Data sovereignty – what the UK can learn post-Brexit

Francois Rodriguez, chief growth officer at Adeya, examines how the UK might adopt data protection standards following Brexit. Could we learn from the Swiss?

Posted 19 August 2020 by Christine Horton

The question of who owns data has been much debated over the past few years. In the European Union, the General Data Protection Regulation (GDPR) has helped to define and clarify where responsibility lies, what private citizens can expect when sharing their data with organisations, and the issue of data sovereignty.

It is a ground-breaking first step, and one that much of the rest of the world has been watching to see how it addresses some of the key concerns around data protection. However, it only relates to EU citizens. What are the implications for those outside the EU or, more pertinently, those citizens that are now outside the EU but still retain a close business relationship with it – the UK?

Why data sovereignty standards matter more than ever

Why does data sovereignty matter? We’re living in a complex, disrupted era, with data constantly captured and analysed. Businesses, and governments, are dealing with users that increasingly expect them to protect personal data, while at the same time having that data accessed from thousands of different locations as remote work booms.

It is absolutely vital, in such circumstances, that countries have a strong grasp of data sovereignty. By defining who owns what data, what they can do with it, how it can be stored, and how it must be secured, the likes of the UK can establish a groundwork for user data privacy, and its protection.

Once this is defined, they can then start looking at minimising data collection. Currently, many organisations, even following the implementation of GDPR, take a blanket approach to data – while they now have to be a bit more explicit in how they’re going to hold and use the information, they haven’t actually adjusted their practices in terms of collection. As highlighted above, with constantly changing circumstances this is potentially extremely risky. Plus, when we consider that the vast majority of data is never used, it raises the question of why they hold it in the first place.

If businesses won’t protect citizens, then countries like the UK need to, which is why having clear standards on what needs to be collected and if it needs to be stored is vital.

Francois Rodriguez, chief growth officer at Adeya

There is also another reason why data sovereignty matters. With the UK now outside the EU, its own citizens no longer enjoy the protection of GDPR, and are at increasing risk of coming under the US’s Clarifying Lawful Overseas Use of Data (CLOUD) Act. It gives U.S. law enforcement authorities the power to request data stored by US technology vendors (and therefore most major cloud providers), even if the information is outside the United States.

It is therefore incumbent on the UK to develop its own data hosting legislation to protect its citizens against the CLOUD Act, in the same way that GDPR does. How? Because unless a warrant issued under the CLOUD Act is recognised as part of an international agreement and is therefore a legal obligation, there is no way of ascertaining the lawfulness of the request. In other words, US law enforcement agencies have to have a warrant in line with the appropriate legal treaty to access EU citizen data.

Currently, the UK doesn’t have this provision. As it wrestles with the twin burdens of defining what post-Brexit life looks like, and the impact of the pandemic, what should its data protection standards look like?

First, does it matter from a business perspective what data protection standards it has? Yes – citizens that have grown used to a degree of control over their data are less likely to give it up if that protection is no longer in place, and without data, businesses will struggle to provide the level of service and experience that is going to be vital as Britain opens up post-lockdown.

In short, without data sovereignty standards, businesses operating in an increasingly digitised, post-Brexit UK will struggle to grow.

Looking back to GDPR for guidance

Much of the Brexit discussions have been characterised by the sort of deal the UK would end up with, with many solutions given national names – such as the Norway model for access to the single market. When it comes to data sovereignty, a similar example exists – the Swiss model.

Switzerland’s approach to data protection standards is built on two pillars – a constitutional right to privacy and its Federal Data Protection Act. While the FDPA is currently undergoing a review in light of GDPR, it offers citizens a similar level of protection and lays out how businesses should be using, storing and protecting customer data.

For the UK, adopting a similar approach would safeguard citizen data and define the rules of engagement for businesses and government – both absolutely critical if individuals are to trust organisations with their data, and for those companies to access the data they need in order to operate effectively. Furthermore, with many UK businesses still having EU customers, adopting legislation that aligns with GDPR will make the handling of such data more straightforward.

A Swiss-made guarantee of neutrality

Data sovereignty, protection and the scrutiny around privacy will continue to be a major issue. As countries adapt to the new normal of post-pandemic life, maintaining citizen trust is going to be absolutely critical. Therefore, having clear standards and frameworks are necessary to support businesses and government organisations that need customers to trust them in order to deliver experiences and services in a post-pandemic, digitised Brexit UK.