Last week, the Irish High Court made a judgement on transatlantic data flows that could have far reaching implications for US tech firms and point the way towards economic disaster for the UK.
Yes, it might not have received much coverage at the time, but the court’s decision was a biggie.
It asked the European Union Court of Justice (CJEU) to scrutinise the mechanism by which Facebook and many other firms transfer data: standard contractual clauses (SCCs).
Why? Because Austrian law student Max Schrems is still not happy that his personal data could theoretically be snooped on by the US authorities whilst residing in Facebook datacentres over there. His previous battle with Facebook over this issue led to the collapse of the Safe Harbour agreement between the EU and US.
Its replacement, Privacy Shield, is the other main legal mechanism – aside from SCCs – that govern data transfers outside the US.
“In simple terms, US law requires Facebook to help the NSA with mass surveillance and EU law prohibits just that,” Schrems said in a written statement following the court’s decision. “As Facebook is subject to both jurisdictions, they got themselves in a legal dilemma that they cannot possibly solve in the long run.”
Emily Taylor, CEO of Oxford Innovation Labs and Chatham House associate fellow, took time out to discuss the issue with me.
“The reference to the CJEU is no surprise, and the fact that the US government applied to be joined as party shows how high the stakes are on all sides – for governments, for big data platforms like Facebook, and for individuals,” she told me.
“The case shows that the Snowden revelations continue to reverberate on both sides of the Atlantic. The CJEU has taken a consistently hard line against mass data collection and retention, and increasingly relies on the EU Charter of Fundamental Rights. The Charter allows for ‘more extensive protection’ of fundamental rights such as privacy, compared with the more familiar European Convention.”
That spells some uncertain times ahead for Silicon Valley, especially with Privacy Shield also facing an uncertain future.
That’s not all though. The case tells us much about what may happen to post-Brexit Britain.
Our digital economy is worth around £160bn and responsible for over 1.5m jobs, by some estimates. That makes it a vital part of the economy, and means unhindered data transfers with the EU – our biggest trading partner and the largest trading bloc in the world – are absolutely essential.
So how do we square the EU’s requirements around strong privacy protections for citizens, with the round hole of the UK’s brand spanking new Investigatory Powers Act? Also known as the Snoopers’ Charter, the new law has given the UK authorities probably more power than any country on earth – save for China and North Korea – to snoop on their own citizens.
“It is difficult to see how the UK’s mass data collection requirements under the Investigatory Powers Act could satisfy the EU Charter and this could have a severe impact on EU-UK data flows, potentially damaging UK business interests post-Brexit,” Taylor concluded.
That should be getting people in all sorts of high places very nervous indeed.
Europe’s new data protection laws might have been over a decade in the making but it would take about as long again to read every piece of advice that’s since been produced on how to comply. In search of some simple answers to a typically complex piece of European legislation, I asked a few legal experts on their thoughts.
With 13 months to go before the compliance deadline, organisations across the country will be scrabbling to ensure they’re not one of the unlucky ones caught out in the months following 25 May.
Start with the Data
Most experts I spoke to were in agreement that firms need to start by mapping their data – after all, you’ve got to know where it is and what you do with it first before working out how to keep it safe.
“For those that are compliant with existing laws, GDPR is going to be an evolution. For the others, it’s going to be a deep, radical change. In general, I think that every organisation should be working on assessing their current practices in light of GDPR,” Forrester analyst Enza Iannopollo told me.
“My advice is, regardless of the kind of support an organisation chooses, it must put together a team of internal people – hopefully the privacy team – and make sure that that team leads the work. Compliance with GDPR is not a one-off effort, but an ongoing process that has to be ingrained in firms’ business model,” she said.
Change the culture
That cultural change might be the hardest thing for organisations to achieve, although a good start is hiring a Data Protection Officer (DPO) – one of the key requirements of the GDPR. Another is the privacy impact assessment, which PwC’s US privacy lead, Jay Cline, recommends as a key stage once you’ve completed a data inventory.
“Data protection impact assessments (DPIAs) are the eyes and ears of the privacy office throughout the company,” he told me by email. “DPIAs are how chief privacy officers enlist the help of the whole company to keep their privacy controls current with all the change going on in the company.”
