The UK’s digital justice system has been uncertain since leaving the European Union, as a reform of the EU’s landmark data protection law has stalled in Parliament and numerous regulatory reviews and proposals are underway.
Tech firms have called for clarity, raising fears that the government will turn the UK into such an outsider regime that they will be prevented from doing digital business abroad.
The UK, which is trying to relax some tough points of EU law, has taken a distinctly transatlantic stance on the reforms it embarked on last year and has engaged in negotiations on digital trade around the world involved.
Widely hailed as the gold standard in data protection, Europe’s General Data Protection Regulation (GDPR) has influenced legal reforms around the world, from Brazil to India, Rwanda to South Korea. Some US states are even based on European standards.
Commentators say this has been the goal of Europe’s digital agenda: asserting its digital sovereignty by drafting laws protecting individual human rights in cyberspace and projecting them around the world.
For the UK, meanwhile, Brexit was an act of digital sovereignty in its own right, says Sarah Pearce, partner in global privacy and security law at Hunton Andrews Kurth. By separating data law from the EU, the UK has taken active responsibility for this.
Building a pro-growth digital regime
The bill that followed this split has both worried and encouraged British tech companies: the Data Protection and Digital Information Act.
Phil Bindley, director of cloud computing at UK-based Intercity, says his company is unclear about how it would be affected by the proposals.
The draft law promises a “bold” extra-EU data regime that should be “pro-growth” and make it easier for companies to innovate with the use of data.
Still, Bindley says: “Regulatory uncertainty is a sword of Damocles hanging over our heads. It is very difficult to make strategic decisions.”
“GDPR was an awakening moment for many companies, a realization that the data you own does not belong to you. You’re the custodian of it,” Bindley said. “GDPR was a big step forward.”
Regulatory uncertainty has since stifled innovation and growth in Britain, Chi Onwurah, the opposition Labor Party’s shadow secretary for business and industry, told a conference of software engineers in February.
The Conservative government’s technology policies lack ambition and are “woefully inadequate,” she said, for treating regulation as a barrier to innovation and growth. She went on to explain that regulation has indeed created growth because it has given people confidence in technology, which has brought more users to tech companies. And more users brought more investors.
The scalpel or the sword? – Why companies are afraid of over-regulation
Still, Matt Peake, policy director at Onfido, a global British artificial intelligence (AI) software company, warns of the dangers of strict regulation. “GDPR can slow down innovation and slow down investments. There are many obstacles and hurdles to overcome in order to generate new products.”
For all its good points, “it can be overly restrictive, very onerous, quite costly to comply with, and goes beyond what is necessary to protect user data,” he says.
GDPR was an awakening moment for many companies, a realization that the data you own does not belong to you
Onfido had tried to use its customer data in innovative ways, but had repeatedly found that EU regulations made it “really, really difficult”. It had been trying to build new services for its financial services clients and found they were afraid to use them for fear of prosecution.
But Peake also fears that the UK will stray so far from the GDPR that it will lose its adequacy under EU law. A formal EU adequacy decision in 2021 gave EU and UK firms permission to share data as the UK had not backed down from data protection law inherited from the EU after Brexit, but that decision could be reassessed.
“We need to process data globally with minimal restrictions. The risk is that we take a data sovereign approach and it becomes more difficult,” says Peake. He fears a global fragmentation of data streams.
Eve Maler, chief technology officer at identity software company ForgeRock, believes the world is entering an era of heavy regulation of AI and data, and is also concerned about the impact.
“It can be an overwhelming burden,” she said. “My concern is to destroy innovations.”
She believes that government should exit the market to renew user choice and restrict regulation to defining general principles of conduct, which she believes should be denied.
Who sets the gold standard?
In an October 2022 edition of the Maastrict Diplomat podcast, Commissioner for Data, AI and Social Media, Margrethe Vestager, stressed that choice is a goal of the “digital agenda” with which the EU has expanded its digital sovereignty.
Energy and raw material shortages following Russia’s invasion of Ukraine exposed vulnerabilities in the EU’s dependence on Russian fossil fuels and Ukrainian minerals.
The EU’s sovereignty push, which went beyond data protection to build domestic cloud and chip industries that could compete with those of US and Chinese firms, was also aimed at reducing the EU’s reliance on foreign-only suppliers.
But Europe’s digital sovereignty project has drawn comparisons to authoritarian regimes like China and Russia and has drawn criticism from the White House, which has opposed parts of the EU proposals.
Europe insists it is not looking for separation but a competitive market offering a choice of technologies. Western countries, meanwhile, have blocked Chinese tech firms from dominating communications infrastructure within their borders and blocked Russian misinformation in digital media, citing fears of foreign interference.
Aside from the election, Suki Dhuphar, an executive at software firm Tamr, believes the EU government’s data processing innovations are lagging five to 10 years behind China and the US by strict regulations.
“Right or wrong,” China’s progressive handling of data, such as automatically fines jaywalkers, is one example. Reforms in the UK would relax rules on police data processing, but such innovations are being challenged in EU courts.
Digital trust and goodwill between nations
Widespread distrust of the internet was evident in conversations that Joe Baguley, EU Chief Technology Officer at cloud software company VMware, had with government officials around the world and executives from every industry.
Government officials have increasingly asked Baguley for his advice on building sovereign cloud computing systems within the borders. Their motivation is to ensure that the most sensitive data is not stored in another country where foreign governments could interfere.
The UK has made addressing such fears a key focus of its post-Brexit digital policy. She declared distrust a risk for world trade that could only be eliminated by recognizing common data protection rules in international forums and sought agreement on “global trustworthy data flows” in the OECD and G7 clubs of democratic nations.
Regulatory uncertainty is a sword of Damocles hanging over our heads
In December, it struck a trade deal with Japan that had sought common global data adequacy. This issue was also on the agenda of talks that the UK and US opened in January. Confidence was back in the limelight after the US wrote a capitulation to long-standing calls for controls on US encroachments into cyberspace in an adequacy agreement with the EU.
Their agreement aimed to heal the suspicions stemming from the infamous Snowden revelations that the US, in pursuit of terrorists, had wiretapped the world’s internet traffic in a way that federal law prohibited it from doing to its own citizens. The US relinquished some of that sovereign power it had assumed over the global internet.
The UK tries to balance the interests of business and citizens
The OECD, where Britain was striving to establish a “growth-friendly and trustworthy data regime,” made US intelligence reform a promise that other countries said they would follow the same course.
The Covid outbreak has shown the level of public distrust online, as it emerged that people in minority, vulnerable and disadvantaged communities were withholding data from health authorities for fear it would be used against them by other authorities with nefarious intent.
In reality, the laws underlying the EU’s digital agenda have never been about sovereignty, only trying to restore people’s trust in cyberspace so that digital commerce and businesses can thrive. This point was made by Werner Stengg, one of the architects of the EU laws in Vestager’s office, in a November webinar hosted by The Atlantic Council, a US think tank.
Software firms celebrated UK proposals to weaken EU rules that would allow the use of personal data assets for research and development and weaken data use permission requirements.
The UK data regulator has taken the first step in innovation and growth by allowing companies to decide when, where and how it is safe to trade data with foreign systems based purely on a risk assessment, rather than detailed and onerous ones Comparisons to be made necessary by the EU.
