The thing about referendums is that the consequences of one outcome or another are likely to be rather disparate. If Brexit turns out to be rejected by the majority of the UK electorate, we will simply carry on as normal – quietly enjoying the benefits of the European Union whilst moaning about the threat that the EU poses to our peculiar way of life. It is a tried and tested state of affairs, all too familiar within the UK and on the Continent. If on the other hand, Brexit wins, it will surely be a jump into the unknown. An unknown seen as a black hole by some and a prosperous new world by others, but an entirely unfamiliar situation nonetheless. The point is that whatever happens in the UK on 23 June, the future will be very different depending on which side wins.
When it comes to data protection law, the same principle would appear to be true. Stay in the EU and in two years, the UK will share a pretty much identical framework with its European neighbours. Sure, there are some areas where Member States have the final say and each national regulator will apply their own way of thinking to the black letter of the law, but by and large, the EU General Data Protection Regulation (GDPR) will lead to much greater harmonisation than what we have today. Opt for leaving the EU and, in principle, the British legislator will have a white canvas on which to paint a picture of its choice with as much or as little colour as desired. In fact, some of the arguments that have been heard from the Brexit camp are precisely that leaving the EU would allow UK businesses to take advantage of the data economy without the constraints imposed by an otherwise cumbersome and untimely law.
But as with some many aspects of the Brexit debate, empty claims often get in the way of seeing what the future will look like. The truth is that whatever the outcome of the EU referendum, the creativity of the UK Parliament is unlikely to be put into practice in an area such as data protection where the EU has long been calling the shots. In reality, EU data protection law will always be closely followed by Britain. The most obvious reason for that is purely practical. And frankly, in the UK we know a thing or two about being practical – this is where you have a two-speed system in the Tube’s escalators and where even drunk people are capable of forming an orderly queue at a taxi rank at 2am in the morning. So when it comes to practicalities, rest assured that an innate national instinct will prevail.
That instinct tells us that unless the UK provides an ‘adequate level’ of data protection a la GDPR, it will become a forbidden territory for European personal data. It is not a coincidence that the first country to receive an adequacy finding from the European Commission was the uber-practical Switzerland. If Brexit happened, it would be inconceivable for the UK not to do the same and immediately knock on the door of the Commission to explain exactly how the GDPR will still make its way into our national law. What is somewhat imaginable is the Commission itself being a tad smug about the prospect of a Brexited UK trying to explain how its data protection law effectively mirrors the one in the rest of Europe.
There is another perhaps even more important reason why EU data protection will remain in the UK even if the UK were to leave the EU. Let us not forget that UK data protection law had already been in operation for more than 10 years by the time the original EU data protection directive was adopted in 1995. In other words, Brussels did not invent modern data protection law. The GDPR may be a yet to be tested ambitious piece of 21st century law but at its core, it is based on the same ideals that inspired the UK and many other progressive jurisdictions to pass laws regulating the use of personal data in the early 80s. Today, the respect for the right to privacy and data protection should be seen as public policy priorities in any sophisticated democracy.
Let me put it this way, if Brexit led to the demise of data protection law in the UK, we would be facing a much more serious problem than just leaving the EU. Data protection law is not an arcane doctrine that exists alongside Napoleonic codes and is nurtured by Brussels’ bureaucracy – it is a need for the digital age. Protecting people’s data and defending our digital privacy in a way that enables the information economy to prosper is not just in the EU’s interest, but in everybody’s, including of course the UK. So Brexit or no Brexit, the UK will be best served by ensuring that European-style data protection remains in our statutory books. Brexit would indeed be a jump into the unknown but in data protection terms, it will never really happen.
This article was first published in Data Protection Law & Policy in May 2016.