Continental Drift: Brexit and Privacy
As the United Kingdom approaches the early 2017 start of negotiations on its departure from the European Union, questions are emerging about the future direction of the country’s EU-based data privacy laws. In parallel, the British Parliament is close to completing a comprehensive overhaul and expansion of its controversial surveillance laws. At stake in these two exercises is whether the UK will retain a recognizably European balance between privacy and security, or will move closer in approach to its American cousin.
Brexit: When and How?
Published by The Lawfare Institute
in Cooperation With
As the United Kingdom approaches the early 2017 start of negotiations on its departure from the European Union, questions are emerging about the future direction of the country’s EU-based data privacy laws. In parallel, the British Parliament is close to completing a comprehensive overhaul and expansion of its controversial surveillance laws. At stake in these two exercises is whether the UK will retain a recognizably European balance between privacy and security, or will move closer in approach to its American cousin.
Brexit: When and How?
By March 2017, the UK is expected to trigger the formal process for leaving the EU, opening a two-year window during which an agreement on the terms of withdrawal will be negotiated. The UK's unprecedented negotiation with the EU likely will decide not only how it disentangles itself from EU, but also determine its future economic relationship with Europe. Most importantly, these talks will determine whether and to what extent Britain will continue to enjoy access to the EU’s Single Market for free movement of goods, services, persons, and capital.
Prime Minister Teresa May has insisted that her government wants to give “British companies the maximum freedom to trade and operate in the single market” but, at the same time, does not intend to allow free movement of persons into the UK from other EU states. She also has announced that the UK would no longer accept the jurisdiction of the European Court of Justice—the arbiter of the meaning of EU laws—whose rulings apply across the Union. These positions are not easily reconciled with continued participation in the Single Market.
The government does, however, plan to transpose all existing EU law into domestic legislation, unless specifically amended or rescinded by Parliament. Thus, in principle, the UK is expected to continue largely to abide by existing EU rules. Whether future EU legislation also would be taken over by the UK would be determined in the withdrawal negotiations. But beyond this level of generality, as one delves into specific topics such as privacy and security, uncertainty reigns.
Preserving Free Data Flows
As economic tremors in Britain increase, the UK’s future rules for international data transfers with the continent has begun to draw attention. The UK government certainly will aim to preserve unfettered commercial data flows across the Channel, which are crucial to the health of some of its most dynamic economic sectors, including finance and technology. It likewise will seek to achieve a stable basis for trans-Atlantic data flows, since many companies transfer data from Europe to the United States via the UK.
UK industry has voiced its concern clearly. “Tech companies and data-center operators are looking for assurances from the government that legal certainties on data flows between the U.K. and the EU will be a priority in forthcoming negotiations,” a spokesperson for TechUK stated publicly. The UK’s new Information Commissioner responded to such concerns: “I don’t think Brexit should mean Brexit when it comes to standards of data protection. In order for British businesses to share information and provide services for EU consumers, the law has to be equivalent.”
In the short term, at least, continuity will prevail. This week the UK government announced that it would implement the EU’s new General Data Protection Regulation (GDPR), which is set to take effect in 2018. That set of privacy rules would prevail in the UK until the UK completes its negotiated departure from the EU, likely to occur a year or more later.
Thereafter, the UK, in tailoring its own national data protection law, could choose to make changes from European rules. It is no secret that the UK vigorously opposed some features of the GDPR during its legislative development. It therefore might be tempted to propose changes to features which impose additional burdens and risks on companies, consistent with the UK’s historically lighter and more flexible regulatory touch compared to other European countries.
One certainty is that after Britain leaves the European Union, data transfers to the continent will become more cumbersome. Data will no longer be able to flow freely on the strength of a shared legal regime. Instead, companies located in Britain will be forced to demonstrate that they have a legal basis before they can move data from EU territory to Britain. They will have to rely on the same set of mechanisms for data transfers that counterparts from non-EU jurisdictions such as the United States currently utilize—principally model contract clauses, binding corporate rules, and consent.
To simplify things, the UK could well opt to apply to the European Commission for a decision that its data transfer system as a whole is “adequate”—obviating the need to prove legality each time data flows are contemplated. This status is currently enjoyed by only a handful of non-EU countries, including Argentina, Canada, Israel and Switzerland, not to mention UK dependencies such as Jersey and the Isle of Man.
