How a Brexit could stop UK biz and Europe swapping personal data
An explosive combination of Safe Harbor and Snoopers' Charter
Analysis If the UK decides later this year to leave Europe – the so-called "Brexit" – it would have a severe knock-on impact on sharing people's personal data between Blighty and Euro nations.
So warns internet governance expert Emily Taylor in a piece for London-based international affairs think tank Chatham House.
Taylor warns that the combination of the new Safe Harbor agreement between the EU and the United States, and the "Snoopers' Charter" being pushed through the British Parliament, "could see a ban on the transfer of data between the UK and EU, with a severe economic impact."
The new Safe Harbor agreement – Privacy Shield – was developed after the Edward Snowden revelations of mass surveillance by the US intelligence services led to a lawsuit against Facebook, which led to the European Court of Justice striking down the long-standing prior agreement.
The new agreement is not what privacy advocates had pushed for, but it does contain the provision that bulk data collection will be "limited to exceptional situations where targeted collection is not possible."
It also refers repeatedly to the fact that "targeted" collection is preferable to bulk collection and that any collection should be "narrowly focused" and relate to "individually identified legitimate targets."
The issue, according to Taylor, is that the revised draft of the Investigatory Powers Bill – the Snoopers' Charter – does not in any way meet those same requirements.
The bill retains clauses that write into law the bulk collection and interception of data that existed before the Snowden revelations brought them to everyone's attention.
And despite pointed criticism of the wording by Parliamentary committees, there is no concept of "targeted" collection and no reference to data being collected only where "strictly necessary" in the text.
This approach is problematic in itself and if the Bill passes into law in its current form, it will almost certainly be challenged in the European courts as failing to meet the ECJ's ruling.
But that issue becomes much larger and more immediate if the UK electorate does decide to formally leave the European Union on June 23. If that happens, the EU will want to draw up a separate data-transfer agreement with the UK and it is a virtual certainty that it will follow the same lines as the agreement with the United States.
Such an agreement would be incompatible with UK law – if the Snoopers' Charter is passed as currently drafted. And thus, European companies would almost certainly have to stop sharing data across the English Channel.
Taylor notes that the impact would not be as huge as a breakdown in US-Europe data sharing since the UK is not home to big beasts like Google or Facebook, but it would have a significant knock-on impact. An estimated 45 per cent of UK exports are to Europe; 53 per cent of UK imports come from Europe.
She also recognizes the pragmatic realities of such a move: "The market would move without waiting for the politicians. When the ECJ abolished Safe Harbour, large (US) cloud providers quickly began offering guaranteed hosting in the EU, long before Privacy Shield was agreed."
UK corporations would be bound by one set of rules for data within the UK and to the United States, but would have to treat data from Europe completely differently. And international providers would likely move their data out of the UK to avoid the legal complications.
There would also be no quick solution, she argues. "Even if there is some cobbled-together agreement, Britain may find its former EU partners less willing to jump to the negotiating table to rescue UK economic interests. British business would continue to face barriers, and British citizens would end up with fewer protections than EU citizens against UK government intrusion."
The solution, of course, is for the British electorate to vote not to leave Europe, or the Conservative UK government to back down from its efforts to force through draconian legislation. The first is uncertain; the second unlikely. ®
Sponsored: 2016 Cyberthreat defense report