IAPP-GDPR Web Banners-300x250-FINAL
Can Data Protection Survive if Europe Breaks Up?

There is a widespread belief that “the world is flat,” national borders don’t matter anymore and data processing is inexorably becoming more globalized. However, in Europe the forces of Euroscepticism and nationalism are throwing these beliefs into question.

At least two countries are seriously flirting with national breakup or exit from the EU. In Scotland, a referendum will be held on September 18 on independence from the UK, and the regional government of Catalonia also recently announced that it will hold a referendum in November regarding independence from Spain. In addition, UK Prime Minister David Cameron has announced that if his party wins the next general election in 2015, he will call a vote by the end of 2017 on whether the UK should leave the EU. Opinion polls in all these cases indicate that breakup or exit cannot be ruled out.

What would the implications be for data protection if an EU member state were to break up, or if a member state decided to leave the EU?

The legal implications of EU breakup are controversial, and some of the key issues would ultimately be a matter of negotiation, so that they cannot be fully predicted. The EU constitutional treaties foresee the possibility of a member state leaving the EU, while there is no provision made for the breakup of a member state. However, the key question is the same in both situations: Would EU data protection law continue to apply, and if not, what would this mean in practice?

I agree with those leading experts on international law who believe, with some caveats, that a region or state that decides to leave the EU would likely have to apply for re-admission, so that EU data protection law would no longer automatically apply in the breakaway entity. At a minimum, this would introduce considerable legal uncertainty into the data protection practices of companies operating in the EU.

The long-term political effect on the spread of EU data protection law around the world could be serious. Fragmentation of the EU would make it more difficult to reach an accommodation between the EU and the U.S. on important issues of data protection.

Whatever criticisms it may have of the proposed EU General Data Protection Regulation, business has generally supported the idea of a more harmonized legal framework throughout Europe, which goal would be fatally undermined if any of these initiatives succeed. Exit from the EU could mean that, for example, companies might have to sign standard contractual clauses, or provide some other legal basis, for transferring personal data from the EU to Barcelona, Glasgow or London.

The confidence of individuals in electronic commerce would also be dealt a blow. Harmonization of data protection law is needed to help individuals understand and assert their data protection rights more easily, and they would become confused about their rights if their region or country exits from the EU.

The long-term political effect on the spread of EU data protection law around the world could be serious. Fragmentation of the EU would make it more difficult to reach an accommodation between the EU and the U.S. on important issues of data protection.

In addition, numerous countries have adopted data protection legislation based on EU law, and others are considering whether to do so. A breakup could result in other countries going their own way rather than using EU data protection law as a model, thus leading to further global fragmentation.

It is striking that in the national debates on this issue, there has been little or no mention of the effects that national breakup or EU exit would have on creating a more harmonized digital single market. The fact that many European politicians seem not to realize the heavy compliance burden that exit from the EU would put on companies indicates that they still do not “get” the economic importance of data processing and data protection.

Companies have so far also not paid much attention to the data protection implications of EU fragmentation, indicating either that they are oblivious to it, or that they regard it as a case of political force majeure over which they have no control.

These initiatives, and the fact that the new European Parliament to be elected this May will be even more Eurosceptic than in the past, present serious challenges to the goal of having a more harmonized data protection framework in the EU. As an unabashed Europhile, I hope that voters will realize the implications of national breakup and EU exit before it is too late.

photo credit: luca.m. via photopin cc

Written By

Christopher Kuner


If you want to comment on this post, you need to login.
  • Chad Apr 29, 2014

    Articles of this sort can rather easily be mis-interpreted as indicationg a certain amount of data protection advocacy is actually protectionism.

  • Justin Apr 29, 2014

    In the case of the UK, given that they have already transposed an EU Directive (95/46) on Data Protection into domestic law wouldn't it mean that this law would still be in effect even after secession from the EU? Alternately, if not, procedurally a law identical in substance could be passed to preserve the regime in a newly-independent UK. In both cases, it'd be difficult to see where or how the EU could fail to find such a law 'adequate' for purposes of international data transfer. What left of the international transfer uncertainty? The gap between secession and an adequacy finding?

  • Javier Apr 29, 2014

    Dear Christopher, Yes, thanks God there has been little or no mention of the effects that national breakup or EU exit because spekaing on a "EU breakup" for the (extremly different) issues which Scotland and the region of Catalonia are posing is -if you alow me- an exageration and a frivolity on your side.

