Today Theresa May has pulled the trigger to begin the process of withdrawing the UK from the European Union.
(This is likely to lead to Scottish independence and the reunification of Ireland, thereby ending the United Kingdom and reducing England and Wales to an atrophied rump, but we’ll deal with that another day.)
We have had nine months to digest what Brexit will mean for the digital industries and for those of us working in them. We still have more questions than answers. But at least we know those questions.
So let’s explore them. In this briefing I am going to explain the impacts that Brexit will have on the specific structures, policies, and legislation which govern the crafts of design and development in the UK.
This post is a mashup of previous posts I have written and much of the speaking I have done, particularly to the Scottish Ruby Users Group in March 2017 and at WordCamp Manchester 2016. I track individual policies at a sister blog, but this is a longread meant to be read as a full briefing.
I thank everyone who has asked me questions at meetups and conferences since last June, as your questions have helped to shape my own thought process.
When the trigger is pulled
The UK now begins a two-year process of negotiating its exit from the European Union. What will happen in those two years is a debate for another place and time. It is not even certain that there will be any progress forward at the end of it.
Regardless of what does and does not happen, all existing EU legislation remains in place until the divorce. All pending EU legislation in the pipeline will also come into effect as normal. For our purposes, this includes GDPR, the critical EU data protection reform.
Even after the formal exit, all existing EU law will remain in place until replaced by something else. (Followers of American politics will note similarities to the “repeal and replace” debate: you cannot just spitefully pull legislation out of the books without having something to fill the gap.)
Be careful what you wish for. Post-Brexit UK legislation is not guaranteed to be automatically better than the European legislation it will replace. In fact, where some policies are concerned, the UK’s version may well be worse. But more on that in due course.
Extraterritoriality and equivalence
It is important for digital professionals in the UK to understand the concepts of extraterritoriality and equivalence.
European laws pertaining to commerce and digital apply to the people within the EU, not to the countries of the service being accessed.
A Canadian business trading with customers in Europe is beholden to European consumer protection, taxation, and privacy laws. Those customers are not beholden to Canadian laws.
So it will go after Brexit. British businesses trading with customers in Europe, whether that is selling goods, collecting data for the provision of a digital service, or offering software and apps, will continue to be beholden to EU laws.
Let me repeat that. After Brexit, you will have to continue to comply with EU e-commerce, taxation, data protection, and privacy regulations for your European customers.
What changes is that outside the EU, you will lose your right to have a say in how these laws are created. Your voice becomes that of any other third party lobbyist.
Anyone who voted “leave” thinking it would get them out of cookie law popups or VATMOSS submissions needs to have a word with themselves.
Thus we come to equivalence. European data protection law requires any non-EU third country doing business with European customers to prove they have a data protection system in place deemed equal to and adequate with EU data protection law.
If you were still in the EU this would not be a problem as you would be coming into compliance with it regardless. (Indeed, you should be working towards your GDPR compliance now ahead of the May 2018 deadline.)
After Brexit, several years down the road, it is likely that you will need to retain EU data protection standards for your European clients even if, as looks likely to happen, the UK’s own post-EU data protection regime is watered down and handed over to market forces.
This will create the strange situation where your customers still in the EU could have more protections than your domestic customers do.
This is called “taking back control”.
Specific policies and legislation
The Digital Single Market
Digitally speaking, Brexit could not have come at a worse time. It will leave the UK half-in and half-out of a half-completed programme of legislation called the Digital Single Market. This EU strategy aims to create just that – a digital single market across all of Europe – which would allow all 27 countries to work, trade, and code with each other on the same set of rules, ranging from taxation to privacy to copyright.
The DSM has three pillars:
- Access: e-commerce, parcel delivery, geoblocking, copyright, VAT
- Environment: telecoms and media, online platforms, illegal content, security and personal data
- Economy and society: data economy, standards, skills and e-government
The policies which make it up run to the dozens. They haven’t always worked out on the first try. But they are the necessary growing pains on the way to creating a trading bloc which is worth, depending on what source you read, between €370 and €450 billion per year.
The Cameron government was unabashedly in favour of the DSM. The May government is pulling us out of it. This means that on the day of the divorce we will have some DSM regulations in place while the incomplete parts will vanish into the ether.
This means that the very legislative fragmentation which the DSM is working to eliminate will land squarely in our laps.
The DSM will, of course, go on without the UK, leaving one digitally minded trading bloc which knows exactly what its rules, rights, and opportunities are, and one anti-digital island sulking off its northwestern coast, having taken its ball and gone home.
Yes, I used the phrase “anti-digital”. More on that later.
GDPR (General Data Protection Regulation)
GDPR is the continent-wide overhaul of the European data protection regime which, incredibly, dates back to 1995. In the UK we know it as the Data Protection Act. GDPR brings rules created in the dialup era bang up to date for the cloud, and adds a lot more responsibilities, accountability, and individual rights. It becomes legally enforceable on 25 May 2018.
