GDPR, Brexit and surveillance: the perfect storm

Brexit has had many divisive and damaging effects, not least of which is the now widely held belief that regulations are damaging for national economies – as though mutually agreed quality, security, safety, and trading standards are somehow a bad thing.

May 15, 2017

It stands to reason that fewer protections can only benefit organisations from which citizens need to be protected, and customer data and cloud technologies are very much part of this issue – especially now that real-time national surveillance of citizens’ communications is becoming a real possibility in the UK.

The US and continental Europe have long seen data protection through different lenses, with the power and dominance of US technology providers being the focal point. The US wants to maintain its market position and national security, while Europe wants to protect its citizens from excessive US power and influence, and to strengthen the laws covering data protection, transfer, and security within its borders.

The incoming General Data Protection Regulation (GDPR) is Europe’s definitive statement about the right of citizens within a digital economy.

It comes into effect in a year’s time, at which point the UK will still be a member of the EU. As a result, all UK organisations will have to comply with its terms – and that will remain the case for as long as the country trades with Europe, whether the UK is a member or not.

This is important for countless reasons – fines of up to four per cent of turnover for data protection breaches being perhaps the least of them, alongside a potential end to the data ‘free for all’ that has given many consumers little more than advertising noise in return for their information.

But another reason has been lost in a fog of US technology marketing for over a decade: ‘the cloud’ doesn’t actually exist.

There is no such thing as ‘the cloud’; there is no egalitarian mist of border-defying code afloat in the ether and uniting all humanity. Instead, there are data centres built on land under national laws – out in the wilds of Utah and Wisconsin, perhaps. That’s where many organisations’ data is actually held, not in the sky.

Data protection is a war that’s being fought on land, not in the air.

For a decade now, ‘the cloud’ has been a brilliant piece of marketing, designed (in part) to persuade organisations to store and process their data remotely and pay for the privilege – usually in the US, under US laws. As a US tech CEO admitted to me at an event in San Francisco some years ago (after I suggested to him that ‘the cloud’ was highly misleading), “We’ve got to give the consultants something to sell.”

But a lot of UK consumers’ data is held in the mainland European Union, which the UK will shortly be leaving. Where will all of those data centres be located post-Brexit? Back in the UK? And who is going to build them all? And if they remain in Europe, then – obviously – they will do so under European laws that are designed to protect all of Europe’s citizens, even the angry nationalists.

Of course, there are countless benefits from cloud technologies, whether they are public, private, community, or hybrid based, and whether they are on-demand applications, infrastructures, or platforms: predictable opex, scalability, and so on; we can all reel them off.

But the fact remains that in many cases, the core issue in the future will be where your data is stored and processed, and under whose laws and oversight.

So, back to the geopolitical standoff between the US and Europe. The UK has long remained offshore from both of these positions, and is now detaching itself from Europe with little in the way of a strategy beyond a rumoured ‘bonfire of regulations’ – a story that was buried in most newspapers by the announcement of a General Election.

That ‘bonfire’ will be to appease the Leavers who, apparently, want nothing to stand between them and any organisations for whom standards and rights might be a hindrance. There’s no doubt that the UK will quietly opt back in to many of these regulations, once the tabloid triumphalism has died down – just as it has many times in the recent past.

The UK’s favoured negotiating position is a smokescreen of noise and fury.

Nevertheless, this ideological gamesmanship would seem to put the UK on a course across the Atlantic and into President Trump’s hands. But in the real world of business, trade with the EU on mutually beneficial terms will be much higher on Trump’s agenda than the expense, risk, and confusion of trading with a small island that is 100 years adrift from empire, and increasingly adrift from its allies too.

It is much easier and cheaper for US technology companies to trade with Europe as a single bloc than it is to deal with separate countries: every US CEO I have ever spoken to in 20 years has said the same thing.

This is the real reason why US technology will become more expensive in the UK post-Brexit – indeed, many US high-tech products already are (check the 20 per cent post-referendum price hikes in your local Apple Store, for example: that was nothing to do with the exchange rate).

But there is a problem with the simplistic assumption that the UK will, automatically, move ideologically closer to Trump’s America in a desperate push for trade. And that is the UK’s national surveillance scheme – the Prime Minister’s pet project when she was Home Secretary.

While US technology companies such as Google, Apple, et al, have been paying lip service to Whitehall’s plans, they have been quietly despairing of the idea and pushing their customers towards greater use of encryption, in recognition of the obvious fact that strong encryption protects and enables digital business, rather than threatens it.

Take the banking sector, for example, the golden coin spinning at the apex of a narrowing British economy. Weakened technology means a weakened banking sector: another reason that some banks may decamp to Dublin or Paris.

In short, US technology companies recognise that an internet that is easier to eavesdrop on at GCHQ is an internet that makes it easier for everyone else to do the same. It’s not complicated.

Weakened encryption and additional back doors will compromise enterprise-grade technology, and it seems unlikely that multibillion-dollar US technology corporations will ever agree to take a hatchet to those products simply to appease a country that has detached itself from one of the world’s biggest markets, however large its domestic economy might (currently) be.

Just imagine the multimillion-dollar lawsuits that might come Whitehall’s way if a weakened product set leads to a major client being hacked, or to that client’s own customers being compromised.

Which brings us back to GDPR. If customer data were to be compromised in an attack – perhaps thanks to the underlying technology being weakened at Whitehall’s insistence – then who will be responsible? Under GDPR, the data owner or guardian will be, regardless of whether downgraded technology was ultimately to blame.

The client will then sue the supplier, and the supplier will sue the British government for forcing it to compromise its product security – and, as a result of its weakened portfolio, for having its reputation dragged through an all-too-British field of legalistic and bureaucratic mud.

And if the cloud companies, telcos, and mobile networks that are tasked, piecemeal, with retaining customer data under national surveillance – and with protecting it under GDPR – fail to do so properly, then yet more legal chaos will ensue.

Remember: there is no national scheme to protect citizens’ data under the new surveillance laws; individual ISPs, cloud companies, and mobile networks must separately secure all the data that the government demands access to. And as the hack of TalkTalk some months ago proved, many are woefully under-prepared.

But in the resulting legal morass, at least the lawyers will be thriving.

All of this, of course, will take place in an environment in which the UK’s regulatory and trading positions will be in a decade-long state of flux and uncertainty, and while many data centres are being repatriated to the UK. A perfect storm of self-inflicted stupidity: mind-boggling incompetence, in fact, masquerading as stability and vision.

The British government urgently needs to start thinking about the real world that it is creating for the innovators that, it says, represent the country’s future.

At present, few people outside the UK can have much confidence in the UK’s digital economy over the next ten or 20 years, despite the countless innovative start-ups and talented coders out there. And that will be a nightmare for those innovators who actually understand the technologies – rather than the marketing spiel – and are making them as strong and as agile as possible.

The UK’s tech entrepreneurs and coders need to be at the heart of this debate, not on the fringes of Whitehall’s ideological myth-making.