In the weeks leading up to the UK’s EU referendum, experts clamored to have their opinions heard regarding the ramifications of the potential departure of the UK from the EU, alternately dubbed, “Brexit”. The doom and gloom speculation from experts in various fields was rampant and left many overwhelmed and bewildered. One of the primary problems with wrapping your head around the maelstrom of information presented before and after the vote is the absence of recent historical precedent for such an event. Even if there was any recent historical precedent, it would need to have been extremely recent since the proliferation of technology in the last ten years has resulted in an economic and political landscape vastly different from any other period of time. This fact is never more evident than when considering the future of data regulation in the soon-to-be-independent UK.
Background on Data Protection
When the internet rose to prominence in the 90’s it was a completely unregulated wild west where white hats sharing muffin recipes and pictures of small animals existed alongside black hats illegally streaming movies and occasionally co-opting someone else’s identity for profit. It didn’t take too long before those using the internet got tired of worrying about strangers snooping around their private files and collectively rose up to demand government intervention. In the EU this manifested in the Data Protection Directive which outlined the processing of personal data within EU countries. Shortly after, the UK drafted their own internal legislation regarding the same topic of personal data protection in order to bring British law up to date with that of the EU. The point of both pieces of legislation was to define the manner in which an individual’s personal data can be handled and bring about legal means to stem the tide of data theft and fraud. This was all well and good, especially at the time, but now in 2016 it becomes disconcerting to realize that these laws were passed in 1995 and 1998, respectively. The internet is a completely different animal now than it was in those dusty dial-up days which undoubtedly leaves some legal grey area within which modern day black hats can work. Luckily, this potential problem was realized by EU officials who called for a refresh of the regulations, titled the General Data Protection Regulation (GDPR), which will take effect on May 25th, 2018.
Data Protection & Brexit
This is where things get really interesting. As you may know, once Article 50 is filed, the UK will separate from the EU in a maximum of two years. The only way it would take less than two years to separate would be if there was unanimous agreement on both sides settling on a reduced time frame which, at this point, doesn’t seem likely. This puts the UK in the precarious predicament of being in the EU during the period in which the GDPR takes effect. Regardless of how brief the overlap of the GDPR and the UK’s EU membership, any UK businesses that have a base of operations in the EU will be forced to comply with the GDPR’s provisions if they wish to continue exchanging data freely. For instance, if a company’s headquarters and data center reside in the UK but it maintains satellite offices in France, Italy, and Germany, it would be unable to transfer certain data in and out of its data center if the UK did not comply, halting a large portion of business dealings in the UK, most notably the tech industry.
Although there doesn’t seem to be much of a choice during the overlap, after the final Brexit split the UK is left with a few options on how to deal with the data protection issue.
The Norwegian Model
If the UK were to take the route of the Norwegian Model, they would actively remain in the European Economic Area (EEA) which includes all 28 current members of the EU as well as Liechtenstein, Norway, and Iceland. This means that the UK would have access to the EU single market but as a result would have to pay a contribution to the EU budget and comply to the GDPR, the latter of which might not be a problem since they will most likely have already adopted the GDPR before the split.
The Swiss Model
This option puts the UK within the European Free Trade Association (EFTA) but not the EEA. Switzerland has access to the EU single market through a regularly renewed bilateral agreement and keeps its own data protection laws that are in essence similar to those of current EU Data Protection Directive. Switzerland is allowed free exchange of data in the EU because their data protection laws have been deemed “adequate” by the European Commission (EC). The status of “adequate” is achieved when the EC decides that the laws you have in place will sufficiently protect the rights of EU citizens and their data upon transfer. In order to pursue the Swiss Model, the UK would either have to maintain its GDPR compliance or simply adopt a similar set of standards which the EC must rule as “adequate”.
The UK Model (AKA winging it)
In this scenario the UK would continue to blaze new trails in the sociopolitical landscape of Europe by attempting to pursue deals independently with the EU. One possible recourse would be to utilize the World Trade Organization to mediate negotiations, much like the United States and Canada. This would allow the UK to adopt their own data privacy laws but, again, they would inevitably need come close to the types of personal data protections offered by the GDPR if they expect the EU to even consider the negotiations.
Regardless of what the choice eventually is, Prime Minister-to-be Theresa May seems determined to make the Brexit a successful endeavor despite the wave of concern and criticism in the days following the controversial decision. There are so many issues swirling around the referendum that often important topics, like data exchange, get overlooked. Despite the overwhelming uncertainty, it seems likely that when all is said and done, the UK will either choose to adopt the GDPR to appease the EU, or adopt their own data protection laws that bear a strong resemblance to those of the EU. Either way, since both entities rely so much on each other’s economies, there is no doubt an amicable agreement will be settled upon.