Brexit and data governance - where to now?
- As the Brexit aftershock rumbles on, Chris Middleton offers a personal view on the impact of EU withdrawal on data governance.
As the Brexit aftershock rolls on, many commentators have questioned the impact of the UK leaving the European Union (EU) on matters of data protection, data transfer and data sovereignty.
Opponents of the EU’s bureaucratic culture tend to see regulations as an impediment to trade, rather than as trade enablers on mutually agreed terms, offering consumer, business, and data protections.
At best, Brexit leaves the UK’s position on data sovereignty and governance uncertain, and at worst a legislative mess that may take years, even decades, to resolve. The latter is a real possibility: the Leave campaign admits to having no post-Brexit plan. Meanwhile, the Prime Minister has handed his successor the poisoned chalice of implementing Article 50 to formally leave the union. No one knows what happens next.
The British government may decide to change or repeal any UK laws and regulations that originated in Brussels; indeed, that’s the whole point for Leave campaigners. Whether it will do so is another matter. But why is that important?
It’s partly to do with technology.
The cloud isn’t some egalitarian fog of code, floating in the ether and uniting all humanity in a hippy dream world. People are waking up and recognising the sovereign reality: that ‘the cloud’ is about data centers, built on land under national laws, not castles in the air. This is partly because of incoming European data regulations and the ongoing war of words between the EU and the US over data governance.
In 2018, Europe’s General Data Protection Regulation (GDPR) comes into force, bringing with it severe financial penalties for breaches, while the US Safe Harbor agreement was axed last year. Most people, including the EU's own working parties on the subject, agree that its replacement, Privacy Shield, isn’t fit for purpose.
The UK may choose to leave its data governance rules unchanged, along with any others that came from Europe, but this would beg the question as to why the UK complained about EU bureaucracy in the first place. Indeed, a recent survey by Computing magazine [which I authored, and for which I set the questions] found that well over 90% of the UK’s IT strategists actively support Europe’s stringent regulations on data governance, privacy, transfer, and security.
It seems that organizations like that red tape.
But while some analysts have claimed that the UK leaving Europe will have next to no effect on the UK’s data governance regime and digital business environment, that just isn’t true. This is for two simple reasons that were also revealed by the survey.
First, 83% of UK IT leaders said that their data centers are based in Europe. That’s a lot of data sitting – on land – in a community that we’ll no longer belong to.
And second, while a majority of IT leaders said they were aware of GDPR, 49% said they’d done nothing about it. That total includes the 27% of respondents who were ‘vaguely aware of GDPR’ and the 10% who hadn’t even heard of it. A further 26% of organisations knew of GDPR but had only just started taking action.
Now we've decided to leave the EU, we can hardly be confident that businesses will continue to work responsibly towards satisfying data governance rules that may no longer apply to them. But even that isn’t the whole story. GDPR may kick in before the UK has formally left the EU, in which case it will become UK law for a brief period, whether we like it or not. GDPR is a regulation, not a directive, from the EU, which means it must be implemented.
And so on. Years of uncertainty, during which we must try to grow our digital economy.
How can the impact be negligible?
Post-Brexit, businesses may choose to meet European standards voluntarily. But this uncertainty, this fog of unknowns, does little to help the UK trade internationally. Europe agrees, sets, and enforces standards to the benefit of its members and their citizens, so any piecemeal, voluntary uptake elsewhere doesn’t cut it. The government must act to create and enforce clarity, and sooner rather than later.
Another possibility is that the UK moves closer to the American model of data governance. That may make it easier for US businesses to trade with us, but only on their terms; and it will do little for our relationship with the EU, which believes that the US offers insufficient protections to European citizens.
However you look at it, therefore, Brexit lobs a hand grenade into the UK’s digital business marketplace. Where will all that data be located, and under which laws and what penalties for breaches? Where will new UK data centers go, and who will pay for them?
And as we know, the British government also plans to introduce new surveillance powers in the immediate future. These are opposed by most IT and communications companies, not to mention by the EU (in cultural terms, if not in law). This fact will become more significant as we leave the EU.
Post-Brexit, there may be a prolonged period in which it is deeply uncertain whether the UK is a safe place to do digital business at all, both internally and with our trading partners. The very best we can say is that there is no clarity and no roadmap. For these reasons, Whitehall’s surveillance proposals must be put on hold; they put unnecessary stress on the market (as well as being fundamentally misguided).
Whatever happens, there will be a period of at least two years in which the only people benefiting from the Brexit vote – in data governance terms – will be expensive lawyers.
Europe has another function, too: as a market regulator. Recent cases involving Google, Microsoft, Intel, and others, have seen Europe act as an essential multinational brake on antitrust activities and local market dominance. As recently as last month, for example, the EU blocked Three’s takeover of O2. There’s no evidence that the absence of a European perspective on UK market manoeuvres would benefit consumers.
Indeed, the UK might be forced to accept monopolistic moves by some companies in a bid to maintain short-term economic activity, and thus create a narrower, more cutthroat market that favours powerful, established players over new entrants and smaller organisations.
It’s difficult to see how that would benefit the British taxpayer, local innovators, or the British economy.