DCMS’s post-Brexit data protection intentions would leave Einstein confused

As the UK government today outlines its vision of what a future trade deal with the EU looks like, what attention will data adequacy get amid the prospect of fishing wars and ‘level playing fields’?

When Sajid Javid – then Chancellor of the Exchequer – told the Financial Times last month that the UK would be diverging from European rules and regulations, he was playing to the gallery. Javid has since consigned himself to the back benches of history, but Prime Minister Boris Johnson and Foreign Secretary Dominic Raab have been echoing his line about Britain now being a “rule maker, not a rule taker”.

It’s a great soundbite, but the UK was a rule maker and modifier throughout its 47-year membership of the EU. Post Brexit, it may find itself becoming rather more of a taker than it would like, once Brussels begins erasing the half century of concessions it made to British Parliamentary sovereignty. That process is just beginning.

But there is another challenge in all the political grandstanding over trade and immigration, one that can be expressed in a single word: data. No deal on trade would also mean no deal on data transfer, hosting, storage, and processing. And regulatory divergence could mean breaking EU rules on data governance, privacy, and protection, which would be the same as no deal. With an estimated 80 percent of UK organisations having data in the EU at least some of the time, that would be a massive problem.

As the Information Commissioner’s Office (ICO) put it at a Westminster conference on GDPR last year, crashing out of the EU with no deal or no regulatory equivalence could mean enterprises, charities, and public sector organisations sending their data to the EU but not getting it back. Because in 2020, trade isn’t only about fish and computer chips, it’s also about bits and bytes. And it isn’t just about money, but also a free exchange of information, ideas, and research.

It became apparent that some of the speakers at that 2019 eForum event (banks, charities, government departments, and the NHS among them) had no idea where in the world their data actually was, owing to the ever-shifting mix of contracts, services, mirror sites, departmental silos, and responsible owners that typifies any large organisation – such as the NHS, not to mention their infrastructure, platform, and Software as a Service (SaaS) suppliers. I know, because I asked them

‘Nothing is still’

So what does government have to say about all this? At a Westminster eForum conference on data protection this week, it fell to the young, quiet, and studious figure of Harry Lee, Deputy Director of Domestic Data Protection Policy at the Department of Digital, Culture, Media and Sport to tell his assembled colleagues from DCMS, BEIS, DIT, HMRC, DfE, DfT, DWP, the Home Office, the Cabinet Office, and others, what the hell is going on.

At this point all Lee needed to do was provide focus, clarity, and a simple message of reassurance about the future, so delegates could head back to their desks whistling Jerusalem. But instead, he launched into an eloquent soliloquy about theoretical physics – evidence of his own interests, perhaps, or conceivably something cut and pasted from Dominic Cummings’ blog.

Lee said:

Theoretical physics from Einstein onwards has taught us many things. [...] One is that nothing is still, or more precisely, nothing is still unless everything is at rest. Motion is relative. So if anything is moving, then anything fixed we must define as an origin.

This went on for several minutes, replete with vague allusions to the US, navel-gazing, and observing change in a fast-moving world. The problem, of course, is that in quantum physics something can be on and off at the same time, or in two places at once, or both a particle and a wave. While that may be an accurate (if tragic) description of the UK’s on/off future at this point in history, that level of ambiguity on policy matters helps no one – least of all businesses.

Circling the topic without engaging with specifics (a pay rise and promotion must be in the bag), Lee added:

For anyone surveying data policy today, one thing is obviously true: nothing is still. Most things are moving and they’re often moving very quickly. We need to understand what is driving a lot of activity and change, because these are the forces as policymakers in the UK that we need to respond to in the coming years, and technological change is one very important driving force.

Yes, Mr Lee, we know that. But delegates came to the eForum for answers, not to have the questions explained to them alongside Heisenberg’s Uncertainty Principle. Wearing an education conspicuously on your sleeve while saying nothing of substance or practical benefit typifies the government of Johnson, Cummings, Rees Mogg, et al. There’s even a word for it: obfuscation.

But there were glimpses of policy objectives through the endless quantum foam:

The gap between theory and day-to-day best practice cannot be allowed to grow too large. If understanding and complying with data protection is too difficult and burdensome for the average business, our framework cannot be effective in practice. We will not realise its benefits either as individuals or for our economy.

This may have been a coded message that the government aims to slash some of that supposed red tape. But while simplifying the Data Protection Act 2018 for SMEs might be an option, for example, trying to amend EU regulations themselves is impossible from the outside. Indeed, Europe may decide to impose the strictest interpretations of GDPR on the UK in a political battle of wills.

At no point did Lee’s speech address the questions that everyone wanted answered, namely: will the UK diverge from GDPR, will there be a data adequacy agreement, and does Whitehall even want one? At least, until co-chair Charles Courtenay, 19th Earl of Devon (and partner at law firm Michelmores), pulled rank in the most British way possible and demanded clarity.

With a social pecking order handed down from the Fifteenth Century, in this case, the hapless Lee felt he had little choice but to respond when ordered to do so by an aristocrat. He said:

I think we have a very clear commitment as a country to seek an adequacy deal with the EU as a priority before the end of the transition period, so it is in place by next year. We think that is practical. And we're optimistic.

My take

Finally! Whatever else may be changing in the UK, it still takes an Earl to get a simple answer to a question, it seems; everyone else has to make do with the patronising erudition of policy wonks or Cummings’ passive aggressive posturing. Anything but fill the vacuum of English politics with substance or verifiable facts.

So data adequacy is the ambition, but the politics of getting to that point by 31 December are an entirely different matter. They will largely be driven from the front by a Downing Street that has scant interest in details, zero practical understanding of technology, and which sees the big picture purely in terms of personalities and populism.

So will there be data adequacy come 1 January 2021? We can only hope so – and try, collectively, to force it to happen. But don’t hold your breath; not while a EU trade agreement is nowhere near the table.