soak up the local talent and keep competitors from developing.

Ciaran Goggins

There are no privacy laws, there is no cyber border.


For those interested in this topic, another advantage of companies investing more in UK could also be a lesser exposition to EU Competition Law (see the recent shift of McDonald’s HQ after being targeted by Vestager).

Join the conversation