Post-Brexit data protection policy could be national "self-harm", warns Microsoft

When Sajid Javid – then Chancellor of the Exchequer – told the Financial Times last month that the UK would be diverging from European rules and regulations, he was playing to the gallery. Javid has since consigned himself to the back benches of history, but Prime Minister Boris Johnson and Foreign Secretary Dominic Raab have been echoing his line about Britain now being a “rule maker, not a rule taker”.

It’s a great soundbite, but the UK was a rule maker and modifier throughout its 47-year membership of the EU. Post-Brexit, it may find itself becoming rather more of a taker than it would like, once Brussels begins erasing the half century of concessions it made to British Parliamentary sovereignty. That process is just beginning. 

But there is another challenge in all the political grandstanding over trade and immigration, one that can be expressed in a single word: data. No deal on trade would also mean no deal on data transfer, hosting, storage, and processing. And regulatory divergence could mean breaking EU rules on data governance, privacy, and protection, which would be the same as no deal. With an estimated 80% of UK organisations having data in the EU at least some of the time, that would be a massive problem.

As the Information Commissioner’s Office (ICO) made clear last year, crashing out of the EU with no deal or no regulatory equivalence could mean enterprises, charities, and public sector organisations sending their data to the EU, but not getting it back. Because in 2020, trade isn’t only about fish and computer chips, it’s also about bits and bytes. And it isn’t just about money, but also a free exchange of information, ideas, and research.

It became apparent that some of the speakers at that 2019 eForum event - banks, charities, government departments, and the NHS among them - had no idea where in the world their data actually was, owing to the ever-shifting mix of contracts, services, mirror sites, departmental silos, and responsible owners that typifies any large organisation – such as the NHS, not to mention their infrastructure, platform, and Software as a Service (SaaS) suppliers. I know, because I asked them.

Arguably, all this was the result of 20 years of brilliant messaging by Californian hippies and billionaires. I refer, of course, to ‘the cloud’ – that inspired marketing confection that somehow convinced otherwise intelligent people that their data was floating in the sky, free of tedious obstacles like borders and local politics.

But the reality of the cloud is data centers built on land under national and regional laws. Put simply, your data isn’t somewhere over the rainbow, but it may be in Kansas – unless you’re a UK organisation, in which case it’s probably in an industrial park in Krakow. Hence no deal on trade, no regulatory equivalence, and no data adequacy agreement really do mean no deal on data. It’s not ‘Project Fear’.

This may be why Google upped bits last week and moved its UK customers to the US without warning – rather than to, say, Ireland, where its accountants are probably laughing and propping up a bar. It will now seek your consent for what happened last night, in business terms, which is a bit like a disgraced movie mogul asking what you want for breakfast.

It was an intriguing move, one that shifted UK customers away from a trading bloc that has long taken a dim view of Google’s antitrust behaviour and monetising of citizens’ data, and into the more welcoming arms of the US regulatory regime.

But it would be wrong to see that from a purely Trumpian perspective; US data protection and privacy are themselves in turmoil, with more and more states (California, Washington, et al) and Big Tech companies now seeing GDPR has something to emulate rather than to avoid. But a Federal approach isn’t coming anytime soon, unless the President decides to screw over Amazon.

Where now? 

So where is the UK now on data regulation – other than paddling into Dover in a skip called Liberty? For the answer to that, policy advisors and data protection experts from every government department filed into a church hall near Parliament as delegates at 2020’s Westminster eForum on the subject. Once upon a time, these were the people who would tell you what was happening, but nowadays they sit in marbled halls looking baffled.

So it was ironic that one of the few beacons of clarity at the event was an American lawyer from a US software giant: Patricia Christias, Head of Legal at Microsoft (UK). She told delegates:

Superficially, it makes a ton of political sense why it's an attractive proposition for ministers to present the post-Brexit Britain as this low-regulation, ‘rule-making not rule-taking’, light-touch environment. We get that.

But there are several reasons why it’s not a good idea to divert from the strict data protection rules in Europe. The first is economic. The modern UK economy has revolved around the provision of data-intensive services as manufacturing has declined.

Service sectors such as banking, retail, and hospitality accounted for 81% of total UK economic output in 2018, so to develop the regulatory structure around that economy in a way that disregards, or worse, damages services would be an act of economic self-harm. It would be like Britain in the Industrial Revolution turning its back on the manufacturing sector.

The service sectors are particularly reliant on data flows and have thrived on free movement. The 2016 McKinsey report on global data found that the UK was the third most connected country in the world by the volume of cross-border data flows. For a country of less than 70 million people, that is staggering and indicative of the extent to which the UK services economy has been supercharged by the flow of data.

She warned: 

It is essential to continue to allow the free flow of data between the UK and the EU, because 75% of the UK’s international data flows are actually with the EU, so it is impossible not to say that the economic logic is clearly in favour of alignment.

The UK data regime diverting from the EU would also place immense compliance burdens on organisations, and they would have to invest in legal and administrative fees to ensure that EU-UK data transfers remain lawful.

Companies like Microsoft have broad shoulders and adequate resources, so can put in place alternative measures like standard contractual clauses that most others do not have. But if no deal has been reached by the end of the transition period, many organisations will not have made the necessary alternative arrangements, and so may face enforcement action and large fines from EU regulators.

Another point I'd make in favour of alignment and data adequacy is the harm, otherwise, to international trade. It's simply wrong to suggest that lighter privacy and data protection requirements would be beneficial to UK PLC.

