Brexit could allow the UK to set its own course on data regulation, but can it strike the right balance with privacy rights?
Arguments around Brexit have largely focused on sovereignty, fishing, flags and numbers on red buses — nostalgic, deeply embedded markers of nationhood that kindle heated emotions and vicious debate. But some of the more direct implications could be felt in a far more contemporary sphere: how companies digest and use your personal data.
Since 2018, this has been subject to the EU’s General Data Protection Regulation (GDPR). Most internet users will have noticed on their first visit to a website a pop-up banner that asks for their “consent” or to “accept cookies”; that’s GDPR in action. The idea is that businesses need to justify what they do with personal data, so they must ask you before they track your behaviour online and sell some version of your information to others.
But data is also the lifeblood of many emergent technologies, not least artificial intelligence. There’s a sentiment that asking businesses to pirouette around digital red tape to collect marginal amounts of additional data might be a little unnecessary.
Now that Westminster isn’t so beholden to Brussels’ legislation, it looks like the UK might move away from some of that cookie-clicker jurisprudence.
A lighter touch for business
Back in June, a group of Conservative MPs, including Iain Duncan Smith, Theresa Villiers and George Freeman, showed their stripes as TIGRR. This Taskforce on Innovation, Growth and Regulatory Reform roared into the legislative debate by declaring that GDPR “overwhelms people with consent requests and complexity they cannot understand, while unnecessarily restricting the use of data for worthwhile purposes”.
Freeman, speaking to Raconteur, says their proposed new data regulation framework “better protects the rights of citizens and customers, creates genuine liabilities to encourage Big Tech to take their wider responsibilities to society more seriously and better facilitates digital innovation”.
On 25 August, it looked like some of those mooted reforms would soon become reality. Oliver Dowden, the culture minister, told the Telegraph that the “data dividend” of Brexit would be “one of the big prizes of leaving”. He promised a “light touch” approach that avoided “box ticking” and allowed the UK to harness the power of data as the new oil.
The next day, Dowden’s office – the Department for Culture, Media and Sport (DCMS) –announced plans to pursue new data partnerships with advanced economies including the US, Australia, Singapore and South Korea. In doing so, it hopes to “unlock more trade and innovation by reducing unnecessary barriers and burdens on international data transfers, thereby opening up global markets to UK businesses”. The benefits for citizens, as consumers, would be “faster, cheaper and more reliable products and services from around the world”.
Freeman welcomes this “bold move” away from the EU’s approach, which he says ties the little guys up in GDPR compliance bureaucracy while leaving many citizens, consumers and small businesses vulnerable to real dangers on the web.
But there are some who worry that such box-ticking — imperfect, annoying and bureaucratic as it might be — serves an important role in protecting individuals’ rights.
GDPR’s weekend hat
There’s a reason the UK has a more liberal approach to data privacy, says Adam Rose, who heads up law firm Mishcon de Reya’s data practice. “Historically, almost the entire continent of mainland Europe was governed at some point by Nazis or Communists and if you’re on the wrong list that could result in you being killed. We’ve been very lucky in the UK, we’ve not had that,” he says.
Rose has spent almost three decades in the field. In recent years he has represented businesses seeking counsel on what they can or cannot do under GDPR, as well as individuals looking for clarity about and control over their own data. In his view, GDPR is like other EU laws insofar as it creates “signposts” instead of hard borders. To his understanding, it shouldn’t create too much difficulty for innovative businesses, “[it] just sets out a framework, in which you can do what you want to do.”
Rose has developed a framework for understanding data regulation. He suggests thinking about the different hats we wear during the week and the weekend. At work, it’s useful to be able to “rapaciously [gather] in this data about people’s spending habits and eating habits and movements”, but at the weekend, when you see a personalised ad based on something you didn’t know you’d shared with the world, you’re a “little more bothered by this, you’re sitting at home wondering ‘how did they know this about me?’”
By recognising that “you are the other person for that other part of the week, then GDPR probably gets the balance fairly right”, argues Rose.
Indeed, even those who deal with GDPR on a regular basis admit that, by and large, the regulation makes sense. “[Our] research shows that most marketers and businesses think [GDPR] was a change for the better,” says John Mitchison, the director of policy and compliance for The Data and Marketing Association (DMA), a trade body representing data-driven marketing firms and marketers in the UK. “Our research has also found it to be a huge benefit for consumers, and it has inevitably increased trust in data sharing.”
But there is also a financial argument for deregulation. In theory, at least, less red tape means more trade, and faster data flows imply more innovation. As the DCMS press release specified, “estimates suggest there is as much as £11bn worth of trade that goes unrealised around the world due to barriers associated with data transfers”. It’s a similar number to the £9bn that was spent by large UK and US businesses preparing for and complying with GDPR.
