As part of the two-year review of the EU General Data Protection Regulation, the European Commission said it “cannot predict” whether the U.K., now an ex-EU member, will be fit for a data transfer adequacy agreement with the EU on the grounds that the U.K. might adjust its national legislation to deviate from the GDPR. Threatening to make it harder for the U.K. to engage in digital trade with the EU is a misguided move for three reasons.
First, when it comes to the digital economy, there are a number of areas in which the EU needs the U.K. more than the U.K. needs the EU. With cutting-edge companies, such as DeepMind, and world-class universities, the U.K. has become a world leader in artificial intelligence. The country is home to a third of Europe’s tech unicorns, more AI companies and startups than France and Germany combined, and 35 world-renowned research centers, such as the Alan Turing Institute. Investors are still voicing support for London as the best European location for AI brainpower, adequate talent, strong infrastructure and convenient use of English. According to a StartupGenome study, London rivals other global tech startup ecosystems, like New York and Silicon Valley, in terms of value concentration, success rate, market reach, knowledge, talent and investment, vectors on which European cities, such as Berlin and Paris, perform more poorly. It would be reckless to make it more difficult for data to flow freely between the EU and the U.K. because this would only lead to the block falling further behind in the digital economy. And if the EU does make it more difficult to transfer data to the U.K., it only makes sense for the U.K. to reciprocate.
Second, threatening to not grant adequacy to the U.K. makes no sense because the U.K. has already shown its adherence to the GDPR. With Brexit, the Data Protection Act 2018 remains in place and, alongside, the EU Withdrawal Act incorporates the GDPR into U.K. law. And the U.K. Information Commissioner’s Office has been one of Europe’s leading data protection regulators. If the EU will not grant adequacy to the U.K., few other nations have a chance.
Third, the EU’s punitive use of adequacy determinations to force other nations to emulate its data protection laws — a form of regulatory imperialism — is the real problem and should be discontinued. EU policymakers often refer to the GDPR as the “global standard” to sell a narrative that strong privacy rules are a source of competitive advantage, but the reality is that the GDPR actually hurts EU competitiveness by limiting the use of data by European firms, including for AI. The U.K. would be wise to take advantage of Brexit to alter its implementation of the GDPR so as to encourage more AI research and adoption while still protecting privacy, and the EU should allow and encourage such improvements to its framework.
The commission should have used the GDPR’s two-year anniversary review to acknowledge the need to speed up its adequacy decision-making process, which is lengthy, complex and arbitrary. The fastest adequacy assessment so far, for Argentina, took 18 months, but others have taken up to five years. Adequacy determinations also appear arbitrary. For example, the EU granted Israel adequacy even though the country has come under fire recently for its decision to allow the police to use the country’s anti-terrorism location tracking system to track COVID-19-positive individuals’ mobile phones without their consent. In addition, the EU should address cases in which the GDPR allows companies to transfer EU data to China using legal mechanisms, like binding corporate rules and standard contractual clauses, even though these companies are subject to laws, such as China’s National Intelligence Law, that can force them to hand over data to the Chinese government.
If the EU fails to foster digital trade with the U.K., the EU will only fall further behind in the digital economy. To stay competitive post-Brexit and in the digital economy, the EU should ensure its data protection framework facilitates rather than obstructs data transfers with the U.K. and allow easier international transfers with more countries.
Photo by Rocco Dipoppa on Unsplash