GDPR is absolutely massive. It’s difficult. It’s necessary. And after nearly a year of getting to grips with it, I’m prepared to say it’s a little bit awesome.
The good news is that GDPR is the one thing we have clarity on. The May government has confirmed that the UK will be going into GDPR, regardless of Brexit, and will be staying there for the foreseeable future. The UK’s data protection regulator, the Information Commissioner’s Office (ICO), is constantly publishing useful, plain-English compliance information at their GDPR page.
(Yours truly has also written a compliance guide which will be published in time for the one-year countdown. You’ll love it. I promise.)
Now here’s the problem.
What comes after GDPR?
In a few years’ time, when there is a bit of space between the EU and the UK, what sort of domestic data protection regime will the UK government adopt?
Let’s phrase that another way: what sort of data protection regime will the most pro-surveillance, anti-privacy government ever to exist in peacetime – the one that came up with the Investigatory Powers Act, the Digital Economy Bill, and “necessary hashtags” – want to put in?
I’m worried. You should be too.
Here’s my advice: get into compliance with GDPR and once you are there, do not budge.
The ePrivacy Directive
Twinned with GDPR is the refresh of the ePrivacy Directive, a piece of legislation which deals with communications metadata, e-marketing lists, device fingerprinting, and (whispers it) cookies.
Yes, this is the refresh of the cookie law. Don’t fire your party cannons just yet. It is still in draft as of this writing.
The ePrivacy refresh is expected to take effect on the same day as GDPR, 25 May 2018.
As has been previously stated, you will still need to comply with it for your European customers after Brexit.
Why is that a much bigger problem than administrative hassle? It’s because, as I said at the beginning of this piece, it may well come to pass that your European customers and service users have more privacy protections and rights over their data than your domestic users do.
The Place of Supply reforms, hashtaggingly known as VATMOSS, were the controversial tax rules meant to target tax-dodging multinationals which instead devastated small businesses and sole traders.
Following public outcry and grassroots political organisation, the EU tax bods announced a proposed plan of reforms in December to take effect in 2019.
The system will, at that time, be rolled out to the sale of physical goods as well.
After Brexit, if you continue to sell into Europe, you will need to continue collecting and paying in MOSS taxes. It is likely, however, that the UK will lose its MOSS portal.
When that happens, you will be required to register with an EU member state as a non-union member for MOSS purposes.
Cue English-speaking Ireland getting hammered with UK VAT registrations.
So you’ll be dealing with HMRC for your domestic taxes and the Irish Revenue for your European sales. Fun!
There are some superb pieces of accessibility legislation in the pipeline, including the European Accessibility Directive (public sector websites and apps) and the European Accessibility Act (hardware, e-books, and the like.)
What happens to accessibility law after Brexit remains to be seen.
It raises yet another issue that was not dealt with in the lead-up to the referendum: is Brexit also a withdrawal from EU technical standards? What happens when all of Europe’s disabled can count on their ATMs, televisions, and ticketing machines working for them, but a trip across the channel becomes an inaccessible nightmare?
As for withdrawing from the European human rights and equalities laws which guarantee the rights of the disabled in the first place, that is more of a headache than we can deal with this morning.
Other digital policies
There are other digital issues in the pipeline such as geoblocking, copyright, and the rollout of 5G, which I cover separately.
The UK’s domestic plans
Returning to our “repeal and replace” metaphor, what sort of plans has the May government come up with to salve over the difficulties of Brexit?
The Brexit White Paper
February’s white paper on Brexit confirmed the conversion of existing EU law into UK law, confirmed GDPR, and, bizarrely, repeated the definition of what the Digital Single Market is.
Its publication did include this Twitter card exalting “New trade agreements with other countries”, featuring a map of bright lines flying over the EU to other places.
I found this rather arrogant, as if the government was trying to dictate business models by PR campaigns and not practicality.
Sadly it gets worse.
The UK Government Digital Strategy
After fifteen months of excuses that were their own sort of drama, the government unveiled its grandiose Government Digital Strategy in February. This was their long-awaited plan for a bold, independent, ambitious post-Brexit digital Britain.
It’s worse than rubbish, in fact. Here’s why.
The missing plans
A Parliamentary watchdog, the Business, Energy, and Industrial Strategy Committee, spent several months trying to drag a straight answer out of the May government concerning its post-Brexit digital plans.
The Government responded with this bit in January, which was published in a Committee report:
We are currently involved in the following EU negotiations related to the digital economy:
- Reforming the European Copyright Law package
- Electronic Communications Framework Review
- Services Package, as part of the Single Market Strategy, including the Services notification procedure
- General approach on geoblocking
- General approach on Consumer protection Co-operation
- Digital Single Market VAT (e)-package (VAT on e-commerce, e-publications, e-books)
- Free flow of data initiative
- Legislative Proposal on Services Passport
That list of DSM and general digital regulations, in that answer to a Parliamentary question, in a January response to a question asked last July, is the only place you will see these policies mentioned. Anywhere. They’re not in the Government Digital Strategy, they’re not in the internal strategy, they are…nowhere.
