The UK is on its way out of the EU. The transition period that started on January 31, 2020 will end on December 31, 2020.
- Will Britain keep implementing GDPR after Brexit?
- Will the country continue abiding the European Convention on Human Rights that, among other things, guarantees everyone the right to privacy?
- What about mass surveillance and facial recognition, which already caused problems back when the UK was a member of the EU?
Answers to these questions are rather complicated...
UK citizens are safe online, at least until the end of 2020
For the moment, UK citizens are still under the protection of the GDPR.
The country is under EU laws during 2020 and this state will last until the end of the year. This means increased online privacy, but also means respecting citizens’ rights to personal and data privacy, included in articles 7 and 8 of the European Convention on Human Rights.
GDPR implementation is part of the Withdrawal Agreement Bill, the international treaty (between the UK and EU) that took the UK out of the EU.
The WAB sets the ground for Brexit and thanks to it, UK citizens’ privacy is protected at the moment. But recent events set the stage for the future beyond 2020, and things don’t look so good.
Google in the UK
Google is the first company that’ll take steps towards the post-Brexit future of the UK.
The company is planning to transfer accounts of its British users from its European headquarters in Ireland to US servers. This means that the EU will lose jurisdiction over the UK citizens’ data, transferring it to the US. And that’s not good if you’re living in the UK.
While the GDPR protects user data no matter where it’s stored, with the end of 2020 that won’t be the case. And storing private data in the US means leaving “the sensitive personal information of tens of millions with less protection and within easier reach of British law enforcement.” Nothing is set in stone at the moment.
"Google’s decision to move the data wasn’t brought because the UK government decided to walk from GDPR in 2021."
It has been brought because it isn’t clear which moves the UK government will pull once in 2021 and beyond. One thing is certain. If the data stayed in the EU “it would be more difficult for British authorities to recover it in criminal investigations.”
But since the UK and US recently signed an agreement on “cross-border law enforcement demands for data from service providers,” which is a part of the Cloud Act, it is easier for British authorities to obtain data from US companies that host user data in the US than it would be if they stored the same data in EU servers.
Google’s former lead for global privacy technology stated that she would be surprised if Google decided to keep UK user data in the EU after Brexit.
This turn of events is worrying. Google moving the user data to US-based servers, the Cloud Act and the Five Eyes partnership sheds doubt on the belief the UK will continue to fully implement the GDPR after December 31, 2020.
The UK won’t fully implement GDPR, which is worrisome
The Brexit plan was for the UK government to fully retain GDPR in domestic law after the end of the transition period.
The Withdrawal Agreement Bill gave Britain some freedom though. The lenient part of the WAB was to allow the UK to implement some “amendments to the regulation to ensure that it works as effectively as possible for UK residents.” But the recent turn of events suggests that won’t be the case.
About a month ago Boris Jonson, UK Prime Minister, stated that Britain will work to produce independent policies in a wide range of fields, including data protection. He also stated that “We will restore full sovereign controls over our borders, immigration, competition, subsidy rules, procurement, data protection.”
Further, the UK may have trouble signing an adequacy agreement with the EU. Adequacy agreements are signed with countries outside the EU ensuring the safety of personal data of the EU citizens. The change of direction regarding GDPR implementation isn’t the only issue that may hurt the UK’s chances of signing the adequacy agreement. A series of scandals made its allies in the EU concerned about the country’s ability to protect personal data.
"The United Kingdom will demand complete legal independence."
The United Kingdom have made another move that may push the United Kingdom further from the level of online privacy its residents have at the moment. Aside from guaranteeing to continue implementing GDPR after December 31, 2020, the UK government was also expected to follow the European Convention of Human Rights (ECHR). Well, that may not be the case anymore.
The United Kingdom will demand complete legal independence.
That will allow the country to come up with new laws regarding online privacy. But this also means the country will be able to repeal the ECHR in the future. And if you remember, the ECHR contains two articles guaranteeing personal and data privacy to every person residing in the EU.
