13 November 2020
Guest blog by Emily Jones, Associate Professor in Public Policy, and Beatriz Kira, Senior Research and Policy Officer, both at the Blavatnik School of Government, University of Oxford.
The Government’s new approach to digital trade deserves close scrutiny. It has described the new digital provisions in the UK-Japan agreement as going “far beyond the EU’s” to make the deal “truly cutting-edge”. Digital trade is a priority in negotiations with the US too. Earlier this week a spokesperson said the UK and US have already agreed provisions on digital trade and data that are “forward-leaning” and argued that this would make a UK deal attractive to the new Biden administration.
The new provisions impact how easily data can flow across borders, the extent to which citizens’ personal data is protected, and shape the way we regulate the Internet and manage new technologies like artificial intelligence and algorithmic decision-making. They have implications for large and small businesses, as well as consumers, and workers.
In the UK-Japan agreement, the UK is shifting away from the EU’s approach in some key areas, towards the approach taken by the US and Asia-Pacific countries. The provisions appear to have been crafted with an eye to the UK acceding to the Comprehensive and Progressive agreement for Trans-Pacific Partnership (CPTPP).
What are the implications of the Government’s new approach? So far, we know little. There is hardly any substantive analysis in the public domain, and the Government has yet to provide a detailed explanation or an appraisal of its choices and their implications. Although, the Government did consult a range of stakeholders, in-depth discussions have been limited as only businesses had a seat on the government’s trade advisory group on telecoms and technology. Consumers have had little input, even though protecting digital rights is one of their top priorities for the UK’s new trade agreements.
Time is short. Parliament only has a few weeks to scrutinise the UK-Japan text before it is ratified. Here are three areas where more analysis and discussion are needed:
The most striking changes are in the UK-Japan provisions on cross-border data flows and data localisation. Data underpins the digital economy, and the flow of data across borders is vital for integrated supply chains and the cross-border provision of digital products and services. Yet the ways in which personal data are handled raises concerns, as illustrated in the recent Facebook and Cambridge Analytica case and frequent reports of data breaches.
The provisions on data flows in the UK-Japan agreement are similar to the approach found in recent US trade agreements and the CPTPP. Governments agree not to impose restrictions on the cross-border flow of data, including personal data, where this is for business transactions, or impose data localisation requirements, although some specific and limited exceptions apply including for public policy measures (Article 8.84 UK-Japan).
The EU has not been willing to make these types of commitments in its trade agreements, fearing they would not be compatible with its approach to data protection, embodied in the EU’s General Data Protection Regulation (GDPR). Privacy experts agree. Instead the EU takes a unilateral approach, only allowing its citizen’s personal data to flow freely if it deems that privacy is adequately protected in the data destination country, the so-called adequacy decision. To secure an adequacy decision, the EU requires other jurisdictions to maintain levels of protection equivalent to the GDPR.
The UK Government has taken a different approach in the UK-Japan agreement, and signalled that it wants to change the UK’s regulations on data protection and champion cross-border data flows. At the same time, it has promised to maintain high standards of privacy protection and is seeking a data adequacy decision from the EU, which is vital for UK business and for cooperation in law enforcement.
How does all this align? The UK may be hoping to follow Japan’s footsteps, and secure an adequacy decision from the EU while also agreeing to the types of commitments found in the UK-Japan agreement. But navigating multiple, possibly conflictual, regulatory regimes is no mean feat, and careful analysis of how best to do this and the implications of moving away from the EU’s approach is needed. What are the implications of the new UK-Japan provisions for data protection and privacy, and for an adequacy decision from the EU? The answers are far from obvious, the stakes are high, and the Government’s approach needs to be carefully analysed before the UK-Japan deal is ratified.
The UK-Japan agreement includes a ban on mandatory disclosure of source code, software and algorithm expressed in that software. The recent controversy involving the use of algorithms to predict GCSE and A-level grades in the UK has placed the use of automated decision-making systems in the public spotlight. These systems are increasingly common in public life and, despite their benefits, they raise public policy concerns related to the risks of discrimination, including gender-based and racial-based, and lack of fairness and accountability.
