- Cillian Kieran is the CEO and founder of data privacy company Ethyca.
- The UK has quit the EU and may deviate from its strict data privacy laws if the two can’t agree a trade deal before the post-Brexit transition period ends, he writes.
- Future data flows between the UK and the EU have emerged as a key bone of contention during the deal discussions.
- It’s hugely valuable for British businesses to access customers in the EU, but the UK has to prove its post-Brexit data protection is up to snuff.
- This is an opinion column. The thoughts expressed are those of the author.
- Visit Business Insider’s homepage for more stories.
A few years ago, it became trendy to describe consumer data as “the new oil” — the fuel that sustains a modern digital economy. That comparison is instructive as the world comes to the end of a seismically disruptive year.
And it could show the data-related unrest that’s around the corner.
Oil has historically been a key tool for the exercise of soft power. It’s also been one of the first goods to feel the tug of protectionism as global tensions rise.
Through this lens, Brexit is a case where data truly lives up to its “new oil” billing.
Let’s see how the Brexit data discussion fits into wider global trends that presage a future of potentially damaging data nationalism.
Brexit is finally set to go ahead at the beginning of next year. Data flows have emerged as a key bone of contention between the UK and the European Union.
Exchanges of personal data between the EU and UK fuel business-as-usual for companies across a full spectrum of industry verticals. It’s notoriously difficult to calculate a hard dollar value for data flows like this. But in the modern economy, every business is in the data business.
Right now, the European Commission is trying to figure out if Britain’s policies for personal data management will be strong enough to ensure adequacy with GDPR.
If they’re satisfied, then those vital data flows can continue even after the UK leaves the European Union on January 1, 2021.
But if the European Commission doesn’t find adequacy between new British data standards and GDPR, they can shut down the transfer of EU data to the newly isolated island. This is not the sort of “splendid isolation” that will help British businesses compete in a global economy.
The governing Conservatives have been vocally anti-GDPR for some time — indeed they made the perceived heavy-handedness of the law a talking point for their Brexit campaign. Dominic Cummings, the top adviser to the UK’s prime minister, is on record calling GDPR “horrific”. His recently released national data strategy, framed as radically “pro-tech”, will do little to calm the adequacy concerns of EU privacy regulators. So it’s not out of the question that an adequacy agreement is not reached by the end of the year, throwing the legality of data transfers between Europe and the UK into question.
The UK will cut itself off from the agenda-setting regime
It’s impossible to separate competing political agendas from this adequacy discussion.
The European Union is getting more comfortable using data policy as a means of exercising soft power. Its large, affluent “user base” and the world’s most progressive privacy legislation has effectively made it the global agenda-setter for the world’s “new oil”.
In July, the European Court of Justice ruled that the adequacy agreement between the US and EU, the so-called Privacy Shield, was not adequate, citing US government authorities’ ability to access privately-held information.
Shortly thereafter, the Irish Data Protection Commissioner initiated an order that, if upheld, would force Facebook to suspend all data transfers from the European Union back to the US — effectively crippling the company’s European operation.
Now it’s Britain’s turn to agonize over access to the European data “market” of roughly 450 million citizens.
Like the Privacy Shield decision, this is not a straight question of box-ticking between two groups of bureaucrats. This is about deeper political economy questions of who has a right to what — about Europeans being able to hold non-native companies to certain standards if they want to profit off European user data.
It boils down to: “If you want access to our markets, you play by our data rules.” Cummings, Boris Johnson, and other Tory luminaries may be about to find this out the hard way.
Businesses left in the dark
From the summer’s Privacy Shield ruling to the present Brexit jockeying to the US’s continued escalation of data gamesmanship against China, 2020 is emerging as the year that data nationalism jumped rails from China and Russia to impact the world at large.
Businesses everywhere could be forgiven for wondering if vital data flows will be staunched tomorrow by a new round of political upheaval.
But there’s really not much they can do to prevent the first-order impacts.
Facebook will throw its full legal might behind a challenge to the Irish DPC’s data shutdown order. If the European Commission fails to find data adequacy, expect a UK government challenge to take years to wind its way through the courts. Most businesses aren’t able to move the needle like Facebook or the United Kingdom. Is there any way to hedge against this risk?
There’s one very important step any business can take to protect itself from the data upheaval breaking out in every corner of the globe. That’s to know exactly what data it holds, and where that data lives. In other words: You’ll be able to adapt fastest if you maintain an active and robust business data map.
This basic capability is still beyond reach of many data-driven businesses all over the world. Anyone who’s tried to build a data map will testify that it can be an arduous task — it involves conducting a thorough inventory of every business system that holds personal data and documenting how all of those systems (comfortably over 100 in many businesses) link together. But the value of a data map shines when your business’s data infrastructure is placed under pressure. As data regulation expert Chiara Rustici writes in Forbes: “Broken links can be mended if you know where to look: when a data link is broken, few businesses can clearly map the strategic role data flows, let alone personal data flows, play in their value chain.”
We are presently in a dynamic moment for worldwide flows of personal information.
Brexit is likely closer to the beginning of this story than the end of it; there are still chapters to write regarding federal US privacy policy, the data discussion with China, and plenty more patchwork privacy regulation before anything approaching global harmonization of data standards could be achieved. My advice to businesses is to accept the things you can and can’t control. And always make sure to bring a (data) map.
Powered by WPeMatico