Some folks asked me to translate my latest column for the Dutch Financial Times. This is a somewhat expanded version of the column.
After the Brexit vote, politicians, businesses and citizens are all wondering what’s next. In general legal uncertainty permeates the Brexit, but in the world of bits and bytes Brussels and London have in fact been on a collision course at least since the 90s. And the new British prime minister Theresa May has been personally responsible a deepening divide across the North Sea on data and communication policy. While EU citizens will see stronger privacy and cybersecurity protections through EU law after the Brexit, multinational companies should be particularly worried about how future regulation will treat the loads of data they traffic about customers, employees and deals between the EU and the UK.
The UK have frustrated European privacy and cyber security policy for decades. In my recently published book Securing Private Communications, I describe how the UK blocked a visionary EU Council Decision on Information Security in 1990. In 1997, the Brits deleted end-to-end encryption requirements for telecommunications providers from the predecessor of the current E-Privacy Directive. Since 2012, London structurally sought to obstruct and delay the legislative process of the new EU General Data Protection Regulation and the Network and Information Security Directive. On data and communications policy, the EU and the UK have always been strange bedfellows.
On a deeper level, the EU and Britain fundamentally disagree about the value of human rights in policymaking. Actually, a vast body of European human rights jurisprudence originates in proceedings against British legal initiatives or launched by British citizens against their own government – especially with regard to privacy. A case in point is the famous 2008 ‘Liberty’-ruling of the Strasbourg Court of Human Rights on mass surveillance by British intelligence services of all Northern Irish citizens. In 2014 the Luxembourg EU court demolished the EU Data Retention Directive, the controversial surveillance measure launched by former Prime Minister and EU President Tony Blair in 2006, upon the request of then US President George W. Bush. The monumental ruling created a crucial precedent for the widely covered dismissal in 2015 of the Safe Harbor datadeal between the EU and the US by the EU Court.
Although The UK is legally bound by European judgements, the concept of a powerful and continental human rights court apparently amounts to an indigestible oxymoron for any conservative Briton. Indeed, as Justice Minister, the brand new Prime Minister Theresa May launched the Investigatory Powers Bill, draconian surveillance legislation next to which the EU Data Retention Directive, demolished by the EU Court, pales in comparison. Rather than comply with European court rulings, Theresa May repeatedly campaigned for leaving European human rights treaties altogether. While she weakened her tone in recent weeks to safeguard support for her new job, even the posh Foreign Policy magazine recently dubbed May Britain’s new Snooper-in-Chief.
The Brexit brings good news for Europeans that value privacy and freedom: the EU’s data and communications policy will no longer be influenced by Perfide Albion. But for entrepreneurs and especially multinationals, the Brexit is a potential nightmare. The crucial question is whether the European Commission will grant the UK the label of ‘adequate level of protection for European data’. Norway, for example, goes to great lengths to comply with EU legislation, so no data transfer restrictions exist and as a perk Norway sits in with the European meetings of national Data Protection Agencies. But national policies in the UK tend towards the US approach to data protection, and the US structurally fails to provide adequate data protection according to the EU Court. Many argue that the new datadeal between the EU and the US, the so-called ‘Privacy Shield’, still doesn’t meet those standards. Law firms, such as the one I work for, advise multinationals not to rely solely on the new datadeal for their global data transfers.
If the UK fails to meet the test of adequacy, the legal basis of data transfers across the North Sea of most companies evaporates. All cloud and data contracts of multinational organizations must be reviewed and revised. Data-intensive businesses are likely to move shop, settle within the EU, and bid a farewell to the Old Country.
After the Brexit, the superficial data marriage between the strange bedfellows across the North Sea will no longer be bound by treaty. While Snowden’s disclosures still echo across EU policy theatres, Britain’s new Snooper-in-Chief and multinationals will throw all money, power and counselling at their disposal towards saving the data marriage between the EU and the UK. Even if the economic stakes are humungous, over the last decades deep political and constitutional developments have rather been pushing the EU and the UK towards a data divorce.