On 5 March 2020 Oliver Dowden, Secretary of State for Digital, Culture, Media and Sport gave a speech to the Media & Telecoms 2020 & Beyond Conference where he identified “open and effective use of data” as an opportunity of leaving the EU, pledging to remove “unnecessary barriers whenever they arrive.” This speech was given in the context of the Prime Minister promising to “restore sovereignty” over data protection, claiming,”The UK will in future develop separate and independent policies in areas such as… data protection, maintaining high standards as we do so.”
Since the General Data Protection Regulation (GDPR) came into force on 25 May 2018, everyone’s day to day experience of the GDPR has involved a constant barrage of requests for click acceptance of third party cookies as each website has tried to implement compliance with a GDPR regulatory requirement that was ill conceived. In C-suites across the world there has been fear of incurring massive fines for breaches of the GDPR. Neither the cookie clicks nor the massive fines are helpful for trade and citizens’ protections; third party cookies are soon going to be eliminated and the regulatory desire to impose massive fines for breach of personal information is misguided, by reason of the fact that scientific developments over the past two decades have established that the legislative protection of sensitive personal data are worthless because anonymised data can be reidentified by the merging of two or more databases – see Professor Paul Ohm of Georgetown University Law Centre’s 2010 landmark paper Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization.
Third party cookies, which enable tracking of citizens’ browsing activities, are a technology which was phased out last year by both Apple and Mozilla and is to be phased out by Google within the next two years. They are incompatible with the encrypted DNS deployment initiative, whose participants have produced new versions of browsers, some of which are already being rolled out across the USA. These “DNS over HTPPS” (DoH) and “DNS over TLS” (DoT) browsers will improve security for ordinary web users and mobile users respectively, through the use of end to end cryptography to eliminate man-in-the middle attacks and stalking. High standards, as referred to by the Prime Minister, are different from obsolete standards. In less than four years since coming into force, the GDPR will have established itself as an obsolete standard because third party cookies will no longer function.
It is not surprising that a key provision of the GDPR is becoming obsolete in our browsers. GDPR genesis predates social media systems because it took nearly 25 years to come into force. In promoting it as a data protection gold standard, the European Commission (EC) chose to completely ignore the ‘fundamental misunderstandings’ raised by Professor Ohm in his widely cited analytical paper published over ten years ago. It was too big a problem to be addressed under the EU’s inflexible code Napoleon top-down system of law made by unaccountable institutions and delivered to the citizens who are required to comply. As a result, the GDPR has become an erroneous response to the protection of personal data in a world of massive open public databases, big data and social media systems. In the intervening years, the concept of digital sovereignty has taken root in nation states across the globe and, in the words of Oliver Dowden, “open and effective use of data” without having to overcome “unnecessary barriers” has become essential for effective trading systems.
Google has seen where this is heading. According to Google’s new Terms and Conditions which come into effect at the end of March 2020, all UK customers have to agree (if they want to use Google’s services which will include its Chrome browser, Chrome Operating System (OS) and Google Drive) to become a customer of Google LLC, a company established in 2002 and “organised under the laws of the State of Delaware, USA, and operating under the laws of the USA”. Google LLC will become the controller as far as UK users will be concerned and the controller will therefore not be established in the UK nor any EU state. Instead Google’s UK customers will be interested in how the US Federal Trade Commission (FTC) controls companies such as Google LLC.
It is clear from listening to statements from the Cabinet Office, the DCMS and the International Trade Secretary that the direction of travel for the UK, post Brexit, in respect of Digital Trade with the USA will be in accordance with working with the US Department of Commerce and US businesses to come up with a shared protective consumer regime. This needs to be effective, comprehensive and proportionate to the very real harms caused by misuse of personal data. As a common law country, any future US Federal Data Protection laws will be conceptually and judicially similar to data protection laws in other common law Commonwealth countries such as India, Australia and the UK. On this basis, Free Trade Agreements (FTAs) in respect of consumer rights for dematerialised goods and services are going to be capable of implementation in the form of mutual recognition processes amongst common law countries. The adaptability of judicial reasoning in the construction of legislation across common law countries can implement the regulatory consequences of the science of deanonymization.
Thus, under a UK-US FTA it would be straightforward for the FTC to be authorised to extend its protections not just to US consumers but to UK consumers whose personal data is held in the USA by companies, like Google LLC. This would not be a big ask of the US authorities because on the FTC website it states:
The Federal Trade Commission Act allows the FTC to act in the interest of all consumers to prevent deceptive and unfair acts or practices. In interpreting Section 5 of the Act, the Commission has determined that a representation, omission or practice is deceptive if it is likely to:
- Mislead consumers
- Affect consumers’ behaviour or decisions about the product or service.
An early UK-US FTA for Digital Trade. which puts beyond doubt that the term ‘all consumers’ in FTC practices includes ‘UK consumers’, would immediately give effective remedies and redress for UK consumers whose data is being held in the USA under agreements such as those of Google LLC. Given that it was the FTC that fined Facebook $5 billion for mishandling users’ personal data, the protections given to UK consumers would be a real and valuable Brexit bonus.
On 2nd March 2020, FTA discussions between the UK and the US were started by Liz Truss, the UK International Trade Minister, with the publication of a 184 page document which explicitly stated in respect of Digital Trade:
- Include provisions that facilitate the free flow of data, whilst ensuring that the UK’s high standards of personal data protection are maintained, and include provisions to prevent unjustified data localisation requirements.
- The Government notes stakeholders’ responses regarding data protection and privacy standards in the UK and will ensure that robust protections for personal data are maintained…… The Government has taken note of the UK’s interest in facilitating the free flow of data and eliminating unjustified data localisation requirements. Cross-border data flows are an important facilitator of both digitally enabled and digitally delivered trade in goods and services. For example, it is estimated that more than 72% of UK services exports to the US (approx. £46 billion) were delivered remotely in 2018, the majority of which were due to cross-border data flows. …
- The Government recognises the key role of the UK’s Audio Visual (AV) and Creative Industries sectors to the UK economy and consumers. The UK AV sector exported more than £2.4 billion worth of services to the US in 2018, while the Creative Industries exported more than £9.9 billion worth of services to the US in the same year. The Government notes the strong case for ensuring both world-leading sectors are supported by a UK-US FTA.
Notwithstanding the immense problems caused to trade by COVID-19, it should be relatively straightforward for the UK civil servants working for the International Trade Secretary to propose, via video conferencing if necessary, an early UK-US FTA relating to Digital Trade given the similarities between our common law based regulatory processes – possibly to be completed by the late autumn of this year. A Digital FTA in place by this Christmas could be a big boost to our AV and Creative Industries at what might otherwise be a difficult time for international trade. The prospects are less favourable for a UK-EU27 FTA addressing Digital Trade unless there is an acceptance by the EU27 of the comprehensive failure of anonymization as a protective measure for European citizens. The EU27 would need to accept whatever protections the UK and USA, in association with other common law countries in the Commonwealth, eventually propose as the regulatory answer.
The post A UK-US Digital trade agreement should replace obsolete GDPR by the end of 2020 appeared first on Global Vision UK.