DMA at Data Marketing Paris 2019
20 Nov 2019
I'm sure you'd agree, going to a conference in Europe to discuss Brexit and the direction of global data legislation is not the most enviable of tasks.
While it's a pleasure to be situated in the Beautiful French capital, the realities of Brexit mean there are difficulties for businesses on both sides of the channel which exchange data internationally that need to be addressed, depending on how the Brexit saga plays out. Later today I'll be addressing this and the longer-term trends in data legislation in a discussion at Data Marketing Paris 2019.
Regarding Brexit, everything depends on whether there is a deal. If there is a deal, and a data adequacy agreement is approved within the two-year future relationship negotiating period, we can largely rest easy. A recognition that the UK meets EU standards of data protection legislation will allow businesses in the UK and EU to process the personal data of citizens of the other.
This is important for hotels taking bookings of tourists intending to visit the UK from Europe and vice versa; online companies to target advertising at potential customers; agencies to conduct international research; and much more.
In the event of a no-deal or a deal which does not seek an adequacy agreement, the situation changes for the worse.
First, in a no-deal scenario, the UK immediately becomes a 'third country', which legally means it is a country outside the EU's jurisdiction. In this case, the UK is not recognised as having adequate data protection standards, and it becomes illegal for businesses in the UK to perform the functions they currently do when concerning EU citizens (like those on the list above).
I can give good news for my French audience here, though. In this instance, the UK has said it will allow EU businesses to process the personal data of UK citizens as they can do now. This gives a benefit to UK customers who wish to buy goods and services from Europe and for Europeans to market to UK citizens.
However, it still poses problems as it limits access of EU citizens to UK markets, creates administrative divisions for international businesses, and stops UK businesses from accessing customers within the EU.
In this instance, it is best for businesses to implement standard contractual clauses. These contracts allow those engaged in a transaction between the UK and Europe to exchange and process data on the same basis as they do now. Nonetheless, they are required for each new exchange of data and, thus, administratively inhibiting. More information on SCCs and their implications can be found here.
Ultimately, it is more likely that a deal will be reached and an adequacy agreement will be obtained. However, businesses should prepare for all eventualities and familiarise themselves with the alternative options in a no-deal scenario.
Moving on from the short term and of Brexit, there is a bigger conversation to be had about the direction of data protection (This was among the discussions at the FEDMA and GDMA conference in Brussels earlier this week).
In simplified terms, arguably there are three manifestations of data protection in the world today.
1. The Chinese model: in which data protection and privacy does not really exist. Both the Chinese state and the businesses within have nearly uninhibited access to the data of citizens in China. While this creates a plethora of valuable datasets about the lives, habits and preferences of huge numbers of people, it does not give those people the ability to choose what of their data they wish to share.
2. The USA model: in which data protection is decided at a company-based level. In the vast majority of states in the USA (with the notable exception of California, which has particularly stringent data protection laws), there are relatively few protections for people's personal data. As we know, businesses increasingly have to be careful to establish dialogues of trust in order for them to obtain and retain valuable customer bases. This means there are a great number of innovative businesses in the US developing their own high standards of data privacy. However, there is little federal consistency. This creates a mesh of difficulty for customers, with businesses having the power to decide their level of data protection. Equally, the differing laws from state-to-state create a further web of confusion. It also does not prevent businesses from pursuing questionable means to amass huge swathes of customer data in a manner many would consider unethical in modern times. The lack of consistency in this model is its key flaw.
3. The EU model: in which data protection is established at an international level and standardised across all nations. In the world today, this is proving the most successful model. From the off, it eliminates concerns of the Chinese model by allowing rights to privacy to be respected. Similarly, it reduces the confusion of the US model which see variances in data practices across businesses and locations. While there is still much more to do in educating businesses and the public about data laws in the EU, the consistency and clarity of EU data protection legislation allows everyone to operate on a level playing field. It also makes room for innovation through the ability of businesses to use the personal data of citizens who give their consent, and allows consumers to control the level of consent they offer online.
Ultimately, EU model is likely to be that which is successful in the world today. A multitude of countries around the world (including Argentina, Japan, Canada and more) have already agreed adequacy agreements with the EU which mean their data protection laws are 'essentially equivalent' to EU standards, and other countries are queuing up to make similar agreements.
For the UK-EU relationship, it means, to a large extent, businesses in the EU can rest easy (at least after Brexit has been sorted, that is). It also means that the UK will need to replicate standards in order to keep pace with the global trend for data legislation. Nonetheless, the EU would do well to look to the UK on advice for data legislation, too.
Indeed, estimates predict that over 50% of EU data and digital regulation is developed by the UK. The language of the internet is English, after all. Similarly, most large digital businesses in the EU are either started or are based in the UK.
Similarly, the UK and devolved governments continue to strive to make the digital and data economy some of the world’s most successful. The UK and Scottish governments are forging future-thinking data and AI strategies; consulting on a raft of innovative and growth-fostering regulations; are united in the aim of seeking to make Edinburgh the ‘data capital of Europe’ and the UK ‘the safest place in the world to go online’.
Post-Brexit, the UK might occupy the role of showing how effective rules and regulations can work for business. But it will be necessary to do this as a proactive and engaged partner of the EU, rather than a lone figure stretched between the demands of a multitude of external markets.
After all, this is what the UK and EU have done successfully so far and, if both partners want and kind of future relationship, it is how cooperation will be most fruitful—and economic growth most sustainable—in future.
Here's hoping this message of long-term alignment and partnership in spite of short term discomfort will go down well with my Continental audience!