There have recently been a number of suggestions floated that the UK might want to consider diverging from the EU on data protection post-Brexit.
UK tech companies are clear that this is not a view held by the sector, which sees the UK’s implementation of the General Data Protection Regulation (GDPR) as a key pillar to the future success of the digital economy. This is for three key reasons.
First, the GDPR, which the UK helped to shape as it was negotiated in the EU institutions, whilst not perfect, will help to strengthen a culture of data trust and confidence in the UK. The GDPR, represents the most significant reform of data protection law in Europe in over twenty years. It significantly increases the rights and controls citizens have over the way their personal data is used. Putting citizens at the heart of data protection, as the GDPR does, is the right approach to ensure people have confidence in and take advantage of the opportunities offered by new technology.
Secondly, UK firms, large and small across the entire economy are in the process of implementing these new rules. This is a significant business change project. Businesses have been waiting and expecting GDPR for some time and preparations to become compliant have, and continue to, involve significant effort and resources. There is no appetite among UK businesses to go through that process again. Companies need clarity about the legal framework within which they will be operating. Disrupting GDPR implementation would not be welcomed by businesses. There is no desire for another wholesale revision of data protection rules any time soon.
Thirdly, alignment with EU data protection is fundamental to agreeing a mutual adequacy agreement with the EU post-Brexit. This is a top priority for the tech sector and should be a top priority for Government. Data flows between the UK and the EU are critical to underpinning trade in a global digital economy, with the UK accounting for 11.5 per cent of global data flows, the vast majority of which are with the EU. The Government, through the Department of Digital, Culture, Media & Sport, have done good work in preparing the ground for these all-important adequacy discussions.
It has been suggested that GDPR implementation would prevent the UK from pursuing more ambitious trade deals with other countries post-Brexit. The reality however is that GDPR is an asset, not a liability, for future trade agreements. Implementing GDPR and agreeing adequacy agreements with the EU does not preclude countries from seeking other trade agreements. There would be no tangible benefit to any US trade deal, for example, by diverging on data protection given the EU and US have a model for sharing data based on the EU’s data protection requirements. Similarly, Canada and New Zealand both enjoy EU adequacy while being members of TPP and Japan, another member of TPP, is currently seeking an adequacy agreement.
The tech sector is clear that diverging from EU data protection post-brexit is neither desirable nor helpful. The GDPR represents a high standard of protection for citizens’ information, which will help build trust in the digital economy. Companies are in the middle of preparations for GDPR and further disruption will not help. GDPR can also act as a facilitator of trade by securing adequacy with the EU and negotiating separate trade agreements, underpinned by strong data protection principles, with other countries.