Brexit: What's Next for Privacy, Policing, Surveillance?

Legislation , Privacy

As Britain Exits EU, the Legal Changes Will Be Immense Brexit: What's Next for Privacy, Policing, Surveillance?

A majority of the voters in Britain on June 23 voted for their country to no longer be a part of the European Union. What happens next, and what will be the implications for privacy, policing, security and related matters?

See Also: How to Mitigate Credential Theft by Securing Active Directory

"The legal and constitutional implications of the Brexit vote cannot easily be exaggerated," says Mark Elliott, a professor of public law at the University of Cambridge, in a blog post.

As with all fresh political changes, related details have been arriving on an almost minute-by-minute basis. After the results were announced - 52 percent voting to leave the EU, 48 percent voting to stay - Prime Minister David Cameron announced that he will resign by October, and Scottish First Minister Nicola Sturgeon said that a new referendum on independence for Scotland - almost two-thirds of the country voted to remain in the EU in 2014 - is "highly likely."

Leaving the EU will require Britain to rewrite many of its laws, likely including rules relating to privacy, and Brexit is "very likely to lead to a significant reduction on cooperation in criminal and policing matters between the U.K. and the EU," says Steve Peers, a professor of law at the University of Essex who specializes in European Union law and human rights law, in a blog post (see Brexit Referendum: 5 Cybersecurity Implications).

Peers says that it's likely - but not certain - that the U.K. would comply in full with the new EU General Data Protection Regulation that goes into effect in May 2018, and which applies to any business in the world that has EU-based customers (see Mandatory Breach Notifications: Europe's Countdown Begins).

Time Until Separation: At Least Two Years

But it will likely be at least two years before Britain withdraws from the EU, officials say. "Legally and constitutionally, nothing has changed yet," Elliot says. That's because Britain's most likely exit is under Article 50 of the Treaty on European Union, which states that "any Member State may decide to withdraw from the Union in accordance with its own constitutional requirements." Once it gives notice, the withdrawal occurs two years later, Elliott says, noting that there can be two exceptions: a member state may negotiate an earlier withdrawal, or can vote to postpone the separation date.

Until then, "as a matter of international law, the U.K. as a state continues to be subject to its obligations under the EU treaties, and that, under the 1972 Act, EU law remains applicable in the U.K. and has priority over U.K. law," Elliot says.

Britain has yet to give any Article 50 notice, although politically speaking it will likely happen sooner than later, experts say. Indeed, Jean-Claude Juncker, the Luxembourgish politician who is currently President of the European Commission - the EU's executive branch - has reportedly called for Article 50 to be triggered "as soon as possible."

.@JunckerEU "The British people have expressed their wish to leave. We regret this decision but respect it" #EURef pic.twitter.com/zAMN7LCKQw

Before the deadline triggered by Article 50 notice occurs - again, two years later - Britain will have to rewrite many of its laws. "It is no exaggeration to say that the process of disentangling EU and domestic law will be a Herculean effort that will occupy lawmakers for a considerable amount of time to come, and will have to be undertaken carefully and thoughtfully," Elliott says.

U.K. Will Face Extradition, Prosecution Challenges

What will be the relationship between the U.K. and the EU going forward? "The most attractive option is, for at least a temporary period, for the U.K. to continue with the 'Norway option', which means continuing to remain part of the European Economic Area (EEA), the association agreement between the EU, Norway, Iceland and Liechtenstein," Peers says.

"EEA membership would leave the U.K. free to sign its own trade deals with other countries," he says. "The EEA doesn't cover foreign policy or criminal law or policing issues, although the UK could seek to negotiate a separate deal with the EU on those issues."

But as Peers notes in a separate blog post, EEA membership wouldn't include the right to access some other EU judiciary tools to which the U.K. currently has access. In particular, it wouldn't be able to use European Arrest Warrants, which are "a fast-track extradition system," and many EU members states haven't ratified various crime-related treaties that get enforced between EU member states, Peers says, meaning it could be harder for the U.K. to prosecute some foreign suspects.

But at least some level of law enforcement intelligence sharing should continue to flow, says Dublin-based information security consultant Brian Honan, who's a cybersecurity adviser to the EU's law enforcement intelligence agency Europol. "With relation to international cooperation against cybercrime, the close working relationships between law enforcement within the U.K. and the EU should continue to work, however there may be implications under the EU data protection regime with regards to the sharing of certain intelligence between both parties," he says. "It is too early to determine what the impact of the Brexit will be but hopefully cybersecurity and data protection are topics that will be dealt with by both sides with the importance and gravity they deserve."

Mass Surveillance Questions

To enable U.K. businesses to work with European consumers, the U.K. government will also have to prove that its existing mass-surveillance practices don't infringe on the human rights of EU residents. In the wake of the Brexit vote, some civil-rights-focused members of the European Parliament have already indicated that they will not allow the U.K.'s surveillance practices to escape scrutiny, as the country attempts to negotiate new treaties or trade agreements with the EU.

The perils of failing to comply with EU law, or reign in surveillance practices that some see as being excessive, have been highlighted by privacy rights campaigner Max Schrems, who pointed to documents leaked by former NSA contractor Edward Snowden, which suggested that Europeans' private information was being shared with U.S. intelligence agencies. The result was the EU's highest court throwing out the U.S.-EU Safe Harbor data-sharing agreement (see EU Court Invalidates U.S.-EU Data Sharing Agreement). Efforts to negotiate a substitute remain unresolved (see 'Privacy Shield' to Replace Safe Harbor).

Of course, Snowden revelations implicated not just the NSA in mass surveillance practices, but also the U.K.'s GCHQ intelligence agency (see UK's Snowden Response: Surveillance Debate).

And Parliament has continued to debate a revised Investigatory Powers Bill - derided as a "Snooper's Charter" by critics - that at least in draft form doesn't contain safeguards that would likely meet the EU's "adequacy" requirement, according to TJ McIntyre, who teaches law at University College Dublin in Ireland, and who is chairman of rights group Digital Rights Ireland.

"U.K. surveillance laws would not meet this standard - not now, and not after the IPBill," McIntyre says via Twitter.

As that suggests, if Britain wants to continue to do business with the EU, many surveillance and privacy-related changes - made to comply with EU law - may be required.

"From a legal [and] human rights perspective, this will be a huge dilemma faced by the new U.K. [government]," Eduardo Ustaran, a partner in the global privacy and cybersecurity practice at law firm Hogan Lovells, says via Twitter.