There is a widespread belief that “the world is flat,” national borders don’t matter anymore and data processing is inexorably becoming more globalized. However, in Europe the forces of Euroscepticism and nationalism are throwing these beliefs into question.
At least two countries are seriously flirting with national breakup or exit from the EU. In Scotland, a referendum will be held on September 18 on independence from the UK, and the regional government of Catalonia also recently announced that it will hold a referendum in November regarding independence from Spain. In addition, UK Prime Minister David Cameron has announced that if his party wins the next general election in 2015, he will call a vote by the end of 2017 on whether the UK should leave the EU. Opinion polls in all these cases indicate that breakup or exit cannot be ruled out.
What would the implications be for data protection if an EU member state were to break up, or if a member state decided to leave the EU?
The legal implications of EU breakup are controversial, and some of the key issues would ultimately be a matter of negotiation, so that they cannot be fully predicted. The EU constitutional treaties foresee the possibility of a member state leaving the EU, while there is no provision made for the breakup of a member state. However, the key question is the same in both situations: Would EU data protection law continue to apply, and if not, what would this mean in practice?
I agree with those leading experts on international law who believe, with some caveats, that a region or state that decides to leave the EU would likely have to apply for re-admission, so that EU data protection law would no longer automatically apply in the breakaway entity. At a minimum, this would introduce considerable legal uncertainty into the data protection practices of companies operating in the EU.
Whatever criticisms it may have of the proposed EU General Data Protection Regulation, business has generally supported the idea of a more harmonized legal framework throughout Europe, which goal would be fatally undermined if any of these initiatives succeed. Exit from the EU could mean that, for example, companies might have to sign standard contractual clauses, or provide some other legal basis, for transferring personal data from the EU to Barcelona, Glasgow or London.
The confidence of individuals in electronic commerce would also be dealt a blow. Harmonization of data protection law is needed to help individuals understand and assert their data protection rights more easily, and they would become confused about their rights if their region or country exits from the EU.
The long-term political effect on the spread of EU data protection law around the world could be serious. Fragmentation of the EU would make it more difficult to reach an accommodation between the EU and the U.S. on important issues of data protection.
In addition, numerous countries have adopted data protection legislation based on EU law, and others are considering whether to do so. A breakup could result in other countries going their own way rather than using EU data protection law as a model, thus leading to further global fragmentation.
It is striking that in the national debates on this issue, there has been little or no mention of the effects that national breakup or EU exit would have on creating a more harmonized digital single market. The fact that many European politicians seem not to realize the heavy compliance burden that exit from the EU would put on companies indicates that they still do not “get” the economic importance of data processing and data protection.
Companies have so far also not paid much attention to the data protection implications of EU fragmentation, indicating either that they are oblivious to it, or that they regard it as a case of political force majeure over which they have no control.
These initiatives, and the fact that the new European Parliament to be elected this May will be even more Eurosceptic than in the past, present serious challenges to the goal of having a more harmonized data protection framework in the EU. As an unabashed Europhile, I hope that voters will realize the implications of national breakup and EU exit before it is too late.