There is no doubt that the UK's surveillance regimes will come under scrutiny in negotiations on continued data flows with Europe after Brexit, and the government needs to start preparing for that now, MPs have been told.
The British government has been repeatedly warned that gaining an adequacy decision from the EU will not be simple – or fast – and today data protection, law and policy experts emphasised this to members of the Exiting the European Union Committee.
James Mullock, a partner at law firm Bird & Bird, said that decisions can take about two years to go through, which – if the formal negotiations start on the official Brexit date, March 29, 2019 – could mean the process would run four months beyond the transition period, which is due to end on December 31, 2020.
He acknowledged that the Privacy Shield deal, which allows transatlantic data flows and was set up after its predecessor Safe Harbor was struck down, was pushed through faster. But he pointed out that much of the groundwork had been done because people could see the court case, brought by Max Schrems, coming.
Similarly, witnesses said that the UK government should make sure it is ready to tackle the more complex questions that it knows it will face – namely, national security and surveillance laws in the nation.
As a member state, the UK benefits from exemptions under EU data protection laws, which means that its regime does not affect data flows within the bloc.
Once it leaves, this protection is removed, and the controversial Investigatory Powers Act – which has been ruled unlawful under EU law – will be part of considerations on whether to grant an adequacy deal.
Information commissioner Elizabeth Denham said there was "no doubt" that the UK's national security and surveillance powers would come under scrutiny.
This would include the intelligence services' collection, retention and use of data, and the secretive Five Eyes intelligence-sharing network between the UK, US, New Zealand, Australia and Canada, as adequacy decisions also set rules on how data is shared with third countries.
Denham said that as part of the team that had been involved in the Privacy Shield discussions, her office was "well aware of the types of questions we’re going to be asked", including around Five Eyes.
In her view, if the Data Protection Bill – which implements a lot of the General Data Protection Regulation – gets on to the statute book, the UK will be in a "good position to check a lot of the adequacy boxes".
That means they could front load their work and "be ready for the assessment on the more difficult questions" on national security and intelligence services.
Giles Derrington, head of policy for Brexit at TechUK, agreed that the government needs to start preparing for this part of the negotiations, including some of the basic hurdles, and that it should not become complacent after recent progress and increased focus on data protection.
For instance, he said, one of the biggest challenges for the US was in setting up processes that allowed the US authorities and the Commission to have a conversation about classified information in a non-classified setting.
The witnesses emphasised the importance of continued data flows on business certainty. Mullock said that his clients were "fairly anxious", noting that in the two or three months after Safe Harbor was struck down there were several tens of thousands of companies searching for patches to make their EU-US data flows legal.
“If we have anything like that, it will be extremely disruptive and it will, I think, be extremely off-putting in terms of business looking at where they will headquarter themselves in Europe,” he said.
An added problem is that the fallback option for businesses, if the UK does not have data adequacy agreed once it exits the bloc, would be standard contractual clauses (SCCs) – which were used to cover data flows to the US after Safe Harbor.
However, these are subject to a challenge in the Court of Justice of the European Union, part of Schrems' long-running battle with Facebook, which makes the situation much less clear for business.
And even without this added uncertainty, the burden for businesses switching to SCCs would be huge, Stephen Hurley, head of Brexit planning at BT, told the group.
His firm has more than 18,000 suppliers, he noted, and setting up contracts with even a subset would be very cumbersome, especially as the set text "isn't necessarily designed to deal with the modern ways of doing business, and the way flows of data occur in practice".
Elsewhere in the hearing, the witnesses agreed that it would be preferable for the UK to have a treaty on data flows, rather than simply an adequacy deal – something the government has set its sights on.
The idea is that it would allow the UK to be involved in the one-stop shop mechanism – broadly, this means that an organisation that operates in a number of member states only has to deal with one supervisory authority – and let the ICO have a greater role in the European Data Protection Board.
Derrington said that it would "unquestionably" mean the UK would lose influence if the ICO was only allowed to be an observer at the EDPB, which Denham fleshed out.
"At this time, when GDPR is in its infancy, participating in shaping and interpreting the law, I think, is really important," she said.
"If [the ICO] is outside, we're not going to have same effect as we need to have with big tech companies... because that's all going to be decided by that group of regulators."