Experts have argued that, in order to protect individuals subject to automated decision-making, algorithms should be accountable and citizens should have a ‘right of explanation’, by which the reasoning behind a decision is presented to them. The Government has promised that the new Online Harms Bill will demand more transparency from companies about their algorithm designs. There can be many ways of explaining an algorithm, and views on what would be the correct way vary, but some forms of transparency could potentially clash with trade secrets and copyright provisions in trade agreements.
Previous EU agreements, including the one with Japan, already included prohibitions on forced disclosure of source code and software, but the UK-Japan agreement broadened the scope of the protection to include “algorithms expressed in that source code” (Article 8.73.1 UK-Japan). In doing so the UK takes a similar approach to that of the US. Even though the new agreement provides broader exceptions than the ones found in the CTPPP and United States–Mexico–Canada Agreement (USMCA), it leaves less flexibility for government policy-making than the previous EU-Japan deal.
The challenge for trade negotiators is to craft the language on exceptions so that they are able to accommodate future regulations that aim to ensure accountability and oversight over automated decision-making – especially vis a vis individuals’ rights to explanation and reasonable inferences. Does the UK-Japan agreement strike the right balance between protecting the intellectual property of businesses and the ability to regulate new technologies? Again, more detailed analysis is needed.
Internet platforms that host user-generated content such as Facebook, YouTube and Twitter are usually considered intermediaries and not publishers of such content. From a public policy perspective, to what extent should these companies be held legally responsible for online harms and illegal activities conducted by internet users?
The UK-Japan agreement, like the EU-Japan agreement, does not include general rules governing the liability of internet platforms. This is prudent, as there is currently no consensus on which liability model the Government should adopt domestically to address online harms, with an Online Harms Bill expected in 2021.
However, the UK-Japan deal does introduce an intermediary liability regime for intellectual property infringement which was absent from the EU-Japan agreement (art.14.59 UK-Japan). The provision offers Internet companies with immunity to claims of intellectual property violations, so long as they take action to prevent access to infringing materials – a so-called ‘safe harbour’ provision. Safe harbours are contentious. Tech companies and civil society organisations argue that requiring platforms to take action imposes a de facto filtering or blocking requirement, with chilling effects for freedom of expression online. But governments are under pressure from media companies to clamp down on the online dissemination of illegal content. Governments face the difficult task of balancing free-speech concerns with the need to protect innovation and the creative industries.
The US has domestic legislation that provides safe harbours, and the EU recently adopted a similar approach in its new Copyright Directive, although this was highly contentious. While the US agreements and CPTPP contain provisions similar to the one agreed in the UK-Japan agreement, the EU has been reluctant to agree to provisions on safe harbours in its trade agreements (although they were included in the EU-Canada agreement).
Given the controversies around safe harbours, and now that the UK has left the EU, does it want to stay with the EU’s Copyright Directive or change its approach? And what are the implications of the new intermediary liability provisions in the UK-Japan agreement for citizens’ fundamental rights, including the freedom of expression online? More analysis and information are needed to make sure the liability rules are well-balanced and serve the public interest, and not only corporate interests.
Parliament has only a few more weeks to scrutinise the UK-Japan deal. Given the changes in the approach on digital trade we describe, and the lack of evidence and discussion around these issues so far, there is an urgent need to better scrutinise provisions related to cross-border data flows and privacy, algorithm disclosure and accountability, internet regulation and online intermediary liability rules, and to understand the implications of the UK-Japan precedent for future trade agreements.
The opinions expressed in this blog are those of the author alone and do not necessarily represent the opinions of the University of Sussex or UK Trade Policy Observatory.
The UK Trade Policy Observatory believes in the free flow of information and encourages readers to cite our materials, providing due acknowledgement. For online use, this should be a link to the original resource on our website. We do not publish under a Creative Commons license. This means you CANNOT republish our articles online or in print for free
[…] of cross-border data flows, mandatory algorithm disclosure and privacy were thoroughly discussed. It became evident that both businesses and human rights organisations […]