Whilst the majority of media attention on the internet today focuses on cyber attacks on, and privacy leaks from, organisations ranging from Tesco Bank to Ashley Madison, less attention is paid to the more mundane transfer of millions of pieces of personal data that happens daily. These exchanges are regulated by the EU; however, the dilemma of security and privacy abounds.
Yet in this area, the events of 2016 raise some challenging questions for the UK.
In June the main rallying cry of Brexit was the ability to take back control, but the extent to which the UK will be able to ignore the EU on digital issues is less clear cut than Nigel and Boris would have hoped.
In fact, the Information Commissioner's Office, which protects information sharing for the UK, has warned that many EU laws will continue to influence the UK approach, even after we cease to be a member.
There are three pieces of EU legislation that will continue to stick in the craw of those seeking to take back control from Brussels.
The first of these is the General Data Protection Regulation (GDPR), which, given the current Brexit strategy, will be enforced before the UK leaves the EU. The main issue for the UK is that GDPR will place greater requirements on companies to disclose hacks and cut down on the insecure transfer of personal data. The GDPR will also require specialist data privacy officers for all large firms.
Of interest to Vote Leave is the quiet announcement by the Cabinet Office, which houses the new Cyber Security Strategy, that GDPR will be adopted in 2018 and maintained once the UK leaves the EU. This suggests that on this topic at least the Government are more than happy for the EU to lead the way.
The second issue is the EU-US Privacy Shield that currently dictates how data is shared with the EU. The challenge with this legislation is less Brexit related, as it is the election of Donald Trump that could see the whole thing undone. His views on the Privacy Shield and interaction with the EU are less clear cut than his predecessor's, though the Departments of National Intelligence and of Commerce have both stated in recent days that they expect to move forward with the agreement. On the European side there are also threats to the Privacy Shield in the shape of legal cases from French and Irish civil liberties groups, aiming to dismantle the agreement, as was done with its predecessor Safe Harbour.
Should these hurdles fail to derail the Privacy Shield, the UK could find itself in a situation where US companies dictate the use of Shield protocols in the sharing of personal information.
Thirdly, there is the Network and Information Security directive, which places equal burdens on governments and businesses to protect cyber infrastructure across sectors such as transport, finance, energy and healthcare. For the public sector, major companies in the identified sectors, as well as digital service providers like search engines and digital marketplaces, will be forced to provide assurances as to their security.
There is, however, a sliver of light for the UK, as the EU’s implementation timeline for November 2019 means that the UK could have successfully concluded Brexit negotiations before the need to adopt the directive arises.
2019 will likely find the UK in a situation where being outside the EU is immediately constrictive to its digital marketplace. International companies like Google, Facebook and Microsoft may have recently announced large investment plans, but they will also find themselves in a potentially dicey position. Without EU membership the UK would be classed as a ‘Third Nation Country’, removing the easy and secure transfer of data from the US and its European data hubs.
Brexit may not maroon the UK on a digital island, but it will require the UK to agree to intricate and prescriptive regulations, and even to mirror the approach taken by the EU, which many hoped would become a thing of the past.