Conferences usually begin with coffee, a browse around the swag table, and the hopeful search for people you know. For us, WordCamp Europe 2016 began with a dear friend throwing his arms around me on the verge of tears whispering “Heather, what are we going to do?” As we straggled into the venue minutes after the referendum result was announced we were, quite simply, numb. I’ve often said that community is everything, but for many of us here in Vienna these past few days, community was our lifeline, and for that we are ever so grateful.
I came here to do a prepared talk on GDPR. Events changed that. On the second day of the conference I was fortunate to be given the opportunity to present a ten-minute lightning talk on some possible implications of the Brexit vote for the digital professions. Slides were not allowed, so in this post, I am simply elaborating on what I discussed on the day.
All of this is of course conjecture based on my own knowledge and research, and is subject to change at any time.
So what happens next for the digital professions?
First off, this is happening.
Today I have been told at least 3 UK startups lost deals from EU-based investors because funding was conditional on Remain to win.
— Mike Butcher (@mikebutcher) June 24, 2016
Holy crap. Friend with contract with UK has been told to stop work by the client. Already. #EURefResults
— Anna Watts (@drannawatts) June 24, 2016
As uncertainty builds, expect to see more of that.
Are we out of Europe now?
It’s important to understand that the referendum was not legally binding. In fact, the referendum had all the legal force of a Polldaddy poll. Nothing happens until the next Prime Minister triggers what’s known as the Article 50 process to formally remove Britain from the EU. There is every chance it might never happen.
Why is that? This entire referendum was essentially a chess game played between members of a boys club jostling for power. An American conference attendee described it as a very bad case of “hold my beer”. They did not think this was going to happen. They had no plan. They had no blueprint. They still don’t.
The EU cannot force the UK to start the process, nor can any member state.
Can I stop complying with EU laws now?
This is no quickie divorce. If the UK does Brexit, it is at least two years away. Realistically, you are looking at several years after that for all the threads to be cut. This means you still need to be in full compliance with all current EU digital laws as well as any other regulations that come on in that time, including GDPR.
Could the UK remain in the EU with special reduced status?
This is highly unlikely, and here is why.
- The UK could not become an EEA member like Iceland and Norway – sort of in and sort of out – because one of the prerequisites for EEA membership is freedom of movement. Awkward.
- As we learned in the Scottish Independence referendum – the first one anyway – out means out. When you split up with your boyfriend you can’t keep a few boxes of stuff at his place. (I tried. Didn’t work.)
- The rest of the EU is seriously pissed off at the UK right now and is not likely to have the patience for concessions;
- Most importantly, granting special status to the UK – thereby legitimising the referendum result – could set off a domino effect. Every region – not member state, region – with a grievance across Europe would feel empowered to demand greater autonomy and independence. Europe could Balkanise.
If the UK is out of Europe, do we still have to comply with EU digital laws?
If you are doing business in Europe – whether that is selling to European customers, accepting their membership signups, or collecting data on them for professional purposes, you need to be in full compliance with EU digital regulations regardless of a Brexit.
Anyone rejoicing “yay, we no longer have to do cookie law popups” or “no more VATMOSS!” does not understand how EU legislation works.
What happens with EU laws already on the books?
In the event of a Brexit, there is not going to be some sort of scorched earth policy whereby a non-EU Britain deletes every EU law on the books out of bitterness and spite. Existing digital regulations such as the implementation of the Consumer Rights Directive are likely to stay until such time as the UK decides to do something else.
What about EU digital laws in the pipeline?
Let’s review how a Brexit could affect several topics.
Public sector web accessibility in the UK is generally robust and technically progressive. The upcoming EU public sector accessibility directive is really aimed at other member states with poorer public sector accessibility levels. A Brexit will not have any a11y impact.
