In October 2015, two years after Edward Snowden blew the whistle on mass surveillance in the United States, the European Court of Justice overturned a 15-year-old agreement allowing data to flow seamlessly from Europe to America.
The ruling marked the conclusion of a two-year legal battle instigated by Max Schrems, an Austrian graduate student who had taken issue with the US National Security Agency’s PRISM programme. Snowden’s revelations, Schrems argued, proved that US firms such as Facebook couldn’t be trusted to protect European data from the prying eyes of the US government.
In the months following the ruling, EU and US officials scrambled to put in place new measures to ensure that European data would be better protected across the Atlantic. Eventually, in 2016, they settled on a new framework called Privacy Shield that would enshrine stronger safeguards in law and allow data-sharing between the two jurisdictions to continue. But the collapse of the original agreement, known as Safe Harbour, triggered an avalanche of bureaucracy for businesses.
“We had a member company who had to put in place 2 million standard contractual clauses over the space of a month or so,” Giles Derrington, then a policy director at the trade body TechUK, told MPs in 2018. “The amount of cost, time and effort that took was very significant.”
For Britain’s services sector, the Safe Harbour case serves as a cautionary tale. If the UK fails to secure an adequacy decision from Brussels by the end of the year and, as Boris Johnson has vowed, the Brexit transition period is not extended, thousands of British firms which sell services to customers in Europe will find themselves in the same precarious position occupied by American businesses in light of Schrems’ victory in 2015.
The clauses put in place by the firm referenced by Derrington are a key way to keep the data flowing. They ensure that the privacy of European user data is held to equivalent standards, regardless of whether it is being processed within or outside of the European Economic Area. But they are burdensome, especially for smaller businesses without well-resourced compliance teams.
Such measures would hit tech startups, seen by ministers as a major driver of future economic growth, particularly hard. But they would also have a major impact on the financial services sector, healthcare organisations and the advertising industry, all of which regularly send data around the world for analysis. With services making up around three-quarters of the British economy, securing a deal will be a priority for British negotiators.
The Snoopers’ Charter
In May 2018, parliament incorporated the EU’s General Data Protection Regulation (GDPR) – the most comprehensive privacy framework in history – into British law. The government has also pledged to allow UK data to be transferred, uninterrupted, into the EU.
But some legal experts fear that these commitments will not be enough to guarantee the UK an adequacy deal. Just as the European Court of Justice scrapped Safe Harbour amid concerns about US surveillance, Brussels could deny the UK a deal due to fears over similar practices by the spy agency GCHQ.
Dubbed “the Snoopers’ Charter” by its critics, the Investigatory Powers Act (IPA) was initially framed by the government as a way of making GCHQ more transparent in the post-Snowden era. But privacy activists claim it has instead legalised a frighteningly far-reaching state surveillance apparatus. The human rights advocacy group Liberty describes it as “the most intrusive mass surveillance regime ever introduced in a democracy”.
The legislation, Liberty states, gives security agencies the power to “store and search our web history, records showing where we go with our mobiles, and who we call, email and text. This kind of information paints an incredibly detailed picture of who we are, who we talk to, where we go and what we think. It reveals our health problems, our political views, our religious beliefs, our sexual preferences, our daily habits and our every movement.”
The IPA has plenty of critics in Brussels too. The EU, however, is prohibited from interfering in the national security policies of its members, meaning the law’s compatibility with GDPR has not been tested, yet. The negotiations that take place over the coming months represent the first occasion to do so.
“[The European Commission] will take note of the way in which the [ECJ] has interpreted compatibility of surveillance laws and the fundamental rights to privacy and data protection in previous cases,” researchers at University College London (UCL) state in a recent report (PDF).
“Those cases have set the bar fairly high, so it is plausible that the Commission will decide that the IPA is not compatible with EU law, despite the recent High Court judgement [which ruled in favour of the act]. Even if the Commission does grant the UK an adequacy decision, the IPA and associated practices could provide grounds for it to be invalidated by the ECJ.”
Concerns about UK-US data sharing under the Five Eyes intelligence partnership – between Australia, Canada, New Zealand, the UK and the US – will also be front of mind for Brussels officials keen to prevent a re-run of the Schrems dispute.
A bilateral treaty
In late December, the European Commission’s data protection supervisor, Wojciech Wiewiorowski, suggested he was in no rush to agree a deal with the UK, claiming it was at the back of a queue of 13 countries. Wiewiorowski’s predecessor had said just months earlier that it would take years to conclude discussions, which, due to EU concerns about conflicts of interest, take place separately to the main trade talks.
Not everyone is so downbeat, however. Some observers believe the Commission will put aside concerns about state surveillance for fear of encouraging unwelcome scrutiny of the practices of German and French security agencies. But even if the EU does agree a deal, it would be entitled to review it regularly and the ECJ could challenge its compatibility with other European law at any time.
If interpretations of GDPR in the UK diverge significantly from those on the continent after Britain leaves the EU, the ECJ may also decide that the UK’s data protections are no longer properly aligned with the rest of Europe’s, and revoke the agreement.
“The EU’s preference would be that we agree to lock arm-to-arm on data regulation so that when something happens in the EU, it also means that applies in the UK so we move together,” says the Labour MP Darren Jones. “My guess is that the government’s view is that it would want to be entirely sovereign over how British courts and regulators enforce [GDPR], so long as there’s a way for us to agree that we get to the same outcome. But how you do that I don’t know.”
This is one of the reasons why the UK is pushing for a bilateral treaty, rather than a conventional adequacy decision. An unnamed government official told UCL’s researchers that “adequacy agreements are for third countries, with all due respect, like Uruguay and Argentina, which are outside of the EU framework. The difference is that we have fully implemented GDPR while Uruguay hasn’t.”
Regarded as one of Europe’s most effective data protection regulators, the Information Commissioner’s Office would also remain a member of the “one-stop shop” under the proposals. In the event of a GDPR breach spanning several member states, the arrangement gives one regulator the power to propose the size of a fine issued on behalf of all affected EU citizens, wherever they live.
Although Norway, Iceland and Liechtenstein are not EU members, as part of the single market they also play a role in the one-stop shop, but do not have a right to veto decisions made by the European Data Protection Board. Many business leaders would be happy to see the UK adopt a similar position.
In Britain, digital privacy remains a fringe political issue. This makes it easier for the government to bend to the EU’s will when it comes to data protection. It helps, of course, that GDPR is seen as the gold standard of privacy regulation. But if the UK is to regain sovereignty after the transition period, politicians will expect judges to be able to interpret British legislation however they see fit. In some cases, that might mean putting national security ahead of privacy.
The new president of the Commission, Ursula von der Leyen, sees technological sovereignty as one of the defining issues of her presidency. Under her leadership, officials might be willing to challenge EU-UK adequacy, presuming it is agreed, once it comes up for review. This is especially likely if decisions made in the UK in the name of national security are seen to infringe on EU citizens’ privacy.
Many backed Brexit to reclaim Britain’s sovereignty. But national security may be one area in which the EU has more leverage over the UK after Brexit than before. With several years of further uncertainty ahead of them, British business could be forgiven for recognising, but not appreciating, the irony.