Quick admin note

Seven months after I last logged into this site, it’s safe to say that I’m no longer actively updating it. Since October 2020, I’ve been working full-time on the front lines of post-Brexit tech policy. When my work day is over, understandably, it’s rather difficult to want to treat the same subject as my out-of-hours hobby.

Even if that wasn’t the case, the site’s purpose has largely come to an end. The “what if” phase, where we speculated what the UK’s post-Brexit tech regulation landscape might look like, is over. We’re in the reality now. And, yes, it’s every bit as dark and difficult as I warned it might be. But I’m in that fight, as opposed to watching it helplessly from the audience, and that is where I like to be.

I want to thank everyone who consulted this site, bookmarked it, referenced it, and used it as a teaching resource from its first iteration in late 2016 onwards. I also want to thank those who donated to cover its running expenses, and cover the odd coffee, when I had a donation form up.

If you want to discuss any of the topics on this site further, you can find me here, here, or in the sunlit uplands.

What the Schrems II ruling means for Brexit

This morning the CJEU issued its long-awaited ruling on the “Schrems II” case. Of all the ways it could have gone, the ruling was the best possible outcome where privacy is concerned, and in many ways, where the Brexit transition is concerned too, particularly with SCCs.

In my view, however, the ruling’s invalidation of the Privacy Shield system carries a warning shot for the UK regarding its approach to securing a data protection adequacy agreement.

The UK is a Five Eyes partner with a less-than glorious history of its own domestic surveillance issues. We were, as I have said for years, barely an adequate country in terms of domestic surveillance while within the EU. To secure adequacy, the UK’s privacy practices will need to be better outside the EU than they were in it.

Where does this go next? Trade deals. After all, the UK is trying to align itself closer to the US system – no Federal privacy law, a highly politicised debate on intermediary liability, and open threats to encryption – than to the EU system. What the UK compromises now also compromises the integrity of the web.

For now, if you send EU data to the UK, I would strongly advise securing standard contractual clauses ahead of the Brexit transition deadline. You can no longer assume the UK will be granted data protection adequacy. Not after today.

This is important, because the Minister for Digital recently set out securing adequacy as a pillar of the UK’s upcoming digital strategy. This change of tone came after Boris bombastically declared in February that the UK would go their own way on data. If that digital strategy isn’t going to fall over before it begins, government must work with the tech sector, cluster groups, civil society, and tech policy bodies to iron these issues out, understanding the implications for both the economy and human rights if they don’t. Let’s get to work.

Learn more about data protection, adequacy, and Brexit.

Where are we now?

On the fourth anniversary of the Brexit referendum, I wanted everyone to know that I’ve not forgotten this site. I’m continuing to update it quietly in the background. I had grand plans to do a full redesign, as well as blog on a more regular schedule, but the COVID lockdown has limited my energies. Bear with me as I get them back.

For now, I can offer you a handful of purely personal observations based on my own work behind the scenes in policy-land.

First, the EU has fully shifted its attention to the Digital Services Act and the next several years of its digital vision. When you follow those debates, participate in those workshops, and speak with people on the ground in Brussels, you don’t ever hear the B words: Brexit and Britain. We have left the stage, in every sense. We are not seen as an asset, nor are we seen as a threat. We’re seen as a toxic ex who they have moved on from, and they are so over us. Nothing more. The B word you do hear them discussing, however, is Beijing.

Second, the UK still lacks a digital vision to replace the Digital Single Market. What it has offered so far is a glut of frameworks, design codes, white papers, and reports which – as I have said for years – do not constitute an economic and commercial strategy: they constitute a moral and behavioural one. They’re missing the point. Internet regulation, to Conservative politicians and policymakers, means trust and safety issues around American platforms. This stance is always presented in a negative, reactionary, and hostile tone. Those issues are the internet and the businesses who work on it, as far as they are concerned. They should use the Covid pause to step back and think about bigger pictures, talent, skills, and incentives for homegrown businesses, rather than hectoring about morality, THE CHILDREN, and building policies around specific individuals they don’t like personally.

Third, the battles I discuss in this blog have shifted from the Channel to the Atlantic. Trade deals, not divorce deals, are where issues like data protection, intermediary liability, and cybersecurity will now be hammered out. The problem is that the UK spent four years seeking to spite the EU and align itself to America. So they got what they wanted: except it’s Donald Trump’s America, where digital policy – such as it is – is determined by his personal grievances, vendettas, and conspiracy theories, and where the overt goal is to destabilise and control any digital infrastructure, be it legal or technical, that gets in his way.

And that’s why a handful of my friends remember the state of me, four years ago at this moment, drained of colour and rubbing my queasy stomach. Everything running through my head that morning has come to pass, but in a world far sicker than any of us could have imagined.

The next day

With the UK now out of the European Union, it is clear beyond any doubt that Brexit is being used as a means for British policymakers to embark on an open regulatory experiment. Legislators across all parties, think tanks, and media outlets are seeking to fundamentally redraft the legal and social foundations of the open web, our access to it, and our use of it, under the guise of “taking back control”. This policy drive is unabashedly nationalistic, specifically promoted as a “British Model” of internet regulation crafted to “British values”. Yet those values, whether they aim to take the form of replacements or wholesale eliminations of European digital frameworks, are far darker than what they will replace. Many proposals coming out of government will dramatically restrict freedom of speech, freedom of expression, and personal privacy, while imposing severe new obligations for content moderation, filtering and censorship, and corporate monitoring. They will regulate private behavior in the online world in ways not replicated in the offline world.

This drive to turn British tech businesses into the arbiters of civil discourse, as well as arms-length privatised law enforcement bodies, carries grave implications for the sector’s economic future as well. The divergent “British Model”, which will see the UK operating under its own set of restrictive rules not replicated in any other western system, is being sold as an incentive to trade deals – when, in fact, it is a barrier to them. The implementation costs for domestic businesses for compliance with the “British Model” will make the UK an impossible place to do business online, and will render the UK a no-go zone for foreign investment in our domestic tech sector.

It is our work, our projects, our startups, our businesses, our content, and our livelihoods which are stuck in the middle. Professionals working in the sector must not assume that we will be consulted on these changes, or that our experience will be respected. Equally, we must proceed on the understanding that the removal of European safeguards on human rights, privacy, and freedom of expression will not protect our users, or ourselves, from the “British Model” and its rapacious demands for a more restricted, monitored, and surveilled open web.

This is a daunting time for us, both personally and professionally. Yet as the makers of the web, we are only helpless bystanders to this process if we choose to be. Please use this site to empower your advocacy efforts on behalf of our industry and the amazing people we build the web for every day.