The people of the UK have spoken and our collective choice is to leave the European Union. Some are dreading the likely tsunami of economic hardship. Others are excited about what may lie ahead. Most of us are shocked. But as numbing as the verdict of the UK electorate may be, there are crucial political, legal and economic decisions to be made. The ‘To Do’ list of the UK government will be overwhelming, not least because of the dramatic implications that each of the items on the list will have for the future of the country and indeed the world. Steering the economy will be a number one priority and with that, the direction of travel of the digital economy – which, at the end of the day, is one of the pillars of prosperity in the UK and everywhere else.
Regulating the digital economy to maximise its potential, safeguard consumers, and turn it into a much needed catalyst for growth will require careful thinking beyond the obvious. It would not be inconceivable for a Brexit government to try and make its mark by rejecting anything that is seen as Brussels-born red tape and business-constraining. A temptation may be to apply this thinking to anything to do with data protection law – an area which has mistakenly been seen as an impediment in the past. But in doing so, there is a real risk that a regulation-free oriented government may throw the data protection baby out with the bathwater.
Data protection may be obscure, difficult to understand and comply with, and a tad nerdy. Data protection may not be recognised as a direct contributor to growth. Instead, some may regard it as the brainchild of out of touch bureaucrats and softies. But yet, data protection law is a vital element of the regulatory framework of any progressive jurisdiction that wishes to support its businesses, protect its citizens and maximise the value of personal information. Many countries from around the world with different societal values and legal cultures are actively adopting data protection laws and anyone who has seen the evolution of this area of law will have witnessed a growing convergence of approaches.
Common sense and practical needs dictate that the UK should not try too hard to distance itself from this trend. It is well known that the European Union has recently concluded an arduous process of legislative reform of its data protection framework which would have resulted in the UK adopting the General Data Protection Regulation (GDPR) as its own law from May 2018 alongside the other 27 EU Member States. Should the UK carry on with such plans on the basis that huge collective efforts were devoted to crafting the GDPR or should it ignore it altogether? Or should it do something in between? This is a crucial public policy decision that the government should make without interference from its own Eurosceptic instinct because otherwise it is bound to get it wrong.
There is a very simple practical reason for the UK not to shun the GDPR: the risk of becoming an ‘inadequate’ jurisdiction for data originating from the EU. Some may see that as an honour that would be worth paying the price for, but judging by the herculean efforts of countries such as the US and Japan to show their data protection adequacy credentials, it would be childish and a very unwise political move. For guidance on whether to align itself with European data protection standards, the UK government should look at UK plc and be prepared to listen to those businesses that have sought success in our inherently interconnected world by upping their privacy and data protection practices to gain the trust of their customers in a global marketplace.
There is another dimension to data protection law that may be less visible but is probably even more important. Data protection law exists to give us all a degree of control over our own personal information. The aim behind that is to ensure that any intrusions into our privacy and digital lives are reasonable and tolerable within a democratic and free society. In other words, data protection is a necessary ingredient of our freedom. Our information is us and without protection for it, our privacy will be exposed and our freedom seriously compromised. It is a primary duty of any democratic country not only to respect that, but to ferociously guard it for everyone’s benefit.
So what’s the way forward for data protection in the UK? The government must find a responsible and effective form of regulation, bearing in mind that information is global and precious. Businesses will be best advised to carry on with their plans to comply with the GDPR because either the UK will still adopt it as its framework or UK companies will need to meet EU standards in order to receive data originating from the EU. Ultimately, citizens should expect their information to be protected and respected with democratic rigour. Being deprived of this would be one of the worst possible outcomes of Brexit.
This article was first published in Data Protection Law & Policy in June 2016.