They have not been discussed before that Parliamentary report, they have not been discussed since, and there has been no further explanation.
This evasion confirmed a fear none of us could have envisioned on 24 June: Brexit is being used as a cover for the laws, policies, and regulations which shape our craft to be renegotiated in secret with no discussion, transparency, or accountability.
Taking back control means taking it away from you, not “them”.
I was sufficiently disturbed by this turn of events that I met with my MP, who took my concerns into the House of Commons.
Watch for yourself.
The bottom line
After nine months of rhetoric and reflection, here is what I have come to realise about what Brexit will mean for the digital industries and for the work that we do.
The May government uses the word “opportunity” a lot: Brexit is an opportunity to trade with new markets. It’s an opportunity to shape new legislation. It’s an opportunity to scrap red tape.
What they are doing is engineering a self-fulfilling prophecy.
They are telling you that you can find new markets and opportunities outside of the EU, which is all well and good.
But they are telling you that while doing their best to deliberately make it unnecessarily difficult, if not impossible, to continue trading within the EU. When that happens you will have to find someplace else to do business. Now that’s an opportunity. Right?
I had come to understand that before last weekend, when the Home Secretary launched an uninformed attack on our industry, “named and shamed” digital service providers as being complicit in the lone wolf attack on Westminster, and even used the right-wing media to imply that my friends are terrorist sympathisers.
— Heather Burns (@WebDevLaw) March 26, 2017
If you’re asking yourself how the government is squaring its strategies and promises for digital with its reactionary and uninformed attacks, stop. You are overthinking the matter.
All of that is a reminder that we haven’t even touched on the key questions of Brexit: freedom of movement, the right to work, and the right for many of our friends and colleagues to continue living here, doing business here, and contributing to our communities here. As Kirsten said in the House last week, most of us working in digital have only ever known the EU, freedom of movement, and freedom of trade. We have more to wrap our heads around than we can possibly realise.
So what does Brexit mean?
There is no precedent for an entire industry being pulled out of the only regulatory system it has ever known, while its members lose the personal freedoms of trade and movement which facilitated the creation of the industry in the first place.
There is no precedent for that being done to an industry behind its back.
And there is no precedent for that being done to an industry while it is being publicly associated with terrorism.
That is what Brexit means.
Brexit is a culture war
Last month I told a group something that I could barely believe was coming out of my mouth: Brexit is an attack on digital culture. I thought I was being over the top for rhetorical value. Sunday proved I wasn’t nearly radical enough.
Our industry is inherently international, inherently borderless, and inherently cooperative. The May government believes in isolationism, withdrawal, and the re-establishment of borders.
Digital says we are one world linked together by the better angels of our nature. Theresa May says “if you’re a citizen of the world, you’re a citizen of nowhere.”
She, and those who follow her, are now using last June’s referendum to act on that belief. The vicar’s daughter is going to build Jerusalem in England’s green and pleasant land, and you are not welcome there.
Make no mistake. We are working in anti-digital culture. We are working in a hostile state. Brexit is a culture war and you will be dragged into it. React accordingly.
Organise. Because God knows the ostensible industry bodies that should be livid about this are too close to government at best or deliberately up its backside at worst.
No one is speaking up and speaking out for you. It’s down to us. We have to do it for ourselves.
So that is where we, as an industry and as the people who work within it, are standing on the morning of 29 March 2017 as the Article 50 trigger has been pulled.
But we’re still standing.
Continue to stand, and stand together. Because, as we saw on Sunday, it’s getting personal.
They are going to try to take those of us who love this industry down and they are going to try to get us to turn against each other the way they have gotten this once beautiful country to turn against itself.
They come, they come, to build a wall between us. We know they won’t win.
Bryan Glick has responded to this piece in Computer Weekly by saying:
Digital law specialist and blogger Heather Burns wrote an excellent article outlining the complexities and challenges for the tech community from Brexit, but I disagreed with her on one important point. She says Brexit is “anti-digital” and calls it “an attack on digital culture”. I can’t see that Brexit is a conscious and knowing attempt to prevent the digital revolution, as I think Heather implies. Instead, I see it as a symptom of the wider attempt by those vested interests to prevent or delay the implications of the digital revolution – an attempt that is mostly an instinctive, unconscious reaction to the changes they see taking place in the world around them; changes that threaten their worldview.
I agree that vested interests are in play here, whether conscious or not. The difference for us here is that the Luddites fearing digital culture (as elaborated on in Bryan’s piece) are not the only voices heaping scorn on our industry. There is also a security apparatus tipping poison and paranoia into our work.
— Nadine Dorries (@NadineDorries) March 27, 2017