For Alexandra Leonidou, Senior Associate at Foot Anstey, there’ll be a key role for non-IT functions inside the organisation.
“Who needs to know about the GDPR? Who are the key stakeholders? This isn’t just something for IT, information security teams or data officers. Boards should be aware of the risks, and HR teams need to think about employee data. Getting GDPR compliance right will be critical for marketing and communications teams’ activity,” she told me.
“You will need to engage key stakeholders and implement measures that leave you with an acceptable level of commercial risk.”
Leonidou was also keen to stress the need for independence in the DPO role.
“Guidance from Europe suggests that this role is likely to be incompatible with certain existing C-suite executives,” she explained. “The awareness-raising that follows on from the allocation of accountability will be an ongoing process.”
For those still in the dark, some useful free resources include the Article 29 Working Party and our very own Information Commissioner’s Office. It’s also expected that even post-May 25, the regulators will give firms a little bedding in time before they start going after some high profile offenders.
All over Europe organisations of all sizes are currently scrabbling desperately to get their house in order for 25 May 2018. What happens then? Only the biggest shake-up to Europe’s data protection laws in nearly a generation. The implications are immense, both in terms of the scope of the new regulation and the companies who will now be held liable.
There’s just one problem. The UK’s Snoopers’ Charter, or Investigatory Powers Act. Its enshrining into law of mass surveillance powers could create major problems down the line, possibly putting UK firms at a competitive disadvantage precisely at a time when they need the digital economy most.
What’s the problem?
Let’s start at the beginning. UK firms will have to comply with GDPR, even with Brexit looming. That’s because the extrication of the country from the EU will take at least two years from whenever Article 50 is triggered – presumably in March – and probably much, much longer. And even beyond that, the UK government has said in its Brexit white paper:
“The European Commission is able to recognise data protection standards in third countries as being essentially equivalent to those in the EU, meaning that EU companies are able to transfer data to those countries freely.
As we leave the EU, we will seek to maintain the stability of data transfer between EU Member States and the UK.”
This implies that the UK will broadly speaking harmonise its laws with the GDPR. But the bulk data collection powers granted by the IPA mean the regime is certainly not equivocal to that in Europe. Emily Taylor, CEO of Oxford Innovation Labs and associate fellow of Chatham House, told me that the European Court of Justice (CJEU) shows no signs on shifting its stance on bulk data collection – having recently ruled against the forerunner to the Snoopers’ Charter, DRIPA.
“Other elements of the judgment are likely to cause problems with the Investigatory Powers Act: the CJEU says that targeted data retention may be allowable, but must be restricted solely to fighting serious crime; warrants must be signed off by a court, not a minister; and the data concerned must be retained within the EU. All these will potentially conflict with core elements of the IP Act,” she told me.
If its kept as is, the Act could therefore impact the legality of data transfers between Europe and a newly independent UK, which will be bad news for most firms reliant on a thriving digital economy.
“The impact of conflicts between the GDPR and our Investigatory Powers Act may be to hamper the competitiveness of UK tech, particularly as the GDPR seeks to protect EU citizens’ data wherever it will be processed,” she argued.
Not great for America
This is a hot button issue for Europe In fact it’s the reason why data transfers to the US were put under threat after Safe Harbour was torn down because of fears of US authorities snooping on Europeans’ data. Despite a new agreement – Privacy Shield – being put in place, there could still be bumps in the road ahead.
“Transatlantic data flows will not be legal unless there is a robust framework in place to offer EU citizens’ data equivalent protection to what is enjoyed in the EU,” said Taylor.
“President Trump’s ‘America First’ policy is likely to renew tensions over Privacy Shield – a shaky compromise which was hurriedly reached following the CJEU’s obliteration of its predecessor ‘Safe Harbour’.”
KPMG’s globa privacy advisory lead, Mark Thompson, told me that firms outside of Europe that need to comply with the GDPR are better off keeping data on European citizens inside the EU so as not to fall foul of any changes to data transfer agreements.
