 I'm here today with Dr David Urdos, who is a university lecturer in law and the open society, and we're going to talk together today about data protection. Could you start David by just telling us what data protection is and why it matters? Sure. Data protection is our entire body of law regulating any dissemination or even any use of personal information. That's anything that relates to is about another identified individual. And it puts in place a whole body of provisions designed to safeguard that individual effectively. Safeguard their privacy, safeguard their reputation interests, and safeguard other sort of individual rights, such as fair treatment, non-discrimination, a whole panoply of different things. And I suppose why it's important is because personal information has become absolutely ubiquitous, or should I say the digital dissemination and use of personal information, which is roughly what's covered by the law. On the one hand, corporations are pushing to use personal information in ever more intrusive ways. We have tracking of people, both online and offline. That's for something relatively innocuous like advertising purposes, but that could then be linked to making some very important decisions related to people such as maybe an employment, or in order to get a mortgage, or to get some other loan. On the other hand, all of us manipulate personal information in this digital environment in ways which could be seen as going beyond the purely personal, which has an exemption from the law. So, for example, you might use a CCTV camera outside your home. That might not be considered purely personal. You might put some information on the web, on some kind of public profile or blog, mentioning someone or including a photo. Again, that would tend in Europe to be considered not purely personal. Personal use is central both to the digital economy and to the enjoyment of other fundamental rights. The use of personal information is actually integral to freedom of expression. It's integral to freedom of association. To the extent we all readily move across borders, it's also integral to freedom of movement across borders as well. So, it has become, although it's seen as very narrow and technical even now, has become pretty critical to the way we organise modern industrialised societies, to be honest. What's been the role of the EU in terms of law and policy in this field? That raises another critical issue because the EU has been a trailblazer, if you like, for some of the most stringent laws on personal information that exist within the industrialised world. So, it takes a very broad approach that almost every form of digital communication or use of personal information, at least within the private sector, is covered. And the detailed default provisions, which it puts in place, relate not just broad principles, which we might all agree with, like fairness, but some quite detailed rules around transparency, around control by the individual data subject, is what we call it, the person who's named in the information, around the movement of information overseas to a different jurisdiction, and prohibiting the processing absent some kind of waiver from the individual. Whole categories of so-called sensitive information are the rules, such as health data, political opinions, religious beliefs, criminal data, philosophical beliefs. So, some quite detailed rules, which it's got in place. So, a very broad and stringent regime, but one that's also suffered from some serious implementation issues. I mean, we're now over 20 years on from when pan-European rules were agreed, and people's daily experience of information might not play that much resemblance with what we see on the books in Europe. Now, some would say that's the question of poor enforcement, maybe partly the fault of the national level. Others would say that this sort of labyrinth, or a UK judge even described it, is a thicket of rules and regulations, just doesn't fit well with digital reality, which again might be argued that that digital reality is integral to the digital economy, the competitiveness of the economy, and also to the enjoyment of liberal freedoms, particularly online. So, that's kind of where the EU is at. It's really at the very centre of these debates. And what's the justification for this regulatory sort of web, and you described it as stringent. What's the EU's justification for having this sort of regulatory regime? Well, I suppose from the point of view of many policymakers within Europe, they reacted, in fact, even before the EU itself got involved, in fact, before the EU actually existed, it was the common marketer, I suppose, then. But the Council of Europe was very much the leader in this field, and saw the computer and the growth of computers and computerised networks as profoundly threatening to the position of the individual to privacy interests, to reputation interests, to fairness interests, to a whole panoply of different individual rights which were implicated by the computer. And 30 years, 40 years on with the growth of the internet, one can kind of see within that ballpark where it's coming from. It's not as if they aren't some serious issues in this area. But data protection, in many ways, was designed for an era where they were a sort of manageable set of computers, a small number, doing a small number of operations. And I suppose we sort of developed that regime from that setting in Europe because we put it in place in some cases in some countries as early as the early 1970s. And so it's from that model that it's been developed. Now alongside relatively poor enforcement and implementation, this has prompted a reaction to simply using the existing framework and augmenting it. And in fact, under the new General Data Protection Regulation, which has just been agreed in Europe, which will come into force in 2018, generally speaking, the rules have become even more stringent. The provisions have become even more voluminous. And there's also a great focus on