EU law will continue to govern our data protection regime regardless of whether we are in or out of the union.

If you’re already bored by the cut-and-thrust of the upcoming EU referendum, where there has been barely a finger cut, and a child’s paper plane’s worth of thrust, I want to propose an idea that should play a more prominent role in the debate.

Much has been made of the notion of national sovereignty, which must be returned to us immediately of course. It is assumed that the ‘leave now’ campaign has the upper hand here. But I think they have misunderstood the consequences. We will lose sovereignty if we leave. And a subject with much rock-star allure can prove it: data protection.

Data protection is big news. After years of debate, the new data protection package (a regulation covering the data of individuals, and a directive covering the activities of law enforcement agencies) was agreed between the EU institutions just before Christmas. It still has to go through the formalities of adoption, expected in the first quarter of this year.

A useful summary of the main points can be found in the European Commission’s press release, and the reactions of tech companies, consumer groups and others can be found here.

As for lawyers, there has been little or no coverage of how it will affect us. The main concern as always has been for the protection of professional secrecy. The final package brings somewhat disappointing news. Professional secrecy is not much mentioned.

The regulation divides data into that collected from the data subject, and that not obtained from the data subject. Where the data has not been obtained from the data subject, the regulation allows that data does not have to be disclosed ‘where the data must remain confidential subject to an obligation of professional secrecy regulated by union or member state law, including a statutory obligation of secrecy.

Where the data has been collected from the data subject, though, a more general protection has to be relied on, where the duty to disclose can be restricted to safeguard ‘the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions’.

Disappointingly, too, the powers of supervisory authorities are not so strictly laid down as might be hoped for. Member states may - not must - adopt specific rules to set out the powers of supervisory authorities in relation to controllers or processors who are subject to an obligation of professional secrecy, where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy.

These rules will also apply only with regard to personal data which the controller or processor obtains through an activity covered by secrecy.

What has this to do with the referendum debate? Well, the new regulation has a section on territorial scope, which makes it clear that companies based outside Europe will have to apply the same rules when offering goods or services into the EU.

That means that all law firms providing services to clients in the EU will have to follow the new regulation, whether we are members of the EU or not.

Of course, once we are outside, a law firm could presumably choose to run two different data protection regimes, one for purely UK data, and one for EU data, but the expense and complexity of that would make it unmanageable. The majority of other UK companies will have to do the same. In other words, EU law will continue to govern our data protection regime regardless of whether we are in or out. (The only exception would be if our own regime were stricter on all points than the EU’s, which is improbable if we are alone in the world and need to attract custom to our shores.)

At present, the UK government and UK MEPs have taken part in shaping the EU package. We have not had complete control, but we have had the votes and muscle that come from being a large member state. If it had been adopted once we had left, we would still have to comply with the legislation, but without having a word to say about it. In which scenario do we have more national sovereignty?

Data protection is not the only field where we will have to comply with laws drawn up by the EU, and where EU standards will remain our own – safety regulations for goods, agricultural and marine rules, finance and banking, insurance, the list goes on.

There is a word to describe countries which have no control over their legislation, but which are forced to adopt legislation imposed by others. If we leave the EU, we will have managed a transition rare in history: from empire to colony in a single lifetime.

Jonathan Goldsmith is a consultant and former secretary-general at the Council of Bars and Law Societies of Europe, which represents around a million European lawyers through its member bars and law societies. He blogs weekly for the Gazette on European affairs

Topics