With the hype gone, the dust settled, and the reality of the British exit slowly materializing, it is time to take stock of the numerous challenges facing the UK in the digital arena.
The most widely discussed digital policy issue in connection with the British exit is London’s anticipated stance toward the implementation of three pieces of EU legislation: The Network and Information Security (NIS) Directive, the General Data Protection Regulation (GDPR), and the EU-US Privacy Shield.
Network and Information Security (NIS) Directive
Endorsed by the Council in May and adopted by the European Parliament in early July, the NIS Directive entered into force on August 8th 2016. As the “first comprehensive piece of EU legislation on cybersecurity”, the directive is designed to improve cybersecurity capabilities at the national level, increase EU cooperation, and establish risk management and incident reporting obligations for operators of essential services and digital service providers. According to the European Commission, all member states, including the UK, “will have 21 months to transpose the Directive into their national laws and 6 months more to identify operators of essential services.” This effectively pushes the application deadline back to the end of 2018.
As it currently stands, the UK government will refrain from triggering Article 50 exit-negotiations in 2016, which in turn commits London to implementing all aspects of the NIS Directive into national law. Any failure to do so would force the EU Commission to initiate infringement proceedings which could end up at the European Court of Justice (ECJ). Yet, given that infringement proceedings take on average more than 2½ years to resolve, plus an additional 1½ years until a member state is in full compliance with the court’s ruling, it is highly doubtful whether the UK government would actually face any legal consequences if it were to choose to ignore the NIS Directive.
Not transposing NIS into national law would nonetheless be a step in the wrong direction. According to James Mullock and Simon Shooter at international law firm Bird&Bird, “the obvious benefits of commonality of approach to the global threat of cybersecurity will be a spur to find ways to voluntary lock [the UK] into the EU adopted NIS Directive.” In the end, the UK and the EU can both only benefit from the implementation of a common European cybersecurity standard, which (1) introduces mandatory incident reporting requirements, (2) guarantees an appropriate level of security capabilities, and (3) builds a network of competent authorities to exchange information for incident response and early warning purposes.
Not transposing the directive might also set a negative precedent which could translate into spill-over effects into other issues at stake in the exit negotiations.
General Data Protection Regulation (GDPR)
In contrast to the NIS Directive, the General Data Protection Regulation (GDPR) is a different animal. As a regulation it “appl[ies] automatically and uniformly to all EU countries as soon as [it] enter[s] into force, without needing to be transposed into national law.”
The GDPR is de-facto already active since May 24th 2016; Its enforcement, however, will only begin in May 2018, to allow organizations a feasible transition period to fully comply with the new data protection requirements.
The GDPR is essentially an overhaul of EU consumer and data protection. The most significant changes include: The rule of (1) one continent one law, meaning the GDPR will “establish one single set of rules which will make it simpler and cheaper for companies to do business in the EU,” (2) one-stop-shop, so “business will only have to deal with one single data protection supervisory authority,” (3) European rules on European soil, which forces companies outside the EU to become subject to the GDPR when they are targeting consumers in the EU, and (4) the right to know when your data has been hacked, which imposes a mandatory reporting requirement on “businesses and organizations [to] notify the national supervisory authority of a serious data breach as soon as possible so that users can take appropriate measures.”
Non-compliance with the GDPR comes with a hefty price tag of either “administrative fines [of] up to €20,000,000, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.” Thus, for any UK business operating in the EU, trading with the continent, employing an EU citizen, or handling EU data in any shape or form, adhering to the GDPR is not a choice, but a necessary requirement.
Currently, awareness of the GDRP is worryingly low in Britain. According to a March 2016 survey by TrendMicro of 100 senior IT decision makers in the UK, “a fifth (20%) […] are still unaware of [the GDPR’s] existence,” and “of those that do [know], almost a third (29%) don’t think that the regulation would apply to their organisation.” Equally, management software firm Ipswitch surveyed 300 IT professionals from the UK, Germany, and France, and found that “just 12 percent said they are prepared for the GDPR. In the UK, that picture is even starker: only 5 percent of IT professionals say they are ready.”