enforcement now. I mean, there will be potential administrative regulatory fines administered in the UK case by the Information Commissioner's Office of up to 20 million euros, or even 4% of annual global turnover for a corporation based on Facebook and Google would run into the hundreds of millions. So from Europe's perspective, you know, they are profound threats digitally. And I think that few in Europe would necessarily want to argue with that as a basic reality. But it's more that the structure which we've kind of developed, we started with and we've continued to develop in Europe just might not actually fit with something which is very plausible in a world where there must be, you know, billions of computerised devices which are technically, and in many cases, really actually in terms of impact on individuals, processing personal information. So what do you think the impact of Brexit might be upon data protection? Yeah, well, I mean, I actually hope that Brexit won't happen despite having sort of major criticisms of EU policymaking in this area. But I think it is interesting to think through what the implications would be for data protection should Brexit happen. And I think that they would be, you know, complex in a way. On the one hand, we would be freed, if you like, from having to implement what I would consider some pretty disproportionate and onerous restrictions in this general data protection regulation. We would be free to develop a more flexible regime. And that might offer some benefits for the digital economy here in the UK, to be honest. And it also might offer some benefits for the secure enjoyment of liberal freedoms. We also probably would face a little bit less pressure to actually enforce some of these provisions. Now, if you care about some of the outcomes which the EU has obtained in this area, you might not be too happy about that. So, for example, the only real reason that we have the right to be forgotten rights by to search engines like Google is really as a result of Spanish regulatory action which then led to a pan-European result. We might not be included in those rights should Brexit happen. Now, that's kind of the broad way in which Brexit would, I think, play out in the data protection arena. The complication comes from the fact that we would then become subject to the restrictions on the flow of information outside Europe's borders. And the flow of personal information between us and the rest of Europe is actually integral to so much of our economy. But I think it's almost inevitable that we would seek this sort of gold standard adequacy status of our data regime with the EU. And that would push us more towards a similar regime to the EU because we would only really get an adequacy status if we had a regime which was at least substantially similar to what is existing under the EU and will exist under the regulation. Now, it's true that New Zealand in 2013 managed to obtain adequacy status from the EU with laws which are substantially different, in fact, from the data protection scheme in Europe. They don't have the kind of detailed, or most of the detailed transparency and control rules. They actually have no concept of sensitive personal data, per se, within their law, although many other elements are very similar. But the context, I think, is rather different now. I mean, for a start, the UK is a much larger jurisdiction with a much more substantial trade in personal information between Europe, the rest of Europe and the UK. And the second issue is that the Court of Justice actually just last year has now said that adequacy in this context means essentially equivalent to European rules, which is a much higher threshold than really was being thought about in the case of the New Zealand situation. So I think that realistically the divergence between us and Europe if we were going to end up with a Brexit would be rather less than what we say between the New Zealand regime and the EU regime today. If you had one key message that you'd like to be better communicated and run up to the referendum as concerns data protection, what would that be? I think the key thing to get across is that we really should be debating these issues. Again, whatever you think of the Brexit proposition, if you like, this is an opportunity for the country to talk about the nature of the EU. And we haven't heard much of the debate as regards competitiveness and fundamental rights. It's been drowned out by debates, say, particularly around migration. It is true that some of the key Brexiters, if you like, Michael Gove and John Whittingdale, have made trenchant criticisms of data protection in particular, but we haven't really seen that wider debate and I think we need to see that wider debate. And within the context of that wider debate, I suppose I would say that on balance, Brexit isn't the answer, but more engagement with the debate is the answer within the EU. So using the various limitations which may exist at national level to create that balance which is needed within the law and also engaging with our European partners about an interpretation of the law that is more balanced and eventually a kind of potential alternative vision for data protection which is a bit more contextual and a bit more balanced, but on a pan-European basis because at the end of the day, although they are major issues of divergence in national values which maybe need to be faced as well, a number of the issues which I'm talking about today about the secure enjoyment of liberal freedoms, about competitiveness in a very challenging digital environment are common to the whole of Europe. I don't think it should be seen as a them or an us situation. I think it should be seen as a situation where there's potentially profound learning to take place between all the different countries in the EU to get to a better outcome that achieves the sort of goals which I think probably on balance we all want to achieve in the data protection arena. Brilliant. Thank you. Thank you.