What Does Brexit Mean For British Data Privacy?

Uploaded on 2016-10-12 in NEWS-Cybersecurity News, GOVERNMENT-National, FREE TO VIEW, BUSINESS-Services-Law

The UK’s data protection watchdog has three years to convince the government to adopt and enact the EU laws it is set to break away from.

On October 2, UK Prime Minister, Theresa May revealed that she planned to trigger Article 50 by March 2017, and thus set in motion the UK’s departure from the EU. Her announcement comes just days after the, newly appointed, Head of the Information Commissioner’s Office (ICO), Elizabeth Denham, told BBC Radio 4 that Britain must retain the European legislation.

"I don't think Brexit should mean Brexit when it comes to standards of data protection,” she said. “In order for British businesses to share information and provide services for EU consumers, the law has to be equivalent.”

The EU has for years been debating and finalising laws that it says will bring European privacy protections up to date with technological progress. The resulting Regulation and Directive came into force in May, to be applied by individual member states by May 2018, and is designed to help cement the EU’s Digital Single Market Strategy

As part of both EU privacy and human rights laws the regulation, the EU says, “is an essential step to strengthen citizens' fundamental rights in the digital age”. Come summer 2019, however, the date by which May promises to have exited the union, UK citizens will not have these safeguards in place.

"We are going to be a fully independent, sovereign country - a country that is no longer part of a political union with supranational institutions that can override national parliaments and courts,” the prime minister told the Conservative Party conference in Birmingham.

There is a chance the EU law will be transported into UK law, however. May also announced that a Great Repeal Bill would make up part of the next Queen’s Speech and will allow for a reversal of the European Communities Act 1972, the law that allows EU legislation to become British. The Bill will enact all EU laws into UK law - however, Parliament will be able to "amend or cancel" any law, reports the BBC.

“EU law will be transposed into domestic law, wherever practical, on exit day,” David Davis, Secretary of State for Exiting the EU, will say at a party conference speech. “It will be for elected politicians here to make the changes to reflect the outcome of our negotiation and our exit. That is what people voted for: power and authority residing once again with the sovereign institutions of our own country.” Scottish MPs, however, have threatened to dampen the force of that statement by voting against the Great Repeal Bill.

Europe’s data protection regulation is vast and thorough, designed to not only protect individuals’ privacy rights but ensure that businesses are not faced with multiple costly legal cases as a result of multiple strands of legislation, both national and European.

Among the protections the regulation affords EU citizens is a compulsory rule forcing companies to disclose data breaches within 72 hours of them being discovered. This is incredibly pertinent, considering it was just revealed that Yahoo took the better part of two years to disclose one of the biggest customer security breaches on record. 

Denham also brought this specific case up on BBC Radio 4’s PM programme, stating she would be personally following up. She also insisted she would follow-up on Facebook's attempt at sharing WhatsApp user data across its services, in direct contravention of the promise the social network made when it bought the app.

Since the EU's data regulation law will be in force before the UK’s expected summer 2019 exit, Denham did say she was “concerned about a start and stop regulatory environment”. The UK will have to implement and abide by the regulation from May 2018 at least up until a summer 2019 Brexit.

The commissioner did, however, assure an audience at the Personal Information Economy 2016 event in London last week that in spite of all this, her aim is to ensure the public feels secure: “What hasn’t changed are the strong data protection rules the UK already has. We need those rules to ensure cross-border commerce, not to mention the privacy protections citizens and consumers expect.

“The fact is, no matter what the future legal relationship between the UK and Europe, personal information will need to flow. It is fundamental to the digital economy. In a global economy we need consistency of law and standards, the GDPR is a strong law, and once we are out of Europe we will still need to be deemed adequate or essentially equivalent. For those of you who are not lawyers out there, this means there would be a legal basis for data to flow between Europe and the UK.

“We’re talking about proper protection for consumers, about certainty for business, and about strong independent oversight of the law...We’d all like a concrete answer about the specific outlines of post-Brexit data protection law. We know businesses don’t generally like uncertainty. But in the end, it’s government that will have to decide.”

She claimed this uncertain time, in fact, has its advantages: the opportunity to strengthen our data protection law with the express aim of inspiring “public trust and confidence.” Her words suggest she understands the importance of bridging the divide between personal rights and internet business growth in such a way that neither will be unduly burdened, so both thrive.

