This is a boiling frog scenario, if ever there was one. Giving the UK’s history of moving the line by increment, and given that any kind of EU response when it comes would be akin to turning an oil tanker, the EU would be so utterly stupid to fall for this one. #salamitactics

Anyone, who has ever observed closely how the UK fudged when transposing EU Directives, should know that this is an approach that spells disaster.

Let me tell you a story. Let me give you two examples from my own area of expertise. “Personal data” and “consent”.

Lets start with “The concept of ‘personal data’: a history”.

In the DPA 1998, the UK adopted a definition of personal data that ever so slightly differed from that included in the 1995 Directive it was supposed to transpose.

This small difference allowed the UK courts, in Durant (2003), to interpret the term extremely restrictively, thus potentially leaving large amounts of PD unprotected under UK law.

The Article 29 Working Party subsequently issued guidance (2007) that made it clear that this transposition and interpretation were too restrictive.

To this the ICO responded with its own updated “technical guidance” that tried to reconcile the Durant decision and the WP29 opinion by somewhat fudging the issue. But Durant stood and UK controllers relied on it.

The EU Commission took enforcement action but for political reasons never went beyond a reasoned opinion. Ultimately, it gave up because it dealt with this (and other harmonisation issues) by making the GDPR a directly applicable regulation (2012).

The High Court sanctioned the ICO’s fudge in the Kelway case in 2013. But it took the Court of Appeal until 2014 (in the Edem case) to finally override Durant, kinda sorta.

By then UK controllers had been able to benefit from the Durant interpretation for four years and from the ICO fudge for a further seven years. There was, in any case, no legal certainty and the resulting gaps were exploited.

The story with regard to “consent” is even worse. The revision of the E-Privacy Directive in 2010 introduced the new “cookie consent” requirement, which had to be implemented by May 2011.

The ICO published guidance just before that date, which interpreted this requirement fairly strictly and probably as it was envisaged by the EU legislator: prior consent, informed consent and, most importantly, no “implied” “opt-out” consent.

It largely followed an earlier 2010 WP29 Opinion on Behavioural Advertising. But it also made it clear that it would not enforce the law against controllers for at least a year (side note: what kind of regulator does that?)

However, that approach didn’t last long. The ICO changed its guidance for the first time only a few months later (I think in December 2011) to introduce a more business friendly “implied consent” interpretation.

It then changed it again (I think) in May 2012 at which point it had been fully captured by the Ad industry. It essentially created the “by continuing to use this site” approach.

Controllers leapt at the chance and the infrastructure that arose from that became part and parcel of the digital economy as we know it. Leading by example, the ICO’s own website changed its consent model from strict opt in to “by continuing to use this site” shortly afterwards.

The WP29 responded with a new Opinion in 2015, which included a significantly more restrictive definition. If memory serves, that was the first WP29 that was not adopted unanimously, i.e. without UK approval (although I was not privy to the process, so this could be urban myth).

But my actual point is that even though that WP29 definition was ultimately then adopted as part of the GDPR, the tech infrastructural damage, not just in the UK, was done.

Controllers collected cookies on that basis for years and we are now still living with exactly the Adtech model that the 2009 E-Privacy Directive had tried to regulate. The revised E-Privacy Regulation failed, not least because of Adtech lobbying.

And we have an ICO that just recently used the Corona crisis as yet another reason for giving the adtech industry a break from enforcement.

So, don’t talk to me about this FTA model like it’s a good idea to solve the “no deal problem”. It’s a UK idea, because this is how the UK thinks, how it has always thought and how it operates.

This is how the UK got its way while it was inside the EU and this is how it now tries to get its way outside of it. It has form, when it comes to this approach. It liiiiiives for this approach. It thrives on it.

Because this approach has allowed it, for many years, to do things exactly as it wants, knowing full well that half the time the EU may not bother. Or it will take forever to respond. And if not forever then long enough to allow the UK to “normalize” the thing it wants to do.

I repeat, I hope that the EU is not stupid enough or short-sighted enough to fall for this “proposal”. Because this is my workers and social rights and food and environmental standards, too, that will be undermined.

I really hope that the EU will not let a non-member state get away with the shenanigans it let the UK as a member state get away with. There are bigger things on the line here. /ends