Adam Bowering, Policy Adviser in the European Parliament, takes a look at what divergence from EU digital policy could mean for civil liberties and the economy in the UK. 

---

From hate speech to electoral manipulation, our increasing reliance on digital technology poses many challenges. Now out of the EU, the Digital Single Market, and the fundamental rights laws that underpin it, the UK Government faces a choice as to whether it will respond to these challenges with a strategy based on values or whether it will opt for a more nationalist approach, potentially jeopardising civil liberties, diplomacy and the economy in the process. 

With the grand plans for the Government’s National Data Strategy in limbo, there is little certainty about UK digital policy post-Brexit. While the likelihood is that it will continue to follow that of the EU in the short-term to stave off the worst effects of Brexit, the Government has the option to pursue a more divergent agenda in future, which could undermine the right to privacy and freedom of information online. 

In terms of rights, while the Government has claimed that Brexit will be an opportunity to improve standards such as animal welfare, it has not provided the same assurances for other sectors. The Brexit deal does bind the UK to comply with the European Convention on Human Rights (ECHR) (Art 136), which is implemented by the 1998 Human Rights Act. But since the UK no longer follows the more extensive body of EU human rights legislation, which includes the Charter of Fundamental Rights, it is not clear that specific digital rights, such as the “right to be forgotten”, will be upheld by the UK. 

These changes will have long-term consequences for digital rights and regulation in the UK, but, in the short-term, a more pressing concern, particularly for business and law enforcement, will be securing a data adequacy agreement for the continuation of personal data flows. An adequacy agreement would represent a formal declaration that the UK data protection regime provides an equivalent level of protection to that of the EU and, as uncovered by a recent UCL European Institute report, failure to obtain such a decision could cost UK business up to £1.6 billion. In order to prevent a crash out, the Brexit deal provides that the current arrangement will be extended by up to six months to give the Commission time to decide whether to grant a formal decision.

Despite this last minute reprieve, achieving an adequacy agreement is by no means straightforward. Prior to adoption, it will come under the scrutiny of the European Parliament and regulators, and, if approval is granted, it would face the prospect of legal challenges similar to those raised, successfully, against the EU-US Privacy Shield, which was invalidated by the ECJ last July for failing to provide sufficient protections for EU citizens from US surveillance.

As was made clear in the US case, equivalence requires more than data protection compliance alone. Issues that will weaken the UK’s case for adequacy include its implementation of the GDPR via the Data Protection Bill, which came under heavy criticism for failing to uphold the rights of those subject to an immigration procedure. The case to remove the immigration exemption, which was launched by the Open Rights Group and the3million, is still ongoing. The latest ECJ ruling in October, which found the bulk data collection carried out in the UK under the Investigatory Powers Act to be illegal, could prove to be equally problematic, as will the UK’s e-evidence agreement with the US, particularly following the invalidation of the Privacy Shield.

Given the importance of maintaining EU data protection standards in order to obtain this decision, it will be interesting to see whether the UK Government will depart from EU policy in the coming months. Conventional economic wisdom dictates that the UK should do everything in its power to satisfy EU requirements for the continuity of data flows for UK businesses. This logic could be sorely tested, however, if Conservative Party support for the Brexit deal were to give way to irreconcilable aspirations, such as weakening the Human Rights Act to curb its use by migrants and asylum seekers. 

Other issues to watch for will be whether the UK maintains existing rules on intermediary liability, privacy law and encryption, which are sure to be prime targets for those who favour the interests of the security and surveillance industries over a free and open Internet. The Government’s response to the Online Harms consultation in December was telling, as by introducing requirements for automated filtering it provided an early indication that these rules could be set to change. 

In contrast, the EU recently published new regulations that would not only preserve existing standards but also provide further possibilities to enhance digital rights in the EU. The Digital Services Act and Digital Markets Act, both currently being examined by the European Parliament, will provide new rules for online marketplaces, social media and other platforms. They aim to boost the digital services economy while responding to digital problems ranging from hate speech, disinformation and electoral manipulation with a range of new measures providing greater transparency and enforcing the protection of personal data.

This ambitious agenda is not just important for the EU but it sets an example to third countries throughout the world. The UK may no longer play a part in EU rule-making, but, as a third country, it will have the option to follow the EU’s value-based approach to digital regulation. Unfortunately, the path it takes will depend on a Government which has few clear policies and an unprecedented influence over the course of the country’s future. 

---

This article was first published on Computer Weekly and was reposted with permission.

---

Note: The views expressed in this post are those of the author, and not of the UCL European Institute, nor of UCL.