One of the lessons of crisis management is that you don’t make predictions during a crisis. Not to say that the recent UK vote to leave the EU (“Brexit”) is a crisis per se, but just that it is a period of uncertainty. So what impact will Brexit have on data security, privacy, governance, and international cooperation in combatting cyber-crime?
The short-term answer is, “not much.” The longer term answer is, “it depends.”
It mostly depends on what the UK and its electorate want to do in the areas of data security, security cooperation, information sharing, and even security hiring and retention.
In effect, post-Brexit, the UK has – at least to Europe – become the United States. A friendly country with its own policies and procedures for data protection and security, separate and apart from those of the EU, unbound from the security requirements, but willing to cooperate and coordinate to the extent necessary to be able to continue to do business with the continent.
Just as the United States negotiated “safe harbor” provisions with the European Community, and, when those were struck down by the European Court of Justice, replaced them with the “Privacy Shield” framework (kinda), we may see a circumstance where the UK is forced to negotiate independent data privacy and security agreements with the European Union.
This comes in the wake of entities like the Hamburg (Germany) Data Protection Supervisor fining companies for transferring data to the United States without complying with the provisions of the EU Data Privacy Directive. Post-Brexit, we can expect more enforcement actions aimed at British companies, not just from Brussels, but from other EU Data Protection Authorities throughout the continent.
Privacy and data security may be used as a barrier to information transfer or to “punish” the UK voters for Brexit, even though the Directive itself is clear that trans-border data flows are to be encouraged – as long as the receiving country has adequate privacy and security protections. As the United Kingdom moves more toward going it alone, powers on the continent may question the adequacy of those protections, and restrict data flowing into and out of the UK. But probably not.
The UK continues to have relatively strong data privacy rules, a robust Information Commissioner’s Office (ICO) and implementing legislation binding in the UK requiring data privacy and (to a lesser extent) data security. As the UK ICO noted, “[t]he [UK] Data Protection Act remains the law of the land irrespective of the referendum result.”
They also noted the need to maintain data protection standards which were consistent with and “equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”
Remember, the GDPR regulations – unlike the Data Privacy Directives they are intended to replace – require no “implementing legislation” by EU member nations. Once they go into effect on May 25, 2018, they go into effect in all EU member nations.
With the UK out of the EU, the GDPR would NOT go into effect in the UK unless Parliament passed implementing legislation. Whether they do depends on the will of the British (Northern Irish, Welsh and Scottish) peoples and the mood of the electorate toward greater integration with Europe. Similarly, the EU critical infrastructure rules as part of the Network and Information Security Directive would no longer automatically apply to the UK.
These rules, which impose security obligations on operators of essential services (in critical sectors such as energy, transport, health and finance) and on digital service providers (online marketplaces, search engines and cloud services), would have to be adopted on a voluntary basis by the UK Parliament or UK regulators, even though they are set to go into effect in August of this year.
In addition, it’s not clear whether the UK would retain its membership in a host of EU information security organizations like the EU Agency for Network and Information Security (ENISA) or CERT-EU. The UK remains part of Europe, but not necessarily part of the governing structure.
What happens after Brexit is that the UK Parliament (and voters) decide how much of the GDPR to implement, while Brussels decides whether these protections are adequate.
This includes UK compliance with EU Regulation 2016/679, EU Directive 2016/680 and the overall Digital Single Market strategy. With the UK out of the EU, it is possible that they will no longer consider themselves (or entities within their borders) bound by these data privacy and protection directives, and EU countries may adopt barriers to free flow of information to the UK.
The UK would likely no longer participate in the European Data Protection Board (except in an advisory capacity) and would now be considered to be a “third country” outside the EU for data transfer purposes. The “one stop shop” for companies to comply with EU data privacy could now be a shop and a half. This means that the UK (and UK companies) will likely still have to comply with some version of GDPR, but would not necessarily be able to influence the making of regulations in Brussels, except in bilateral negotiations with the EU itself.
