refresh(PIX) - Fotolia
Now that the dust has started to settle on the outcome of the Brexit vote and people take stock of what it means, it’s time to start exploring opportunities.
Could the UK become a “data haven” after it leaves the EU? The country has already created a technology-friendly environment, with more than $9.7bn raised since 2010 and investment in the tech sector rising year-on-year.
Notice to leave the EU is likely to be triggered later this year and Article 50 of the Lisbon Treaty gives us two years in which to negotiate our exit.
It is likely that the General Data Protection Regulation (GDPR), which comes into force on 18 May 2018, will be effective in the UK before that two-year period expires.
The UK Information Commissioner’s Office issued a statement shortly after the referendum highlighting the importance of “international consistency”, saying it would do its part to ensure clarity and harmony in UK data protection legislation, given its importance to the growing digital economy.
Even if Brexit is achieved before the end of the two-year period, some or even all of the GDPR’s provisions may be transposed into UK law, either via an amendment to the Data Protection Act 1998 (DPA) or by repeal and enactment of new legislation.
Despite the current uncertainty around the future of data protection, the UK already has an opportunity to become a safe haven for big data. The answer lies in Convention 108 of the Council of Europe on the automatic processing of data.
That convention governs the processing of “automated data files” and covers any processing by automated means related to the “storage of data, carrying out of logical and/or arithmetical operations on those data, their alteration, erasure, retrieval or dissemination” – in other words, big data and certain types of cloud computing (IaaS & PaaS).
Privacy and freedom balance
The convention seeks to balance an individual’s privacy rights against freedom of information regardless of frontiers and the free flow of information between peoples. It permits the transfer of big data from the UK to other state members of the convention – more than 50 countries in all, including the EU member states. The UK’s membership of the Council of Europe is unaffected by Brexit.
UK data controllers are able to make their own assessments when determining whether there is adequate protection to transfer data under the DPA.
The principles for processing personal data are essentially the same under both the DPA and Convention 108. For example, fair and lawful processing, purpose limitation, integrity and security, individuals’ rights of access, correction and erasure are included and the definitions of personal data and sensitive data are also aligned.
Even if the UK forges its own way in relation to equivalent legislation closely aligned with the GDPR, the UK has a reputation for being pragmatic and taking a risk-based approach to processing personal data.
As some commercially significant jurisdictions, such as the US, are not members of the convention, this presents an opportunity for the UK to become a data haven, making it a safe place for both cloud and big data post-Brexit.
Cynthia O’Donoghue is a partner at Reed Smith ....................................................................................................