For the UK ... a Data Cliff-edge?
I'm not political in any way, but I currently see absolutely no benefits from the UK leaving the EU. To me, we have a healthy and thriving economy which is full of innovation, and we risk damaging this for little in return - by little I mean virtually "nothing" ... well "zero".
Having enjoyed discussing collaboration around healthcare and cybersecurity in Rennes this week with other researchers, and with forthcoming collaborations around health and well-being with Bavaria, I am filled with the opportunities that international collaborations can bring.
Currently, I am very worried about the future of the UK leaving the EU. Apart from taking away the rights and freedoms of our next generation, and on the access to skilled workers, the barriers to data flows could be one of the major concerns. While the UK will comply with GDPR, there are no guarantees it will be able to seamlessly integrate its data flows with the EU nations, and that flows between the UK and EU, and between the UK and the US will continue in their current form. To say I am worried is an understatement, as data drives our modern economy.
General Data Protection Regulation (GDPR)
Over the past few years, the EU has been developing a range of new regulations which provide citizens with more control of their data. The key focus is GDPR (General Data Protection Regulation), which aims to apply strong encryption and the pseudo-anonymisation of data. It also focuses on the usage of data exported from the EU to other nation states.
The GDPR regulation was passed in April and will be implemented by nation states in May 2018. The lack of rights to privacy for non-US citizens will thus put US businesses at risk in the compliance. Penalties for breaches against EU citizens could reach up to 4% of worldwide turnover, and for a company such as Microsoft, a breach of privacy could cost up to $4 billion.
This will mean that the EU will meet its requirements within GDPR and align itself with NIS (related to the protection of critical national infrastructure). It will also allow law enforcement agencies to share information. And while some of the negotiation language used up to now has been strong in other areas, the data sharing one defines a "deep and special partnership". The Information Commissioner would take a lead role in its enactment, and a long-term relationship between the EU and the UK would apply.
A data-driven economy
In this modern world, the UK has built its economy around services and on software, and the days that we mainly traded as an industrial nation are past, and will never come back. So with a hefty bill of over £40 billion, there seems little in the way of benefits for the UK. After trade negotiations, at the top of the list for things to be finalised is that of data transfers. It is estimated that 75% of all U.K. cross-border data flows are with the EU. The UK is also a leading country for data flows, and, in 2015, it was estimated to be accountable for 12% of all global cross-border data flows. Data traffic is also estimated to grow by a factor of five by 2021.
I love the usage of "friction" when used by the #London data sharing partnership to define their aim:
reducing the friction in the sharing of data and value-driven exploitation
Friction is a term normally associated with mechanical systems, but it shows that data flows need to happen and for us to remove barriers when required. On the other hand, we need to make sure that there is lots of friction when it comes to protecting the rights of our citizens to privacy (and give them some control of their data).
Data is becoming one of the greatest industries around, and it is likely to be one of the driving forces within economies, but it needs to flow across borders. In an information age, for barriers to be placed between the UK and the rest of Europe on the flow of data would probably be one of the greatest barriers to trading that the UK would face.
Overall, I think, in the UK, there is a strong desire for many tech-focused companies to stay part of the EU and to continue to support strong collaborations and the flow of labour. And so the UK government want to create a data pact with the EU, which will allow data to continue to flow without barriers. The UK government are already signed up to implement General Data Protection Regulation (GDPR) in May 2018.
The other major headache for the UK is that it will leave the EU-US Privacy Shield, in which the EU has defined the sharing of data between the EU and the US.
IPA and DPB 2017
In order to make steps towards this integration, in Sept 2017, the Data Protection Bill 2017–2019 (DPB) was introduced to update the Data Protection Act. It focused on the rights of individuals, and on incorporating General Data Protection Regulation (GDPR) and the Police and Criminal Justice Directive (PCJ Directive). The two bring the UK and the EU closer into synchronisation. Along with commerce, the UK plays a key part in sharing criminal information across Europe, including data related to financial crime.
On 25 May 2017, GDPR will restrict the data flows related to EU citizens to where the data controller (or processor) is fully compliant with the regulation. While the UK will stay a part of the EU for the next two years, the UK must show the EU that its data protection policy is adequate to support data sharing with the EU member states. Many currently think that there is little chance of this by May 2019.
While the UK will aim to synchronise its data protection regulations, the major problem will be the Investigatory Powers Act of 2016 (IPA). This act allows the aggregation of communications data for the use of law enforcement, security and intelligence agencies. At the present time the UK government has said that it is "confident that the Investigatory Powers Act is consistent with the GDPR," but many can see a conflict on the horizon. In order to comply with GDPR, the UK has been pinpointed for general weaknesses around the IPA, including:
- That law enforcement does not need to gain independent permission to access communications data.
- The large-scale collection of communication metadata that was not limited to serious crimes.
The changes proposed include:
- Data can only be collected for crimes with a potential prison sentence of six months or more.
- Data cannot be collected for the purpose of public health, collecting taxes or regulating financial markets.
In order to implement this, the UK government is proposing to set up the Office for Communications Data Authorisations (OCDA) in order to comply with requests.
The new DPB 2017 includes a number of citizen-focused additions which synchronise with GDPR including:
- the right to be forgotten.
- a right to data portability.
- a right to know when data has been hacked.
The picture becomes even more difficult when the US and the UK will need additional regulations to cover data transfers between the countries, as they are currently covered within the Privacy Shield and the Data Protection and Privacy Agreement (Umbrella Agreement). A possible model is the Swiss-UK Privacy Shield framework, which shadows the EU-US Privacy Shield, but protects sensitive data for Swiss citizens. Data trade agreements, though, can take a long time to agree, and the UK does not have this time.
US and Data Shield
While the EU has generally strengthened their approach to the rights of privacy of citizens, other nations, such as the UK and the US, have moved against it. With the Investigatory Powers Act now enshrined in law in the UK, which gives investigators the rights to collect data on a bulk basis, we now see the US in danger of breaking the US-EU Data Shield agreement.
This agreement allowed US companies to operate within Europe, but recently Donald Trump signed an executive order which takes away any rights to privacy for non-US citizens. The order comes as a major blow to many US-based companies and may mean that they will struggle to comply with EU laws on privacy, and leave themselves open to fines.
Overall, the Data Shield agreement involved years of negotiation and could have allowed US-based companies the rights to transfer data from Europe to the US, but this is now unlikely to be allowed, especially as it would be open to sanctions applied by the EU.
US Cloud providers, such as Microsoft, IBM, Oracle and Google, have, in the past, struggled to make in areas such as and finance in Europe, and the Data Shield agreement was seen as a way for them to be trusted in allowing data to leave Europe, and be held within the US. With the new executive order signed by President Trump, it is unlikely that the US will be trusted to respect the privacy rights of EU citizens (and thus for US-based companies to end up being sued by EU citizens who can prove that their privacy has been breached).
Conclusions
I don't normally apply my own personal opinions in articles which relate to political issues, but I hang my head in the mess that is being created. Hopefully, all the great businesses around in the UK will get on with things, and will sort things out, but, to me, it is a shambles. We haven't even got to academia's role in the negotiation yet, where many universities are worried about continued collaboration with their European partners, and in keeping and attracting the best researchers and academics.
The debate on leaving the EU was filled with mistruths, with virtually no informed evidence on the damage that leaving the EU would have on our economy. With data now being a fundamental element of our economy, the UK now needs to match the EU on every single line of the legislation and put the rights of the citizen at its heart.
Anyway, does my opinion matter? It seems in this new world, that "experts" have been pushed aside. If you're interested, here is where I gave my "expert" opinion on before it was passed: