Progress is a motherhood and apple pie concept, as the Americans like to call them. Nobody disagrees with it, but few can define exactly why it is especially welcome. If you say a new development is just part of progress, it is a quick way to gain buy-in. Data protection has enjoyed that association, especially with the explosion in volumes generated by technology. But are those days over? Have we passed the moment of peak data protection?
The concept of peak output is an important one in many markets since it defines future production capacity, sets a limit on demand and influences price. It is usually associated with raw materials that are finite, which is why peak oil has been much talked about and forecast since 1956, for example. Typically, there is a normal distribution curve involved.
Data is different since there are virtually no constraints on its production, only on storage and processing. Data protection, however, is another matter since it creates legal parameters that restrict how much of that data can be legally exploited to extract value.
Where personal information is concerned, 24th May 2016 may come to be seen as the moment of peak data protection. That was when the General Data Protection Regulation (GDPR) entered the statute books and expanded the rights of individuals and the obligations of data controllers and processors, as well as throwing its net around a wider set of data which is now considered personal.
But one month later the UK voted to leave the European Union. With the outcome of that referendum, it may well be that the next decade will see a steady rolling back of data protection – potentially all the way to 1981 – as new trade deals are struck that take a very different view on the issue. Economic and political progress for those countries involved could trump notions of data protection and privacy as fundamental human rights as enshrined in the Treaty of Lisbon, around which the European Union has been built.
The first step in this reversal could be taken as a result of delays in the ePrivacy Directive review. While the European Commission has stated that it wants to have a new Regulation in place at the same time as GDPR starts to be enforced, there has as yet been no debate on the draft proposals. Given the scale of amendments that were tabled for GDPR, it seems likely that more than 15 months will be necessary to see a new ePrivacy framework agreed.
In any case, the UK is shortly to trigger Article 51 and its formal exit from the EU. While Theresa May has said all EU laws will be transposed into UK law, there is no reason to suppose that future laws passed after this event will be included. So a new ePrivacy Regulation could become one of the first major items of European law that do not get adopted here.
The second step could be a default to World Trade Organisation trade agreements to cover UK-EU trade relations if negotiations do not produce an acceptable Brexit deal. The attraction is that WTO already has an agreement with the EU, the terms and tariffs are clear, and other nations around the world also work under WTO terms, opening up a pathway to quicker, multilateral deals elsewhere.
America may opt for WTO terms in the wake of scrapping the Transatlantic Trade and Investment Partnership package which President Elect Trump has criticised. If the US and the UK both decide on this path, it would create clear momentum and an alternative framework that could prove hard for other individual countries within the EU to resist, or which may force a new EU position.
The third step results from how WTO tackles data protection. The core legal framework is the Council of Europe Convention 108 on automated processing of personal data, written all the way back in 1981. Forty European countries have signed up to this treaty, as have a handful of other non-European nations. As recently as last July, the United Nations Conference on Trade and Development was viewing it as having realistic potential for globalisation.
What is important about CoE Convention 108 is that it offers a “privacy light” solution and only demands an approximation of European adequacy. Given its status as a CoE treaty, any country operating under it can hardly be refused such a ruling.
So there is a pre-existing, widely understood and adopted framework for data protection ready and waiting should Brexit negotiations fail and the UK find itself operating to WTO rules. But the level of protection for individuals – and the obligations for data controllers – are set below what GDPR contains. We may look back from its shadow and consider whether scaling its heights represents progress or if an alternative route offers an easier way forward.
Related articles: News Analysis – That’s the way the ePrivacy cookies crumble