Since the UK left the European Union, UK tech firms have called for clarity around the impact of EU privacy laws on the ability to operate digitally overseas.
In our focus feature, this week’s article of the week comes from the 2023 Cloud for Business report by Raconteur, as distributed in The Sunday Times: Mark Ballard’s article on this hot topic.
Some states have taken such strong measures to impose their sovereign power over the internet that they have created a reckoning among global powers. Brexit threw the UK right into the centre of the argument.
The UK’s digital legal regime has been uncertain since it left the European Union, with a reform of the landmark EU privacy law stalled in parliament, and numerous regulatory reviews and proposals underway. Tech firms have called for clarity, and expressed fear that the government will make the UK into such a maverick regime that they will be blocked from doing digital business overseas.
The UK took a markedly transatlantic stance in reforms it began last year, and in digital trade negotiations it has been participating in around the world. Europe’s GDPR, widely celebrated as the gold standard in privacy, has already influenced legal reforms across the globe, from Brazil to India, Rwanda to South Korea. Some US states are even taking cues from European standards. Commentators say this was the aim of Europe’s digital agenda: to assert its digital sovereignty by drafting laws to protect individual human rights in cyberspace and to project them around the world. For the UK meanwhile, Brexit had been its own act of digital sovereignty, says Sarah Pearce, a partner in global privacy and security law with Hunton Andrews Kurth. By separating data law from the EU, the UK has taken active ownership of it.
UK tech firms have been both worried and encouraged by the draft bill that followed that separation: the Data Protection and Digital Information Bill. Phil Bindley, director of cloud computing at UK-based Intercity, says his business has been left guessing about how the proposals will affect it. The draft bill promises a “bold”, extra-EU data regime that will be “pro-growth” and designed to make it easier for companies to innovate with the use of data.
Nevertheless, says Bindley: “The regulatory uncertainty is a sword of Damocles hanging over our heads. It’s very difficult to make strategic decisions.” Bindley says GDPR brought the realisation to many businesses that the data they hold isn’t theirs. “You are the custodian of it. GDPR was a great step forward,” he says.
Regulatory uncertainty had since suppressed UK innovation and growth, Chi Onwurah, the Labour Party’s shadow minister for science, research and innovation, told a conference of software engineers in February. The Conservative government’s tech policy lacked ambition and was “wholly inadequate”, she said, because it treated regulation as a barrier to innovation and growth. She went on to explain that regulation actually created growth, because it gave people trust in technology, which brought tech firms more users. And more users brought more investors. Yet Matt Peake, policy director for Onfido, a global UK artificial intelligence software firm, points out the dangers of overly stringent regulation.
“GDPR can act as a brake on innovation and a chill on investment. There are a lot of hoops and hurdles to go through to generate new products,” he comments. For all its good points, “it can be over-restrictive, highly burdensome, quite costly to comply with and goes beyond what it needs to protect user data,” he says.
Onfido had been trying to use its customer data in innovative ways, but repeatedly found that EU rules make it “really, really difficult”. It had tried to build new services for its customers in financial services and found they were afraid to use them for fear of being prosecuted. But Peake also worries that the UK will diverge so far from GDPR that it will lose its adequacy in EU law. A formal EU adequacy decision in 2021 granted EU and UK firms permission to share data because post-Brexit Britain had not diverged from the data statute it inherited from the EU, but this decision could be reassessed.
“We need to process data all over the world with minimal restrictions. The risk is we take a data sovereign approach and it becomes harder,” says Peake. He fears a global fragmentation of data flows.
Eve Maler, chief technology officer of identity software firm ForgeRock, believes the world is entering an era of heavy regulation of AI and data and is also concerned about the impact. “It can be an overwhelming burden,” she says. “I’m concerned with crushing innovation.” She thinks the government should leave the market to innovate choice for users, and keep regulation to defining broad principles of behaviour, which should be stated in the negative.
In an October 2022 edition of the Maastricht Diplomat podcast, Margrethe Vestager, the European commissioner responsible for data, AI and social media, stressed that choice is an aim of the “digital agenda” by which the EU has been extending its digital sovereignty.
The energy and commodity shortages that have followed Russia’s invasion of Ukraine have exposed clear vulnerabilities in the EU’s dependence on Russian fossil fuel and Ukrainian minerals. The EU’s sovereignty push, which strove beyond data privacy to build indigenous cloud and chip industries that could rival those of US and Chinese firms, likewise strove to reduce the EU’s dependence on sole foreign suppliers. But Europe’s digital sovereignty project has drawn comparisons to authoritarian regimes such as China and Russia. It has also attracted criticism from the White House, which lobbied against elements of the EU’s proposals.
