Looking for help with the Online Safety Act - Ofcom consultations? Please get in touch. 

Queues of trucks, shortages of carrots, but what about our data? We take it for granted to run our lives. It is the invisible agent that enables everything from sending a photo to a friend, to the vast industrial logistics support for those very trucks that deliver the carrots and other vegetables to our supermarkets.

Data-driven activity is so much a part of daily life in 2019 that we don't even contemplate it not functioning. If it didn't function, we wouldn't either.

The effects of Brexit on the data world are also invisible, lurking under the surface in a quagmire that will make itself felt tangibly if Brexit is in any way allowed to happen ( uncertain and subject to Parliamentary battles at the time of writing).

How can we identify these effects? Here goes.

All data services in the UK, including networks, cloud services, platforms and apps, operate under EU rules and have done so since the 1990s. The rules concern issues such as the transmission, access to and transfer of data and content, and they address issues such as liability and consumer rights in the e-world. These rules address e-commerce activity, cyber- security, telecoms networks, privacy and data protection, and the most recent phase of rule-aking attempts to address issues related to content online and the big platforms. And it's just worth pausing for thought that in that very same period in the early 1990s, a British European Commissioner devised the Single Market, and British civil servants were instrumental in drafting Europe's telecom framework.

The rules were brought in during the 1990s and subsequently reviewed, amended and augmented as the technology evolved and new issues arose. If Britain leaves the EU, it will initially keep these laws, but the problem created isto do with data crossing borders. It does so millions of times a day. With todays apps, smartphones, robotics, sensor-driven systems, and cloud-based services, data flows in multi-dimensional, dynamic and real-time patterns that cross borders all the time and enter multiple jurisdictions. The volumes are eye-watering. Vast swathes of financial data, for example, pass through a data centre in Slough, just outside London carrying trillions of pounds worth of trades between the US and the EU.

Whilst we belong to the Single Market, British businesses can transfer their data, run cloud services, apps, platforms under one set of rules in 28 countries, with the certainty that they conform to regulatory requirements and are considered legal by those 28 governments and regulators. E-businesses can be confident that their services will be accepted by users, in the knowledge that in dealing with an EU data ompany, they can expect a certain quality of service. Importantly, and often forgotten, disputes, should they arise, can be addressed with the European Court of Justice as the ultimate arbiter in difficult cases. EU rules govern liability, consumer protection, interconnection and privacy. The consistent set of rules across 28 countries provides certainty for businesses and consumers and users.

If Britain breaks away, businesses and users lose the certainty of the common framework. A host of EU rules that enable British tech companies to trade across borders will cease to apply.

The rift would put British technology companies at a competitive disadvantage and on a un-level playing field. This is equally likely under the Withdrawal Agreement as it is under a 'no deal'.

A 'no deal' scenario would result in technology companies being very exposed. Importantly, no deal does not mean the status quo (as apparently some in the UK believe). It means that we would be ripped out of the EU legal and regulatory framework with nothing whatsoever to replace it. Depending on the nature of the service, mitigating measures would include moving staff and servers into the EU27, setting up a new headquarters in the EU 27, or going through a lot of legal red tape, likely to be costly. Anecdotally, it's already becoming apparent that British tech firms who trade in the EU 27 are moving in order to continue trading in those countries, as this report from the computer games industry explains. Even a major player like BT has said this could be the case ( giving evidence to the House of Commons Exiting the European Union Committee ) .

The red tape encompasses esoteric legal contracts - known as Binding Corporate Rules (BCRs) or Model Contracts. To implement these types of contracts, firms need to identify how their data flows across borders and how many jurisdictions it enters. For large companies, such as BT with over 18,000 suppliers, this is an enormous exercise, as it also told the Exiting the EU committee. For smaller companies it is not necesarily less complex. A small start up running an app that gathers data from multiple sources (think of some of the apps that run on your phone) and processes it in a cloud-based service, will similarly have to unravel the way its data flows and ensure the relevant contracts are in place. The EU framework is designed to make things easier for them bcause it removes the red tape. By contrast, Brexit is introducing a dual system and unnecessary complexity.

For those who tout WTO as an alternative, sadly, there is nothing there for data businesses. The WTO services agreement (GATS) was drafted in the early 1990s, just as the commercial Internet was getting going. It had an objective to break the national telephone monopolies, but the kinds of networks, services and applications that we rely on today were not even conceived. The WTO has stumbled to even establish a committee to consider e-commerce issues.

In January this year, a contingent of 76 WTO members agreed to launch talks on e-commerce. It has taken them two years from their initial statement of intention to get this far. It will take many more years before we see any progress, and the talks will be held behind closed doors, with no input from civil society or Parliamentary scrutiny. It's a fair prediction that the talks will create a clash between the two big regulatory blocs - EU and US.

