Strict EU rules on privacy mean that online data — whether pictures, emails, health records — can only be transferred within the trading bloc or to countries that guarantee an “adequate” level of protection.
Currently personal data can whizz between EU countries, such as Britain, France and Spain, but can be transferred to places outside the bloc only if certain criteria are met.
When — or if — Britain leaves the EU, the right of UK businesses to spray data wherever they like within the union disappears and British companies face being treated like any other non-EU organisations.
As the future of much of the worldwide tech industry, from fintech and cyber security to connected devices and cars, and the development of artificial intelligence, will be dependent on the storage, quick accumulation and analysis of mass data, this poses big questions for British businesses.
The UK government faces a tough choice on its new data protection regime, which would be outside of EU rules for the first time.
Clients must consider costs, location and reliability before choosing a data centre
Julian David, chief executive of techUK, an industry lobby group, says the UK should tread carefully. “Urgent consideration should be given to the relative merits of maintaining, adapting or completely re-legislating the UK’s data protection laws,” he says.
A Brexit Britain would probably have two choices. The first is simplest: Britain could choose to implement the EU’s rules on general data protection, due to come into force in 2018.
These would empower regulators to dish out fines of up to 4 per cent global turnover to businesses in the event of a security breach. The laws were hammered out over the past four years, with the UK a significant pro-business voice in their making. But for some companies they still represent the cumbersome type of rules many talked about avoiding by leaving the EU. For example, even small companies will need to hire a data protection officer.
The second option is more complex. The UK could devise its own data protection rules based on the EU’s and hope Brussels agrees to them.
This carries risks. European regulators could decide the rules are inadequate, which would mean isolation for UK-based businesses, increasing both cost and inconvenience to companies.
Similar problems have already been encountered in relation to other parts of the world. A data transfer agreement between the EU and the US called “safe harbour” was struck down last year, after judges at the EU’s highest court ruled that overzealous snooping by US spies violated the rights of EU citizens.
Negotiators have spent the past two years hammering out a replacement agreement between Washington and Brussels. But it is still not in place and lawyers suggest it may be vulnerable to legal challenge. In the meantime, companies such as Google and Facebook have scrambled to find their own solutions. Most have opted for so-called “model contract clauses”, although these too face legal challenges.
Industry acts to preserve revenues, but internet users have genuine concerns
Britain would be likely to run into the legal objections faced by the US if it decided to go it alone on data protection, particularly because of its GCHQ spying network.
Jan Philipp Albrecht, a German MEP who worked on the EU’s data protection rules, dismissed the possibility of UK rules being deemed adequate by the European Commission. “Due to GCHQ blanket surveillance [programmes] and less safeguards for intelligence services than in the US I doubt it,” he tweeted.
Given such factors, there might be a part of Britain’s statute book that remains forever European.