Any UK company that wrongly believes that the GDPR only applies to businesses on the continent will face the inevitable consequence come May 2018.
Following the British exit the UK government will, most notably, also need to sign an EU-UK Privacy Shield agreement, similar to the recently negotiated EU-US Privacy Shield, to ensure “an adequate level of protection […] surrounding a data transfer operation or set of data transfer operations” from the EU to the UK. The UK’s Information Commissioner’s Office (ICO) shared this assessment in a June 26th statement, noting that “if the UK wants to trade with the Single Market on equal terms we would have to prove 'adequacy'—in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018.”
The UK’s quest for adequacy will not come as easy as many analysts tend to assume. There are at least three factors that will complicate matters for London. First, the still pending ECJ case of Labour deputy leader Tom Watson and Conservative MP David Davis (who withdrew his name from the case after being appointed Secretary of State for Exiting the EU) against the UK government’s Data Retention and Investigatory Powers Act 2014 (DRIPA). Second, the UK’s Investigatory Powers Bill (IPB), also known as the Snooper’s Charter, which was introduced by then Home Secretary, now Prime Minister, Theresa May, in reaction to the English High Court’s ruling to disapply DRIPA in 2016. And third, a possible wave of legal challenges to any post-Brexit UK adequacy assessment, given the public’s knowledge of multiple GCHQ programs that have spied or are still spying on EU data transfers, as revealed by former NSA contractor Edward Snowden.
A first shot was already fired across London’s bow in July 2016 with the publication of the ECJ advocate general’s non-binding legal opinion. While the advocate general noted that DRIPA “may be regarded as consistent with EU law,” he also stipulated that multiple requirements needed to be satisfied to justify any interference with the EU Charter of Fundamental Human Rights (ECHR) or the EU’s directive concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive 2002/58). In particular the advocate general was not convinced that “retaining data in combating ‘ordinary’ (as opposed to ‘serious’) offenses” could be justified as an objective of general interest to the European Union. Additionally, he noted that in his opinion all safeguards, as lain out in the Digital Rights Ireland case, are indeed mandatory (including an independent authority to oversee compliance with the requirements of privacy protection and security).
If the ECJ follows the advocate general’s opinion in its forthcoming ruling on DRIPA, the impact on IPB and the UK’s adequacy assessment will force the UK government to take a stand. Either London decides to push through IPB regardless of the ECJ’s ruling, or the May government reforms IPB in a quest for smooth adequacy assessment. Max Schrems has already voiced his interest in the UK post-Brexit, arguing that one would simply have to search for a case in which EU data could possibly fall under some UK surveillance law and then say: “you’re not allowed to transfer my data to the UK anymore because I can’t be sure that my data is not spied on.”
Indeed, the UK government would be well advised to avoid such a scenario at all costs. If a watered down IPB is the price to pay for trading with the continent, then so be it. Even the United States chose to accommodate European concerns regarding NSA surveillance programs and practices by implementing: (1) Presidential Policy Directive 28 (PPD-28), which sets out a number of principles and limitations for the collection of signal intelligence, (2) the Judicial Redress Act (HR1428) which “allow[s] foreign citizens in European countries to sue the United States for unlawful disclosure of personal information obtained in connection with international law enforcement efforts,” and (3) the USA Freedom Act (HR 2048), which “limits bulk collection of data and allows companies to issue transparency reports on the approximate number of government access requests.”
Lines in the sand
From here on out it will be up to the May government to prudently navigate Britain through these three challenges. For better or for worse, the lines are clearly drawn in the sand and there is no excuse for any policy misstep.
The European Council on Foreign Relations does not take collective positions. ECFR publications only represent the views of their individual authors.