How data is managed and shared illustrates even more clearly than geopolitics and trade the catastrophic loss of control that Brexit has brought. If we were still a full and engaged Member State, we would not only be benefiting from a disproportionate share of research funding in the data field but playing a formative role in shaping future EU regulation. Through the “Brussels effect” we would in turn be shaping regulation across the world – truly punching above our weight.
The desperate search for the unicorn of a Brexit dividend imposes its own logic, however. The former Culture Secretary Oliver Dowden ominously revived (during the fall of Kabul) long-standing plans to introduce a new data regime for “global Britain.” With the passage of the Data Protection Act in 2018 the UK incorporated the GDPR lock, stock and barrel into British law. This means that for data purposes the UK is effectively a member of the European Economic Area, critically protecting the UK data sector for now. Dowden was seeking to explore new options and these will be familiar to all students of Brexit: the pointless and the catastrophic. His successor, Nadine Dorries, may prove equally self-harming.
Which way will the government lurch?
The distinction between pointlessness and catastrophe will decide whether we retain the present system of “data adequacy” with the EU and thus access to the EU market. On a pointless approach, cosmetic political changes to the regulations could be made without substantive effect. There is obvious potential for this in getting rid of cookie boxes. These are effectively obsolescent anyway, but the government could remove them without changing the duties of data processors and controllers and claim this as a triumph for “British common sense”.
The issue is already being addressed by the EU through the ePrivacy Directive, but that need not be too much of a concern for this government. The Dowden interview appears to suggest that pointlessness, together with some alleviation for smaller entities, may be what he had in mind. His appointment of the New Zealand information commissioner John Edwards as the replacement for Elizabeth Denham is a mildly encouraging sign.
There is bandwidth between the current full British compliance with the GDPR and loss of adequacy arrangements with the EU, bandwidth that is occupied by our new “data partners” Japan and New Zealand. It is nevertheless narrow. It is hard to see that any regulatory innovation within it will justify its cost in time and effort. We must also remember that the decision to terminate “adequacy” is entirely at EU discretion with no effective right of appeal. The EU has already once excluded the Americans, who immediately began discussions to restore access.
EU refusal of “adequacy”?
If we do indeed lose adequacy and, with it, full access to the EU market, the effect would be at least comparable to the halving of euro equity trading in London, but this ugly scenario itself comes in two flavours: outright deregulation and “smart regulation”. Straight deregulation would run entirely contrary to the prevailing trend in global data governance (outside China) and would almost certainly lead to the black hole of the UK as a data haven, only competitive by taking in data that no other serious jurisdiction would touch. That would probably trigger a brain drain of tsunami proportions.
Even the government is at least not yet admitting to such a possibility and is, as usual, arguing that smart regulation is an option. There is indeed scope for improving the GDPR or any other existing data regime. The burgeoning activity of regulatory science, usually in conjunction with some form of behavioural science (BS), is evidently investigating all sorts of potentially promising avenues.
It may well be that the excellent UK regulators are able to make significant progress in the art of data regulation. However, even in the best case, it is very hard to see how this will lead to a competitive edge, rather than simply the loss of British data to other, less secure processing regimes. Unless adequacy is preserved, it will never be attractive for non-dark data processors to prefer setting up in the UK. Even if, by some chance, that proved to be the case, the advantageous regulation could and would be cloned by the EU. You cannot patent a regulatory regime.
From a broader perspective, the truth is that any form of Brexit is deleterious to the attempt to establish Europe as a significant third force in data alongside the US and China. It is indeed unlikely that the EU can rise to being an equal partner with these two in the short term, but it is very reasonable to hope that a kind of Data West will emerge, in which the US and EU agree on a reasonable balance of commercial interests and personal rights. Such a force could counter the risk of (Russo-) Chinese data dominance. And then, what goes for data today will go for AI tomorrow.
Limiting the damage
So, let’s hope that any tinkering with the regulations is peripheral. We should not, for instance, go down the road of US-style corporation-favouring data partnerships on lines alarmingly floated in the Far East. Even less should we engage in any desperate flirtation with the People’s Republic.
The worst case harbours the risk of Britain’s dramatic decline as a significant data player. But Brexiters might argue that there is perhaps a silver lining. A hard data Brexit will deprive the bright young products of the likes of Imperial and UCL of the careers they might have hoped for in dynamic hip start-ups or emerging tech giants.
But the end of free movement after Brexit will at least guarantee bright employment prospects in fruit picking, burger flipping, sanitary services and truck driving. Levelling down with a vengeance!