Will EU data protection safeguards be kept post Brexit?
- Published
The rules that govern how our personal data can be used, where it can be stored, and who can see it, are, at the moment, written by the European Union but what will happen when we leave the EU?
The next time you fill your name and other information into a box on a website remember this: when you do it, you are transferring data about yourself.
But what will happen when we leave the EU?
Data is not just a commodity for the likes of Google and Facebook to sell on. It can also be a cure.
At the moment, scientists are taking part in a study of how cancer is affected by lifestyle and diet.
The project is called Epic, and it is one of many research projects that rely on moving large amounts of data around the EU.
"The data can move freely between the researchers," says Beth Thompson, senior policy adviser at the health charity, the Wellcome Trust.
Right now, much of her time is taken up working out whether that will still be the case when we leave the EU.
You might think data is the ultimate borderless commodity, but how it moves is governed by rules made in Europe.
Imagine you're a Liverpudlian tax specialist offering online services to British expats living in Spain. Or an Edinburgh children's toy-maker marketing products in Germany.
When a customer fills in your online form and gives you data about themselves, you're legally covered because the UK is part of the system of EU data laws.
The rules we operate under at the moment were drawn up more than 20 years ago, well before the advent of social media.
New EU rules will come into force next year, and the UK will have to implement them. A year later we leave the Union, and then it will be up to the European Commission to decide whether it believes the UK meets EU standards - whether we are deemed to be "adequate".
"Adequacy is something equivalent to EU standards," says Chris Pounder, a lawyer at information specialists Amberhawk, with 30 years' experience in data protection.
Would we get adequacy?
"Already the Europeans are concerned about the level of protection afforded by the [current British] Data Protection Act."
He believes that if this continues when we implement the new data rules next year we are not going to get adequacy.
It's not just Britain's data relationship with the EU that is at stake here.
"Because we are part of the European Union we trade data with the United States as part of something called Privacy Shield," says Stephanie Hare, a political risk analyst who specialises in technology.
When we leave the EU we will leave that data-sharing arrangement, as we will the EU's other arrangements with Canada, New Zealand and the like. Stephanie Hare says in the future Britain will probably mirror the way non-EU countries currently do it.
"They have to go to these third-party agreements. It's really expensive, it's bureaucratically heavy, it becomes an added cost for business."
'De facto compliance'
Those costs would exist for researchers too.
Beth Thompson, at the Wellcome Trust, isn't worried about data flows stopping, but "if we don't have adequacy the researchers in other EU countries who want to transfer their data to the UK will have to go through a series of hurdles and that will make the UK a less attractive place to do research."
Some argue we will not end up in that sort of situation.
Paul Lindsell co-founded the Data Governance Forum, a not-for-profit organisation dedicated to promoting best practice.
He says firms have to comply with the new EU rules at least until the point of Brexit. "Since the government is unlikely to waste time on unpicking data protection legislation post-Brexit, the vast majority of corporations will have become compliant.
"The result is de facto compliance. 'Adequacy' of legislation is almost sure to remain."
That would be the easiest scenario, but before then, organisations must plan for a more complicated future, even if that's not what emerges in the end.
Matthew Price reports for the Today programme on BBC Radio 4.
- Published29 September 2016
- Published14 April 2016
- Published15 March 2017