Brexit and you: what’s next for digital laws? #wceu

Conferences usually begin with coffee, a browse around the swag table, and the hopeful search for people you know. For us, WordCamp Europe 2016 began with a dear friend throwing his arms around me on the verge of tears whispering “Heather, what are we going to do?” As we straggled into the venue minutes after the referendum result was announced we were, quite simply, numb. I’ve often said that community is everything, but for many of us here in Vienna these past few days, community was our lifeline, and for that we are ever so grateful.

I came here to do a prepared talk on GDPR. Events changed that. On the second day of the conference I was fortunate to be given the opportunity to present a ten-minute lightning talk on some possible implications of the Brexit vote for the digital professions. Slides were not allowed, so in this post, I am simply elaborating on what I discussed on the day.

All of this is of course conjecture based on my own knowledge and research, and is subject to change at any time.

So what happens next for the digital professions?

First off, this is happening.

As uncertainty builds, expect to see more of that.

Are we out of Europe now?

It’s important to understand that the referendum was not legally binding. In fact, the referendum had all the legal force of a Polldaddy poll. Nothing happens until the next Prime Minister triggers what’s known as the Article 50 process to formally remove Britain from the EU. There is every chance it might never happen.

Why is that? This entire referendum was essentially a chess game played between members of a boys club jostling for power. An American conference attendee described it as a very bad case of “hold my beer”. They did not think this was going to happen. They had no plan. They had no blueprint. They still don’t.

The EU cannot force the UK to start the process, nor can any member state.

Can I stop complying with EU laws now?

This is no quickie divorce. If the UK does Brexit, it is at least two years away. Realistically, you are looking at several years after that for all the threads to be cut. This means you still need to be in full compliance with all current EU digital laws as well as any other regulations that come on in that time, including GDPR.

Could the UK remain in the EU with special reduced status?

This is highly unlikely, and here is why.

  1. The UK could not become an EEA member like Iceland and Norway – sort of in and sort of out – because one of the prerequisites for EEA membership is freedom of movement. Awkward.
  2. As we learned in the Scottish Independence referendum – the first one anyway – out means out. When you split up with your boyfriend you can’t keep a few boxes of stuff at his place. (I tried. Didn’t work.)
  3. The rest of the EU is seriously pissed off at the UK right now and is not likely to have the patience for concessions;
  4. Most importantly, granting special status to the UK – thereby legitimising the referendum result – could set off a domino effect. Every region – not member state, region – with a grievance across Europe would feel empowered to demand greater autonomy and independence. Europe could Balkanise.

If the UK is out of Europe, do we still have to comply with EU digital laws?

Sigh.
Yes.
If you are doing business in Europe – whether that is selling to European customers, accepting their membership signups, or collecting data on them for professional purposes, you need to be in full compliance with EU digital regulations regardless of a Brexit.

Anyone rejoicing “yay, we no longer have to do cookie law popups” or “no more VATMOSS!” does not understand how EU legislation works.

What happens with EU laws already on the books?

In the event of a Brexit, there is not going to be some sort of scorched earth policy whereby a non-EU Britain deletes every EU law on the books out of bitterness and spite. Existing digital regulations such as the implementation of the Consumer Rights Directive are likely to stay until such time as the UK decides to do something else.

What about EU digital laws in the pipeline?

Let’s review how a Brexit could affect several topics.

Accessibility

Public sector web accessibility in the UK is generally robust and technically progressive. The upcoming EU public sector accessibility directive is really aimed at other member states with poorer public sector accessibility levels. A Brexit will not have any a11y impact.

VATMOSS

A Brexit means the UK will be removed from the MOSS system. UK retailers will still be obliged to collect European VAT based on the place of supply of their customers, as they do now, but they will no longer have access to the MOSS portal. This means UK retailers will have to register with the tax authority of each individual member state where they make any sales in order to remit their collected VAT. All those tiny payments on tiny sales will become 27 times more complicated.

What’s worse, the UK led the call for the introduction of a VATMOSS threshold. With the UK out of the EU, the promised threshold is likely to be scrapped.

The EU VAT Action campaign is meeting with HM Treasury and HMRC this week to discuss the next steps.

Cookie law

If you continue to do business in Europe you will still need to deploy your cookie law implementations.

Don’t forget the EU is consulting right now on the next iteration of the cookie law. I’m helping to organise a web industry consultation response and I highly encourage you to participate. Despite the referendum result, we are still going ahead with it! Why? One, we will still be required to comply with the cookie law Brexit or not. And two, the consultation response will give us some experience in liaising as an organised profession with governments in the laws that impact our work. Heaven knows that in the event of a Brexit, we’re going to need to do a lot of it.

