UK startup blasts gov’t plan to downgrade data protection

The UK government’s post-Brexit appetite to ‘reform’ domestic privacy rules by reducing the level of protections wrapping people’s data is already having wider ramifications for the country’s tech ecosystem.

Last month the Department of Digital, Culture, Media and Sport (DCMS) announced a consultation on reducing privacy standards — claiming ‘simplified’ rules would be a boon for business innovation.

Now a homegrown scale-up has blasted the consultation in an excoriating blog post — warning that any reduction in data protection standards will “certainly” damage its EU business and could even weaken its US business, given that a number of states (such as California) have already passed similar laws to Europe’s General Data Protection Regulation (GDPR).

US lawmakers on both sides of the aisle are now also pressing the case to pass comprehensive federal privacy legislation. So — outside the UK at least — the direction of travel on personal data is toward greater protections, not fewer.

But inside the UK ministers are eyeing current high standards wrapping data and looking for ways to downgrade those protections — making a superficial claim that reducing privacy rights will be good for business.

What deregulation will certainly mean is increased legal uncertainty and risk for businesses — and potentially a lot of lost business too.

In the blog post, Cronofy, a 2014-founded UK startup which sells a calendar API and scheduling platform for enterprises, writes that it’s making preparations to prevent a domestic deregulatory bomb cratering its business — saying it will be opening a new company in the Netherlands and offering customers the ability to contract with Cronofy BV under Dutch law.

“That will become the new HQ for all of our data processing so we can be under the oversight of the Dutch data regulator and thus the EU,” writes CEO and co-founder Adam Bird. “Our new General Counsel overseeing all of this is Dutch.

“How does Britain fare out of this? Not very well I’m afraid,” he adds, suggesting the restructuring will also mean Cronofy ends up reducing the level of investment it makes into UK skills and UK jobs.

Bird is not alone in blasting the UK proposal to rip up data protection rules, either.

The UK’s newly appointed information commissioner, John Edwards, defended the current data protection rulebook in a pre-appointment hearing with MPs, describing the UK’s GDPR as a ‘how to not a don’t do’ just last month.

While, earlier this month, Ed Vaizey, the former minister of state in charge of DCMS (now Lord Vaizey), warned the UK must stay aligned with the GDPR — or face “disastrous” consequences for the economy and digital businesses.

“The U.K. was very influential in how data protection legislation was drawn up when we were members of the EU so I think it’s slightly odd that we should shy away from that legislation,” Vaizey told TechCrunch last week.

“You do not want a position where you make yourself vulnerable to attacks by the EU to say that your data protection regime is not adequate and we can’t therefore have cross-border exchanges of data — that would be disastrous. So whether we like it or not we will have to keep to a certain extent in lock-step with the European Union.”

However even the policy noises coming out of DCMS appear to be doing damage to UK Plc.

In his blog post, Bird describes Cronofy as “a truly global company” — one that’s (currently) headquartered in the UK but with revenue split 55% US, 25% EU, 9% UK. Meaning 91% of the scale-up’s revenue is from exports.

“EU GDPR legislation has not harmed our US business and in many cases has been an advantage,” he goes on. “Having to confront data privacy requirements from the founding of the business puts us at a distinct advantage as US companies wake up to having to protect people’s information.”

Before Brexit ‘got done’, Bird says a “significant” number of EU customers were already raising concerns about what the UK’s departure might meant for their (sensitive calendar) data and relationship with his business.

“We will always do our utmost to protect people’s private data. However we were making these assertions against the backdrop of the UK government grandstanding in the name of ‘strong negotiation’, even to the extent that they voted to break international law,” he continues, saying that even before the end of the transition period customers weren’t confident Cronofy would be able to stand by its word or that the UK government would bother to enforce compliance even if it kept the same data standards on paper. “Even more importantly, they couldn’t give that reassurance to their end users,” Bird adds.

The government’s noises now about ‘simplifying’ UK data protection standards are the “final straw” for Cronofy.