Europe insists that it seeks not separation but a competitive market that brings choice of technologies. Western countries, citing fear of foreign interference, have meanwhile stopped Chinese tech firms from dominating communications infrastructure within their borders, and blocked Russian misinformation in digital media. Choice aside, Suki Dhuphar, head of EMEA at software firm Tamr, believes innovations in EU government data processing are held five to 10 years behind China and the US by heavy regulation. “Rightly or wrongly”, China’s advanced handling of data, such as issuing automatic fines to jaywalkers, set an example. UK reforms would ease rules on police data processing, but such innovations are being challenged in EU courts.
Widespread mistrust of the internet was apparent in conversations that Joe Baguley, EU chief technology officer of cloud software firm VMware, has had with government officials around the world, and with executives from all sectors of industry. Government officials have increasingly asked Baguley for his advice on building sovereign cloud-computing systems within their borders. Their motivation is to ensure that the most sensitive data isn’t stored in some other country where foreign governments might interfere with it.
The UK made combating such fears one of the main thrusts of its post-Brexit digital policy. Declaring mistrust a risk to global trade that could be resolved only by the recognition of common data-privacy rules in international forums, it pursued agreement on “global trusted data flows” in the OECD and G7 clubs of democratic nations.
In December, it struck a trade agreement with Japan, which had been striving for a common global data adequacy. This issue was also on the agenda of talks which the UK and US opened in January. Trust was in the spotlight again – after the US wrote into an adequacy agreement with the EU a capitulation to various long-standing demands for checks on US interference in cyberspace. Their agreement sought to heal mistrust that stemmed from the infamous Snowden revelations that the US, hunting for terrorists, had tapped the world’s internet traffic in ways that federal law forbade it from doing to its own citizens. The US relinquished some of this sovereign power it had assumed over the global internet.
The OECD, where the UK took its effort to establish a “pro-growth and trusted data regime”, turned the US intelligence reforms into a pledge by which other countries said they would pursue the same course. The Covid outbreak exposed how severe public distrust was in the internet when it emerged that people in minority, vulnerable and disadvantaged communities withheld data from health authorities for fear it would be used against them by other agencies with nefarious intent.
In reality, the laws underpinning the EU’s digital agenda were never about sovereignty. They were only an attempt to restore people’s trust in cyberspace, so that digital trade and firms could thrive. This point was made by Werner Stengg, one of the architects of the EU laws in Vestager’s office, in a webinar by The Atlantic Council, a US think-tank, in November. Software firms celebrated UK proposals to pare back the EU rules, which would allow personal data troves to be used for research and development, and soften permission requirements around data use.
The UK data regulator made the first step, for the sake of innovation and growth, by allowing firms to decide when, where and how it was safe to trade data with foreign regimes based on a mere risk assessment, instead of detailed and onerous comparisons required by the EU.
In a globalised world, where masses of digital data are generated every second of every day, the waters of data sovereignty are muddy to say the least. In many ways, the issue for businesses is less about drawing lines of geographical ownership around intangible data, and more about simply protecting that data, wherever it is being held.
Firms in certain sectors will necessarily focus on the economics of data protection legislation because, for them, data is currency; something to be monetised for innovation and growth. But for most businesses, data sovereignty is about looking after the customers who keep them running. Businesses rely increasingly on cloud solutions and internet-based applications, and this means data is being stored and processed in more ways and places than ever before. And with the UK’s regulatory future beyond 2025 still looking unclear, it’s important for businesses to do their own due diligence when it comes to protecting themselves, as well as their customers and partners.
It’s important for businesses to know where their data resides, what’s in the cloud provider’s small print, and who is responsible for the security of that data. Because even if data is sat on a server in the UK, the company managing the service could well be based elsewhere in the world and governed by different laws. Amazon Web Services, for example, has UK data centres, but it is an American company with a global support staff and system administrators. Both companies are responsible for securing the data, but which would be held legally responsible if it was stolen? In the event of a breach of UK consumers’ data, the Information Commissioner’s Office will be unforgiving of businesses who haven’t done their due diligence and implemented every protection possible.
More than that, consumer expectations around data are such that, if they can’t be assured their personal information is in safe hands, they will take their business elsewhere. GDPR went a long way in solidifying the idea that data belongs to the subject, not the business it is being entrusted to. Following Brexit, UK legislators now face the unenviable task of wrangling data laws into some semblance of submission while balancing the needs of businesses and the expectations of consumers.
Arguably, any resulting legislation needs to be thought of as the end point for businesses, rather than a place to begin. Responsible, forward-thinking businesses will already be thinking of customer data as a privilege to hold and an asset to be protected. But the sheer volumes of data being generated can be overwhelming, and businesses may want to consider partnering with a trusted third-party provider who can take care of data management, storage, security, backup and yes, compliance, for them.