Can Data Protection Survive if Europe Breaks Up?

There is a widespread belief that “the world is flat,” national borders don’t matter anymore and data processing is inexorably becoming more globalized. However, in Europe the forces of Euroscepticism and nationalism are throwing these beliefs into question.

At least two countries are seriously flirting with national breakup or exit from the EU. In Scotland, a referendum will be held on September 18 on independence from the UK, and the regional government of Catalonia also recently announced that it will hold a referendum in November regarding independence from Spain. In addition, UK Prime Minister David Cameron has announced that if his party wins the next general election in 2015, he will call a vote by the end of 2017 on whether the UK should leave the EU. Opinion polls in all these cases indicate that breakup or exit cannot be ruled out.

What would the implications be for data protection if an EU member state were to break up, or if a member state decided to leave the EU?

The legal implications of EU breakup are controversial, and some of the key issues would ultimately be a matter of negotiation, so that they cannot be fully predicted. The EU constitutional treaties foresee the possibility of a member state leaving the EU, while there is no provision made for the breakup of a member state. However, the key question is the same in both situations: Would EU data protection law continue to apply, and if not, what would this mean in practice?

I agree with those leading experts on international law who believe, with some caveats, that a region or state that decides to leave the EU would likely have to apply for re-admission, so that EU data protection law would no longer automatically apply in the breakaway entity. At a minimum, this would introduce considerable legal uncertainty into the data protection practices of companies operating in the EU.

The long-term political effect on the spread of EU data protection law around the world could be serious. Fragmentation of the EU would make it more difficult to reach an accommodation between the EU and the U.S. on important issues of data protection.

Whatever criticisms it may have of the proposed EU General Data Protection Regulation, business has generally supported the idea of a more harmonized legal framework throughout Europe, which goal would be fatally undermined if any of these initiatives succeed. Exit from the EU could mean that, for example, companies might have to sign standard contractual clauses, or provide some other legal basis, for transferring personal data from the EU to Barcelona, Glasgow or London.

The confidence of individuals in electronic commerce would also be dealt a blow. Harmonization of data protection law is needed to help individuals understand and assert their data protection rights more easily, and they would become confused about their rights if their region or country exits from the EU.

The long-term political effect on the spread of EU data protection law around the world could be serious. Fragmentation of the EU would make it more difficult to reach an accommodation between the EU and the U.S. on important issues of data protection.

In addition, numerous countries have adopted data protection legislation based on EU law, and others are considering whether to do so. A breakup could result in other countries going their own way rather than using EU data protection law as a model, thus leading to further global fragmentation.

It is striking that in the national debates on this issue, there has been little or no mention of the effects that national breakup or EU exit would have on creating a more harmonized digital single market. The fact that many European politicians seem not to realize the heavy compliance burden that exit from the EU would put on companies indicates that they still do not “get” the economic importance of data processing and data protection.

Companies have so far also not paid much attention to the data protection implications of EU fragmentation, indicating either that they are oblivious to it, or that they regard it as a case of political force majeure over which they have no control.

These initiatives, and the fact that the new European Parliament to be elected this May will be even more Eurosceptic than in the past, present serious challenges to the goal of having a more harmonized data protection framework in the EU. As an unabashed Europhile, I hope that voters will realize the implications of national breakup and EU exit before it is too late.

photo credit: luca.m. via photopin cc

Written By

Christopher Kuner


If you want to comment on this post, you need to login.

  • Chad Apr 29, 2014

    Articles of this sort can rather easily be mis-interpreted as indicationg a certain amount of data protection advocacy is actually protectionism. 
  • Justin Apr 29, 2014

    In the case of the UK, given that they have already transposed an EU Directive (95/46) on Data Protection into domestic law wouldn't it mean that this law would still be in effect even after secession from the EU? Alternately, if not, procedurally a law identical in substance could be passed to preserve the regime in a newly-independent UK. In both cases, it'd be difficult to see where or how the EU could fail to find such a law 'adequate' for purposes of international data transfer. What left of the international transfer uncertainty? The gap between secession and an adequacy finding? 
  • Javier Apr 29, 2014

    Dear Christopher,
    Yes, thanks God there has been little or no mention of the effects that national breakup or EU exit because spekaing on a "EU breakup" for the (extremly different) issues which Scotland and the region of Catalonia are posing is -if you alow me- an exageration and a  frivolity on your side.
  • Christopher Kuner Apr 30, 2014

