The EU has notoriously strict data privacy rules – email, pictures, health records – under the law all must be transferred within the trading bloc itself or with counties that promise “adequate” levels of protection.
Should Britain ever get around to actually departing from the EU, U.K. businesses lose that ease of movement through the EU as the U.K. becomes just another foreign nation.
Which is something of a problem for Britain, given that the connected future of everything – from fintech, to connected cars, to AI, to the IoT to the cyber security mechanisms built to protect all of that information – is all dependent on the storage, distribution and fast analysis of massive data sets.
“Urgent consideration should be given to the relative merits of maintaining, adapting or completely re-legislating the U.K.’s data protection laws,” notes Julian David, chief executive of techUK, an industry lobby group.
This is not to say the U.K. doesn’t have options. Post Brexit, the nation could simply implement the EU’s rules on general data protection, which are set to go into effect in 2018. That would allow regulators to fine up to 4 percent of global turnover in the event of a breach. The U.K. (and its pro-business stance on these issues) was a critical player in the drafting of said rules.
However, that simple solution isn’t so simple considering it is also the type of regulation that – to some – represents the reason the Brexit was necessary in the first place, to get away from cumbersome EU rules.
Which leaves plan #2 – the U.K. could devise its own data protection rules sketched on the EU’s and hope that the EU agrees they are sufficient to the task. This method of course runs the risk that Brussels will not find said regulations up to snuff.
And sometimes they don’t – a data transfer agreement between the EU and U.S. was struck down last year after EU judges found that U.S. spies were overzealously snooping on EU citizens. Two years have elapsed as a second pass at an agreement is worked on – but it’s not in place yet, and some lawyers think it is doomed to fall in a legal challenge.
Britain could encounter the same legal objections faced by the U.S. if it decides to go it alone on data protection, especially considering the breadth of its GCHQ spying network.
“Due to GCHQ blanket surveillance [programmes] and less safeguards for intelligence services than in the U.S. I doubt it,” noted Jan Philipp Albrecht, a German MEP who worked on the EU’s data protection rules, on the possibility of U.K. rules being deemed adequate by the European Commission.