This piece looks ahead to what we might expect as IT law develops in 2021.
2020: an extraordinary year of IT transformation at scale, pace and depth
At last, we can see 2020 through the rear view mirror. A year like no other within living memory, its impact on transformation in the world of IT is huge. It can be summarised in three words: Scale, Pace, Depth.
“The digital economy is consuming the old economy” said a former CEO of HSBC recently, neatly if graphically articulating the scale of change.[i] 2020’s ‘tech celeration’ and great shove online have compressed into months changes previously anticipated in years. And headlines in early December 2020 illustrate how the depth of these changes will impact all our lives:
- DeepMind’s AlphaFold AI system predicting a protein’s shape from its amino acid components;[ii]
- Arm Holdings’ Project Triffid to develop virtually no-power IOT sensors;[iii]
- UK regulatory approval of the first mRNA[iv] and DNA[v] Covid-19 vaccines;
- researchers in China manipulating light particles in a quantum calculation reportedly 10bn times faster than anything before;[vi] and
- SpaceX’s Starship SN8 rocket prototype carrying out its first high-altitude test flight.[vii]
The high street
Retail and the UK high street remained the place where these changes were most visible in 2020. The chart below[viii] shows how internet sales as a percentage of total retail sales inclined relatively gently upwards from 3% in 2006 to 20% in 2019, but then raced ahead to 30% in early 2020. The list of well-known UK retailers that went into liquidation or administration in 2020 as a result is likely to lengthen in 2021.
UK Internet sales as a percentage of total UK retail sales (Source: ONS)
Brexit and digital trade
So now we know what “Brexit means Brexit” means. Having ridden up six floors in the elevator of European economic integration, we finally got out at level 2, where we last were in 1960: tariff-free trade in UK- and EU- originating goods, bolted on to the WTO’s basic principles of non-discrimination and equal treatment (see graphic).[ix]
“Brexit means Brexit” means getting out at Level 2
December’s 1,246 page EU/UK Trade and Cooperation Agreement (‘TCA’)[x] adds to this a number of high level terms on services plus commitments to negotiate. These include seven pages aiming “to facilitate digital trade, to address unjustified barriers to trade enabled by electronic means and to ensure an open, secure and trustworthy online environment”.[xi] The Government has called these out as “some of the most liberalising and modern digital trade provisions in the world” and “the first time the EU has agreed provisions on data in a free trade agreement”.[xii]
Brexit and data protection
As an example of the contortions that may lie ahead, many businesses are likely to end up with dual data protection compliance requirements. During the transition period, the GDPR continued to apply in the UK pretty much as before and the TCA defers the UK from being considered a “third country” for GDPR purposes until 30 June 2021 or (if earlier) when the EU makes an adequacy decision for the UK.[xiii] We will be keenly awaiting the outcome of the Commission’s adequacy review.
However, as well needing to comply with UK GDPR, a UK business will also be subject to EU GDPR if it offers goods or services to data subjects in the EU, monitors their behaviour or has an EU establishment. Whilst divergence is unlikely to be material early on, room for inconsistency and conflict between UK GDPR and EU GDPR will grow over time.
If not reviewed before, the main areas affected that will need attention in 2021 are international data transfers, appointment of EU representatives and regulatory oversight for cross-border processing. The fall-out from the ECJ judgment in Schrems II (which struck down the US Privacy Shield arrangements with the EU)[xiv] and ongoing clarification in Brussels of points of EU GDPR detail are also likely to make this a volatile area of law for UK practitioners for a while.
At the global level, the data protection compliance picture is further complicated in 2021 as more states embed their own GDPR-type laws and rules. These include Brazil (September 2020); California (California Consumer Privacy Act: January 2020, California Privacy Rights Act: from January 2022); Canada (bill introduced November 2020); China (draft published October 2020); and South Africa (June 2021).
