News

Brexit: Goodbye to EU Data Rules?

MSPs
By Daniel Castro

The decision by the United Kingdom to leave the European Union will soon launch one of the largest policy undertakings ever, as British leaders and diplomats race against a two-year deadline to negotiate new arrangements with the European Union and new treaties with other countries previously governed by agreements made through the EU. While the first order of business will be ensuring British citizens can travel abroad and British companies can access foreign markets, in today’s digital economy there should also be a significant focus on how the UK will ensure the free movement of data both internally and across borders. Fortunately, this is one of the bright spots for the British economy as the UK will now have an opportunity to replace the stringent EU data protection regulations with a more forward-looking set of rules that enable data-driven innovation and in so doing cement the country’s leadership in the digital economy.

The UK has long been a lonely voice of reason in the EU, arguing for light-touch regulation of the digital economy even as countries such as France and Germany have overruled it. The result has been that while the digital economy is stagnant in the EU, it is thriving in the UK. Indeed, as a share of GDP, the Internet economy in 2016 is expected to reach 12 percent in the UK, far above the 3 percent or 4 percent in France and Germany respectively. Yet some in the UK want to continue to bind the British economy to EU-style data regulations out of fear that failing to do so would create a regulatory headache for British companies doing business in the EU. The UK’s Information Commissioner’s Office even released a statement immediately following the results of the referendum calling for “international consistency around data protection laws.” While it is true that British companies need to be able to process personal data of employees and customers in the EU, there are multiple paths to achieve that goal, and mirroring EU rules is not the best option.

First, the EU’s General Data Protection Regulation (GDPR), set to come into effect in 2018, will likely further limit digital innovation in EU member nations. The GDPR establishes strict rules on how companies can collect and use personal information. For example, the rules mandate that companies specify how they will use data before they collect it, a requirement that by definition limits the type of experimentation and innovation that has become the hallmark of the data economy. In addition, the regulations allow for penalties of up to 4 percent of a company’s global revenue, which means that the private sector will be investing heavily in compliance to avoid violations. These expenses will not only divert funds from more useful product development and raise costs for consumers, but they will also force companies to become risk averse. The UK would be wise to protects its companies from the restrictions and penalties resulting from these types of heavy-handed, innovation-limiting regulations.

Second, even if the UK were to fully implement the GDPR, there is no guarantee that the EU would determine its data protection laws meet its adequacy standard—a necessary precondition for companies in the UK to continue processing European data as they do today. After all, the biggest hurdle in negotiating the successor to the U.S.-EU Safe Harbor agreement was not that the United States had a different style of data regulation, but rather that U.S. government surveillance programs purportedly put EU citizen privacy at risk. Yet, some European countries have passed more intrusive surveillance laws than those in the United States, such as those passed by France following the Charlie Hebdo terrorists attacks in Paris. However, the EU has not held its member states to the same standard as it does non-EU countries. The UK, which is set to pass its own controversial surveillance legislation, should not expect to receive a pass even if it adopts measures equivalent to the GDPR.

Rather than seeking an adequacy determination, the UK should take the approach pursued by most non-European countries and use other legal mechanisms, such as model contracts and binding corporate rules, to enable lawful transfers of personal data between the UK and EU member states. Or it could negotiate something akin to the Privacy Shield agreement which was established to allow for the exchange of data between the United States and the EU. Any of these approaches would allow UK policymakers to establish their own data protection rules that balance the right to privacy with other competing interests such as national security, economic prosperity, innovation, and public health while still maintaining free trade with Europe.

If the purpose of Brexit was to allow the UK to reassert core British values through its policies, then it should seize this opportunity to define a uniquely British solution to data protection rather than continuing down the stultifying path laid out by Brussels. Doing so would not only free British companies from the heavy compliance cost of the GDPR and allow them to better compete in the global market, but it would also establish confidence with investors that the UK is in fact emerging hub for the growing data economy.