To launch a new edition of a legal textbook in the very month that the UK is about to leave the EU – let alone a book focused on the internet at the height of the techlash – may seem a little reckless.
Or perhaps not. Internet law stays still for hardly a moment anyway. The couple of months since the 5th edition of Internet Law and Regulation went to press have already seen two domestic High Court decisions, one CJEU judgment and an Advocate General Opinion all on copyright communication to the public; not to mention three CJEU Advocate General Opinions on government powers to mandate communications data retention for law enforcement and security. As I write, regulations have been laid to implement the UK-US Agreement facilitating cross border data and interception requests direct to online service providers. A textbook in this field is inevitably a snapshot of a rapidly changing landscape.
Divergence from EU law
The new edition’s snapshot is taken at the moment when the UK starts to think about forking away from the influence of EU law. How far and fast it will do so after the transition period expires is still largely an imponderable. The UK’s room for manoeuvre will depend on the outcome of the coming negotiations for a trade agreement. In some areas it may be constrained by the desire to obtain a data protection adequacy decision from the European Commission.
If Brexit can be considered a project, then in business process modelling terms this edition is the “as is” analysis of internet law that precedes the post-Brexit “to be” – a reference point at a crucial juncture against which to measure divergence as time goes on.
Generally speaking, EU law will (if not already implemented as domestic UK legislation) automatically be continued as domestic UK law after the end of the transition period unless and until regulations or Parliament do something different by amendment or repeal. However, the Charter of Fundamental Rights will not continue. The extent to which courts will be able to depart from existing EU Court of Justice decisions after the end of the transition period is subject to regulations made during the transition period.
The most immediate changes after the end of the transition period will be in areas that depend on mutual recognition between EU countries, such as the internal market aspects of the ECommerce Directive. No longer will a UK defendant sued in another EU court be able to prevent application of more restrictive laws of the forum to its service provided from the UK, as happened in Martinez v MGN Ltd (C-161/10, 25 October 2011). No longer will PhonepayPlus, the premium rate phone regulator, have to invoke a derogation from the Directive in order to fine non-compliant online services provided to the UK from other EU Member States.
We will also bid farewell to the Transparency Directive, with its prior notification requirement waiting to trip up the unwary legislator who ventured into the field of information society services. The DCMS fell foul of the Directive twice: once with the Video Recordings Act 1984, which had to be re-enacted in 2010 after the discovery that it had not been notified 25 years earlier; and more recently with un-notified guidelines under the Digital Economy Act 2017.
Mutual recognition arises in other areas. The eIDAS Regulation requires Member States to recognise qualified trust providers (which underpin qualified certificates) registered in other Member States. While the UK has already decided that it will continue to recognise providers registered in EU Member States, the converse would not be the case after the transition period unless recognition formed part of the trade deal. Country of origin regimes such as under the Satellite and Cable Broadcasting Directive, the Audiovisual Media Services Directive and the Net Portability Directive would cease to apply to the UK. The post-transition period status of existing UK holders of .eu domain names remains uncertain.
Maintaining the ECommerce Directive
There is likely to be close focus on the intermediary liability shields derived from the ECommerce Directive. Even assuming that the government maintains the principle of alignment with the Directive as its policy, the mechanics of keeping legislation aligned present a formidable administrative challenge.
That is because the 2002 ECommerce Directive Regulations, which initially implemented the non-financial services aspects of the Directive, did not have prospective effect.
Since 2002, therefore, each time a new piece of legislation has been enacted that might impose liability on a conduit, cache or host, the government has had to remember to include the required liability shields in the legislation. The same has applied when any pre-2002 legislation was amended or re-enacted. Sometimes, inevitably, the government forgot to do it. But the gap could relatively easily be filled by passing secondary legislation under the European Communities Act 1972.
As a result we have a complex patchwork of primary and secondary legislation implementing the Directive, numbering nearly 30 separate items at the end of 2019.
Whether the government will be assiduous in including the liability shields in future legislation and how, in the absence of the ability to pass secondary legislation under the 1972 Act post-transition period, it would go about filling gaps when it forgets, are matters for conjecture.
Relatedly, Article 15 of the ECommerce Directive prohibits Member States from imposing general monitoring obligations on conduit, caching and hosting intermediaries. That operates in two ways: it bars the UK from legislating to impose such an obligation, and it requires the courts to observe the prohibition when granting injunctions and applying common law rules. The second aspect probably counts as retained EU law and would continue after the end of the transition period. The first, however, would fall away: Parliament could in the future enact legislation that imposed a general monitoring obligation.
Surveillance and data retention
Since the 4th edition of the book appeared in 2007, surveillance of communications by law enforcement and intelligence agencies has come to the forefront – in part due to the Snowden revelations in 2013. Lord Anderson QC’s 2015 report “A Question of Trust” described the Regulation of Investigatory Powers Act 2000 (RIPA) as incomprehensible to all but a tiny band of initiates. Although the 4th edition dwelt to a degree on RIPA, the legislation unfolded its inner secrets only as litigation brought by various NGOs proceeded through the Investigatory Powers Tribunal.
Now we have the Investigatory Powers Act 2016, which has codified the full range of targeted and bulk investigatory powers ranging from interception to equipment interference, and which introduced independent prior approval of most powers. A complex web of litigation over surveillance and communications data retention powers is proceeding in the UK domestic courts, the CJEU and Strasbourg. Whilst the direct influence of CJEU decisions may wane after the end of the transition period, they will continue to have indirect influence over negotiations for a data protection adequacy decision. As the USA has discovered with its Safe Harbour and, now, Privacy Shield the CJEU may exert its influence from afar where cross border transfers of personal data are concerned.
Copyright and intermediaries
The potential ability to diverge post-Brexit may provide opportunities to address anomalies such as the personal copying for private purposes copyright exception, which would have legalised the universal practice of ripping CDs to personal digital devices. It was struck down on the grounds that the government had not properly considered whether the exception was de minimis for the purposes of the EU InfoSoc Copyright Directive. After the close of the transition period the government would be free to re-implement the exception, should it wish to do so.
The EU Digital Copyright Directive adopted in April last year has to be implemented in Member States by 7 June 2021. Assuming no extension to the transition period, the UK would not be bound to implement it. Indeed the government revealed in answer to a Parliamentary Question on 21 January that it does not intend to do so, and that any changes to the UK copyright framework will be considered as part of the usual domestic policy process.
The EU is also embarking on proposals for a Digital Services Act at the same time as the UK government is considering legislation following its Online Harms White Paper.
The next few years will not be short of activity in the internet law field. In an ideal world would we start from here? Probably not. But if this new edition of the book helps the reader understand what “here” looks like, it will have achieved some of its purpose.
Graham Smith is Of Counsel at Bird & Bird, specialising in internet, IT and intellectual property law. He is the author of Sweet & Maxwell’s Internet Law and Regulation and blogs as Cyberleagle. Email Graham.Smith@twobirds.com. Twitter @cyberleagle.
Image: Public Domain CC0.
The leading title in its field, by Graham Smith and colleagues at Bird and Bird, Internet Law and Regulation presents an analysis of key areas of internet law and regulation. The 5th edition is fully updated to include recent developments relating to GDPR, the Investigatory Powers Act 2016, eIDAS, online intermediary liability, including site blocking injunctions and updated UK and EU case law.