“Despite the USA and EU having some cultural alignment, there is potential for significant culture clash between the EU’s view of a fundamental human right to privacy and the US view on what constitutes privacy, which is significantly different,” he added.
We’ll have to wait a while to see what the fallout of all this is. But with the UK government unlikely to countenance any changes to the IPA, there could be some potentially bad news for the country’s digital economy in the next few years if nothing changes.
It’s hard to find an optimist in the cyber security industry in these post-referendum days. I spoke to a fair few for an upcoming feature for Infosecurity Magazine and the consensus seems to be that a Brexit will be bad for staffing, the digital economy and the financial stability of UK-based security vendors.
That’s not even to mention the legal and compliance implications. Chatham House associate fellow, Emily Taylor, recommended firms continue on the road to compliance with the European General Data Protection Regulation. Aside from the fact that any firms with EU customers will still need to comply with the far-reaching law, she reckons that if we want to protect the free flow of digital information between the EU and UK, we’ll need to continue following European laws in this area.
Snoopers gonna snoop
However, a Brexit would cause other problems, notably in that the current Snooper’s Charter looks like it will enshrine in legislation the principle of bulk surveillance – the very thing which effectively led to the scrapping of the Safe Harbour agreement between the US and EU. If this bill goes through as is and we go out of Europe but stay in the single market, we’ll have to change that bit, Taylor told me.
“A case brought by David Davis and Tom Watson questioning the legality of bulk surveillance powers under the old DRIPA laws is currently being considered by the CJEU,” she explained.
“It’s not clear which way the CJEU will go on this, because many member states have lined up to support the British approach. However, if CJEU follows its recent decisions, it could strike down bulk data collection. If we wanted to stay in the single market, we’d have to amend our IP Bill in response.”
Even if we broke away from Europe completely and adopted the status of a “third country” like the US, we’d still have to adopt measures “to give equivalent protection to EU citizens’ data as they enjoy within the EU,” she argued. And bulk surveillance would certainly be a no-no in this scenario.
The uncertainty – which could continue potentially for years while Brexit deals are worked out – is also viewed by many as damaging to the cyber security industry, and tech in general. Immigration lawyer and partner at MediVisas, Victoria Sharkey, claimed firms may be unwilling to employ skilled workers if there’s a chance they might have to leave in a couple of years’ time.
“This is certainly going to be the case where significant training and investment is involved,” she added.
In fact, EU nationals are apparently already packing their bags.
“I am already seeing EU nationals who have been here for years make plans to leave and either go home or go to another EU country. They are worried for their jobs, are worried that they will be told to leave and so would rather leave on their own terms, and they are also being made to feel unwelcome,” Sharkey continued.
“I feel that when we do leave that it is going to become significantly harder for UK employers to encourage the best in their industry to come and work in the UK.”
This, for an industry which has always struggled with skills gaps and shortages, is potentially catastrophic.
Can we overcome?
Philip Letts, CEO of global enterprise services platform blur Group, has run businesses in Silicon Valley and the UK. He also pointed out the potential damage that political and financial uncertainty could have on the industry.
“The politicians are in unchartered territory. We don’t yet have a clear timetable for the triggering of Article 50, nor the trade deals that are going to have to be negotiated. There is a political vacuum. Business confidence is low and many will hunker down, try to avoid risk and wait for this to play out,” he told me.
“Globally, the US tech heavyweights will want to remain in the UK and the EU, and they will do both, operating across different European centres. But the EU market is more lucrative than the UK, so things may shift over time.”
So is the tech and cyber security sector really doomed? Not so, according to KPMG UK head of technology, Tudor Aw.
“I believe the resilient UK tech sector can withstand the challenges of Brexit and thrive,” he told me.
“Technology is increasingly a key sector that underpins all other sectors – whether it be back office systems or strategic enablers such as IoT and data analytics. Companies will need to invest in technology to drive efficiencies and strategic growth – one only has to look at developments across a diverse range of sectors such as healthcare, automotive, property, retail and the military to see that technology spend will only increase regardless of Brexit.”
It’s a moot point now, but I wonder how much better it could have thrived had we not voted out on 23 June.