  • Christopher Kuner Apr 30, 2014

    Thanks for the comments to my post. As I anticipated, even mentioning the possibility of a country splitting apart or leaving the EU calls forth an emotional response from many in Europe. However, no one has been asking what the data protection implications of these developments would be, and I am happy to get the ball rolling. To respond to the points made: first, I do not believe that data protection advocacy is protectionism. Second: yes, the UK has implemented the EU Directive, but that implementation has been criticized by the European Commission and others, and given the political bad blood that would likely accompany a UK exit from the EU, I wonder whether the EU would move quickly to find the UK "adequate" (and even in the best cases, an adequacy finding typically takes years to prepare and enact). And third: while the specific issues regarding Scottish and Catalonian independence may indeed be different, the legal result would be the same, i.e., a region of a country leaving an EU member state (remember that the UK referendum isn't supposed to happen until 2017), with the implications I describe in my post).

  • Kim Apr 30, 2014

    As the agreements with the EEA shows, whereby nearly everything adopted in the EU becomes directly applicable in countries like Norway, Europe is quite capable of extending its legal coverage beyond its own borders and I suppose arrangements would be made to accelerate the process or create this equivalency. I think in the event of a break-up politically the situation would be such that all-hands on deck would be called for leading to a much faster response time than a standard adequacy procedure. One thing Europe abhors above all else is instability and uncertainty. I also agree that Catalonia and Scotland aren't the best of examples as one of the underlying reasons why independence is being considered as viable is precisely because both are betting on being welcomed into the European Union fold quickly as they would upon creation likely meet all the minimum requirements for membership and have the acquis sorted too. There are many academics who would suggest that this is precisely what the EU as a construct eventually leads to. In any case, my understanding is that both regions are maintaining private contact, with the Member States to this effect.

  • Pete Apr 30, 2014

    Yes - I too am surprised that they Scottish people have been spendingly so much time focusing on mundance issues such as whether they will continue to use sterling, the division of the national debt, the division of territorial waters, the removal of nuclear weapons etc., when they should be considering more fundamental issues such as .... data protection? With the greatest respect, this is the sort of thing that gives data protection lawyers a bad name by demonstrating a lack of wider commercial and political understanding.

  • Mike Anderson Apr 30, 2014

    Christopher, I am afraid your article contains litte beyond entertainment value. Since Snowden and a number of high profile security issues, consumer confidence in E-Commerce and data protection has been shaken immensely by factors not even mentioned in passing in your article and with little or no relevance to the issues you discuss. As a practising Privacy Officer in Germany I see a deep and widespread mistrust already in governments, institutions and organizations from the standpoint of the data subjects. Frankly very few people still have ANY trust in coporations and governments to protect their privacy. Furthermore, the bone-headed stupidity of government reactions, including those of the US regime and the UK government in responding to concerns gives no reason to hope that political institutions have the will to regain confidence. And from a NON-UK perspective I get the sense that people in the other EU states couldn't give a hoot whether the UK leaves .. in fact many perceive the UK as little more than a hinderance to the social and economic development of Europe. They may actuall prefer to see the Brits finals leave and to cease acting as a US proxy in EU affairs. To focus on purely business and institutional perspectives as you have done is really missing the bus !

  • Peter Brown Apr 30, 2014

    The chances of the EU breaking up are probably on a par with the chances of the USA breaking up. In other words: much bluster and brimstone from limited quarters but no real appetite nor momentum from either quarter. If there were ever a real risk of the "EU breaking up" (it does beg the question: "break into what?"), I think there would be far more serious and priority concerns - whatever we as privacy professionals would care to admit. I agree with "Pete"

  • Axel Moreira May 9, 2014

    Leaving feelings aside, I think the point Christopher wants to make is pretty valid. A new state will have to go through the entire adequacy process for its law to be considered adequate of the protection of personal data in third countries (because is that what they will become). Argentina may serve as example. The approval process took 2 years to get such status. We should look at those potential "countries" as Russia, yes it has Data Privacy Laws, but at the end, you have to put other mechanisms in place to protect the data and comply with the legislation of the countries your company operates in.

  • Nurul May 9, 2014

    Membership and partnership


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»