The events aren’t rolling out in a way they make us believe the citizens of the United Kingdom will enjoy a high level of online privacy they have today.
This turn of events is the exact opposite of what a former Cambridge Analytica staffer, now a whistleblower, advises Britain to do.
She explained that failing to pass adequate privacy laws will allow companies to mishandle user data in a variety of ways. Collecting it without consent, refusing to share data with users, selling it, and more.
Mass surveillance will only get worse
The country’s focus on mass surveillance, which already led to serious gaffes, is another problem.
UK-based civil rights group Liberty describes IPA in an interesting way:
- The Investigatory Powers Act is the most intrusive mass surveillance regime ever introduced in a democracy.
- It gives the authorities the power to collect information about everything we do and say online – on our mobiles and computers – by tapping directly into communications channels, ordering companies to hold on to our data and hacking into people’s devices.
- Agencies can store and search our web history, records showing where we go with our mobiles, and who we call, email and text. This kind of information paints an incredibly detailed picture of who we are, who we talk to, where we go and what we think.
- It reveals our health problems, our political views, our religious beliefs, our sexual preferences, our daily habits and our every movement.
The Open Rights Group tried to picture the future after the IPA and similar acts take away the digital rights of people living in the UK.
The parody social website Futurebook reflects this future and if you decide to visit the site, you might realize that that kind of future isn’t something you might like. Further, the UK is a member of the Five Eyes Alliance, an international group of intelligence agencies that freely exchange private information about their citizens.
Next, London already has almost the same number of surveillance cameras as Beijing. The recent deployment of real-time surveillance technology is yet another attack on personal privacy. Real-time facial recognition software is used by the UK police, raising concerns among citizens and civil rights activists. And for good reasons.
Firstly, we have the case of a man who sued the South Wales Police because police officers scanned his face two times without his consent. He lost the case. Next, the real-time facial recognition tech is “worryingly inaccurate.” Further, this form of facial recognition technology comes with inherent gender and racial biases. Finally, despite its laughably low accuracy, the office of metropolitan police concluded recent facial recognition trials as successful.
Not all is gloomy
While the UK is transforming into a country that doesn’t respect one’s privacy in general, there are some shades of sunshine penetrating the post-Brexit fog.
For instance, Britain is preparing strict child privacy rules that we can only salute. The set of rules is aiming to exclude children from many immoral practices online companies use in order to collect our data, serve personalized ads, and track our location.
The privacy rules will restrict the ways companies collect data.
They won’t be able to use shady data-collecting techniques with children (so-called “nudge techniques”); they will have to verify user’s age if they want to collect data; they won’t be able to turn off location tracking by default; they will have to make high privacy settings default in their apps, etc. There are 15 standards in total.
All apps, social media platforms, online games, educational websites, and streaming services, as well as connected toys, must meet all 15 standards. The ruleset will be fully implemented by autumn 2020.
The second breath of fresh air concerns the infamous Article 13 of the European Union Directive on Copyright in the Digital Single Market. While the EU does lots of things right when it comes to online privacy and security of its citizens when they are online, Article 13 is just wrong. It imposes impossible rules to websites, like forcing them to scan every piece of uploaded content for possible copyright breaches, or allowing publishing media to “tax” anyone who links their content.
Chris Skidmore, the UK’s Minister for Universities, Science, Research and Innovation, stated that the United Kingdom won’t implement the EU copyright directive.
It isn’t because the government sees it as something that hurts everyone. It’s simply because there isn’t time to implement it before Britain leaves the EU. That doesn’t mean the government won’t come up with a similar legislation in the future. UK’s Minister for Sport, Media & Creative Industries, Nigel Adams stated that the government supports the Directive and that they could come up with their version of it in the future.
Despite the two (well, one and a half) positive examples, mass surveillance and privacy-invading laws combined with recent GDPR and adequacy agreement-related events put a shade over UK’s alleged intent of keeping a high level of privacy of its citizens during post-Brexit.