Join together in the brave new world of data protection

COMMENT “Unfriending” the EU shouldn’t mean abandoning global data protection standards. Facebook sent shock waves through Europe recently, following its threat in an Irish court that it may have to cease the provision of its services on the continent. The threat came following a decision of the Court of Justice of the European Union (Case C-311/18: Data Protection Commissioner v Facebook Ireland and Maximillian Schrems), which in July cast a shadow over the prospect of organisations in Europe sending personal data over to their US bases. Data transfers are a cornerstone of Facebook’s business, and the tech giant’s ownership of other platforms such as Instagram and WhatsApp means any future without Facebook would lead to a drastic shake-up in the way we communicate – not to mention the precedent it could set for future data freedoms. Ireland’s data protection commissioner has issued a preliminary notice requiring Facebook to stop data transfers to the US, following the Schrems II case relating to Facebook’s EU/US personal data transfers. The notice has immediately been challenged by Facebook, given that data transfers are an intrinsic and indispensable part of its business model. The irony that arises in this situation, however, is that Facebook and the EU most likely share a similar end goal – the desire for consistent global standards relating to international data transfers. A recent blog from former UK deputy prime minister and now Facebook vice president Nick Clegg stated: “A lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU, just as we seek a recovery from Covid-19… Businesses need clear, global rules, underpinned by the strong rule of law, to protect transatlantic data flows over the long term.” The international dimension The direction of travel regarding international data transfers is clear, and heading towards more closely aligned regulations. GDPR – seen very much as the gold standard for protecting individual rights and ensuring accountability for how personal data is used – transformed data protection throughout Europe in 2018 and has been widely copied. In 2019, following the implementation of new data protection laws of its own, Japan became the latest country to be granted an “adequacy” decision by the EU. This decision allows data to flow freely between the EU and Japan and shows what can be achieved when international standards are adopted. In America there are also signs that change is afoot. The California Consumer Privacy Act 2018 shares common elements with the GDPR and came into force earlier this year. While it may be a long time before a comprehensive reform of US data law comes to pass, Congress has put issues surrounding data on the agenda, and the Schrems II judgment may hasten the pace of change. This wider trend can be seen elsewhere in the world, with Brazil adopting new data protection laws within the last month. While an international set of rules being established soon may feel far-fetched to many (and even naïve to a cynic), it is clear that standards are converging and most of the big players in this debate seem to be heading in one direction. The UK’s direction, however, seems more uncertain. What next for the UK? The new National Data Strategy sends mixed messages. Brexit will, of course, allow the UK to change its data protection rules, and this in turn is expected to result in some form of break with European standards. As Europe and the world align, this could leave the UK out in the cold. The government has acknowledged the importance of shared standards, stating: “We know that regulatory certainty and high data protection standards allow businesses and consumers to thrive. We will seek EU ‘data adequacy’ to maintain the free flow of personal data from the EEA, and we will pursue UK ‘data adequacy’ with global partners to promote the free flow of data to and from the UK and ensure that it will be properly protected.” Yet the new strategy also feeds into previous rhetoric of “taking back control”. It pledges to “lift the compliance burden” of data protection rules – a clear indication that relaxation of the rules should be expected. This divergence has the potential to see the UK benefit as a data haven, freed of red tape, but also has the potential to cut the UK out of many of the benefits of a united digital world – a dangerous place to be when the stakes are so high.  Facebook’s threat to pull out of Europe is most likely posturing from a position of power. After all, money talks and following Google’s decision to pull out of a deal for a new office in Dublin, Ireland won’t be likely to let another tech giant leave in a hurry. The UK is not in such a strong negotiating position. We need strong legal protections for personal data – and we must acknowledge that the digital world does not see borders the same way that some in Brexit Britain would like to see them. To protect both data freedom and data privacy, we need to establish a common global framework, and this will mean working closely with the EU, the US and the rest of the world. The EU’s hard line on Facebook may cause short-term difficulties for global firms, especially tech, but it will help to move the world towards common international data regulation. This will bring benefits for all, and the UK needs to be behind it – not running scared. Jon Belcher is a senior associate specialising in information governance, data protection compliance and freedom of information issues at Blake Morgan LLP