Is there a safe way out? Brexit’s impact on Data Protection and Cybersecurity

(Article written by our fellow Gillian Cafiero)

The UK rocked the political world by announcing its intention to ‘Leave’ the EU. No one seems sure of what it means to ‘Leave’ the EU and politicians worldwide have encouraged people to subdue their reactions until a clear exit strategy is agreed.

One thing is certain: nothing will change until Article 50 of the Lisbon Treaty is officially invoked. The article allows for a negotiation phase that can take a maximum of two years unless there is unanimous consent of the remaining member states to extend the consultations.

If the UK stands any chance of overcoming the challenges inherent in Brexit, it must take time to plan its future before it invokes Article 50 and starts the clock ticking.

To advance the debate, here are a few thoughts on what leaving the EU could mean for the UK’s Data Protection and Cybersecurity efforts.

Data Protection

General Data Protection Regulation

Brexit is unlikely to mean that the UK can escape obligations under the newly ratified General Data Protection Regulation (GDPR).

Firstly, there is a timing consideration. The GDPR is due to come into effect on the 25th May 2018, less than two years from today. It is highly unlikely that the UK will invoke Article 50 and reach a unanimously agreed exit strategy before this date. Due to this timing discrepancy, it is probably safe to assume that most UK companies will be expected to comply with the GDPR by May 2018 in spite of the recent ‘Leave’ vote.

Secondly, the UK has to consider the far-reaching jurisdiction of the GDPR. The obligations on data controllers and data processors under the Regulation are set to apply to all companies that process data of EU citizens. This means that all UK companies that interact digitally with a European citizen’s personal data (and it’s a safe bet to say that most do) will need to comply with the provisions and be subject to the penalties. This is on the proviso that UK companies will be allowed to process data of EU citizens at all. To be able to do this, the UK will have to either subject itself to the Regulation by remaining a member of the EEA (like Norway) or obtain an official acknowledgement of “adequacy” for the protection of personal data (like Switzerland).

As the ICO acknowledged, any country that is regarded as “adequate” for the purposes of data processing will not be able to deviate too far from the GDPR’s provisions. The EU’s strictness in this regard is currently being tested through the EU-US Privacy Shield negotiations. The outcome of this agreement will probably have a considerable impact on the future of the UK’s data policy.

If the UK chooses to leave the EEA and it fails to obtain a status of “adequacy”, then its companies will have to resort to Model Clauses or Binding Corporate Rules to process European personal data. These are ad hoc transfer agreements for personal data. American companies are currently using them to overcome the restrictions after the Safe Harbor agreement was declared invalid. These contracts are complex and costly because they involve a great deal of administrative work. Additionally, the Irish Data Commissioner is challenging their legal validity in a case against Facebook. It is unlikely that the European Courts will rule that these Model Clauses and Binding Corporate Rules are altogether invalid, but they might well place additional restrictions on them.

The uncertainty and bureaucratic pains that accompany ad hoc agreements for data processing, combined with the likelihood that the EU will measure any standard of “adequacy” against the GDPR, are going to keep the UK’s data protection regime in check for quite some time.

Data Retention

While compliance with the GDPR seems unavoidable, Brexit may enable the UK to re-establish a blanket data retention regime. There has always been some tension between the EU and the UK on this topic. The UK was one of the countries that championed the Data Retention Directive that was struck out in European Courts following the Digital Ireland case.

When the Court of Justice of the EU vetoed measures under the Directive on human rights grounds, the UK responded by streamlining the Data Retention and Investigatory Powers Act (DRIPA). This legislation allows the Government to force individual companies to retain data for a set period of time so that it may be used for investigatory purposes. The MPs and human rights campaigners that oppose these powers have asked the Court of Justice of the EU to rule on the legality of this legislation.

Theresa May, who is favoured to be the next conservative prime minister, has actively supported increased data retention powers. She was one of the key sponsors of DRIPA, and she is also championing the Investigatory Powers Bill that, if enacted, will place even more extensive data retention obligations on companies.

As with data protection, the UK’s ability to distance itself from the European standards on data retention depends on the type of relationship that it will negotiate with its continental neighbours. Compliance with the protections of the GDPR may even preclude a more expansive data retention regime. However, it is likely that surveillance and data retention are two policy areas that the next conservative government will want to advance through Brexit.


Cybersecurity

The impact of Brexit on the Cybersecurity environment is uncertain. Unless it negotiates wisely, the UK stands to lose a considerable amount in terms of research funding, influx of talent from other parts of the EU and membership to international task forces.

The EU recently adopted the Network and Information Security Directive (NIS), which sets out general best practices for policing and governing cyberspace. The NIS, like the GDPR, is likely to be ratified before the UK ‘leaves’ the EU. However, abiding by the common-sense policies set out in the NIS will not suffice to keep the UK’s cybersecurity standards where they are today.

Simon Crosby, CTO of Bromium, said: “Over a third of research funding for universities in the UK comes from the EU. In the absence of new funding from the UK Government, there will be a huge impact on universities’ ability to deliver highly skilled tech workers to the UK economy”.

Cyber-criminal markets, conversely, are becoming increasingly lucrative and several researchers have noted that the UK’s financial institutions are becoming an obvious target amidst the uncertainty caused by Brexit.

In addition to the potential lack of research funding, the UK stands to lose top European tech talent to closed border policies and anti-immigration sentiment.

The UK Government and the EU have yet to agree how borders will be managed; however, given the emphasis on immigration from the Leave campaign, it is likely that the free movement of people will be curtailed to some extent. This will impact the number of skilled researchers in the UK.

Finally, the UK will have to renegotiate its membership to international law enforcement bodies and task forces. The European Police Office (Europol), the European Union’s Judicial Cooperation Unit (Eurojust), and the European Network and Information Security Agency (ENISA) are just some of the agencies that have considerably bolstered the fight against cybercrime in recent years. These bodies are critical to building analytical capacity and fostering international cooperation. The UK’s participation in the initiatives led by these groups will also be up for debate. Any break in the valuable network that these organisations provide will be a significant blow to efforts directed at countering international criminal networks.

As Julian David, CEO of TechUK, summarized it: “To succeed, the UK tech sector needs great people, great infrastructure, world-class science and research, unfettered access to global markets, and a world-class smart and predictable regulatory environment”.

We all hope that these words will be listened to when the negotiations commence.