All the cloud’s a stage
IT transformation will continue to get star billing this year, and the main players are evident as we head into 2021. The cloud sets the stage where digital transformation plays out. In the world of “everything as a service”, efficient use of cloud resources is a pre-requisite to good performances from the rest of the 4th Industrial Revolution cast. Here, AI, 5G, blockchain, process automation, autonomous devices (robots, drones and vehicles), and virtual (aka augmented or extended) reality will be taking up the most important roles in 2021.
Towards the digital supply chain
Against this backdrop, transformation is taking place in different ways across different sectors, but emerging common features across industry include digital twinning, the development of secure digital supply chains and effective end to end governance and management of data and algorithms.
By way of example, the Air Transport Industry (‘ATI’) has faced unprecedented challenges in 2020, from changing traffic patterns, through space and resource re-utilisation, to the green airport and greener ways to fly.
The ATI depends on a complex supply chain of layered, co-ordinated and structured processes, events and interactions from multiple entities including air traffic control, aircraft (in flight, landing, at stand and take-off), airports (departure and arrival), cargo, passengers and ticket distribution.
All these processes, events and interactions, or rather their digital twins, generate vast amounts of digital data. All the actors in the ATI supply chain are reliant on the availability and accuracy of this data: they all need the right data at the right time to perform their role. Viewed through the lens of data, the ATI supply chain becomes data points, data flows and data sharing based on common architectures, and permissioning within and between entities and ecosystems. Rules can be set through smart contracts, blockchain and standards to determine how these processes, events and interactions take place, and the value of data (as an asset) and its risk (as a liability) as it moves through the system.
Each process, event and interaction in the digital supply chain must comply with applicable legal requirements – as critical infrastructure for example, and for cybersecurity, data protection, specific ATI regulation and data contracting and licensing.
The ATI is just one example of representing an industry through a data-centric lens which IT lawyers will see much more of in 2021.
Tech regulation: intermediary immunities and competition law
To the keywords of scale, pace and depth we might add regulation. With significant legislation in the works in Brussels and London, 2021 will be a seminal year for digital regulation, as well pointing the direction that regulatory divergence will take both between the UK and the EU, and between Europe and the US.
Longstanding intermediary immunities and safe harbours from liability are increasingly under challenge around the world “as governments seek to deputise intermediaries to assist in law enforcement”.[xv] These immunities arise in the EU under the E-Commerce Directive,[xvi] which the EU Commission is proposing to overhaul through the two pillars of its Digital Services Act package.[xvii] The first pillar will set out new rules on responsibilities of digital services providers towards their users, and the second will implement new rules on competition.
For the first pillar, the UK government stated in October 2020 that it had “no current plans to change the UK’s intermediary liability regime or its approach to prohibition on general monitoring requirements”,[xviii] indicating that intermediary liability rules in the UK will diverge over time from those in the EU. On the second pillar, 2021 is scheduled to see UK legislative action around a new regulatory regime for online platforms and digital advertising, with responsibility shared between the new Digital Markets Unit of the Competition and Markets Authority, the Information Commissioner’s Office and Ofcom.[xix]
Regulating the distributed web
A feature of 2021 will be the rise of the distributed web, based on open source frameworks for publishing lightweight, peer to peer applications and decentralised data storage (like Holochain), encrypted identity verification (like Keybase) and third party service integration (like Electron). The distributed web heralds a move away from the centralised platforms of web 2.0 and towards a more user-centric, “self-sovereign” internet. But this new web world – where there’s no “canonical” single version of the truth as the data is stored on each user’s device – may make the role of publishers and app developers more challenging in terms of intermediary liability, where the rules are set to tighten and effective notice and take down may no longer be in their gift. As ever, regulation struggles somewhat to keep up with the tech.