Data protection

This is the big one. In the event of a Brexit, the UK would no longer fall under GDPR, the new EU data protection system taking effect across Europe on 25 May 2018. This would leave us stuck with the outdated 1998 implementation, the Data Protection Act – and needing to come up on our own with something to replace it.

GDPR will require non-EU countries processing data on EU residents – whether that is sales records, big data, or employee information – to comply with GDPR rules and standards. This is known as “adequacy.” In the event of a Brexit, the UK would have to come up with its own version of GDPR in order to achieve adequacy.

There are three very scary dangers here.

The first is that an EU-free UK, led by privatisation-mad Tories, could implement its own data protection structure which is watered down and privacy-light in order to attract inward investment from tech giants. Facebook and Google would jump at the opportunity to remake a nation’s data protection laws from scratch to suit their needs.

The second is that an EU-free UK, with no data protection adequacy, could create Safe Harbor II. The ongoing negotiations on the Privacy Shield system – the US-EU data protection framework – would become tripartite. All data flows and transfers between the UK and US would, in the interim, be paralysed in legal limbo.

The third is that Theresa May becomes Prime Minister and tips the entire concept of data protection and online privacy into the bin. Someone who has been hellbent on ratcheting up mass digital surveillance – whose current pet project is the atrocious Investigatory Powers Bill – may well take over the country. Now would be a good time to join Open Rights Group.

What is immediately ahead for us?

Here is what UK web professionals can expect in the upcoming months.

  1. “Be careful what you wish for”. Anyone who has advocated leaving the EU specifically to get out of EU digital laws is now going to see what sort of digital laws the UK has in mind on its own;
  2. You will be under increased scrutiny from EU clients who have to protect their own interests in the face of potentially catastrophic uncertainty;
  3. You should expect contract renegotiations including exit clauses in the event of a Brexit;
  4. You may receive data localisation requests as businesses and individuals remove their data from the UK;
  5. You will witness a heartbreaking brain drain of businesses and people (at least three conference attendees told me they are leaving the UK now);
  6. We. Need. To. Organise. If we are going out, we need to make sure that the digital profession has a voice;
  7. Finally, you will come to understand the need, more than ever, for the values of borderless collaboration, friendship, and mutual respect that thrived in abundance at WordCamp Europe. Matt said “we are the 1%” and for us, that can’t be a critique. It must be an obligation.

Vienna, Austria
27 June 2016

About the author
Heather Burns is a digital law specialist in Glasgow, Scotland. She researches, writes, publishes, consults, and speaks extensively on internet laws and policies which affect the crafts of web design and development. She has been designing and developing web sites since 1997 and has been a professional web site designer since 2007. She holds a postgraduate certification in internet law and policy from the University of Strathclyde. Learn about hiring Heather to write, speak, or consult.

4 thoughts on “Brexit and you: what’s next for digital laws? #wceu

  1. Great article. I’m in Australia, so doesn’t directly affect me, but very interesting.

    Worth noting that I comply with EU cookie law on some of my sites, even though I’m in Australia, because it’s a requirement for Google Adsense (for EU visitors). So UK sites using Adsense will need to do that as well even if Brexit happens.

    Also, my memory could be deserting me, but when I looked into EU VAT (because we’re supposed to collect too), I had feeling I could register with a single country to submit it (even though I’m not in the EU). So presumably businesses in a brexited UK could do that too?

    • Hi Stephen, thanks very much.

      You’ve hit another question on the head, which I suspect the EU VAT Action team will raise in their meetings this week. Non-EU states have to choose a member state to register with for MOSS purposes under what’s known as the non-union scheme. Logically, UK traders would choose Ireland simply for language purposes. The question is whether Ireland is able or willing to accept several million additional sellers in its systems, especially given last year’s chaos. A related question is whether with the UK out, the EU scraps the promised threshold, which will impact every small trader in Europe. Registering for a non-union MOSS scheme is an acceptable process for a handful of sales. With no threshold, registering with a non-union MOSS scheme to process hundreds of literal pocket change payments is another.

  2. Great article, Heather! 🙂
    To be honest, I was really shocked when I saw the vote results. In the nowadays global economy we need each other in order to succeed. EU has its flaws, but EU members need to work together in order to make it better.
    I’m not from the UK, I am from Bulgaria. For the last 6 months I’ve been thinking and planning how to enter the UK market. But right now I don’t know if there is any point of even trying. I guess my services’ denial rate would be huge, because, you know, I am one of “them”.

    • Hi Val, thanks for your comment. Mario Peshev and Petya Raykovska from Bulgaria are two of the colleagues who I admire the most.

      It breaks my heart to hear that someone might not want to enter the UK market for fear of racism. As an immigrant myself I have experienced only two incidents of racism in 14 years, but I’m in Scotland, which is much more open and friendly than certain other parts of the UK. What I will say is, don’t give up hope yet. I haven’t.

Comments are closed.