Laws of Unintended Consequence
There are many and varied reasons to be worried about Brexit: exiting the single market, inflaming tensions at the Irish border, and sacrificing hard-won international prestige for short-lived, punch-drunk national pride, to name a few. But one of the less discussed but just as potentially damaging consequences of leaving the EU concerns the impact on the cross-border sharing of personal data, as a report from the House of Lords European Union Committee, released yesterday, makes clear.
It’s an issue with far-reaching implications which will affect just about all of us — if you’ve scoured Facebook for gossip or Amazon for deals recently, then this includes you. Although the positive case for staying in the EU was under-emphasised in the referendum campaign — even by the Remain campaign — beyond bendy-banana tabloid fodder, the EU has been pursuing admirable causes for European consumers, from outlawing exorbitant roaming charges to tackling opaque pricing tactics. Another, more ambitious initiative that the EU has been pursuing is better protecting citizens’ rights when it comes to the sharing of personal data.
This effort has crystallised in the form of two documents: the General Data Protection Regulation (GDPR) and the Police and Criminal Justice Directive. Roughly speaking, these two instruments are designed to respectively protect against overreach by industry — in the context of commerce — and by government — in the context of criminal investigations. The GDPR, due to come into effect in May 2018 while Britain is still in the EU, will “enable people to better control their personal data” by ensuring that individuals have access to information about how their data is used (but not, as my colleagues have explained, a right to explanation as to how specific data-driven decisions were arrived at), and by fiercely penalising any violations of data protection safeguards.
Notably, the GDPR is also explicit about the “extra-territorial” application of its rules, asserting that they apply not merely to European organisations, but to organisations anywhere which collect, use or share data on European citizens.
When Britain leaves the EU in March 2019, it will become an extra-territorial jurisdiction — which might have the unintended consequence of making it harder for British companies to participate in the data-driven global economy. This is because after the GDPR has come into force the UK will have to demonstrate the “adequacy” of its national laws and regulations in relation to data protection. Leaving the EU doesn’t relieve the UK of any regulatory or legislative burdens — on the contrary, it imposes new ones.
This process is likely to prove a challenge for (at least) two reasons. First, there is major concern over timing: with the UK’s withdrawal date fixed under the terms of Article 50, this leaves little wiggle room for the EU to determine the “adequacy” of the UK’s data protection framework, which is far more onerous than a simple rubber stamp. Second, while the UK is in the EU, national security considerations allow the country a degree of latitude in dealing with data relating to national security as a member state “competence”; post-Brexit, however, national security concerns might serve as a pretext for determining that the UK’s data protection framework is inadequate.
Given that three-quarters of the UK’s cross-border data flows are with the EU, the consequences of even a temporary suspension of large-scale “data trade” between the UK and the continent could prove disastrous; as the report notes, this “could present a non-tariff barrier to trade, particularly in services, putting companies operating out of the UK at a competitive disadvantage”.
In this sense, the issue symbolises the wider challenges for the UK economy and society that Brexit has unleashed. Whether we like it or not (and many of those who voted to leave clearly didn’t), the UK is fundamentally interwoven in the world economy. By exiting the continental bloc, the UK will be subject to the fiercer restrictions and standards that the EU reserves for non-member states, and have much less say or sway over their development. A witness to the Lords Committee noted that as part of the EU, the UK had promoted its interests effectively, including in the area of national security — something that is unlikely to continue after an acrimonious divorce.
Though the report offers several possible paths to securing the maintenance of the data flows that increasingly undergird the UK economy, none of them are without risk or uncertainty. Much is made of the “four freedoms” — the unimpeded movement of goods, capital, services and labour — which are the hallmarks of EU (or single market) membership. To these, we might add a fifth: data. Much like oil, the extraction and large-scale use of data generates serious negative externalities — something that protocols like the GDPR were set up to mitigate. But there is no denying the importance of its free flow to a modern economy — as the UK may be about to discover.