Telecoms regulation: OTT and the EECC
How the tides of tech regulation can catch business unawares is shown by the reach of the new European Electronic Communications Code (‘EECC’).[xx] The EECC came into force on 21 December 2020, with the UK deferring certain provisions for a number of months. As part of a series of measures that replaces the 2002 EU telecoms regulatory package, it sets out general authorisation conditions for telecoms services. Under the old rules,[xxi] over the top (‘OTT’) services – calls and messages over the internet – were outside the reach of telecoms law as they weren’t considered to be regulated electronic communications services (‘ECS’). Brussels changed this in the EECC, where most OTT services now fall inside the definition of ECS and, if public ECS (essentially, where anyone can sign up), are subject to certain rules protecting users that the EECC imposes. However, note that the UK has not yet implemented the EECC fully in relation to OTT.
As public ECS, OTT services will also need to comply with the communications confidentiality, traffic data and location data rules in the (old) ePrivacy Directive (‘ePD’),[xxii] which is due to be replaced in the EU by the ePrivacy Regulation (‘ePR’) when agreed, likely in 2021. Of course, as the ePR won’t apply in the UK and how the UK will deal with e-Privacy in 2021 isn’t yet clear. The EECC, ePD and ePR rules are separate from the GDPR and other (largely EU-based) laws protecting consumers online, where the rule books are also lengthening.
With added dimension provided by Brexit, it’s a racing certainty that the scale, pace and depth of IT and regulatory change we have seen in 2020 will accelerate as we head into 2021.
[i] ‘Warning lights are flashing for Big Tech as they did for banks’, John Flint, FT, 29 November 2020
[ii] ‘DeepMind claims major breakthrough in understanding proteins’, FT, 20 November 2020
[iii] ‘Arm unleashes ‘Project Triffid’ to help deliver internet of things’, FT, 24 November 2020
[iv] ‘Regulatory approval of Pfizer/BioNTech vaccine for COVID-19’, UK Government (Medicines and Healthcare products Regulatory Agency (‘MHRA’)), 2 December 2020
[v] ‘Oxford University/AstraZeneca COVID-19 vaccine approved’, UK Government (MHRA), 30 December 2020
[vi] ‘Chinese researchers claim to have achieved quantum supremacy’, FT, 4 December 2020
[vii] ‘Elon Musk’s latest rocket launch is a successful failure’, The Economist, 10 December 2020
[viii] Internet sales as a percentage of total retail sales (ratio) (%) – Office for National Statistics (ons.gov.uk)
[ix] Except for Northern Ireland, which stays in the Single Market at level 5.
[x] Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the one part, and the United Kingdom of Great Britain and Northern Ireland, of the other part
[xi] TCA, Article DIGIT.1, p.116
[xii] UK-EU Trade and Cooperation Agreement Summary, paragraph 62, page 15,UK Government, December 2020
[xiii] TCA, Article FINPROV.10A, p.406. In one of the Declarations published alongside the TCA, the Commission stated its intention to promptly launch the adequacy procedure for the UK under the GDPR.
[xiv] Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18) EU:C:2020:559, judgment of the European Court of Justice, 16 July 2020. The case held that Commission Decision 2016/1250 on the adequacy of the protection provided by the Privacy Shield was invalid.
[xv] ‘Intermediary Liability’, Stanford Law School Center for Internet and Society
[xvi] Directive 2000/31 of 8 June 2000. In the US, the immunities and safe harbours are set out in s.230 of the US Communications Decency Act 1996 (excusing the platform from publisher liability) and s.512 of the US Digital Millennium Copyright Act 1998 (the source of ‘notice and take down’).
[xvii] The Digital Services Act package – Proposal for a Regulation on a Single Market for Digital Services, 15 December 2020 and Proposal for a Regulation on contestable and fair markets in the digital sector, 15 December 2020
[xviii] ‘The eCommerce Directive after the transition period’, UK Government, 16 October 2020.
[xix] ‘New competition regime for tech giants to give consumers more choice and control over their data, and ensure businesses are fairly treated’, UK Government’, 27 November 2020
[xx] Established by EU Directive 2018/1972.
[xxi] At least since 13 June 2019: see the ECJ judgement in Google LLC v Bundesrepublik Deutschland (C-193/18) EU:C:2019:498 (13 June 2019), the Google Gmail case.