Antony Walker, the deputy CEO of technology trade association TechUK, has appeared in front of the House of Lords EU Home Affairs Sub-Committee to give his views on the free flow of data after Britain leaves the European Union.
Walker noted that while digital as a sector in and of itself is of crucial importance for the British economy, it cuts across every other aspect of the economy as well – noting that plenty of more traditional businesses are undergoing digital transformation projects.
"There's this process of digitalisation happening so the rest of the economy is in the process of becoming more digital," he said. He added that 80 percent of the digital sector's exports are in services, and those will "very often involve the transfer of data". With GDPR looming, he warned that he believes "many companies and organisations haven't yet quite fully grasped the significance of the definition of broader data that sits in the GDPR".
Walker noted that the there's a "lot of work ongoing" within the ICO and across government to make sure the UK implements the GDPR in full.
If the government made a request to the European Commission for an adequacy decision today, the process could take as long as two full years before Europe's Article 29 working party reaches a decision.
He warned there could be a major business risk to small to medium sized companies, if they had to undertake data regulation procedures that are significantly more complex than they are now. These could include getting up to speed on knowledge internally and "significant legal costs" for putting new measures in place, plus additional complications around approaching customers or suppliers to sign new contracts. This could "bring in delay and uncertainty", he said, and potentially a "significant impediment" to trading across borders.
For its part, Walker said TechUK is doing a lot of work trying to help companies understand the new legal frameworks of GDPR, and to help them understand their rights and obligations. But he conceded that the work of a trade association can't do much more than "smooth the path a little bit".
He went on to say that TechUK has seen evidence of a pragmatic approach to addressing the free flow of data – adding that there are positive movements from counterparts across Europe, including in Berlin, Brussels and elsewhere.
"There are many businesses across the European Union that are just as concerned there is a smooth transition as UK firms are," he said.
He highlighted the importance of working with the European Union regulators, rather than attempting to go it alone. Walker said that the ICO and the UK should be "really engaging" with the European data protection authorities going forward, and that it is important to be "on the front foot" here. But that will need a better-funded and even more outward-looking ICO.
In terms of bilateral deals, it is important for the UK to focus in particular on the large economies like Frange, Germany, Spain, and Italy, he said, but also those that are at the forefront of digital innovation, such as those in Scandinavia and the Baltic states.
Walker said that TechUK would "urge real caution" in the early stages of Brexit, and that the best thing for both the UK economy and UK citizens right now is "to stay closely harmonised" with European law.
Diverging from these would require a "very careful analysis of the pros and cons" – and in particular said that anything that would impact on gaining an adequacy agreement would need to be "very carefully" questioned over whether it's the right thing to do.
UK Information Commissioner Elizabeth Denham has called for an international treaty on data protection to be set up within the next ten years.
"That is on the horizon, that's where we need to go if we recognise the global nature of data," Denham said during a House of Lords EU Home Affairs Sub-Committee.
She also recommended the UK applies for an adequacy rating with Europe after triggering Article 50.
An adequacy rating – described by the EU as when a third country ensures an adequate level of protection through domestic law or international commitments – would ensure the free flow of data between the UK and countries in the EU.
The requirements for meeting a full adequacy rating are stringent and in practice would probably mean the UK fully adopting the policies of the upcoming General Data Protection Regulation. It would require a negotiation between the UK government and the European Commission, because the latter is the body that grants adequacy ratings to third countries.
"There are other ways for data to flow, or agreements that could be put in place, but it's not as straightforward for businesses to negotiate binding corporate rules and standard contractual clauses," Denham, said.
Denham warned that she is a "long way from the negotiating table" but is advising the government on her field of expertise. "I do think the ministers' doors are open and we are actively providing advice," she said.
But she warned that the government must do its best to help ensure the ICO has a seat at the table so that it can influence debate over the future of data regulation in the EU.
"It's very important the government consider the ICO's place and the ICO's influence in what is going to be the European Data Protection Board," Denham explained. "Anything the government can do to ensure we have some status... if we're a third country, the European Data Protection Board is going to be an adjudicative board – it's not just an advisory board the way it is right now."
"It will make decisions about the data processing of companies and organisations that impacts on UK citizens," she said. If the ICO isn't close to those decisions, it could prove frustrating for both citizens and government, Denham warned.
Denham explained that the ICO meets with many countries outside of Europe, for instance Japan and Singapore, where their data regulation policies are less mature than the UK's – which brought in the Data Protection Act in 1998.
The ICO has created a business case and put this to government for an increase in resources over the next three years – specifically to address the complexities that GDPR might bring – and that even if Britain were to remain in the EU, international work has become increasingly important to the organisation.
"It's a global world when it comes to data," she said.
One member of the sub-committee suggested that the logical answer would be to take the lead in data regulation, and to set a "gold standard" for how these regulators might look.
The Information Commissioner agreed, and added that for public policy reasons and for individual trust, the ICO needs to be the gold standard for both regulation and enforcement. "It goes hand in hand," she said, adding that the best way forward will be to fully adopt the GDPR, put into effect the law enforcement directive, and to look towards a "unified implementation of those instruments".
"We can't have people throwing rocks at us from the outside," she said. "We have to have a very strong regime here, enforced well. Weakening the law, making it less burdensome on business, may seem attractive at the surface but I don't think a sustainable business model is a lowering of data protection regulation and practice. That's going to bite us in the long term."