After the Brexit vote, politicians, businesses and citizens are all wondering what’s next. In general, legal uncertainty permeates Brexit, but in the world of bits and bytes, Brussels and London have in fact been on a collision course at least since the 90s. The new British prime minister, Theresa May, has been personally responsible for a deepening divide across the North Sea on data and communication policy. Although EU citizens will see stronger privacy and cybersecurity protections through EU law post-Brexit, multinational companies should be particularly worried about how future regulation will treat the loads of data they traffic about customers, employees, and deals between the EU and the UK.
The UK has frustrated European privacy and cybersecurity policy for decades. In my recently published book Securing Private Communications, I describe how the UK blocked a visionary EU Council Decision on Information Security in 1990. In 1997, the Brits deleted end-to-end encryption requirements for telecommunications providers from the predecessor of the current E-Privacy Directive. Since 2012, London structurally sought to obstruct and delay the legislative process of the new EU General Data Protection Regulation and the Network and Information Security Directive. On data and communications policy, the EU and the UK have always been strange bedfellows.
On a deeper level, the EU and the UK fundamentally disagree about the value of human rights in policymaking. In fact, a vast body of European human rights jurisprudence originates in proceedings against British legal initiatives or launched by British citizens against their own government – especially with regard to privacy. A case in point is the famous 2008 ‘Liberty’-ruling of the Strasbourg Court of Human Rights on mass surveillance by British intelligence services of all Northern Irish citizens. In 2014, the Luxembourg EU court demolished the EU Data Retention Directive, the controversial surveillance measure launched by former Prime Minister and EU President Tony Blair in 2006, upon the request of then US President George W. Bush. The monumental ruling created a crucial precedent for the widely covered dismissal in 2015 of the Safe Harbor data-deal between the EU and the US by the EU Court.
Although the UK is legally bound by European judgements, the concept of a powerful and continental human rights court apparently amounts to an indigestible oxymoron for any conservative Briton. Indeed, as Justice Minister, the brand new Prime Minister Theresa May launched the Investigatory Powers Bill, draconian surveillance legislation next to which the EU Data Retention Directive, demolished by the EU Court, pales. Rather than comply with European court rulings, Theresa May repeatedly campaigned for leaving European human rights treaties altogether. Although she has softened her tone in recent weeks to safeguard support for her new job, even the posh Foreign Policy magazine recently dubbed May Britain’s new Snooper-in-Chief.
Brexit brings good news for Europeans that value privacy and freedom: the EU’s data and communications policy will no longer be influenced by Perfide Albion. But for entrepreneurs—and especially multinationals—Brexit is a potential nightmare. The crucial question is whether the European Commission will grant the UK the label of “adequate level of protection for European data”. Norway, for example, goes to great lengths to comply with EU legislation, so no data transfer restrictions exist; as a perk, Norway sits in on the European meetings of national Data Protection Agencies. Yet, national policies in the UK tend towards the US approach to data protection, and the US structurally fails to provide adequate data protection according to the EU Court. Many argue that the new data-deal between the EU and the US—the so-called “Privacy Shield”—still doesn’t meet those standards. Law firms, such as the one I work for, advise multinationals not to rely solely on the new data-deal for their global data transfers.
If the UK fails to meet the test of adequacy, the legal basis of data transfers across the North Sea of most companies evaporates. All cloud and data contracts of multinational organizations must be reviewed and revised. Data-intensive businesses are likely to move shop, settle within the EU, and bid farewell to the Old Country.
After Brexit, the superficial data marriage between the strange bedfellows across the North Sea will no longer be bound by treaty. While Snowden’s disclosures still echo across EU policy theaters, Britain’s new Snooper-in-Chief and multinationals will throw all money, power, and counseling at their disposal towards saving the data marriage between the EU and the UK. Even if the economic stakes are substantial, over the last decades deep political and constitutional developments have rather been pushing the EU and the UK towards a data divorce.
It will be especially interesting to see to what extent an EU-UK deal on data transfers will affect a UK-US deal. It is already hard for Europe and the US to negotiate a deal (that will be a living agreement with yearly renewal). It will be even harder for the UK to toe its own line between the two approaches.