Our Thoughts On Brexit For People Here, There, And Everywhere

News & Analysis
Our thoughts on Brexit for people here, there, and everywhere

Brexit and Privacy

It's as clear as mud, what it means when a country decides to willingly pull out of a trading bloc, a policy coordination mechanism, a relatively democratic network, and a framework for the free flow of people, data, and rights. Meanwhile today the minister in charge of surveillance for the past six years will assume the leadership of the country.

There is much speculation as to what is next. Here's our take. Importantly, there's a lot to be worried about, some to like, much we cannot foresee. The future has rarely been so murky.

What I am practically certain of is that there will be renewed pushes for surveillance as a result of Brexit. And there is no meaningful political resistance. The Minister in charge of the police has today become the Prime Minister and is claiming to have a mandate of controlling borders. Such uncertain times are often fertile ground for attempts to enhance surveillance powers.


For the EU: Loss of a ringleader

To some degree, rejoice. The UK Government was the enfant terrible of the European Union, consistently the strong promoter of greater surveillance and an apologist for weaker safeguards. Its fingerprints are all over the EU's many highly problematic surveillance decisions (for a continued inventory, see (and support) the extraordinary work of Statewatch).

The UK often laundered surveillance policy through Europe.

When it held the presidency over the summer and fall of 2005, the UK Government pushed the communications surveillance policy of data retention through the European Parliament. For years it had the opportunity to raise this policy in the UK Parliament, asking its approval of the legal requirement upon telecommunications service providers to maintain logs of our interactions and movements. The UK Government was playing a long game through Europe to avoid domestic debate: having long-held ambitions for the power - first records date to 2000 just weeks after the Government got Royal Assent of its comprehensive surveillance legal framework; then the UK Government only sought voluntary data retention in its post-9/11 legislative push. Rather than having the courage to debate mandatory data retention in the UK, the UK pushed it through the European Parliament at George Bush's behest, and then brought it home as a harmonisation process, claiming that it was all because of EU demands.

Similarly, Tony Blair tried to launder his ID card through Europe by getting the European Parliament to approve the collection of fingerprints for biometric passports. He then tried to claim that the EU was demanding that he create a massive fingerprint database of all UK passport holders. This also let him blame the EU for the costs of the fingerprint database that provided the core of the Government's ID register, which the Coalition Government killed in 2010 by deciding against adopting the EU requirement on fingerprints.

More recently, the UK Government promoted greater surveillance at borders, monitoring all movement of all people across Europe, and compelling train operators and airlines to hand over data in bulk.

Admittedly in all of these policy fights, the UK Government wasn't alone and has plenty of pro-surveillance friends in the EU. But surveillance proponents in Europe will have lost a cheerleader, and sometimes ring leader.

We're not going to see a fall in surveillance legislation at the EU just because the UK is exiting. But, at least it's one less negative force trying to drag down the rights of 450m people (at least from the inside).

There won't be any Five Eyes representation in the EU. Will this matter? Probably. The UK surveillance regime may be questioned in the same way that Max Schrems brought attention to the U.S. legal framework over mass surveillance. And looking at the Investigatory Powers Bill now, we have strong doubts it will withstand such scrutiny.


For rest of world: Dislodged from the centre of a web

The UK Government monitored the world from the centre of a web. It will now hack itself into the lives of the world from these isles.

As Britain re-establishes its borders and boundaries, it will invest even more so in the building of surveillance walls. The EU's free flow of people was one of the braver ideas of our time, particularly in historically fragmented Europe. The free flow of people was a relinquishing of state control and an embracing of individual autonomy. Britain is now abandoning that idea and instead is re-establishing that control.

Some of it is to spite itself. Britain capitalised on its branding of being a trade-friendly, regulation-lite, while being an English-speaking EU member state. This image gave it much currency in the business world. Companies established themselves here, Heathrow became a bridge, and London became a financial centre.

As a result, people and data flowed through the United Kingdom. This provided UK government agencies the perfect opportunity to scrutinize people, grab data, and glean intelligence. The stop and search of David Miranda at Heathrow was just one example of a human being intercepted; the mass surveillance system enabled by the world's telecommunications data flowing through Cornwall is another; and having financial centres in the UK moving not only the world's money, but the associated data, must have its benefits. A country who turns its back on the free flow of people and goods will see its intelligence agencies shut out from the wonders that come with sitting at the centre of a web.