Ultimately, it does not make sense to have too disparate an approach from Europe when it comes to data protection: any UK internet startup will have to abide by European regulations anyway if it hopes to build its business on the continent. It would also seem to be an incredible waste of time to enact different legal approaches, considering the UK has to implement the regulation by May 2018 in line with EU laws, ahead of the 2019 Brexit.

"The ICO, UK Courts and all affected entities will have already put in place the requisite infrastructures to comply with the (the law)," points out Stewart Room, global head of cyber security and data protection legal services at PwC. "The new law will apply automatically from May 2018, exposing non-compliant organisations to a risk of staggering regulatory fines for non-compliance, as well as litigation risk," he tells WIRED.

"On leaving the EU the UK would technically be free to abandon the [law], but the question does arise as to why that option would be more attractive than retaining [it]. Retaining the [law] after exit would likely be in the UK’s interests, the interests of UK citizens and the interests of UK-based data controllers and data processors.”

Great Repeal Bill

The Bill will automatically allow May to do what she has long desired: pick and choose which European laws the UK has to follow. She has had a complicated history with the European Convention on Human Rights, for instance, which thwarted her attempts to deport Abu Qatada to Jordan.

The fact that EU courts will no longer have jurisdiction over UK matters will have major implications for citizen protections. Take the recent spate of surveillance suits taken to Europe, for instance. Having failed to take the UK government to task over the mass surveillance of its own citizens here in the UK, Amnesty International and nine other human rights organisations are currently bringing the case in Europe.

Earlier this year David Davis and Labour’s deputy leader Tom Watson brought a case against the UK government to the European Court of Justice (ECJ): it argued that the Data Retention and Investigatory Powers Act of 2014 - which was rushed through Parliament as an emergency measure to validate UK mass surveillance powers in the face of contradictory rulings made by European courts - should be reversed. In July, the ECJ found that retaining data from phone calls and emails could only be legal if UK law enforcement uses that data to fight serious crime. Cases like these will presumably be shelved.

The so-called 'Snoopers Charter' - which has been blasted by human rights groups internet companies, and the UN’s own privacy chief - is designed to be a more permanent update to the Data Retention and Investigatory Powers Act.

However, the UK’s removal from Europe’s privacy protections could still have an impact as the law is alread drafted.

Wired
 

« Hackers Target Election Systems in 20 US States
Hacking The Vote: Russia Wins, America Loses »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Seclore

Seclore

Seclore is the most advanced, secure, and automated Enterprise Digital Rights Management (EDRM) solution available.

Software Testing News

Software Testing News

Software Testing News provides the latest news in the industry; from the most up-to-date reports in web security to the latest testing tool that can help you perform better.

LEXFO

LEXFO

LEXFO specializes in the security of information systems, assisting clients in protecting information assets using an offensive and innovative approach.

Digital Infrastructure Association (DINL)

Digital Infrastructure Association (DINL)

DINL is the leading representative for companies and organisations which are active within the Dutch digital infrastructure sector.

Secure-NOK

Secure-NOK

Secure-NOK provides products and solutions that detect and remove security attacks and harmful events in industrial networks and control systems.

Futurex

Futurex

Futurex is a globally recognized provider of enterprise-class data encryption solutions.

SysTools

SysTools

SysTools provides a range of services including data recovery, digital forensics, and cloud backup solutions.

ISA Security Compliance Institute (ISCI)

ISA Security Compliance Institute (ISCI)

ISCI, a not-for-profit automation controls industry consortium, manages the ISASecure™ conformance certification program for industrial automation and control systems.

N8 Identity

N8 Identity

N8 Identity helps organizations realize the vision of Autonomous Identity Governance™ with AI-driven Identity solutions.

Internet Security Research Group (ISRG)

Internet Security Research Group (ISRG)

ISRG's mission is to reduce financial, technological, and educational barriers to secure communication over the Internet.

Binare

Binare

Binare empowers companies all over the world to improve their IIot/IoT /Embedded cybersecurity posture and digital privacy.

NANO Corp

NANO Corp

At NANO Corp, we keep your network visible, understandable, operational and secure with state-of-the-art technology.

FTx Identity

FTx Identity

FTx Identity is the world's most advanced age verification technology (AVT) and identity management system.

Incode

Incode

Incode is the leading provider of world-class identity solutions that is reinventing the way humans authenticate and verify their identities online.

Simpson Associates

Simpson Associates

Simpson Associates is a Data Transformation and managed services provider that helps organisations gain valuable insights from their data and make better-informed decisions.

Trofi Security

Trofi Security

Trofi Security provides Information Technology and Information Security services to organizations in both the public and private sectors.