Have we just had a big clue dropped about where UK data protection policy will head following a Brexit from the European Union (EU)?
Since the Brexit vote three weeks ago, one of the questions that has been raised most frequently in tech and business circles has focused on what a UK outside of the EU would do about data protection.
As any Brexit negotiations are likely to extend past that date, the UK will, at least for a time, inevitably be subject to GDPR, which, as a regulation rather than a directive, must be implemented in full.
After that however, all bets are off. If the UK wants to trade with the EU in a data-driven economy, which it clearly will, it will need to find some way to meet GDPR standards through some form of equivalency, or try to convince the 27 remaining EU states that some form of UK data-protection- plus approach will work as well.
As US cloud services providers will have to meet GDPR standards when dealing with EU countries, it’s not likely in the best interests of the UK to introduce another set of different requirements that need to be met.
WIth Prime Minister Theresa May still on day one of her new government, the administration that will have to negotiate a Brexit deal with the EU, the party line in the UK to date has been to keep the national powder dry as no such negotiations can formally begin until Article 50 is triggered, which could well not happen until next year.
But last night one of the UK ministers responsible for digital economy policy appeared to let slip a major indicator as to what comes next, clearly to the surprise of his French counterpart who was sitting next to him.
Ed Vaizey, Minister of State at the Department for Culture, Media and Sport (DCMS) and the Department for Business, Innovation and Skills (BIS), was appearing alongside France’s Deputy Minister for Digital Affairs, Axelle Lemaire, at an Open Data Institute event in London to launch the recommendations of The UK-French Data Taskforce. This was set up last year to examine ways the two nations could collaborate and lead on open data sharing.
Now, it needs to stated at this point, that the fast-moving nature of UK politics this week means that by the time you’re reading this, Vaizey’s role may have changed. Indeed, as of time of writing, the scuttlebutt out of Westminster is that the BIS and DCMS may no longer exist in current forms by the end of the day (Thursday).
That said, someone will still be in charge of digital policy as it relates to open data and data protection and that person will presumably reflect the current thinking around this matter. According to Vaizey, who was still Minister for the Digital Economy last night, that means that the starting point for the UK is that the country wants to be part of the EU data protection regime and by implication that this will be top priority in the Brexit negotiations. He said:
It’s very high on our agenda, probably one of the top three issues that we’re thinking about in terms of the tech community We want, in principle, for the UK to be part of the European data protection regulations. Obviously that’s where we’ll start from.
Clearly we want a bridge between the European Union and the UK and the US. Privacy Shield has must been negotiated. A huge amount of effort has gone into that. So in principle, we very much want to be part of that US/European partnership on data. You can rest assured that there’s no doubt in the UK government about how important getting this right will be in the next couple of years.
Vous dites quoi?
This was something that Lemaire clearly wasn’t expecting to be told. She responded:
That’s good to hear since we didn’t have that discussion since the Brexit referendum happened. The question is also a priority for the French government.
But she warned that things aren’t necessarily going to be straightforward, as the UK's status will have changed:
It is important to mention that there is no free flow of data within the European Union yet. That’s part of the agenda of the Digital Single Market, to address that question. So it will be important before we start negotiating any agreement with third parties that - and a month ago, third parties would have meant the United States, but the question now is what about the UK? - that we find common understanding on these questions between the 27 member states.
However, she concluded:
I’m sure that the UK will be very actively involved in the discussions and the regulation on data protection was conducted before Brexit. That will be a key strategic priority, not only in the context of Brexit, but also in the multi-lateral and bi-lateral discussions that will happen between states in the years to come.
One interesting side note, Vaizey did raise the prospect that the UK might come up with some equivalency of GDPR that avoided stuff that the UK government isn’t so keen on. In the negotiations leading up to GDPR’s sign-off, the UK government was outspoken in its opposition to the Right to be Forgotten clauses, for example.
Vaizey wasn’t specific about what he had in mind here, but said:
There is also, to a certain extent, also an opportunity, both for the European Union and the UK, in the sense that there may be , in the future, an element of competition in how we put together our regulations. The UK government was concerned about how bureaucratic the GDPR might become.
An unexpected commentary from a UK minister, lost in the tidal wave of ministerial changes happening over the past 24 hours. It’s probably not a surprising starting-point for discussion in anybody’s books, but it’s the first real confirmation of the probable direction of travel UK data protection policy is likely to take.