
I presented this speech entitled 'Data is the new currency' at the ThingMonk conference, Shoreditch, London on 13 September 2017. In the speech, I discuss the implications for the GDPR and for Brexit.

Did you know that by 2020, the European data economy is predicted to be worth some €643 billion? Many companies, yourselves included, are able to monetise the data trails that we all leave online, and you will know how personal data is now important in all kinds of ways from healthcare, to smart cities, to energy management and the Internet of Things. This is what is meant by data is the new currency. Data has become a valuable commodity that is exchanged and traded and transferred across borders minute by minute. Data is used in a whole multitude of different ways, including things like apps, advertising and corporate customer services. Companies that trade in data have vastly inflated stock market valuations. For example, Facebook is larger than Coca-Cola, in terms of its market capitalisation. The overall value of data to economies is significant.

According to a study by McKinsey, global cross-border data flows added a whopping $2.8 trillion to global GDP in 2014. Here in the UK, we are said to account for 11.5% of those global cross-border data flows, according to another study by Frontier Economics.

But I am not here to quote statistics at you. My point is that data is economically important; indeed, it is so important that if data cannot flow, trade may not happen, and this kind of economic impact has political consequences. It’s the big numbers that get politicians interested. The growth in importance of data in the economy has attracted the interest of governments and, as a consequence, they want to regulate it.



Of course, I am referring to data protection law. There is a new European data protection law that you may have heard about. This is the General Data Protection Regulation or GDPR, and it is a direct consequence of the importance of data as the new currency.

The GDPR is not just concerned with the volume of data. It specifically addresses the new ways in which data is processed. If we consider the historical development of data protection law, we can learn more about the changes in processing. In 1984, when Britain first legislated for a Data Protection Act, and in 1995 when the EU brought in the first Data Protection Directive, the amount of data involved was relatively small. It was mostly lists or databases of people’s names, addresses and phone numbers. Maybe some additional account data attached. It was pretty much static, and two-dimensional. If ever transferred between companies, it was a binary transfer.

Compare that with what we do today with the data. Think about predictive analytics, machine assisted learning, data profiling and artificial intelligence. Consider for example a mobile app on a smart phone. It collects data which might include location, contacts, communications, and financial information. It may transfer that data to the cloud and to other providers in other jurisdictions, for processing. The data flows today are no longer two-dimensional and binary. Instead, they are three-dimensional, dynamic and real-time, and inherently cross-border. It is those characteristics that turn the raw data into a currency that can be traded.

It may seem a little strange, however, that a currency that underpins economic activity should be governed by a law that is apparently intended to protect people’s privacy, which is after all a fundamental right. Let’s dig a little deeper. Much of that data that oils the new economy is people’s personal data. It is information on the most private and intimate aspects of people’s lives. Indeed, it is often said that Facebook knows you are pregnant before your husband does! This is the reason why we have this kind of paradox, that a law governing a fundamental right also serves to address a major economic issue.

Now, let’s go back to that new EU law. The EU felt that the old law, designed for the old system, was no longer appropriate, and that is why it drafted a new law. They felt we needed a new law to address data profiling and the automation of dynamic, real-time processing of personal data. This new law was adopted at the beginning of 2016, and it takes effect from May next year.

At the heart of the GDPR is the regulation of  data profiling, and all of the types of automated processing. It carries big fines for failure to comply.

In the current UK political context, the GDPR has one other interesting provision. That concerns regulation of cross-border data flows and the transfer of data to what the EU calls ‘3rd countries’. These are any countries that are not Members of the EU. This has very significant consequences for our current political situation.

 After Brexit day on 31 March 2019, the UK will become a 3rd country.  The UK will need to comply with the 3rd country regulations if UK companies want to transfer data to and from the EU.

I wonder, are you aware that data flows are being discussed in the Brexit talks?

Both the European Union and the UK government recognise the economic significance of data. Just as an aside, it’s interesting to reflect that when we joined the EU, in 1972, a data protection law had not even been conceived of. I think I am correct that around 1972 we saw the first email transmissions, and the early technical design of the Internet was being invented.

How different from today! 

Leaving the Single Market means quitting a single regulatory regime for data protection that was designed to remove barriers across  28 countries.  The big issue for Brexit and data, and one that will affect all of you, is that data flows between the UK and the EU  could stop. This is ultimately what both our government and the EU are worried about.

You may be aware that there are 2 position papers on data – one from the UK, and one from the EU? But the 2 position papers are poles apart. The British government says that ‘it is essential to avoid regulatory uncertainty that may force businesses to incur additional costs’.

The EU is more direct. It says that data flows between the UK and EU 27 will terminate unless certain conditions are put in place.

The key condition is what’s called an adequacy decision. In very simple terms, an adequacy decision  means that the European Commission  has to determine that the UK is a safe place for the transfer of personal data. An adequacy decision would govern all data transfers by all companies to and fro.

If there is no adequacy decision, it is still possible to transfer data legally between the UK and EU, but it means lots of red tape. The red tape takes the form of things like Binding Corporate Rules and Model Contracts. It means you will incur legal fees.

The other way you can do it is to have a data centre inside the EU for the purposes of handling EU personal data, and to reconfigure your systems. This of course entails expense.

What bothers me about the Brexit situation relates to what I said earlier about the way that data processing itself has changed. It is no longer a two-dimensional binary process, but a three-dimensional one that is dynamic and real-time, cloud-based and multi-jurisdiction. The studies of the data economy show that cross-border data transfers are a significant element of the global economy. I would suggest that pulling out of a regime governing 28 countries doesn’t really make sense.

However,  we are where we are.  It may be in the interests of all of us to watch how the political talks over Brexit will impact the value of data currency.


I have spent the past 10 years studying European Union policy, in the context of some specific policy agendas and legislative proposals including the GDPR. This speech is based on my own experience and previous research. See EU 'historic' data protection rules highlight privacy paradox. If you would like assistance with Brexit analysis, you will find my contact details via the Contact Us page. I am also available for training and round table sessions.

To cite this article or its contents, please attribute and Monica Horten as the author.

If you liked this article, you may also like my book The Closing of the Net which  discusses the legislative path of the GDPR and includes chapters on data protection and data retention policy.

Iptegrity in brief is the website of Dr Monica Horten. I’ve been analysing digital policy since 2008. Way back then, I identified how issues around rights can influence Internet policy, and that has been a thread throughout all of my research. I hold a PhD in EU Communications Policy from the University of Westminster (2010), and a Post-graduate diploma in marketing. I’ve served as an independent expert on the Council of Europe Committee on Internet Freedoms, and was involved in a capacity building project in Moldova, Georgia, and Ukraine. I am currently (from June 2022) Policy Manager - Freedom of Expression, with the Open Rights Group. For more, see About. Iptegrity is made available free of charge for non-commercial use. Please link back and attribute Monica Horten. Thank you for respecting this.