Although the DMA’s Mitchison agrees with DCMS’s objectives and has heard many businesses say they would benefit from a “more flexible interpretation of the regulation”, he’s wary that straying too far from GDPR’s standards could create more damage than it fixes.
“The UK government should not risk the EU revoking our Adequacy Status,” he says, referring to the important agreement that allows for data transfers to take place in the EU. After all, 75% of UK data movement occurs within the EU, a relationship worth more than £73bn.
Shifting attitudes to data
As both Mitchison and Rose suggest, one of the biggest benefits of GDPR may not have been on a political or an economic front but on an educational one. While cookie pop-ups are clumsy and could soon be technologically redundant, by making individuals take that consenting step, GDPR alerts us to the fact that we are regularly siphoning away portions of our personal data.
Since the Cambridge Analytica scandal, in particular, public awareness and fears surrounding data privacy have grown. Around the world, legislators are taking inspiration from GDPR and moving towards more data protections for their citizens, not less, including some states in the US. Indeed, there aren’t any obvious examples of data deregulation in the modern era. “Privacy is coming to the internet and cookies are going away,” the tech commentator Benedict Evans recently wrote.
What’s more, due to the integrated nature of the modern economy, the more stringent major jurisdictions become the default for other lawmakers and businesses. “GDPR is pretty much universally accepted as a default standard,” confirms Rose. “Most countries look at it and say ‘we need something like that’.”
A week before the DCMS announcement, China published sweeping new data regulations of its own. The Standing Committee of the 13th National People’s Congress stated that “no organisation or individual may infringe upon natural persons’ personal information rights and interests” and that “excessive personal information collection is prohibited”. The reforms were interpreted both as a crackdown on the country’s blossoming tech scene and a recognition of the potential national security risk presented by the mass private collection of data.
A question of security
We live in an age where ride-sharing, streaming and open-source systems have upended traditional conceptions of ownership and property. We interact with many things we don’t own, so should we worry about owning those interactions?
What’s more, we regularly funnel information into major companies (Google, Amazon etc) that have fallen afoul of GDPR’s own standards. Indeed, almost any data that ends up in the US can be accessed by the country’s security services, something that makes European privacy experts uncomfortable. The EU has had similar concerns about the UK, but has, at least until now, given its want-away neighbour the benefit of the doubt on the “adequacy” front.
Nonetheless, the complexities of digital life don’t mean we should give up on our rights to privacy. That’s because, for thinkers like Carissa Veliz, privacy is power. She’s a professor of philosophy at Oxford University who focuses on the ethics of technology and AI in particular. In her view, the latest announcements from DCMS are bad news. Doing away with legislation that was largely put in place to protect the rights of citizens represents a slippery slope.
“The less privacy we have, the less power we have,” she says, “and the more we are vulnerable to abuses of power by others, in particular by companies and governments.”
Although Veliz acknowledges the theoretical business case for Dowden and TIGRR’s light-touch approach, she’s “worried that the UK might try to become what I call a data haven”. Even if the EU were to still grant the UK data adequacy, the harm could be reputational instead of financial. In an extreme case, the UK could become an offshore hub for “data laundering”, a rogue state where less scrupulous businesses can turn data into cash. As Professor Veliz puts it, “even if they do get away with it, they’re hugely damaging their image in front of the world.”
Instead of seeing regulation like GDPR as a barrier to prosperity, we could conceive of “red tape” as a necessary first step that innovative companies must take before using personal information. We manage to think like that in other sectors. “Privacy and safety are minimum requirements,” says Veliz. “If it takes up to 30 days a year to keep my data safe, that’s what it takes. Whatever it takes restaurants to keep the restaurant clean, then that’s what it takes.”
Innovation versus regulation
But the politicians behind the reforms think there’s an important nuance to make around proportionality and the scale of the businesses in question. “We don’t achieve catering hygiene by requiring every diner to sign away their consumer rights before they order a meal,” says Freeman. “All catering establishments have a legal duty to provide proportionate hygiene. What’s expected at a village cricket club tea is different to what’s acceptable at Lords.”
Indeed, Oliver Dowden’s suggestion that “we should not expect exactly the same from a small family run business as we do from a massive social media company” suggests a more equitable approach to both privacy concerns and competition law.
Like all regulation that attempts to keep up with exponential technology, data protection laws will often be overtaken by innovations in the private sector. Everyone interviewed for this article agreed that in many ways GDPR has always been out of date. It was conceived before the likes of Google and Facebook became the giants that they are today. At the same time, new privacy-enhancing technologies are already allowing many companies to go beyond the legal minimum.
Giving small UK firms the opportunity to compete with major big data companies could be a welcome boost to the UK’s digital sector, but the government should be wary of the negative optics that deregulation could have for the Global Britain brand.