In the consultation document, DCMS talks about carrying out “reforms to create an ambitious, pro-growth and innovation-friendly data protection regime” while “maintain[ing] high data protection standards without creating unnecessary barriers to responsible data use” — but there’s no doubt the proposal’s aim to remove layers of protection.

Ministers are, for example, considering expansive legal permissions for businesses to use data for ‘innovation’ purposes, whatever that might mean (hint: anything) — and consulting on removing the need for individual consent to process certain types of data, among other potential amendments to the UK’s version of GDPR.

Entirely removing a provision that gives people a right of review of purely automated decisions that have a legal/equivalent impact is also being eyed by government.

(And on that front, the professional body BCS, aka The Chartered Institute for IT, has warned today against such a drastic step — suggesting in a blog post that increased clarity of the existing provision would be the more judicious policy than keeping it exactly as-is or dumping it altogether.)

“With the recent announcement by the government of the changes they want to make to the UK’s data privacy legislation, it seems that those fears were well founded,” writes Bird, sounding the alarm over the direction of UK data policy.

“It wants to move to a ‘do and ask for permission’ model driven not by benefit to mankind but instead by commercial interests. Whatever we say to our customers about how Cronofy approaches data privacy and controls, corresponding enforcement will not follow.

“We can make our protestations about ISO certifications, data management controls, segmented data hosting. However, prospective customers won’t necessarily get that far because we’ll be discounted based on our location. I don’t blame them. Data protection is fraught and complicated. Why even entertain the risk of going with a provider from outside the EU.”

If the UK’s level of protection gets downgraded, the immediate risk is the UK will lose a key data flow agreement with the EU — which has only just be put in place now it’s a so-called ‘third country’, in EU terms.

UK companies with customers in Europe rely on this EU ‘data adequacy’ agreement for smooth running as it allows for personal data to flow freely from the bloc to the UK. But if UK law is assessed as no longer equivalent the European Commission has said it will revoke the arrangement signed off this summer.

The data flows deal already includes a sunset clause — meaning there will be an automatic review of UK standards in 2025.

But EU lawmakers warned they could revoke it at any moment if there’s divergence. So blistering attacks on UK privacy policy by homegrown entrepreneurs like Bird are unlikely to go unnoticed in Brussels…

“This national act of self-harm will have ramifications for decades to come,” Bird warns. “It turns out that Project Fear [as Brexit supporters dismissively dubbed objections to leaving the EU by those that wanted to remain], was actually Project Fact.

“Instead of taking it as a warning of something to avoid, the UK government seem to have taken it as an outcome to exceed. Whilst in isolation, Cronofy being collateral damage is unimportant. What we are facing is a worrying portent for the UK and its relationship with the rest of the world.”

“I expected and wanted to be building Cronofy into a world-beating, UK company. Membership of the EU gave us an enviable platform to do that and, in turn, invest that success back into the UK,” he adds, underscoring his point that UK government policy has left Cronofy with little choice but to restructure its business in a way that puts the EU at the core.

DCMS has been contacted for a response to Bird’s blog post.

For a glimpse of the future that awaits UK startups if government ‘reforms’ end up torching the UK’s data adequacy status see the EDPB’s intricate guidance on transfers to third countries. And prepare to level up your legal expense budget..

Are you a UK startup with views on the government’s Data: a new direction proposal? Get in touch by contacting natasha@techcrunch.com 

Ex-minister predicts ‘huge battleground’ over UK’s plan to set Internet content rules

The former UK minster of state for what is now the digital and culture department, DCMS, has warned of the looming battle in parliament over the exact shape of incoming online safety legislation.

In an interview with TechCrunch, Ed Vaizey — a former Conservative Party MP, now Lord Vaizey of Didcot, who was head of the culture, comms and creative industries department, as it was then, between 2010 and 2016 — predicted a huge tug-of-war to influence the scope of the Online Safety Bill, warning that parliamentarians everywhere will try to hang their own “hobby horse” on it.

The risk of over regulation or creating a disproportionate burden for startups vs tech giants is also real, Vaizey suggested, setting out several areas that he said would require a cautious approach.

