Post-Brexit U.K.’s surveillance practices could spell big problems for business
In the surveillance world, the United Kingdom is kind of a big deal.
A key member of the “Five Eyes” spy club that also includes the U.S., Canada, Australia and New Zealand, the U.K.’s importance stems partly from its history and partly from geography—it has long been a major hub for undersea cables, giving it a good vantage point for monitoring the world’s communications. Across the Channel, European courts have also repeatedly ruled that British surveillance laws, governing the monitoring of the country’s own citizens, breach privacy rights.
Thanks to Brexit, this situation could soon become a major problem for British businesses that handle the data of European customers and staff—in the worst-case scenario, they may be unable to legally continue doing so after this year.
That’s because of a peculiarity in the way the EU treats the surveillance behavior of its member states. It’s not like other European countries don’t also spy on their citizens and share intelligence with the U.S.—National Security Agency whistleblower Edward Snowden testified in 2014 that the NSA had a network of deals throughout the bloc. But these activities fall under the category of national security, which is one of the few areas where the EU cannot dictate policy to its members.
Step outside the circle, however, and the situation changes drastically.
Under EU law, the personal data of Europeans cannot be freely sent to a country outside the bloc unless the European Commission has formally decided the country has privacy laws that will adequately protect those people’s rights. The Commission has only granted this “adequacy” status to a dozen countries, including Argentina, Canada, Israel, Japan, and New Zealand—the U.S. doesn’t have it, which is why companies there have to sign up to a special register if they want to easily handle Europeans’ data.
During the Brexit transition period that runs through this year, the U.K. will effectively still be treated like an EU member state—there cannot legally be any obstruction to the flow of data between it and the remaining EU countries. But when the transition period runs out, the U.K. will need to have an adequacy decision in place so that its companies can keep processing customer and employee personal data that originates from the EU.
On Monday, British Prime Minister Boris Johnson told members of Parliament that an adequacy decision would be “self-evidently in the interest of both sides” and the Commission’s decision-making process should be “technical and confirmatory of the reality that the U.K. will be operating exactly the same regulatory frameworks as the EU at the point of exit.”
It is indeed true that the U.K.’s data protection rules are currently aligned with the EU’s tough General Data Protection Regulation (GDPR), because they are just a national implementation of that law. But the adequacy decision-making process won’t be quite so simple, says Johannes Caspar, the head of the data protection authority in Hamburg, Germany.
“The crucial point will be the U.K.’s surveillance activities and their participation in the ‘Five Eyes’ network,” Caspar—who along with other EU privacy regulators will advise the Commission on its decision—tells Fortune. “If the U.K. continues its large-scaled surveillance practice, I have serious doubts whether the Commission can adopt an adequacy decision.”
Hurdles to jump
In 2016, the EU’s highest court—the Court of Justice of the European Union (CJEU)—ruled that the U.K.’s mass surveillance practices were illegal under EU law. Specifically, people’s rights to privacy and data protection were being violated by the general and indiscriminate retention of their electronic communications data. Surveillance is allowed, the court said, but only when fighting serious crime; the U.K. was doing it to everyone.
That ruling involved a law that was superseded by the U.K.’s Investigatory Powers Act. The newer law, popularly known as the “Snooper’s Charter,” is also now being challenged at the CJEU over its mass-surveillance measures. The court has bundled the case with French and Belgian challenges to those countries’ surveillance laws, as the issues are similar.
The court’s top advisor, advocate-general Manuel Campos Sánchez-Bordona, recommended last month that the CJEU should again rule that general, indiscriminate data retention is not permissible. The court does not have to follow his recommendation, but it usually does, so the U.K. could be about to find itself in trouble again.
The EU’s privacy regulators will be looking out for the ruling in this case as they decide on the U.K. adequacy question, says Wojciech Wiewiórowski, the European data protection supervisor, who will also be advising the Commission on its decision.
Of course, the court’s jurisdiction over the U.K. will expire at the end of the Brexit transition period, when the U.K. fully disentangles itself from the EU club. But breaking EU privacy law is not a great look when trying to get a data-protection adequacy agreement.
“An adequacy assessment of a third country means looking at the reality of what the third country is doing,” says Graham Smith, a prominent Internet lawyer at Bird & Bird’s London office.
Apart from the U.K.’s mass surveillance practices and its sharing of intelligence data with the U.S. and other Five Eyes members, another potential hurdle lies in an exemption the country adopted when implementing the EU’s GDPR law in its own Data Protection Act of 2018.
The exemption is for immigration data—essentially, foreigners in the U.K. cannot exercise their GDPR-guaranteed rights, such as the ability to request copies of their personal data or ask for it to be deleted, if the data could be used for “effective immigration control.” This isn’t just potentially in conflict with EU law; it’s also a political problem for the U.K., given that it would apply to many constituents of the EU lawmakers that get to weigh in on the adequacy decision.
“Even if the Commission doesn’t find it fully problematic at first, they may raise issues later,” says Javier Ruiz, policy director at the Open Rights Group, a London-based digital rights organization that campaigned unsuccessfully against the exemption.
In reality, the political pressure on the Commission to grant the U.K. an adequacy decision will be enormous—without it, companies would need to set up complex and expensive legal mechanisms to keep sending data from the EU to the U.K.
“There will be a lot of pressure not to disrupt economic relations,” says Ruiz, who also pointed out that other EU countries may be less than keen on having a big debate about mass surveillance, given their own use of such tactics.
Even if the Commission cannot bring itself to grant the U.K. a full adequacy decision, it could opt instead for a deal like that between the U.S. and the EU.
The U.S. does not have “adequate” privacy laws, largely because of the powers of its intelligence services. But because its tech companies are so important, in 2000 the two sides struck a pact called Safe Harbor. This set up a register that U.S. firms could sign to say that, even if their country didn’t stick to EU-grade privacy rules, they would.
Then came Snowden, whose 2013 revelations prompted Austrian privacy activist Max Schrems to challenge Safe Harbor at the CJEU—Schrems said the deal did not protect his Facebook data from surveillance in the U.S. Two years later, the court invalidated the agreement with immediate effect, sending the Obama administration and the European Commission scrambling to come up with a new and improved version, which is called Privacy Shield.
As Caspar points out, this case was crucial to the current question of U.K. adequacy, because the court highlighted the relevance of intelligence services’ data access when judging adequacy. “The court noticed serious problems where [U.S.] authorities were able to access and process data beyond what was strictly necessary and proportionate to the protection of national security,” he says.
“Ultimately, if the choice comes down to changing the U.K.’s surveillance laws to accommodate the EU, or not getting an adequacy decision, the [U.K.] government would be faced with a difficult choice,” says Smith. “But it is perhaps more likely that some kind of pragmatic solution would be found, as it was with the U.S. Privacy Shield.”
But the CJEU is this year set to issue judgements in two cases that challenge the basis of Privacy Shield—that Europeans’ data can be safe on American soil. The shaky agreement’s second iteration may meet the fate of the first, as might the aforementioned complex legal mechanisms (so-called “model clauses” and “binding contractual rules”) that are companies’ fallback if Privacy Shield falls.
And therein may lie an indication of the U.K.’s future difficulty—privacy activists in the mold of Max Schrems, who are willing to challenge deals that they say don’t adequately protect their rights.
“Even if the European Commission agrees to give adequacy, it’s very likely that the decision will be challenged in courts in the same way Safe Harbor and Privacy Shield have been,” says Ruiz. “That is where the trouble starts, as courts are not allowed to make political calculations to the same degree as the Commission.”