Taking back control of our personal data in a post-Brexit world…

Much has been written and debated about the impact of Brexit on the movement of people and goods. But relatively little has been written about the flow of data post-Brexit.

“Take back control” was a slogan used by the Leave campaign. But this apparently didn’t include taking back control of one’s own data. Remember the Cambridge Analytica-Facebook scandal – and in a separate case – Leave.EU receiving a £45,000 fine in 2019 from the Information Commissioner for unsolicited marketing?

And the irony is that our laws governing the use and movement of personal information are largely EU driven. Probably the most well-known law in this field is the General Data Protection Regulation (GDPR) which came into force in 2018, an update on the 1995 Data Protection Directive governing the use of personal data – and taking into account the massive technological and social changes of the past 20 years. And those infuriating pop-up messages about cookies that appear every time we access a new website – they’re a consequence of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Data storage has become ever cheaper and easier during this period: a tiny SIM card the size of a fingernail inside your phone can now hold as much information as an entire library. Hence the need for updated legislation.

Since the GDPR took effect we’ve seen whopping fines being dished out to big companies across Europe for data protection violations:

The French regulator fined Google €50m for a lack of valid user consent around the personalization of ads.

The German regulator fined clothing retailer H&M €35.3m for unlawful surveillance of employees.

The Irish Data Protection Commissioner fined national children and family agency Tusla €75,000 for unlawful disclosure of and inappropriate access to sensitive data.

But interestingly, UK regulator the ICO still hasn’t fined British Airways or Marriott for cyber-security breaches resulting in hundreds of thousands of customers’ data being exposed, despite having declared the intention to do so.

The UK will still be subject to the basic principles of the GDPR after the Brexit transition phase as the Data Protection Act 2018 incorporated GDPR into domestic law – although some amendments will be made to ensure its compatibility with UK law. But by and large, it’s unlikely that much will change.

The “big four” tech giants – Amazon, Apple, Google and Facebook – are all American companies – but thanks to generous tax breaks three of them have their European headquarters in Ireland – Google and Facebook in Dublin, and Apple in Cork. So the GDPR was in some ways Europe’s response to the US domination of the data market. And ironically a significant portion of the data owned by British companies, local authorities and government departments is held in data centres based in Ireland – and will continue to be held there post-Brexit.

Unless an adequacy agreement is reached with the EU, the UK will be a third country for the purposes of data transfer. So in the event of a no-deal exit, an extra layer of bureaucracy and drafting of cumbersome contractual clauses will ensue every time a British company wants to do business with the continent (or the Irish Republic) that involves the handling of personal information.

It is likely however that an adequacy deal will be reached at some point down the line. Consequently, the UK could join that illustrious group of elite nations – “third countries” – whose data security regimes have been deemed adequate for data transfer into the European Economic Area by the EU – alongside the likes of mighty Andorra, the Faeroe Islands and Guernsey.

The Covid pandemic has, of course, presented new challenges in the field of data privacy – but that’s a whole other story, so watch this space.

But make sure you delete your browsing history and disable your cookies.