“In theory it’s just going to be the big platforms that will be regulated,” he said of the scope of the Internet Safety Bill, which was published in draft form back in May — and which critics are warning will be catastrophic for free speech.

“Some platforms that should be regulated could potentially not be be regulated. But you’re right that people are concerned that, in effect, there’s a paradox — that it could help the Facebooks of this world because the regulatory hurdles that get going might be too big. And if anyone is capable of being regulated it’s Facebook, as opposed to a startup. So I think that’s something we have to be very careful of.

“Secondly, although I support the principle of legal but harmful content being regulated I have no doubt at all that that is going to be the big battle in parliament. The balance between legal but harmful free speech is going to be a huge battleground. And it will be interesting to see in what form it survives.

“And thirdly — I think, paradoxically — everyone is going to try and hang their own particular hobby horse on this piece of legislation.”

With sweeping goals for the Online Safety (neé Harms) Bill from the get-go — the government is proposing to make online platforms tackle not just illegal but harmful content, which could mean everything from terrorist propaganda and child sexual abuse material to racism, bullying, pro-suicide and pro-eating disorder content to anti-vaxxer views — the draft legislation has attracted plenty of concern and controversy already, and the formal parliamentary debate hasn’t even started yet.

The ‘hobby horse’ risk could mean a vast encrusting of an already wide-ranging proposal for Internet regulation, with MPs trying to barnacle on all sorts of issues and grievances that can be loosely attached to the digital sphere. But it will be UK tech businesses saddled with risk and regulatory red tape at the end of the process, while fundamental British values like freedom of expression could be caught and crushed in the middle.

Signs of MPs’ appetite to shoehorn random pet peeves into what some have dubbed a “kitchen sink bill” are plain to see.

Just last week, concerns were raised that anti-sex work campaigners intend to target the bill to include clauses against “online pimping”, for example. So a “battleground” sounds like a polite way to characterize the looming cacophony of arguments in parliament over what does and doesn’t get stuffed into this Great British Internet rulebook…

Vaizey gave the example of online scams as one likely target for amendments to further extend the scope of the Online Safety Bill. Although provisions to target ad scams are probably one of the less controversial additions that could come.

“I obviously do not support online scams but it’s pretty obvious that people will try to put amendments down to make sure that certain things are caught which are not currently in the scope of the bill. And one has to be careful it doesn’t get weighed down with too many, too much regulation — so there are all sorts of weird contradictions,” he warned. “It could be gutted, it could be fattened up, depending on who prevails in parliament.”

But he also generally welcomed the plan — saying the government deserves praise for drafting what he described as a “pioneering” bill and arguing that Internet regulation is “long overdue”.

“I think it is a pioneering piece of legislation. People will criticize this legislation, of course. My view is you can’t let the best be the enemy of the good. It is not — by no means — going to be perfect when it arrives in parliament. And it will probably not be perfect when it emerges out of parliament. And as it’s implemented by Ofcom in the next few years there will be areas of mistakes,” he said. “But I think that tech regulation of this kind is long overdue.

“Very important countries like Canada and Australia, and indeed the European Union and the US are looking at this and they will look to the UK example and take lessons from it.”

Ofcom chair role

The former minister of state has recently been in the running for a key vacancy atop Ofcom, the UK telecoms and media regulator which is itself in the process of being fattened up for an expanded role overseeing Internet content and social media giants.

The government has said it wants to give Ofcom powers to levy fines of up to 10% of a company’s annual global turnover (or £18M, whichever is higher) if they fail to live up to the bill’s requirements to protect users from illegal or harmful content.

So the regulator is set to have major powers to influence tech giants’ approach to content moderation and online freedom of expression in the coming years.

Vaizey was interviewed for the role of chair of Ofcom and shortlisted by an independent panel. However, earlier this year, the then secretary of state for digital, Olivier Dowden, chose to rerun the competition — rather than pick a candidate from the whittled down shortlist.

