As U.S. President Donald Trump continues to be an awkward house guest, don’t forget British Prime Minister Theresa May has finally published the long-awaited Brexit White Paper, outlining what the UK wants and expects from leaving the European Union.
It’s been controversial, to say the least, and cost two of the UK Government’s most senior ministers their jobs, including, rather embarrassingly, the man who was nominally in charge of Brexit! And all that’s before President Trump weighed in and declared in an interview that it was the wrong sort of Brexit deal that was being pursued and that he had advised against it!
Meanwhile Brussels has yet to comment in detail on the proposals, although the current betting is that Chief Negotiator Michel Barnier is likely to deliver another of his by-now-trademark ‘Non!’s.
It’s a hefty document to absorb - 104 pages - and covers inevitably a vast range of topics. Digital and data protection get their own sections. There’s a reiteration of the Government’s line that the UK will be withdrawing from the EU Digital Single Market, but wants to develop a digital relationship that covers trade, e-commerce and technology as well as ensures free flows of personal data between the UK and the EU, something that’s of great significance to tech firms.
The White Paper acknowledges the importance of getting all this right:
The global digital economy is built on the ability to collect, share and process data. This underpins not just digital trade but all trade flows. Any disruption in cross-border data flows would therefore be economically costly while unnecessary barriers, such as the unjustified localisation of data, could also have a serious impact on future prosperity.
The UK’s proposals therefore are based around three main points:
- ensuring cross-border data flows, providing for the removal and prevention of barriers to the flow of data across borders.
- protecting the free, open and secure internet, working with EU partners to lead the global effort to ensure that the internet is safe and open.
- recognising equivalent forms of electronic ID and authentication, ensuring that these are secure, trustworthy and easy to use across borders.
On the subject of regulatory regimes, the UK pitches:
- joint commitments to an open and liberalised electronic communications sector allowing for fair, equal and competitive access for UK and EU businesses to public telecoms services and networks.
- continuing to share cyber-threat information to ensure the UK’s and the EU’s infrastructure is robust, resilient and able to adapt to evolving threats online or to digital infrastructure.
The UK Government says it also wants to get ahead of protecting and promoting the development of new tech, such as AI, that are “vulnerable to non-tariff barriers”. It proposes:
exploring new models for regulatory cooperation between the UK and the EU to tackle these shared challenges and advance shared objectives in the future. For example, the European Commission recently committed to set up a European AI Alliance to develop draft ethics guidelines by the end of 2018. After the UK withdraws from the EU, the UK’s Centre for Data Ethics and Innovation intends to participate in this Alliance, alongside its European partners.
Life after GDPR
Then there’s the really sticky one - data protection and data flows between the UK and EU states. As stated by the White Paper:
Given the importance of data flows for economic growth and our collective security, the UK and the EU must maintain the ability to exchange data in a way that keeps personal data protected. New arrangements will also be essential in underpinning the economic and security partnerships. For instance, enabling consumers in the EU to continue purchasing goods from the UK over the internet, and supporting the exchange of data between law enforcement authorities to combat crime and terrorism.
This is ground that the UK and Brussels have been over before. The EU operates an adequacy framework to facilitate data transfer between EU and non-EU countries that are considered to have laws essentially equivalent to those that safeguard personal data inside the European Economic Area, such as Canada, Switzerland and New Zealand.
The UK wants to use that as “the right starting point” but to go beyond it:
On stability and transparency, it would benefit the UK and the EU, as well as businesses and individuals, to have a clear, transparent framework to facilitate dialogue, minimise the risk of disruption to data flows and support a stable relationship between the UK and the EU to protect the personal data of UK and EU citizens across Europe...On regulatory cooperation, it would be in the UK’s and the EU's mutual interest to have close cooperation and joined up enforcement action between the UK's Information Commissioner's Office (ICO) and EU Data Protection Authorities...The ICO is an internationally respected, influential and well-resourced regulator in this regard.
As a result, the future UK-EU arrangements on data protection should provide for ongoing cooperation between the ICO and EU data protection authorities. This would avoid unnecessary complexity and duplication, and overcome barriers for EU citizens and UK nationals in enforcing their rights across borders and accessing effective means of redress. . A continuing role for the ICO would also reduce administrative burdens for businesses and provide for cooperation on resolving data protection disputes. . Under the new EU data protection regime, this is achieved through the ICO’s participation in the One Stop Shop mechanism.
The UK Government hopes to take the lead here:
The UK is ready to begin preliminary discussions on an adequacy assessment so that a data protection agreement is in place by the end of the implementation period at the latest, to provide the earliest possible reassurance that data flows can continue.
The trouble is Barnier has already given every indication that this isn’t on the cards. In a keynote speech earlier this year, he stated bluntly:
Who would launch an infringement against the United Kingdom in the case of misapplication of GDPR (General Data Protection Regulation)? Who would ensure that the United Kingdom would update its data legislation every time the EU updates GDPR? How can we ensure the uniform interpretation of the rules on data protection on both sides of the Channel?
The UK must understand that the only possibility for the EU to protect personal data is through an adequacy decision.
That’d be a ‘Non!’ then…
With Trump’s behaviour dominating the news agenda today, the White Paper’s contents have been receiving less detailed attention than they probably should be getting. Instead it’s all about diplomatic controversy and wondering what happens when the President meets the Queen - not to mention the nappy-clad dirigible of Trump currently flying above London.
When the dust settles, the weekend will see another round of arguments within the UK Government - cross party arguments! - that will put the focus back onto whether this White Paper (a) delivers on the Brexit referendum result or (b) represents the softest possible Brexit and, as Trump believes, essentially anchors the UK to the EU.
Meanwhile this will all likely change next week once Barnier decides to intervene. It could be a straight ‘Non!’ Or it could be a call to do more work on this, which would be read by the Leave camp as calling for more compromises.
The White Paper does finally put some meat on the bones of “Brexit means Brexit”, but it fails to answer every question that needs to be addressed. As Julian David, CEO of trade association TechUK notes:
This White Paper is a step forward but many questions remain. With just 260 days left until the UK leaves the European Union there is still a lack of clarity on many areas of importance for the tech sector. For those providing digital services far more detail is needed to assess the future impact on their businesses...Companies currently exporting tech services to the EU or dependent on supply chains that are integrated with the EU will need far more detail in order to understand the extent to which the UK’s departure from the EU will inhibit their ability to export.