European Commission approval for the ‘adequacy’ status of our data protection laws has been welcomed by the government. But is the UK making the wrong choice of regimes?
Last week’s news that the European Commission is to approve the treasured ‘adequacy’ status of UK data protection laws came as a relief to much of the legal sector. Apart from allowing businesses to continue sharing personal data across the EU when the current bridging agreement expires in June, adequacy status also helps with law enforcement and other matters where cross-border co-operation is vital.
It was certainly a relief to the government. It had worked hard to keep data protection measures oven-ready for alignment with the EU General Data Protection Regulation (GDPR) through the Data Protection Act 2018 and in negotiations leading up to the Christmas Eve Trade and Cooperation Agreement.
However there are dissenting voices, suggesting that, by continuing to pick Europe from the big three global data protection regimes (the others being north America and China), the UK is making the wrong choice. And they argue that, in the information economy, there is a choice. Unlike, say, shellfish, data does not decay with distance so there is no reason to ally regulations with those of geographical neighbours. Surely it makes sense to adopt regulations most attuned to our national vision of the future?
One such voice is Barnabas Reynolds, partner and global head of the financial services industry group at international firm Shearman & Sterling. In a book* published this month by the Politeia thinktank, Reynolds calls for the UK to grasp the post-Brexit opportunity of shedding the GDPR. This would be part of a wholesale programme of freeing the City from rules originating in civil code-based EU law in favour of a common-law system, better equipped to handle innovation and change. ‘The opportunity now arises for the UK to shed the legacy of codified EU financial services law, and recapture its historical legacy of law-making and implementation, for general economic benefit.’
The current EU-law based framework is ‘prescriptive, inflexible, opaque and voluminous’, he says. Its civil code assumptions, that basic principles must apply to entirely new situations, is ‘unduly ossifying’ and has killed off new industries before they can get going. GDPR is a prime example, and a reason why the EU does not have an equivalent of Google, he told the Gazette. Its stringent requirements create a ‘very top-down and controlled system – no common sense is brought to bear. Sensible lawyers look at it, all feel it is silly but they can’t do anything about it.’
'GDPR is a very top-down and controlled system – no common sense is brought to bear. Sensible lawyers look at it, all feel it is silly but they can’t do anything about it'
Barnabas Reynolds, Shearman & Sterling
While the UK should accept the current adequacy offer, ‘I don’t think we should be making any commitments to keep the scheme’. Rather, the government should consult on a common law-based approach, with less fixed regulation and more room for case law to adapt to new developments created by technologies such as artificial intelligence and blockchain.
One model might be California’s new regime, which Reynolds describes as more based on liability than prescription. It thus nurtures an ecosystem which allows innovation to flourish.
There is little sign of the government picking up this idea. For a start, the Trade and Cooperation Agreement specifically states that both the UK and the EU ‘affirm their commitment to ensuring a high level of personal data protection’ and a willingness ‘to work together to promote high international standards’.
More generally, the government is quietly dousing hopes that Brexit will lead to a bonfire of EU-imposed regulation. The chair of Boris Johnson’s innovation, growth and regulatory reform task force, former Conservative leader Iain Duncan Smith, said last week that he does not intend to lead a ‘slash and burn exercise’.
Meanwhile, the idea of ripping up existing EU rules is largely unpopular with big corporates – which have already incorporated them into their business models – and representative bodies such as the CBI. However by definition, these groups represent existing businesses, which have learned to live under the current regulatory framework. Struggling startups, or postgrad students with bright ideas, get less of a voice.
A bonfire of rules may also be politically toxic: seemingly abandoning protection from the activities of the Amazons and Facebooks of the world would be an especially hard sell.
For all the strengths of the historic common law, it seems that the legacy of 40 years’ absorption of the civil code-based model will be hard to shake off.
*Restoring UK Law: freeing the UK’s global financial market, 172pp, www.politeia.co.uk.