Consumers

The Data and Marketing Association – which was present at the eForum – published research earlier this year showing that consumers in developed economies value secure data practices: 86% of respondents said that they wanted more control over their own data, not less. Meanwhile, KPMG found that businesses’ ethical practices and respect for consumer rights and personal data are now profound influencers of purchasing choices.

In many ways, GDPR – cast into UK law under the Data Protection Act 2018 – has been at the core of this process, with many organisations getting to grips with the basics of data protection for the first time, despite having had responsibilities under the 1998 Act. Christias continued:

With the advent of AI, people especially want technology they can trust, and trust includes knowing their data is private and under their control. Reducing standards here would actually put British business at a competitive disadvantage, because people will move to platforms that they trust, including EU platforms that maintain the standards they expect.

This is even before you consider the fact that lower standards would not simplify anything for businesses. Despite having fewer domestic restrictions to worry about, they would be faced with significant cost implications of compliance in a global economy.

European standards on data protection are now being adopted in Switzerland, Argentina, Japan, Australia, New Zealand, Canada, and, in a qualified way, a number of US states. So it would be like a rugby match, with everyone running towards the ball on one side of the pitch, and the UK running away from it on the other.

Finally, there are real implications for national security. The UK is one of the leading actors in national security in the EU and has shaped strategic policy across the continent for decades.

On the latter point, consider this:  as an EU member, the UK did not have to share the inner workings of its security services with other member states; but as a third country, it will have to open up those processes to regulatory scrutiny. More, it will still need to offer equivalent privacy and data protection rules in order to continue handling EU intelligence on security, terrorism, and organised crime. Slamming the door on that would be madness.

So what did the government have to say about all this? It fell to the young, quiet, and studious figure of Harry Lee, Deputy Director of Domestic Data Protection Policy at the Department of Digital, Culture, Media and Sport to tell his assembled colleagues from DCMS, BEIS, DIT, HMRC, DfE, DfT, DWP, the Home Office, the Cabinet Office, and others, what the hell is going on.

At this point all Lee needed to do was provide focus, clarity, and a simple message of reassurance about the future, so delegates could head back to their desks whistling Jerusalem. But instead, he launched into an eloquent soliloquy about theoretical physics – evidence of his own interests, perhaps, or conceivably something cut and pasted from Dominic Cummings’ blog. Lee said:

Theoretical physics from Einstein onwards has taught us many things. [...] One is that nothing is still, or more precisely, nothing is still unless everything is at rest. Motion is relative. So if anything is moving, then anything fixed we must define as an origin.

This went on for several minutes, replete with vague allusions to the US, navel-gazing, and observing change in a fast-moving world. The problem, of course, is that in quantum physics something can be on and off at the same time, or in two places at once, or both a particle and a wave. While that may be an accurate (if tragic) description of the UK’s on/off future at this point in history, that level of ambiguity on policy matters helps no one – least of all businesses.

Circling the topic without engaging with specifics (a pay rise and promotion must be in the bag), Lee added:

For anyone surveying data policy today, one thing is obviously true: nothing is still. Most things are moving and they’re often moving very quickly. We need to understand what is driving a lot of activity and change, because these are the forces as policymakers in the UK that we need to respond to in the coming years, and technological change is one very important driving force.

Yes, Mr Lee, we know that. But delegates came to the eForum for answers, not to have the questions explained to them alongside Heisenberg’s Uncertainty Principle. Wearing an education conspicuously on your sleeve while saying nothing of substance or practical benefit typifies the government of Johnson, Cummings, Rees Mogg, et al. There’s even a word for it: obfuscation.

But there were glimpses of policy objectives through the endless quantum foam:

The gap between theory and day-to-day best practice cannot be allowed to grow too large. If understanding and complying with data protection is too difficult and burdensome for the average business, our framework cannot be effective in practice. We will not realise its benefits either as individuals or for our economy.

This may have been a coded message that the government aims to slash some of that supposed red tape. But while simplifying the Data Protection Act 2018 for SMEs might be an option, for example, trying to amend EU regulations themselves is impossible from the outside. Indeed, Europe may decide to impose the strictest interpretations of GDPR on the UK in a political battle of wills.

At no point did Lee’s speech address the questions that everyone wanted answered, namely: will the UK diverge from GDPR, will there be a data adequacy agreement, and does Whitehall even want one? At least, until co-chair Charles Courtenay, 19th Earl of Devon (and partner at law firm Michelmores), pulled rank in the most British way possible and demanded clarity.

With a social pecking order handed down from the Fifteenth Century, in this case, the hapless Lee felt he had little choice but to respond when ordered to do so by an aristocrat. He said:

I think we have a very clear commitment as a country to seek an adequacy deal with the EU as a priority before the end of the transition period, so it is in place by next year. We think that is practical. And we're optimistic.

My take

Finally! Whatever else may be changing in the UK, it still takes an Earl to get a simple answer to a question, it seems; everyone else has to make do with the patronising erudition of policy wonks or Cummings’ passive aggressive posturing. Anything but fill the vacuum of English politics with substance or verifiable facts.

So data adequacy is the ambition, but the politics of getting to that point by 31 December are an entirely different matter. They will largely be driven from the front by a Downing Street that has scant interest in details, zero practical understanding of technology, and which sees the big picture purely in terms of personalities and populism.

So will there be data adequacy come 1 January 2021? We can only hope so – and try, collectively, to force it to happen. But don’t hold your breath; not while a EU trade agreement is nowhere near the table.