From hate speech to electoral manipulation, our increasing reliance on digital technology poses many challenges.
Now out of the European Union (EU), the Digital Single Market, and the fundamental rights laws that underpin it, the UK government faces a choice as to whether it will respond to these challenges with a strategy based on values, or whether it will opt for a more nationalist approach, potentially jeopardising civil liberties, diplomacy and the economy in the process.
With the grand plans for the government’s National Data Strategy presumably carried out in Dominic Cummings’ box as he left Number 10, there is little certainty about the government’s post-Brexit digital policy.
While the likelihood is that UK digital policy will continue to follow the EU’s in the short term to stave off the worst effects of Brexit, the government has the option to follow a more divergent agenda in future, which could undermine the right to privacy and freedom of information online.
In terms of rights, while the government has claimed that Brexit will be an opportunity to improve standards such as animal welfare, it has not provided the same assurances for other sectors.
Upholding digital rights
The Brexit deal does bind the UK to comply with the European Convention on Human Rights (ECHR) (Article 136), which is implemented by the 1998 Human Rights Act.
But since the UK no longer follows the more extensive body of EU human rights legislation, which includes the Charter of Fundamental Rights, it is not clear that specific digital rights, such as the “right to be forgotten”, will be upheld by the UK.
These changes will have long-term consequences for digital rights and regulation in the UK, but government will be more concerned in the short term with securing a data adequacy agreement for the continuation of personal data flows, which are highly important for businesses and law enforcement.
An adequacy agreement would represent a formal declaration that the UK data protection regime provides an equivalent level of protection to that of the EU and failure to obtain such a decision could cost UK business up to £1.6bn.
To prevent a crash out, the Brexit deal provides that the current arrangement will be extended by up to six months to give the European Commission (EC) time to decide whether to grant a formal decision.
Despite this last-minute reprieve, achieving an adequacy agreement is by no means straightforward. Prior to adoption, it will come under the scrutiny of the European Parliament and regulators. If approval is granted, it would then face the prospect of legal challenges similar to those raised, successfully, against the EU-US Privacy Shield, which was invalidated by the European Court of Justice (ECJ) last July for failing to provide sufficient protections for EU citizens from US surveillance.
As was made clear in the US case, equivalence requires more than data protection compliance alone. Issues that will weaken the UK’s case for adequacy include its implementation of the EU’s General Data Protection Regulation (GDPR) via the Data Protection Act, which came under heavy criticism for failing to uphold the rights of those subject to an immigration procedure. The case to remove the immigration exemption, which was launched by the Open Rights Group and campaign group The3million, is still ongoing.
The latest ECJ ruling in October, which found the bulk data collection carried out in the UK under the Investigatory Powers Act to be illegal, could prove to be equally problematic, as will the UK’s e-evidence agreement with the US, particularly following the invalidation of the Privacy Shield.
Continuity of data flows
Given the importance of maintaining EU data protection standards to obtain this decision, it will be interesting to see whether the UK government will depart from EU policy in the coming months. Conventional economic wisdom dictates that the UK should do everything in its power to satisfy EU requirements for the continuity of data flows for UK businesses.
This logic could be sorely tested, however, if Tory party support for the Brexit deal were to give way to long-held Conservative aspirations, such as weakening the Human Rights Act to curb its use by migrants and asylum seekers.
Other issues to watch for will be whether the UK maintains existing rules on intermediary liability, privacy law and encryption, which are sure to be prime targets for those who favour the interests of the security and surveillance industries over a free and open internet.
The government’s response to the Online Harms consultation in December was telling, as by introducing requirements for automated filtering it provided an early indication that these rules could be set to change.
In contrast, the EU recently published new regulations that would not only preserve existing standards but provide further possibilities to enhance digital rights in the EU.
The Digital Services Act and Digital Markets Act, both currently being examined by the European Parliament, will provide new rules for online marketplaces, social media and other platforms.
They aim to boost the digital services economy while responding to digital problems ranging from hate speech, disinformation and electoral manipulation with a range of new measures providing greater transparency and enforcing the protection of personal data.
This ambitious agenda is not just important for the EU, but it sets an example to third countries throughout the world. The UK may no longer play a part in EU rule making, but – once it is a third country – it will have the option to follow the EU’s value-based approach to digital regulation.
Unfortunately, the path it takes will depend on a government which has few clear policies and an unprecedented influence over the course of the country’s future.
Adam Bowering is a policy adviser working on civil liberties, justice and home affairs in the European Parliament.