    Thanks for the comments to my post. As I anticipated, even mentioning the possibility of a country splitting apart or leaving the EU calls forth an emotional response from many in Europe. However, no one has been asking what the data protection implications of these developments would be, and I am happy to get the ball rolling. To respond to the points made: first, I do not believe that data protection advocacy is protectionism. Second: yes, the UK has implemented the EU Directive, but that implementation has been criticized by the European Commission and others, and given the political bad blood that would likely accompany a UK exit from the EU, I wonder whether the EU would move quickly to find the UK "adequate" (and even in the best cases, an adequacy finding typically takes years to prepare and enact). And third: while the specific issues regarding Scottish and Catalonian independence may indeed be different, the legal result would be the same, i.e., a region of a country leaving an EU member state (remember that the UK referendum isn't supposed to happen until 2017), with the implications I describe in my post).
  • Kim Apr 30, 2014

    As the agreements with the EEA shows, whereby nearly everything adopted in the EU becomes directly applicable in countries like Norway, Europe is quite capable of extending its legal coverage beyond its own borders and I suppose arrangements would be made to accelerate the process or create this equivalency. 
    I think in the event of a break-up politically the situation would be such that all-hands on deck would be called for leading to a much faster response time than a standard adequacy procedure. One thing Europe abhors above all else is instability and uncertainty.  
    I also agree that Catalonia and Scotland aren't the best of examples as one of the underlying reasons why independence is being considered as viable is precisely because both are betting on being welcomed into the European Union fold quickly as they would upon creation likely meet all the minimum requirements for membership and have the acquis sorted too. There are many academics who would suggest that this is precisely what the EU as a construct eventually leads to. In any case, my understanding is that both regions are maintaining private contact, with the Member States to this effect.     
  • Pete Apr 30, 2014

    Yes - I too am surprised that they Scottish people have been spendingly so much time focusing on mundance issues such as whether they will continue to use sterling, the division of the national debt, the division of territorial waters, the removal of nuclear weapons etc., when they should be considering more fundamental issues such as .... data protection?   With the greatest respect, this is the sort of thing that gives data protection lawyers a bad name by demonstrating a lack of wider commercial and political understanding.
  • Mike Anderson Apr 30, 2014

    Christopher, I am afraid your article contains litte beyond entertainment value. 
    Since Snowden and a number of high profile security issues, consumer confidence in E-Commerce and data protection has been shaken immensely by factors not even mentioned in passing in your article and with little or no relevance to the issues you discuss.
    As a practising Privacy Officer in Germany I see a deep and widespread mistrust already in governments, institutions and organizations from the standpoint of the data subjects. Frankly very few people still have ANY trust in coporations and governments to protect their privacy. Furthermore, the bone-headed stupidity of government reactions, including those of the US regime and the UK government in responding to concerns gives no reason to hope that political institutions have the will to regain confidence.
    And from a NON-UK perspective I get the sense that people in the other EU states couldn't give a hoot whether the UK leaves .. in fact many perceive the UK as little more than a hinderance to the social and economic development of Europe. They may actuall prefer to see the Brits finals leave and to cease acting as a US proxy in EU affairs. To focus on purely business and institutional perspectives as you have done is really missing the bus !
  • Peter Brown Apr 30, 2014

    The chances of the EU breaking up are probably on a par with the chances of the USA breaking up. In other words: much bluster and brimstone from limited quarters but no real appetite nor momentum from either quarter.
    If there were ever a real risk of the "EU breaking up" (it does beg the question: "break into what?"), I think there would be far more serious and priority concerns - whatever we as privacy professionals would care to admit. I agree with "Pete"
  • Axel Moreira May 9, 2014

    Leaving feelings aside, I think the point Christopher wants to make is pretty valid. A new state will have to go through the entire adequacy process for its law to be considered adequate of the protection of personal data in third countries (because is that what they will become). Argentina may serve as example. The approval process took 2 years to get such status. We should look at those potential "countries" as Russia, yes it has Data Privacy Laws, but at the end, you have to put other mechanisms in place to protect the data and comply with the legislation of the countries your company operates in.
  • Nurul May 9, 2014

    Membership and partnership


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum returns to Washington, DC April 21, delivering renowned keynote speakers and a distinguished panel of legal and privacy experts.

Asia Privacy Forum 2017

The Forum returns to Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region. Call for Speakers open!

Privacy. Security. Risk. 2017

This year, we're bringing P.S.R. to San Diego. The Call for Speakers is now open. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

European policy debate, multi-level strategic thinking and thought-provoking discussion. The Call for Speakers is open until March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»