It's arguable therefore, that falling back on the WTO means going back to legal framework of 20 + years ago that is not fit for purpose in today's world. British data-driven businesses would have no legal framework for cross-border trade. This is not something that UK business, who currently trade under the EU e-commerce framework, can rely on.

Going back to the EU Withdrawal Agreement negotiated with the European Union by the UK Prime Minister Theresa May - this agreement fails to provide much relief. Anyone who has read it will see the word 'adequacy'. Those who are familiar with data protection law will understand that this is a refers to a process of audit by the European Commission of third country data protection regimes, as established by the GDPR.

It means the European Commission will audit the UK data protection regime. It is by no means guaranteed that the Commission will grant adequacy status. One potential obstacle is the role and activity of GCHQ, which became political in the EU context in 2014 after the revelations by Edward Snowden of the close working between GCHQ and the NSA. As a Member State, the UK benefits from the national security exemption in Article 4 of the Treaty on European Union. After we leave, the EU is no longer bound to give us this exemption. The very sensitve politics around this issue may be problematic.

Leaving the EU, whether we do so under an agreement or with 'no deal', means that we will leave the enforcement framework. This aspect is less frequently discussed and less well understood and potentially underrated. In a nutshell, it means that our regulators will leave the European bodies responsible for overseeing regulations and who address cross-border issues. There are mechanisms built in to EU law for joint enforcement procedures in data protection cases where problems arise between firms and their users in two EU countries, for example. This is the so-called 'one stop shop' system in the GDPR. It's also about joint or co-investigations of major breaches of data protection law. Other joint enforcement procedures address cyber-security and joint working to address major data breaches. For UK businesses and users, this would be a serious loss.

However, siren voices can be heard in the sub-text of the Withdrawal Agreement and Political Declaration, and they need to be listened to. The EU only undertakes to 'endeavour to adopt an adequacy decision by December 2020' meaning that the UK risks going over a data cliff edge in two years' time if the EU's 'endeavours' aren't completed in time. [See Political Declaration 26 November 2018, paragraph9]

Then there is the threat that the adequacy agreement will cease to apply at an unspecified date. This is the language 'essentially equivalent' :

"the United Kingdom shall ensure a level of protection of personal data essentially equivalent to that under Union law on the protection of personal data" [Draft Withdrawal Agreement 14 November 2018, Article 71(3).]

At this stage, it is unclear what this means. To use a cliche, it is a known unknown. We have heard muttering by UK Minsters that they would like to diverge from the EU data protection framework, but we do not know in what ways the divergence would operate. We can read in pro-Brexit proposals a suggestion that the UK extricates itself 'from the strictures of the GDPR' * which strongly suggests that 'divergence' means dispensing with the EU data protection framework.

However, if the UK does indeed leave the European Union at the end of March this year, (at the time of writing, the Parliamentary battle to determine if and how was underway] the meaning of these obtuse pieces of legalese could prove to be signficant, and potentially destructive, for UK-based tech industries.


*The reference is to the IEA Plan A, on which Brexit proponents have relied. The document has been taken offline, I believe because it did not meet the impartiality requirements for charitable status. I have downloaded a copy and have it on file.


About me: I have 10 years experience analysing European Union policy. I hold a PhD in EU Communications Policy as well as a Post-graduate diploma in marketing. For many years I was a telecoms journalist where I interviewed people from industry about the single market, and I've also worked in a service planning role in a telecoms industry start-up. More recently, I've worked with the Council of Europe on Internet governance issues, a role which involved travelling around the EU and neighbouring countries. All of these roles have somehow contributed to my analysis of Brexit issues.

If you are interested in my work, please see my books advertised on this site, or contact me via Contact Us page or Twitter.

If you cite my work, please state the author as Dr Monica Horten, www.iptegrity.com.


Iptegrity moves on!

May 2024: Iptegrity is being re-developed to upgrade the Joomla software.

Please bear with us until the new site is ready.

Find me on LinkedIn

About Iptegrity

Iptegrity.com is the website of Dr Monica Horten. I am an  independent policy advisor: online safety, technology and human rights. In April 2024, I was appointed as an independent expert on the Council of Europe Committee of Experts on online safety and empowerment of content creators and users. I am a published author, and post-doctoral scholar. I hold a PhD from the University of Westminster, and a DipM from the Chartered Institute of Marketing. I cover the UK and EU. I'm a former tech journalist, and an experienced panelist and Chair. My media credits include the BBC, iNews, Times, Guardian and Politico.

Iptegrity.com is made available free of charge for non-commercial use. Please link back and attribute Dr Monica Horten.  Contact me to use any of my content for commercial purposes.