Brexit and data
The potential exit of Britain from the European Union, or ‘Brexit’ as it has been dubbed, has been examined from various angles, mostly political and economic.
From the tech side of things, trade deals and individual negotiations have been looked at, in light of various parameters, from exchange rates to tariffs and the overall difficulty of doing business.
However, as we look across the small pond to the inner island, another area that demands examination, particularly for its potential to affect Ireland, is how a Britain outside of the EU will fare when it comes to data.
“The interplay between EU Privacy Shield and the Investigatory Powers Bill could be devastating for UK digital industries,” Emily Taylor, Chatham House
Currently, Britain and Ireland compete on a fairly regular basis for data centres and the ecosystems that reside upon them, and we have done quite well on that front.
But what would happen to the kind of mass data gathering and processing that characterises so many current services, if Brexit were to occur?
First of all, Britain would come under the regulation of Privacy Shield, the Safe Harbour replacement that came in when the latter was successfully struck down largely as a result of the actions taken by the enterprising law student Max Schrems.
However, as Emily Taylor, associate fellow, international security, Chatham House, the Royal Institute of International Affairs, writes, “privacy advocates have derided Privacy Shield as gutless, but weak as it may be, the draft adequacy decision goes out of its way to emphasise how limited bulk data collection will be.”
Taylor mentions this because after the bulk retention laws for comms companies were struck down at European level, the UK instituted the Investigatory Powers Bill, which essentially brought back in the bulk retention requirement.
Taylor goes on to say the “interplay of between these two (EU Privacy Shield and the Investigatory Powers Bill) could be devastating for UK digital industries.”
This is because the UK laws allowing bulk collection and retention go against the GDPR regulations which emphasise that bulk collections should be “limited to (exceptional) situations where targeted collection is not possible”.
Taylor says the “document repeatedly states that targeted collection will be preferred over bulk, and that collection will be ‘narrowly focused’ relating to ‘individually identified legitimate targets’”.
The potential impact for the likes of social media, mass marketing, or indeed any online service that is free where the user data (identity and behaviour) is the real commodity, is huge.
It would mean that the current difficulties being experienced by American technology, travel, communications and other service companies, in dealing with Privacy Shield and GDPR would be experienced by the UK too. So from a foreign direct investment (FDI) perspective, why would anyone want to have to deal with a double layer of such bureaucracy if handling EU citizen data?
And the fact is that this would be the case, even for data that does not necessarily reside in the EU, or in Britain.
Chiara Rustici, an independent data protection consultant writing for ComputerWeekly.com, said “if your colleagues who do most of the data collection don’t appreciate it’s who the data is about, not where the data lives that matters for the GDPR, you may end up spending a lot of your cyber security budget to defend data that should not have been collected.”
Her point being that even if you are not in the EU physically, but are processing the data of, or that can identify, EU citizens, then you are subject to GDPR. A point, which Rustici says, blows out of the water an argument made by the leave campaigners that Brexit would reduce EU red tape. Both Taylor and Rustici ably show, that is not the case.
Furthermore, Steve Peers, professor of Law, University of Essex, writing for The Conversation, said “If Britain leaves the EU it will find it must still comply with European Union laws governing personal data handling and privacy anyway, and any British laws or treaties with the EU that don’t will inevitably be challenged.”
“Conflicts between British and European law will not be easily solved, because EU court rulings are based on the EU Charter of Fundamental Rights which takes precedence over ordinary laws and treaties even with non-EU countries – and is much harder to amend”.
Peers writes in the context of a case brought by the Conservative MP David Davis and Labour deputy Leader Tom Watson that seeks to challenge electronic surveillance legislation which was rushed through parliament in 2014, the Data Regulation and Investigatory Powers Act 2014. This is the bulk gathering and retention capabilities mentioned above, restored after the European court struck down the bulk retention laws previously.
Peers says that the Davis Watson judgement will not be made before the referendum, but that it might lead to challenges that will make a post-exit Britain’s stance on data even more uncertain.
The Schrems case, argues Peers, reinforces that even non-EU countries’ data protection laws must be “essentially equivalent” to European law before simplified transfers of personal data between the countries are allowed. He says that this affects both digital businesses and the transfer of policing and security data.
“While the EU and US recently agreed on a Safe Harbour replacement known as Privacy Shield, this too will likely face a legal challenge as soon as it’s adopted. In fact, the transfer of police data between the EU and Canada is already being challenged.”
“The upshot is that if the Britain chooses Brexit,” warns Peers, “the ruling in the Davis and Watson case will effectively establish a non-negotiable demand by the EU regarding data protection and privacy leaving the UK government with an unavoidable choice: either apply EU restraints on mass surveillance of UK citizens, and so lose the British sovereignty that Brexit supporters are campaigning for. Or abandon the framework that allows the simplified transfer of data between police services and digital industries between an independent UK and the rest of the European Union – with the economic and security pitfalls that would bring.”
Uncertainty and opportunity
The upshot of all this, from an Irish perspective, is that major technology and communications companies might find Ireland a far more attractive prospect for the operation of data centres to underpin globally available services to the modern consumer and business markets, where data protection, sovereignty and residence are of critical importance.
The Facebooks, Amazons, Microsofts, LinkedIns and Twitters et al, may see in the immediate post-exit world, that data in Britain is simply to vexed a situation to bother tackling. In which case, the neighbouring island, with all of its other advantages, becomes the de facto destination. Or, Britain remains and we compete on a level field as we have done previously, and in which we fared not too bad.