Reports have suggested the government was unhappy that the independent panel rejected its preferred candidate, ex-Daily Mail editor Paul Dacre — and that it’s still trying to find a way to parachute the divisive former newspaper editor into the top job overseeing social media platforms’ compliance with legally binding content rules.

Vaizey sidestepped these rumors when asked if he’s still in the running for the Ofcom job — suggesting the government decided to rerun the competition because of a lack of applicants in the first round.

“Clearly the government felt it needed a more competitive field. So it may be that I only got an interview because so few people applied,” he told TechCrunch. “But I really enjoyed the interview and I would love to chairman of Ofcom so I’ll see when they reopen the process whether there’s an opportunity for me to apply.”

“Ofcom is at a point where it’s proven itself as a telecoms regulator, and I think to a certain extent as a media regulator. But it is entering uncharted and very exciting territory in terms of Internet regulation,” he added.

Asked what his priorities would be, were he to get the dream job chairing Ofcom, Vaizey said Internet safety would top his list — on account of how challenging overseeing the digital realm will be.

“That is going to be the biggest challenge for Ofcom; how do you absorb such an enormous role? And also how you communicate to the public or the stakeholders that this will be a work in progress?,” he said, predicting: “It will not emerge fully formed.”

Were he to give a “light critique” of Ofcom, Vaizey said it would be that the regulator needs to dial up its ‘pro-business’ flank.

“You can also be pro-consumer by being pro-business,” he argued. “And I think in a highly competitive area… the job of the regulator is not only to regulate but also to know when not to regulate and to step back and let businesses navigate a very complex and competitive environment.

“So if I was to bring any kind of ‘Vaizey-esque’ approach to Ofcom it would be to make sure that businesses felt they had a regulator that wasn’t too much on their case, and was as much a partner as much as a regulator.”

Data adequacy

TechCrunch also asked the former minister of state for his views on the government’s appetite to ‘reform’ data protection rules.

Last month the government announced a consultation on a data reform, suggesting that ‘simplified’ rules in this area would be better for business.

Currently, UK privacy rules are based on the EU’s General Data Protection Regulation (GDPR) — which is considered the ‘gold standard’ for protecting people’s digital information globally. But the UK government’s policy push appears to favor reducing this current high level of protection for UK citizens’ information — without presenting a coherent economic case for why lower domestic privacy standards will be an advantage for digital businesses.

The government has made the simplistic claim that easier access to data will somehow stoke ‘innovation’. However UK startups wanting to access the European market — or indeed US companies subject to rules like California’s CCPA — will continue to need to comply with robust privacy regulations elsewhere.

On data reform, Vaziey suggested there could be room to make the practical implementation of UK data protection rules less “onerous” for UK businesses and organizations without undermining key principles of privacy and protection for personal data.

But on those principles he warned that the UK staying aligned with European Union standards will be vital for the digital economy — saying it would be “disastrous” were the UK to lose the data adequacy agreement with the EU that allows for continued free flows of data from Europe to the UK.

“The UK was very influential in how data protection legislation was drawn up when we were members of the EU so I think it’s slightly odd that we should shy away from that legislation,” Vaizey also told us.

“It is a very EU defining thing — and so I think the biggest watchword for the government when they look at reforming data protection legislation is obviously what’s gone on with the US [which has had two data transfer agreements with the European Commission struck down by Europe’s top court].

“You do not want a position where you make yourself vulnerable to attacks by the EU to say that your data protection regime is not adequate and we can’t therefore have cross-border exchanges of data — that would be disastrous. So whether we like it or not we will have to keep to a certain extent in lock-step with the European Union.”

“I also think it’s the case that the European Union legislation… has become the gold standard of data protection,” he added. “If you look at California adopting data privacy legislation it is based on European legislation and most tech companies will comply with that as their default standard because it just makes their life a hell of a lot easier when they’re trading globally.”

UK must stay open to tech skills

Vaizey has just taken up a new appointment as patron of the digital skills-focused UK industry association ITP, aka the Institute of Telecommunications Professionals.

Discussing the skills challenges facing the country he said there is no room for complacency — given rising global demand and increasingly fierce competition for tech talent around the world.

