Announced on 16 March, The Integrated Review of Security, Defence, Development and Foreign Policy (IR) affirms the UK’s security-related policy decisions for the next decade. As anticipated post-Brexit, mentions of the EU are sparse and stated priorities include a more active role in NATO. This compartmentalisation of allies neglects to acknowledge the vast overlap between NATO and EU member states, and thus the need to work on regional relationships if the UK is to successfully achieve objectives further afield.
A vital element in mutually beneficial intelligence partnerships is data-sharing, yet it is only mentioned once across the IR’s 114 pages. Data-sharing in this context refers to international transfers of personal data, including for commercial and security purposes. It would be naive to imagine that this signifies a lack of attention paid by the government to the multifaceted issue of international data-sharing. In fact, the UK is in a unique position as its Data Protection Act (2018) near-replicates the EU’s GDPR, but its intelligence-gathering capabilities have been subject to legal challenges.
Despite fears that post-Brexit, the EU would reject UK data-sharing standards on the basis of such criticisms, as of 19 February, the EU has released two draft adequacy decisions that determined that data collected and exchanged between the UK and the EU is appropriately safeguarded. This article will examine the ways in which the adequacy decisions were hard won, and where legal and public challenges within the UK and the EU remain. It highlights the tensions between the ideals shared by the EU and UK courts (which have commercial and social advantages), and the desire to continue rapacious data-collection by the UK. Together, rather than leaving the UK government in a precarious international position, these factors appear to be filling out the currently hollow image of a successful ‘Global Britain’.
The adequacy decisions released on 19 February were important for Britain’s commercial standing because they save individual data controllers from being responsible for each transfer. Without adequacy decisions, data flow with the EU would have been disrupted and piecemeal. This could require individual UK businesses to shoulder the resource costs of between £1 billion and £1.6 billion. Given long-standing concerns that the intrusive nature of the data collection mechanisms allowed by UK laws does not meet continental human rights standards, these adequacy decisions were never guaranteed.
Since it was passed in 2016, the Investigatory Powers Act (IPA) has been the subject of numerous legal cases, mainly related to its facilitation of “Computer Network Exploitation” (hacking) and the collection of bulk communications metadata, i.e. the ill-defined electronic footprint left after a call that gives away all details but what was said. However, crucially, the existence of the draft adequacy agreements indicates that the IPA has not been curtailed by EU restraints. This enables the UK to maintain EU standards for commercial purposes while also continuing intelligence-collection that benefits its security goals and relationships with other countries, such as through the Five Eyes intelligence alliance of the UK, US, Australia, Canada and New Zealand, thus achieving multiple goals simultaneously.
In fact, the absence of “data-sharing” – or even “cross-border information sharing” – in the IR could be intended to obfuscate the fact that the UK continues to collect vast amounts of data for intelligence purposes, while also benefiting economically from the ability to share data with the EU. Indeed, with the IR receiving significant public attention compared to the adequacy process, this lack of publicity for the UK having its cake and eating it too could be intentional misdirection.
Despite the controversial IPA, which has previously been judged by the Court of Justice of the European Union to contravene privacy rights and EU law, adequacy decisions may have been possible because of a series of recent UK legal decisions that increase oversight of surveillance capabilities via other means. One such decision is a UK High Court ruling on 8 January 2021 that prevents bulk hacking from occurring using insufficiently specific warrants. This marks the successful challenge to a 2016 UK Investigatory Powers Tribunal (IPT) ruling that GCHQ’s bulk hacking is lawful under UK law and in light of the European Convention on Human Rights (ECHR).
The High Court decided that these warrants infringe upon laws that protect the sanctity of a person’s property, according to a novel interpretation of Section 5 of the Intelligence Services Act (ISA) 1994 that denies the Secretary of State executive power to sign off on a general warrant. Although the scope of this ruling does not cover the IPA, the decision may be the factor that persuaded the EU of the UK courts’ dedication to quashing data collection overreach, paving the way to a data-sharing adequacy status.
UK legal systems
It is notable that, despite the previous European court cases, the judgement made on 8 January avoided references to privacy and the ECHR in favour of a UK constitutional foundation and precedent relating to property ownership: an exercise in national sovereignty. This is indicative of the current complex situation in which UK courts are no longer beholden to EU law, but still have similar data protection cultures and a desire to maintain high standards relating to individual rights. As with the tone struck by the IR, this reflects the same cheerily determined portrayal of the UK as a self-reliant trailblazer within the European continent but not the European Union.
Such a choice may be distasteful to the UK’s EU allies, but it has domestic utility. The decision stands even in circumstances where national security is in jeopardy, while allowing the UK High Court to skirt the same criticism that the government levelled at European courts: that the EU should be unable to weigh in on decisions pertaining to individual states’ national security.
Commitment to common principles?
Given the existence of other legal challenges, for example against the IPA, there is the chance that the UK courts will go even further with their inhibition of overzealous data collection. Still, the High Court decision may have signalled enough of a commitment to common principles that the UK was able to meet the EU’s criteria for data adequacy. Indeed, as the IPA has not been amended and other contentious terms (such as Northern Ireland) have not been resolved, this could indicate that the recent ruling was pivotal in negotiations to set up data-sharing mechanisms with the EU.
In the meantime, the UK can continue to wield the IPA, collaborating with private companies to design surveillance tools that allow the creation and storage of the web-browsing records of everyone in the country. This ensures that the data that UK intelligence agencies share with the rest of Five Eyes remains contemporary and comprehensive, enhancing the view of the UK as a global power, through the lens propagated by the IR.
Ultimately, there is the possibility that UK data collection and sharing will be stymied either domestically or by other countries. Equally, through a twist of fate the UK could end up inhabiting the global position that the IR boasts, in a wickedly smart case of “fake it ‘til you make it”.