Like the United States, the UK might choose to negotiate a Privacy Shield-like international arrangement with the EU as the foundation for an adequacy decision. If it chooses to seek adequacy, Britain could well find itself more of a supplicant than demandeur, given the importance of cross-Channel data flows to key parts of the British economy.
Reconciling Surveillance and Data Flows
Meanwhile, the UK is conducting a major internal debate on reform of its surveillance law. How this debate turns out will influence—and likely complicate—its future efforts to come to terms with the EU on privacy.
The UK long has been seen in Europe as an outlier on surveillance. It has faced repeated challenges at the European Court of Justice and the European Court of Human Rights over the means and extent to which it obtains personal data for counter-terrorism and other security purposes.
The government’s proposed sweeping reform of surveillance law, the Investigatory Powers Bill (IPB), is now making its way through Parliament. The IPB, a signature counter-terrorism initiative of PM May’s during her tenure as Home Secretary, was approved by the House of Commons in June and is expected to pass the House of Lords shortly.
The bill contains, among other things, broad powers to demand the removal of encryption and the design of permanent capabilities for decryption. It also would empower the government to lawfully hack companies’ and users’ equipment in order to obtain data. The government would be able to use these powers on an expanded extraterritorial basis, and for bulk as well as targeted surveillance.
Civil liberties advocates had only modest success in amending the IPB before the Commons, where it ultimately passed by a large margin. Legislators there did mandate the establishment of an independent judicial oversight authority, which must to review instances of government-ordered surveillance or hacking. The Commons also asked outside legal expert David Anderson to undertake a special review of bulk surveillance practices; Anderson in turn strongly endorsed the need for such capabilities. Current indications are that ongoing debate in the House of Lords is unlikely to yield significant further changes to the bill.
The IPB would grant the government permanent authority to retain all individuals’ communications metadata for up to twelve months, so that it would available to law enforcement in the event of a future criminal investigation. The UK’s existing and similar data retention authority, enacted in 2015 and due to expire at the end of 2016, has been challenged on fundamental rights at the European Court of Justice. (Ironically, one of the parliamentarians who complained to the court at Luxembourg, David Davis, is now the minister in charge of exiting the European Union.) The ECJ is expected to rule in the case later this fall.
In a July opinion that is likely to guide the court’s forthcoming judgment, an ECJ Advocate General stated that member states’ data retention laws must be held to the same ‘necessity and proportionality’ standard as the Court had previously applied in invalidating the EU’s own data retention legislation. The Advocate General also set out exacting requirements for national data retention laws, including insisting on independent administrative decision-making on data access.
If the ECJ invalidates the existing UK law, as seems likely, the British government would be obliged to honor the judgment for so long as it remains in the Union. But in the longer term, if the UK succeeds in removing itself from the reach of the ECJ, it might well be tempted to go its own way on law enforcement data retention. Doing so could endanger Britain's chances of eventually achieving EU data privacy “adequacy”, however, since the European Commission takes national law enforcement privacy regimes into account in making its decision.
PM May separately has confirmed that, notwithstanding Brexit, the UK will remain a party to the European Convention on Human Rights and its court. The Strasbourg-based court’s body of law on surveillance—more flexible in some respects than that evolving at the ECJ—thus will continue to influence UK law-making, and could help ensure that it remains part of the European privacy law mainstream. But Britain’s surveillance laws doubtless will continue to generate challenges on a recurring basis at the human rights court, potentially highlighting its variance from Europe in this area.
Continental Drift?
As the UK embarks on Brexit negotiations, it finds itself torn between privacy and security goals that may prove hard to reconcile. It has a strong economic interest in continuing unrestricted data flows between the UK and the European continent. Thus, Britain likely will largely abide by the General Data GDPR even after its divorce from Brussels. And to preserve unrestricted data flows across the Channel, the UK will need a broad finding that its privacy laws are 'adequate' in the eyes of European data protection authorities.
EU officials making that determination, however, will pause over newly-reinforced UK surveillance laws that are among the most aggressive in Europe. And even as the UK escapes the critical eye of the ECJ, it will face further challenges to its security practices at the European Court of Human Rights. The privacy tensions that have complicated relations between Washington and Brussels over the past fifteen years will soon reach London too.