The UK’s digital legal regime has been uncertain since it left the European Union, with a reform of the landmark EU privacy law stalled in parliament, and numerous regulatory reviews and proposals underway.
Tech firms have called for clarity, and expressed fear that the government will make the UK into such a maverick regime that they will be blocked from doing digital business overseas.
The UK, seeking to relax some strict points of EU law, took a markedly transatlantic stance in reforms it began last year, and in digital trade negotiations it has been participating in around the world.
Europe’s General Data Protection Regulation (GDPR), widely celebrated as the gold standard in privacy, has already influenced legal reforms across the globe, from Brazil to India, Rwanda to South Korea. Some US states are even taking cues from European standards.
Commentators say this was the aim of Europe’s digital agenda: to assert its digital sovereignty by drafting laws to protect individual human rights in cyberspace and to project them around the world.
For the UK meanwhile, Brexit had been its own act of digital sovereignty, says Sarah Pearce, a partner in global privacy and security law with Hunton Andrews Kurth. By separating data law from the EU the UK has taken active ownership of it.
Building a ‘pro-growth’ digital regime
UK tech firms have been both worried and encouraged by the draft bill that followed that separation: the Data Protection and Digital Information Bill.
Phil Bindley, director of cloud computing at UK-based Intercity, says his business has been left guessing about how it would be affected by the proposals.
The draft bill promises a “bold”, extra-EU data regime that will be “pro-growth” and designed to make it easier for companies to innovate with the use of data.
Nevertheless, says Bindley: “The regulatory uncertainty is a sword of Damocles hanging over our heads. It’s very difficult to make strategic decisions.”
“GDPR was a moment of awakening for a lot of businesses, a realisation that the data you hold is not yours. You are the custodian of it,” said Bindley. “GDPR was a great step forward.”
Regulatory uncertainty had since suppressed UK innovation and growth, Chi Onwurah, the opposition Labour Party’s shadow minister for business and industry, told a conference of software engineers in February.
The Conservative government’s tech policy lacked ambition and was “wholly inadequate”, she said, because it treated regulation as a barrier to innovation and growth. She went on to explain that regulation actually created growth, because it gave people trust in technology, which brought tech firms more users. And more users brought more investors.
The scalpel or the sword? – Why firms are wary of excessive regulation
Yet Matt Peake, policy director for Onfido, a global UK artificial intelligence (AI) software firm, points out the dangers of stringent regulation. “GDPR can act as a break on innovation and a chill on investment. There are a lot of hoops and hurdles to go through to generate new products.”
For all its good points, “it can be over restrictive, highly burdensome, quite costly to comply with and goes beyond what it needs to protect user data,” he says.
Onfido had been trying to use its customer data in innovative ways, but repeatedly found that EU rules make it “really, really difficult”. It had tried to build new services for its customers in financial services and found they were afraid to use them for fear of being prosecuted.
But Peake also worries that the UK will diverge so far from GDPR that it will lose its adequacy in EU law. A formal EU adequacy decision in 2021 granted EU and UK firms permission to share data because post-Brexit Britain had not diverged from the data statute it inherited from the EU, but this decision could be reassessed.
“We need to process data all over the world with minimal restrictions. The risk is we take a data sovereign approach and it becomes harder,” says Peake. He fears a global fragmentation of data flows.
Eve Maler, chief technology officer of identity software firm ForgeRock, believes the world is entering an era of heavy regulation of AI and data and is also concerned about the impact.
“It can be an overwhelming burden,” she said. “I am concerned with crushing innovation.”
She believes the government should leave the market to innovate choice for users, and keep regulation to defining broad principles of behaviour, which, she adds, should be stated in the negative.
Who’s setting the gold standard?
In an October 2022 edition of the Maastrict Diplomat podcast, Margrethe Vestager, the European commissioner responsible for data, AI and social media stressed that choice is an aim of the “digital agenda” by which the EU has been extending its digital sovereignty.
Energy and commodity shortages that followed Russia’s invasion of Ukraine exposed vulnerabilities in the EU’s dependence on Russian fossil fuel and Ukrainian minerals.
The EU’s sovereignty push, which strove beyond data privacy to build indigenous cloud and chip industries to rival those of US and Chinese firms, likewise strove to reduce EU dependence on sole foreign suppliers.
But Europe’s digital sovereignty project has drawn comparisons to authoritarian regimes like China and Russia and has been criticised by the White House, which lobbied against parts of the EU’s proposals.
Europe insists it seeks not separation but a competitive market that brings choice of technologies. Western countries, citing fear of foreign interference, have meanwhile stopped Chinese tech firms dominating communications infrastructure within their borders, and blocked Russian misinformation in digital media.
Choice aside, Suki Dhuphar, an executive at software firm Tamr, believes innovations in EU government data processing are held five to 10 years behind China and the US by heavy regulation.
“Rightly or wrongly”, China’s advanced handling of data, such as issuing automatic fines to jaywalkers, set an example. UK reforms would ease rules on police data processing, but such innovations are being challenged in EU courts.
Digital trust and goodwill among nations
Widespread mistrust of the internet was apparent in conversations that Joe Baguley, EU chief technology officer of cloud software firm VMware, has had with government officials around the world, and executives from all sectors of industry.
Government officials have increasingly asked Baguley for his advice on building sovereign cloud-computing systems within the borders. Their motivation is to ensure that the most sensitive data isn’t stored in some other country where foreign governments might interfere with it.
The UK made combating such fears one of the main thrusts of its post-Brexit digital policy. Declaring mistrust a risk to global trade that could be resolved only by the recognition of common data-privacy rules in international forums, it pursued agreement on “global trusted data flows” in the OECD and G7 clubs of democratic nations.
In December, it struck a trade agreement with Japan, which had been striving for a common global data adequacy. This issue was also on the agenda of talks the UK and US opened in January. Trust was in the spotlight again after the US wrote into an adequacy agreement with the EU a capitulation to longstanding demands for checks on US interference in cyberspace.
Their agreement sought to heal mistrust that stemmed from the infamous Snowden revelations that the US, hunting for terrorists, had tapped the world’s internet traffic in ways that federal law forbade it from doing to its own citizens. The US relinquished some of this sovereign power it had assumed over the global internet.
The UK looks to balance the interests of companies and citizens
The OECD, where the UK took its effort to establish a “pro-growth and trusted data regime”, turned the US intelligence reforms into a pledge by which other countries said they would pursue the same course.
The Covid outbreak exposed how severe public distrust was in the internet when it emerged that people in minority, vulnerable and disadvantaged communities withheld data from health authorities for fear it would be used against them by other agencies with nefarious intent.
In reality, the laws underpinning the EU’s digital agenda were never about sovereignty, but only an attempt to restore people’s trust in cyberspace, so digital trade and firms could thrive. This point was made by Werner Stengg, one of the architects of the EU laws in Vestager’s office, in a webinar by The Atlantic Council, a US think-tank, in November.
Software firms celebrated UK proposals to pare back the EU rules, which would allow personal data troves to be used for research and development, and soften permission requirements around data use.
The UK data regulator made the first step, for the sake of innovation and growth, by allowing firms to decide when, where and how it was safe to trade data with foreign regimes based on a mere risk assessment, instead of detailed and onerous comparisons required by the EU.