The UK may choose to implement the Privacy by Design and Default requirements of GDPR Article 25, may require the Data Protection Impact Assessments of GDPR Article 35, and may continue to empower its ICO as the Data Protection Authority and to require Data Protection Officers (Articles 37, 38, 39). But this is no longer automatic, and no longer identical across Europe.
The UK would be free to adopt its own rules on data breach notifications (Article 31), and may or may not impose sanctions on companies that fail to comply. The more the rules the UK adopts diverge from the GDPR rules, the more likely we are to see a data transfer war.
With threats by the EU to remove English as the common language of the EU, Brexit may benefit the UK privacy and data protection infrastructure by encouraging entities outside of Europe (and outside of the UK) to comply with the UK rules, and to submit to the authority of the (English speaking) UK/Irish Data Protection Authority, to the extent that the EU considers their regulations to be equivalent to GDPR.
Companies with a presence in the UK could choose to submit to the UK as their “lead supervisory authority” at least as respects UK citizens’ data. For companies with a presence in multiple jurisdictions in the EU and the UK, they could choose to submit to the jurisdiction of the EU DPA where their headquarters is located, or where the data subjects live, and thereby be assured that they are compliant with GDPR – but they may or may not be able to transfer data to their UK operations depending on a finding of “adequacy” of safeguards by the EU.
Brexit may further move the UK out of the GDPR framework and more into the Privacy Shield framework – like the United States. EU nations may seek greater assurances from the UK that entities like MI5, MI6, NDEDIU, NCA, DI, GCHQ and JIO (UK law enforcement, intelligence, and signals intelligence agencies) are subject to the same limitations on access to EU non-UK information as would apply to US agencies’ access to EU privacy-related data under Privacy Shield.
Thus, UK companies collecting or using EU data might have to demonstrate things like effective model contracts, Binding Corporate Rules and other protections to give assurance of “adequacy” of data protection.
It is possible that the UK will voluntarily join the European Free Trade Association and remain in the European Economic Area (the so-called “Norway option”). Under this regime, the UK would remain bound by GDPR, and would be permitted the “free flow of personal data” into and out of the EU. But again, this would be a form of European entanglement and would link London’s policies to those of Brussels. It depends on the mood of the electorate.
In the short term, companies should act as if nothing has changed. They should prepare for compliance with GDPR because they need to irrespective of how Brexit impacts the relationship between the UK and the EU.
If you are doing business in Europe, or business that relates to EU citizens, well, GDPR will apply. But if UK data privacy and protection laws begin to diverge from those of the continent, companies in the UK which are compliant with local (UK) laws may no longer be able to collect and process information about individuals from the continent unless Brussels gives permission.
Another potential impact of Brexit on information security relates to the free flow of people. It is generally acknowledged (with little empirical evidence, by the way) that there is a shortage of trained and qualified information security professionals. By virtue of its membership in the EU, UK companies could recruit and hire infosec professionals from across the continent, and UK security professionals could seek employment across Europe.
In the (longer term) future, this may no longer be the case. Work permits, employment visas, quotas and the like may be the new normal. With the fluctuation of currencies, and the current devaluation of the Pound Sterling against the Euro, UK companies may find it more difficult to retain qualified candidates in London, and UK institutions may see pressure to move their security operations, data centers, call centers and SOCs to the continent. Again, this is likely to have a greater impact the longer we have uncertainty and currency fluctuations.
Brexit may also impact the willingness (if not the ability) of EU countries, companies, law enforcement and intelligence agencies to share information about threats, vulnerabilities, incidents and other intelligence related to cyber-attacks with their UK counterparts.
While Brexit does not appear to directly impact the ability of companies and governments to share threat intelligence (except by inhibiting the free flow of personal data), it may impact their willingness to do so. EU agreements on intelligence sharing, threat intelligence, data use, and similar issues might have to be renegotiated, and that may disrupt the flow of such information.
When it comes to protecting data and preventing cyber crime, we’re all in this together. How we do it post-Brexit depends on our willingness and ability to work together. In the short term, companies and governments should continue to protect data and share information as if nothing has changed. Until it does.