When it comes to data protection law, the same principle would seem to apply. Stay in the EU and in two years, the UK will share a pretty much identical framework with its European neighbors. Yes, there are some areas where Member States have the final say and each national regulator will apply their own way of thinking to the letter of the law, but for the most part, the EU General Data Protection Regulation (GDPR) will lead to much greater harmonization than what is in place today. Should the UK leave the EU, in principle, the British legislator will have a blank canvas on which to paint a picture of its choice. In fact, some of the arguments that have been heard from the Brexit camp are precisely that leaving the EU would allow UK businesses to take advantage of the data economy without the constraints imposed by an otherwise cumbersome and untimely law.
But, as with some many aspects of the Brexit debate, empty claims often get in the way of seeing what the future will look like. The truth is that whatever the outcome of the EU referendum, the creativity of the UK Parliament is unlikely to be put into practice in an area such as data protection where the EU has long been calling the shots. In reality, EU data protection law will always be closely followed by Britain.
Unless the UK provides an ‘adequate level’ of data protection similar to the GDPR, it will become a forbidden territory for European personal data. It is not a coincidence that the first country to receive an adequacy finding from the European Commission was Switzerland. If Brexit happened, it would be inconceivable for the UK not to do the same and immediately knock on the door of the Commission to explain exactly how the GDPR will still make its way into UK national law. What is somewhat imaginable is the Commission itself being a tad smug about the prospect of a ‘Brexited’ UK trying to explain how its data protection law effectively mirrors the one in the rest of Europe.
There is another, perhaps even more important, reason why EU data protection will remain in the UK even if the UK were to leave the EU. Remember that UK data protection law had already been in operation for more than 10 years by the time the original EU data protection directive was adopted in 1995. In other words, Brussels did not invent modern data protection law. The GDPR may be a yet to be tested ambitious piece of 21st century law, but at its core, it is based on the same ideals that inspired the United Kingdom and many other more progressive jurisdictions to pass laws regulating the use of personal data in the early 80s. Today, the respect for the right to privacy and data protection should be seen as public policy priorities in any sophisticated democracy.
If Brexit led to the demise of data protection law in the UK, we would be facing a much more serious problem than just leaving the EU. Data protection law is not an arcane doctrine that exists alongside Napoleonic codes and is nurtured by Brussels’ bureaucracy – it is a true need for the digital age. Protecting people’s data and defending our digital privacy in a way that enables the information economy to prosper is not just in the EU’s interest, but in everybody’s, including of course the United Kingdom. So Brexit or no Brexit, the UK will be best served by ensuring that European-style data protection remains in the statute books. Brexit would indeed be a jump into the unknown but in data protection terms, it will never really happen.