Brexit and the continued success of the digital economy

Shortly after the result of the EU referendum was announced, I took to social media to share my views on what we as an industry should now be looking to do to shape the new EU data protection reforms. After all, Brexit in its most likely form will mean the UK no longer has to follow European law and so it should stand to reason that we should now look to forge our own regulatory direction in the global data space.

However, I was surprised to see so many colleagues and industry leaders sharing their views that Brexit would in fact make little or no difference to the impact of the General Data Protection Regulation on the UK. Instantly, the cynic in me took over and told me that the last thing the burgeoning GDPR monetisation industry wanted was for their clients’ spending plans to be put on hold whilst the “Brexit effect” was worked through.

But, I continued to reason, were vested interests really at play here?

I understood the argument that the GDPR would still apply to companies outside the EU which monitor and process personal data on EU citizens. But, this cross border point would not apply to UK personal data which, the privacy pundits concluded, still needs to be subject to the same GDPR privacy regime to ensure consistency and adequacy across Europe. This is where their argument faltered for me.

There are currently considerable differences between how countries have interpreted the current Data Protection Directive. We are very used to operating with varying privacy regimes in the EU. So why couldn’t we continue with differences between the UK and EU?

The US is a fantastic example of where two different privacy regimes have been brought together and made to work side by side, with the EU-sanctioned Privacy Shield for EU data and US law for US data; and if that approach can work in the US, why not in the UK too?

In a post-Brexit world the GDPR would not be directly applicable in the UK, but a mirror statute would not guarantee adequacy either as other considerations hinge on that determination. The flip side here is that countries with existing adequacy determinations (such as Argentina and Canada) have not mirrored verbatim the current Data Protection Directive in their domestic laws, so adequacy must be achievable based on a different take of the overarching EU privacy principles. This therefore presents the opportunity to revisit the data protection reforms with a greater degree of autonomy, to ensure a high standard of data protection is balanced with business use in mind.

As well as getting creative with our own data privacy reforms, we should also make the most of not being fettered by EU court decisions - not to mention the EDPB* consistency mechanism driven by privacy regulator fundamentalists.

While some think that privacy reform is not important enough to be high up the Brexit negotiators’ priority list, I vehemently disagree as the continued success of the digital economy depends on workable information rights’ law. What is needed therefore, is a Brexit mind-set change within the privacy community. We should join forces with our famously pragmatic regulator to help her propose alternative, workable positions which further business whilst sticking to the spirit of the data protection reforms. If for the sake of a quick buck we advocate for more of the same, then that is what we are likely to get.

*Powerful new group of EU regulators that decides what the GDPR means.