A Brexit means the UK will be removed from the MOSS system. UK retailers will still be obliged to collect European VAT based on the place of supply of their customers, as they do now, but they will no longer have access to the MOSS portal. This means UK retailers will have to register with the tax authority of each individual member state where they make any sales in order to remit their collected VAT. All those tiny payments on tiny sales will become 27 times more complicated.
What’s worse, the UK led the call for the introduction of a VATMOSS threshold. With the UK out of the EU, the promised threshold is likely to be scrapped.
The EU VAT Action campaign is meeting with HM Treasury and HMRC this week to discuss the next steps.
If you continue to do business in Europe you will still need to deploy your cookie law implementations.
Don’t forget the EU is consulting right now on the next iteration of the cookie law. I’m helping to organise a web industry consultation response and I highly encourage you to participate. Despite the referendum result, we are still going ahead with it! Why? One, we will still be required to comply with the cookie law Brexit or not. And two, the consultation response will give us some experience in liaising as an organised profession with governments in the laws that impact our work. Heaven knows that in the event of a Brexit, we’re going to need to do a lot of it.
This is the big one. In the event of a Brexit, the UK would no longer fall under GDPR, the new EU data protection system taking effect across Europe on 25 May 2018. This would leave us stuck with the outdated 1998 implementation, the Data Protection Act – and needing to come up on our own with something to replace it.
GDPR will require non-EU countries processing data on EU residents – whether that is sales records, big data, or employee information – to comply with GDPR rules and standards. This is known as “adequacy.” In the event of a Brexit, the UK would have to come up with its own version of GDPR in order to achieve adequacy.
There are three very scary dangers here.
The first is that an EU-free UK, led by privatisation-mad Tories, could implement its own data protection structure which is watered down and privacy-light in order to attract inward investment from tech giants. Facebook and Google would jump at the opportunity to remake a nation’s data protection laws from scratch to suit their needs.
The second is that an EU-free UK, with no data protection adequacy, could create Safe Harbor II. The ongoing negotiations on the Privacy Shield system – the US-EU data protection framework – would become tripartite. All data flows and transfers between the UK and US would, in the interim, be paralysed in legal limbo.
The third is that Theresa May becomes Prime Minister and tips the entire concept of data protection and online privacy into the bin. Someone who has been hellbent on ratcheting up mass digital surveillance – whose current pet project is the atrocious Investigatory Powers Bill – may well take over the country. Now would be a good time to join Open Rights Group.
What is immediately ahead for us?
Here is what UK web professionals can expect in the upcoming months.
- “Be careful what you wish for”. Anyone who has advocated leaving the EU specifically to get out of EU digital laws is now going to see what sort of digital laws the UK has in mind on its own;
- You will be under increased scrutiny from EU clients who have to protect their own interests in the face of potentially catastrophic uncertainty;
- You should expect contract renegotiations including exit clauses in the event of a Brexit;
- You may receive data localisation requests as businesses and individuals remove their data from the UK;
- You will witness a heartbreaking brain drain of businesses and people (at least three conference attendees told me they are leaving the UK now);
- We. Need. To. Organise. If we are going out, we need to make sure that the digital profession has a voice;
- Finally, you will come to understand the need, more than ever, for the values of borderless collaboration, friendship, and mutual respect that thrived in abundance at WordCamp Europe. Matt said “we are the 1%” and for us, that can’t be a critique. It must be an obligation.
27 June 2016
In a public square in Vienna watching the Bel – Hun match with friends from Lux. Dear God don't let this end. pic.twitter.com/pI54uegrNx
— Heather Burns (@WebDevLaw) June 26, 2016
About the author
Heather Burns is a digital law specialist in Glasgow, Scotland. She researches, writes, publishes, consults, and speaks extensively on internet laws and policies which affect the crafts of web design and development. She has been designing and developing web sites since 1997 and has been a professional web site designer since 2007. She holds a postgraduate certification in internet law and policy from the University of Strathclyde. Learn about hiring Heather to write, speak, or consult.