Yet the Investigatory Powers Bill in the UK will grant the UK universal jursdiction to i) demand that foreign companies comply with UK surveillance demands, and ii) hack infrastructure anywhere in the world to collect data on people. So what they have lost by shutting their doors, they will gain by force.


For the non-subjects of the Queen

The walls will go up against other people. A dominant discourse around Brexit was one of rejecting immigration.  While we have not yet seen what this means at a policy level, it is likely that there will be more tracking and monitoring of non-citizens in the UK.

And naturally, this will start at the borders. It's important to remember that the new Prime Minister used to be the head of the Home Office, Britain’s interior ministry. This ministry is renowned for its surveillance ambitions and technological inadequacies. The latest in a litany of massive IT failures is the 12 year £830-million technology debacle that was the 'e-borders system'.

For those within the country but not of this country, the situation is very unclear. This is probably why the Home Office on Monday rushed out a statement telling everyone to remain calm within minutes of the Home Secretary announcing that she would be Prime Minister. Ironically, one of the reasons that ID cards failed in the UK was that the Government's policy would not have easily applied to EU nationals. That impediment is gone, and now that most technically inept Home Office will be responsible for administering a registration and tracking mechanism for the millions of non-Britons living in the United Kingdom, on top of the one they administer for other immigrants. This is the same ministry that had a passport issuance failure in 2011, as British passport holders had their summer travel plans upended. Not being able to get out of the country is one thing, but a failure of an identity system that would inhibit access to services would be disastrous.

If the anti-immigration discourse continues, we may see more than the tracking of people at the border: we may also see tracking in the country. There is no national ID card, no requirement to show citizenship at schools or to have access to medical care. This may very well change, and the scrutiny will apply equally. In this sense, Britain may become even more like European countries that demand identity for access to nearly all services.


For the British people: Keep calm and don't ask about your rights 

For British citizens, apart from economic uncertainty, your rights will remain relatively unchanged in the short term. The European Convention on Human Rights remains intact within the Human Rights Act – though the new Prime Minister has long campaigned against both.

The common law still protects people. This is why we are taking the Government to court on common law grounds against its assumed powers to hack people's devices, networks, and services.

What will disappear relatively quickly, however, is the protections under the Charter of Fundamental Rights - an EU framework of rights. Though many of those rights are replicated within the Human Rights Act, the ECHR, and the European Convention 108 on Data Protection.

The question for the UK Government is whether it adopts new data protection rules that are consistent with European data protection rules. Doing so would ensure that trade with Europe can continue. But it would require meaningful controls on surveillance. As Steve Peers noted, it creates a stark choice: trade or mass surveillance. Britain has often benefited from both simultaneously - no longer can that be the case.

There are two paths ahead for Britain and privacy:

Option 1. We go ahead with the implementing EU rules in the UK because we want to trade with Europe. Europe would have to assess whether we have adequate protections, and whether we suffer from U.S.-styled mass surveillance as they did with the Schrems case. In that period of time, global industry would be wise to sit this one out until the dust has settled.

Option 2. We genuinely reconsider all our privacy and surveillance laws and ask why we have them, have great national debates on the challenges and virtues, and end up with a new data protection legislative regime that is the envy of the world, and is fondly considered in the UK, well known, and not undermined at every turn by industry and government officials.


Going forward with nobody to blame

Yes, I know, Option 2 will likely result in the same legal instrument as Option 1, but I’m naive enough to want the debate that will ensue. It is ridiculous that this most important legal framework for the protection of human dignity in the digital age is predominantly discussed in the framing of trade. Data protection is too often seen as an ‘EU’ concept. It is a right of all people and should be a matter of constant national debate and ownership.

In sum, the likely outcome of all of this is that the UK will have less sway over European policy and less direct access to data. This is a matter of some relief. And I'm sure this is exactly what worries security experts. Cheltenham, the home of the intelligence agency GCHQ, voted to remain. So did Theresa May.