“I think we are doing really well and we continue to do very well but as with any area you cannot afford complacency and all the tools are there with the right resources to really push forward,” he said, discussing the government’s approach to skills — which now includes a ten-year strategy to boost domestic AI capability.

“One looks at what [president] Macron has done in France and I think it’s fair to say that he took France from a standing start… He’s done a tremendous job of raising the profile of France as a tech-friendly nation. So I think we can’t afford to be complacent. We’ve got a lot going for us but we can move up another gear.”

Vaizey also queried whether the government will take what he said must be a necessarily “open” approach to immigration to ensure UK startups are able to thrive.

“Not only does every country in the world have this problem but every startup in any European country is competing for talent, and any startup in the US is competing for talent,” he said.

“I’m pleased to see that with Tech Nation and so on there are more entrepreneur visas available but I think the government has to be very open to the fact that to get people over with the right tech skills to support startups has to be an absolute priority. And they have to be flexible.

“Because when we had free movement [as part of the EU] one of the great advantages of free movement is that you could take a job and you knew that your partner would also be able to get a job in the UK as well. So that’s something that they really need to lean into.”

Financing for students startup StudentFinance raises $5.3M seed from Giant and Armilar

Fintech startup StudentFinance — which allows educational institutions to offer success-based financing for students — has raised a $5.3 million (€4.5 million) seed round co-led by Giant Ventures and Armilar Venture Partners. It’s now raised $6.6 million total, to date.

StudentFinance launched in Spain first, followed by Germany and Finland, with the U.K. planned this year. Existing investors Mustard Seed Maze and Seedcamp, along with Sabadell Venture Capital, also participated.

The startup, which launched at the beginning of 2020, provides the tech back end for institutions to offer flexible payment plans in the form of ISAs (income-share agreements). It also provides data intelligence on the employment market to predict job demand.

It now has 35 education providers signed up, managing over €5 million worth of ISAs. It also works with upskilling platforms including Ironhack and Le Wagon. StudentFinance’s competitors include (in the USA) Blair, Leif, Vemo Education, Chancen (Germany-based) and EdAid (U.K.-based).

As for why StudentFinance stands out from those companies, Mariano Kostelec, co-founder and CEO of StudentFinance, said: “StudentFinance is the only platform in this space providing the full end-to-end, cross-border infrastructure to deliver ISAs for students whilst helping to plug the growing skills gap. Not only do we provide the infrastructure to support the ISA financing model, but we also provide data intelligence on the employment market and a career-as-a-service platform that focuses on placing students in the right job. We are creating an equilibrium between supply and demand.”

With an ISA, students only start paying back tuition once they are employed and earning above a minimum income threshold, with payments structured as a percentage of their earnings. This makes it a “success-based model”, says StudentFinance, which shifts the risk away from the students. They are likely to be popular as workers need to reskill with the onset of digitization and the pandemic’s effects.

The startup was founded in 2019 by Kostelec, Marta Palmeiro, Sergio Pereira and Miguel Santo Amaro. Kostelec and Santo Amaro previously built Uniplaces, which raised $30 million as a student housing platform in Europe.

Cameron Mclain, managing partner of Giant Ventures, commented: “What StudentFinance has built empowers any educational institution to offer ISAs as an alternative to upfront tuition or student loans, broadening access to education and opportunity.”

Duarte Mineiro, partner at Armilar Venture Partners, commented: “StudentFinance is a great opportunity to invest in because aside from its very compelling core purpose, this is a sound business where its economics are backed by a solid proprietary software technology.”

Sia Houchangnia, partner at Seedcamp, commented: “The need for reskilling the workforce has never been as acute as it is today and we believe StudentFinance has an important role to play in tackling this societal challenge.”

Angel backers include investors, which includes: Victoria van Lennep (founder of Lendable); Martin Villig (founder of Bolt); Ed Vaizey (the U.K.’s longest-serving Culture & Digital Economy Minister); Firestartr (U.K.-based early-stage VC); Serge Chiaramonte (U.K. fintech investor); and more.