
I presented this speech entitled 'Data is the new currency' at the ThingMonk conference, Shoreditch, London on 13 September 2017. In the speech, I discuss the implications for the GDPR and for Brexit.

Did you know that by 2020, the European data economy is predicted to be worth some €643 billion? Many companies, yourselves included, are able to monetise the data trails that we all leave online, and you will know how personal data is now important in all kinds of ways from healthcare, to smart cities, to energy management and the Internet of Things. This is what is meant by data is the new currency. Data has become a valuable commodity that is exchanged and traded and transferred across borders minute by minute. Data is used in a whole multitude of different ways, including things like apps, advertising and corporate customer services. Companies that trade in data have vastly inflated stock market valuations. For example, Facebook is larger than Coca-Cola, in terms of its market capitalisation. The overall value of data to economies is significant.

According to a study by McKinsey, global cross-border data flows added a whopping $2.8 trillion to global GDP in 2014. Here in the UK, we are said to account for 11.5% of those global cross-border data flows, according to another study by Frontier Economics.

But I am not here to quote statistics at you. My point is that data is economically important, indeed it is so important that if data cannot flow, trade may not happen, and this kind of economic impact has political consequences. It's the big numbers that get politicians interested. The growth in importance of data in the economy has attracted the interests of governments, and as a consequence, they want to regulate it.

Of course, I am referring to data protection law. There is a new European data protection law that you may have heard about. This is the General Data Protection Regulation or GDPR, and it is a direct consequence of the importance of data as the new currency.

GDPR is not just concerned about the volume of data. The GDPR specifically addresses the new ways in which data is processed. If we consider the historical development of data protection law, we can learn more about the changes in processing. In 1984, when Britain first legislated for a Data Protection Act, and in 1995 when the EU brought in the first Data Protection Directive, the amount of data involved was relatively small. It was mostly lists or databases of people's names, addresses and phone numbers, maybe with some additional account data attached. It was pretty much static, and two-dimensional. If ever transferred between companies, it was a binary transfer.

Compare that with what we do today with the data. Think about predictive analytics, machine assisted learning, data profiling and artificial intelligence. Consider for example a mobile app on a smart phone. It collects data which might include location, contacts, communications, and financial information. It may transfer that data to the cloud and to other providers in other jurisdictions, for processing. The data flows today are no longer two-dimensional and binary. Instead, they are three-dimensional, dynamic and real-time, and inherently cross-border. It is those characteristics that turn the raw data into a currency that can be traded.

It may seem a little strange however, that a currency that underpins economic activity should be governed by a law that is apparently intended to protect people's privacy, which is after all a fundamental right. Let's dig a little deeper. Much of that data that oils the new economy is people's personal data. It is information on the most private and intimate aspects of people's lives. Indeed, it is often said that Facebook knows you are pregnant before your husband does! This is the reason why we have this kind of paradox, that a law governing a fundamental right also serves to address a major economic issue.

Now, let's go back to that new EU law. The EU felt that the old law, designed for the old system, was no longer appropriate and that is why it drafted a new law. They felt we needed a new law to address data profiling and automation of dynamic, real-time data processing of personal data. This new law was adopted at the beginning of 2016, and it takes effect from May next year.

At the heart of the GDPR is the regulation of data profiling, and all of the types of automated processing. It carries big fines for failure to comply.

In the current UK political context, the GDPR has one other interesting provision. That concerns regulation of cross-border data flows and the transfer of data to what the EU calls '3rd countries'. These are any countries that are not Members of the EU. This has very significant consequences for our current political situation.

After Brexit day on 31 March 2019, the UK will become a 3rd country. The UK will need to comply with the 3rd country regulations if UK companies want to transfer data to and from the EU.

I wonder, are you aware that data flows are being discussed in the Brexit talks?

Both the European Union and the UK government recognise the economic significance of data. Just as an aside, it's interesting to reflect that when we joined the EU, in 1972, a data protection law had not even been conceived of. I think I am correct, that around 1972 we saw the first email transmissions, and the early technical design of the Internet was being invented.

How different from today!

Leaving the Single Market means quitting a single regulatory regime for data protection that was designed to remove barriers across 28 countries. The big issue for Brexit and data, and one that will affect all of you, is that data flows between the UK and the EU could stop. This is ultimately what both our government and the EU are worried about.

You may be aware that there are 2 position papers on data - one from the UK, and one from the EU? But the 2 position papers are poles apart. The British government says that 'it is essential to avoid regulatory uncertainty that may force businesses to incur additional costs'.

The EU is more direct. It says that data flows between the UK and EU 27 will terminate unless certain conditions are put in place.

The key condition is what's called an adequacy decision. In very simple terms, an adequacy decision means that the European Commission has to determine that the UK is a safe place for the transfer of personal data. An adequacy decision would govern all data transfers by all companies to and fro.

If there is no adequacy decision, it is still possible to transfer data legally between the UK and EU, but it means lots of red tape. The red tape takes the form of things like Binding Corporate Rules and Model Contracts. It means you will incur legal fees.

The other way you can do it is to have a data centre inside the EU for the purposes of handling EU personal data, and to reconfigure your systems. This of course entails expense.

What bothers me about the Brexit situation relates to what I said earlier about the way that data processing itself has changed. It is no longer a two-dimensional binary process, but a three-dimensional, dynamic, real-time, cloud-based and multi-jurisdiction one. The studies of the data economy show that cross-border data transfers are a significant element of the global economy. I would suggest that pulling out of a regime governing 28 countries doesn't really make sense.

However, we are where we are. It may be in the interests of all of us to watch how the political talks over Brexit will impact the value of data currency.


I have spent the past 10 years studying European Union policy, in the context of some specific policy agendas and legislative proposals including the GDPR. This speech is based on my own experience and previous research. See: EU 'historic' data protection rules highlight privacy paradox. If you would like assistance with Brexit analysis, you will find my contact details via the Contact Us page. I am also available for training and round table sessions.

To cite this article or its contents, please attribute Iptegrity.com and Monica Horten as the author.

If you liked this article, you may also like my book The Closing of the Net which discusses the legislative path of the GDPR and includes chapters on data protection and data retention policy.

About Iptegrity

Iptegrity.com is the website of Dr Monica Horten. I am an independent policy advisor, with expertise in online safety, technology and human rights. I am a published author, and post-doctoral scholar. I hold a PhD from the University of Westminster, and a DipM from the Chartered Institute of Marketing. I cover the UK and EU. I'm a former tech journalist, and an experienced panelist and Chair. My media credits include the BBC, iNews, Times, Guardian and Politico.

Iptegrity.com is made available free of charge for non-commercial use. Please link back and attribute Dr Monica Horten. Contact me to use any of my content for commercial purposes.