Will your digital rights be privatised in a Brexit trade deal?

Data is a prime commodity. But as with much else, the UK government appears ready to exchange EU-based rights for US market access
By Sashy Nathan

Where does the UK government stand on digital rights? The current position is far from clear: the privacy notice in the new NHS Test and Trace app, for example, shows mixed legal terminologies based on concepts under US law (‘personally identifiable information’) and EU law (‘GDPR’). The confusion perhaps reflects an underlying reality that will affect people in the UK for decades - the government is preparing to trade away your digital rights in order to obtain more digital commerce.

Firstly, by way of background, the different approaches and emphases of the main cyber blocs globally will shape international affairs, including trade, in the coming decades: The US leads the world in big data, with the historic data harvesting activity of the NSA and by way of being home to some of the largest private sector companies or the FAANGs (Facebook, Apple, Amazon, Netflix and Google). China leads in the development of the next generation of technologies such as 5G, AI, facial recognition and its BAT companies (Baidu, Alibaba, Tencent) which are controlled from the Chinese Communist Party. Russia is one of the most effective cyber warfare proponents with its resources in highly-skilled mathematicians and scientists developing capabilities to disrupt political systems at low cost, according to Chatham House.

The EU, in contrast to these three blocs, has promoted a regulatory approach (the GDPR) that has become the global gold standard on data rights, compared to America’s techno-libertarianism and Chinese digital authoritarianism. Professor Anu Bradford describes this choice as the “Brussels effect”, in that regulation in one of the world’s largest, most affluent consumer markets means “multinational corporations accept compliance with EU rules as the price for doing business in Europe.” This in turn “allows the EU to exert passive but deep influence on corporate behavior, transforming global markets in the process.” The UK government’s stance on digital commerce provisions in trade negotiations with the EU and US represents a meaningful fork in the road.

Digital commerce provisions in trade treaties between countries will play a crucial role in how data flows are prioritised over data protection. For example, restricting transparency over AI technology and on access to code or intellectual property protections on copyright material that prevent the right to repair.

Jim Killock, Director of the Open Rights Group told Little Atoms: “The interaction between digital commerce and trade dispute resolutions is concerning, with governments potentially having to pay to enforce their citizens’ rights. It is likely that where tensions arise between human rights and trade, new treaties could incentivise the lowest possible rights resolution, prioritising compensation to corporate bodies for impact on trade.”

In the US, intermediate liability for user-generated content is safe harboured under section 230 of the Communications Decency Act 1996. This clause protects the FAANGs and although under Congressional pressure to be reformed, continues to be used as leverage in US trade negotiations. The US Executive has pressed foreign governments to adopt similar intermediary liability protections for internet platforms as their own, assisting the growth of the FAANGs globally. Both the United States–Mexico–Canada Free Trade Agreement (USMCA) and the 2019 bilateral trade pact with Japan contain digital commerce provisions committing those governments to enact counterpart legal provisions on intermediate liability.

Donald Trump recently signed an Executive Order designed to pressure regulators, including the Federal Communications Commission and the Federal Trade Commission, to come up with new regulations that would curtail the Section 230 immunity in response to Twitter fact-checking him. Joe Biden has also called for the revocation of Section 230 and the adoption of data protection standards “not unlike [the] Europeans”. It is doubtful though that Trump's knee-jerk Order will survive legal challenge nor that Biden’s purported protection would extend extra-territorially to non-US citizens.

In contrast, the EU law (Directive 2000/31/EC) that has governed online content for almost 20 years is changing. Social media platforms are currently not liable for information posted by social media users if they have no knowledge of the illegal nature of the information, or if the platform acts expeditiously to remove, or disable access to, such information of which it has become aware of it. This year’s EU Copyright Directive and the leaked EU Commission Digital Single Market Note on the proposed Digital Services Act, shows that regulation under EU law on liability for user-generated content is likely to escalate very soon. This could mean EU citizens increasingly holding FAANGs to account over the impact of their online business models on digital rights.

On 31 March 2020, whilst the world was locking down, Google changed the legal entity that controlled UK citizens’ data from Google Ireland Limited to Google LLC (its US entity). At a stroke, millions of UK citizens’ internet habits came under the reach of US regulators in Trump’s America, with little to no protections under the US Constitution. Google rationalised this because the UK was leaving the EU and added the assurance that the General Data Protection Regulation (GDPR) remains in force.

Google is pre-empting a longer-term divergence from GDPR-equivalence in the UK by shifting the data controller to its US legal entity. The immediate commercial benefit to Google is that data protection actions brought against Google Ireland Limited will not affect Google’s UK business, protecting for example its 38.8% share of the UK digital ad market (around £5.72 billion annually). In this context, it is significant that it would also mean UK consumers will not necessarily benefit from advances in digital privacy protections in the same way as Europeans.

Google is also anticipating that a future UK trade deal with the EU or the US will actively risk UK citizens’ data being less protected than EU citizens under EU law and US citizens under the US Constitution (and federal legislation). Google is banking on No 10 also pursuing a loose post-Brexit trade agreement with the EU on digital services (given the potential impact of the Digital Services Act) and acquiescing to the US stance on digital commerce provisions including intermediate liability protections for platforms.

The threat to digital rights from trade deals is small when you are a large economic bloc that is unwilling to compromise on the sovereignty of your citizens online. We will understand more in the next six months about the way in which the UK government prioritises US techno-libertarianism over the Brussels effect and in the face of the growing influence of Chinese digital authoritarianism. In this vein, digital rights advocates and UK citizens need to focus on trade negotiations before it is too late.