On June the 23rd an unprecedented event took place in the United Kingdom. After many months of intense campaigning by both sides of the EU debate, the populace of Britain voted in a referendum to leave the EU. The shock waves reached across the globe when the result came in. Many had predicted that the UK would fall apart if it were to vote ‘leave’. Some, like the then Prime Minister, David Cameron, even said that war would break out. Six weeks on and the world is still turning, but one question that arises from the aftermath is about privacy; with the EU having a very strong privacy ethos, where does that leave the now departing United Kingdom?
A Brief History of EU Privacy
The European Union was established in 1993 out of the Maastricht Treaty. By 1995 they had adopted their now infamous data privacy directive, Directive 95/46/EC. This privacy framework was one of the first of its kind in the world to deal in a comprehensive way with the issues of privacy of citizen data. This being especially true if using or exchanging data across country boundaries. The directive was an extension of Article 8 of the European Convention on Human Rights, which specifically deals with the privacy issues of everyday life, family, and correspondence. The EU privacy directive has further extensions to cover areas such as privacy in the communications sector, in the form of the e-Privacy Directive. Directive 95/46/EC has also, very recently, been updated to the General Data Protection Regulation (GDPR).
In 2000, the Safe Harbor agreement was established. This agreement ensured that any data collected and transferred between the EU and other countries, including the USA, would have certain protections and restrictions applied. This included consent to gather, share and transmit data, as well as ensuring data security and integrity.
Events up to 2015, including the Snowden revelations, and the Schrems vs. Facebook case, both of which highlighted privacy violations by U.S. government departments and companies, resulted in the Safe Harbor agreement being invalidated by the EU. Safe Harbor has since been replaced by the Privacy Shield agreement. The agreement announced on July 12, 2016, basically states that any EU citizen with data stored in the U.S. MUST have the same protection as afforded by the EU privacy directive. Crucially, post-Snowden, the agreement states that,
“The U.S. has ruled out indiscriminate mass surveillance on personal data transferred to the US under the EU-U.S. Privacy Shield arrangement”.
What is the UK Policy on Privacy?
Now that the UK has decided to leave the EU it needs to stand alone in terms of how it handles privacy, and ultimately data security. There is no precedent in terms of inheriting the EU’s privacy directive. However, the UK has its own privacy and data security custodian’s in the shape of the Information Commissioner's Office (ICO). The ICO’s role is to cover a series of legislations covering the area of information rights and control. This includes privacy and electronic communication regulations, as well as managing the UK’s Data Protection Act (DPA). The day after the referendum results, the ICO put out a statement which said that the DPA would continue to be the overriding law on data security, but that the UK would need to essentially mirror the EU privacy directive to be able to continue to trade with other countries and protect their own, and other citizens. In the ICO’s annual report, released a week after the referendum result, the UK Information Commissioner stated that:
“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”
A Brexit from Privacy or Will the UK Remain Privacy Enhanced?
The UK has some of the best data protection laws in the world. The DPA covers a wide spectrum of data protection and includes principles of operation around data handling such as how long data can be held, usage restrictions, security of data, data minimization, and that data is not transferable outside of the EU without adequate protection. Importantly, the latter principle is a nascent form of the Privacy Shield agreement which has the potential to be expanded to become the UK’s version of that agreement.
Going back to the e-Privacy Directive. There has been an opinion expressed by the Article 29 working party around the need for the e-Privacy Directive to be substantially updated to incorporate changes in the digital marketplace. The fact this expression has been made, shows that the EU is still improving its approach to data privacy. Certainly the UK could benefit from the hard work done by the EU in this regards. However, the UK could and should also take steerage from this, if the country has to develop its own version of the e-Privacy Directive.
One of the progressive areas the UK government are working on is in the area of privacy enhanced online identity schemes for UK citizens. They have recently taken the beta version of their ‘Verify’ identity program out into production. This scheme, which uses commercial identity providers (IdPs) has had privacy as a core principle in the design since the outset. The system uses a central ‘hub’ to ensure that the identities issued to citizens by the commercial IdPs, cannot be tracked when used across government services.
The departure of the UK from the EU will take at least a minimum of 2 years after Article 50 of the Lisbon Treaty is invoked by the UK Government. This is yet to happen. Until then, the EU is still covered by the EU privacy directive / GDPR. During that time, the UK will need to address their own privacy laws to ensure that the gains made by the EU privacy laws are retained. This needs to include the development of a Privacy Shield agreement equivalent so that the UK can continue to trade freely and with privacy as a core consideration.