Once the UK has worked out trade, immigration, fisheries and pretty much anything else you can think of, Brexit negotiators will be left with one final headache: data sharing.
Cross-border data sharing is governed by well-established laws and allows for unfettered trade and sharing of law enforcement information. Although the government claims it is committed to maintaining this, a Lords sub-committee has warned the government is showing a striking “lack of detail” on its plan. This is despite trade in digital services accounting for 44 per cent of the UK’s total global exports. Three-quarters of that data sharing is with EU states.
Operations such as the Internet Watch Foundation’s Hash List, which assigns unique signifiers to criminal images and videos posted online, such as child sexual abuse, rely on this framework to share data with law enforcement agencies globally. If negotiations falter, institutional norms such as unhindered sharing of the European Criminal Records Information System could be threatened.
While Theresa May is committed to removing the UK from the jurisdiction of the European Court of Justice (ECJ), the Lords report is not so sure. Data going from the EU to the UK will still be subject to the same laws, so operating under a different system seems an incongruous and costly choice.
Stewart Room, who heads up cyber security and data protection at PwC and submitted evidence to the committee, argues the UK will not be able to “escape the influence of the ECJ” if it wants to keep trade with Europe alive. Because the ECJ will still have jurisdiction over the flow of personal data to the UK, it could prevent that flow if it so chose “in serious cases”.
If the UK is no longer subject to EU laws and regulations, it will also no longer have the ability to influence them, the Lords report explains. It calls on the government to “secure a continuing role for the UK's Information Commissioner’s Office on the European Data Protection Board”.
Matt Hancock, minister of state for digital, and Baroness Williams of Trafford, the minister of state at the Home Office, both “refused to be drawn on the default position” for what will happen post-Brexit. They proffered assurances the laws would be “compatible”. When pushed, Lady Williams said: “It is too early to say what the future arrangements might look like.”
The Lords recommended the UK government seek an “adequacy decision”. This is an investigation into how a country’s data protection laws sit within the EU’s own, followed by a ruling by the European Commission as to whether sufficient safeguards are in place. For this to happen the UK needs “to find a mechanism to trigger the Commission's process”, says Room, suggesting it could be a feature of David Davis’ Brexit negotiations.
Room believes the chances of securing an adequacy decision for GDPR are good. “The most significant potential barrier to an adequacy decision might be the UK's operations on surveillance for law enforcement purposes. However, the UK is a signatory to the Convention on Human Rights, is subject to the rule of law and there is strong judicial oversight of surveillance operations, which are arguments in the UK's favour.” Many countries trade with Europe without such a decision, he points out. But that route would lead to expensive and time-consuming “administrative hurdles”.
If the government heeds the Lords' advice, it will need to move fast. Antony Walker, deputy CEO of TechUK, said the process of securing an adequacy decision could take two years. He warned the impact of not having one would be felt “economy-wide”, putting UK firms at a competitive disadvantage due to the extra admin burdens.
Meanwhile, the volume of our global data flow continues to expand each day. It is expected to grow five times by 2021, two years after the UK leaves the EU.
This article was originally published by WIRED UK