Traffic stop

In a week when Brexit has been at peak chaos generation, it's astonishing how little attention has been paid to what would happen to data flows if the UK exits the EU on October 31 with no agreement in place. At a stroke, the UK would become a "third country" in data protection parlance. Granted, at the instant of withdrawal, under the Withdrawal Act (2018), all EU law is immediately incorporated into UK law - which in turn means that the General Data Protection Regulation, which came into force in 2018, is recreated as a UK law. But as far as I can tell, there still has to be a decision that the UK's data protection regime qualifies under EU law as adequate for data flows to continue unimpeded from the EU27 into the UK.

Which means that at the very least a no-deal Brexit will deliver a lengthy delay while the European Commission makes that decision. Most of the other things people are worrying about since the leaked "Yellowhammer" documents outlining the government's expectations in case of a no-deal exit alerted the country to the likely disruption - food, medicines, Customs and immigration clearance - have widespread impact but are comparatively confined to one or a few sectors. Data is *everything*. Food and medicine supply chains, agriculture, national security, immigration, airline systems...there is hardly an aspect of this country's life that won't be disrupted if data flows can't continue. As DP Network explains it, the process of assessing the adequacy of the UK's data protection regime can't even start until the UK has left - and can take months or even years. During that time, the UK can send data to the EU perfectly well - but transfers the other way will require a different legal framework. The most likely is Standard Contractual Clauses - model clauses that are already approved that can be embedded in contracts with suppliers and partners. I haven't seen any assessment of what kind of progress companies have made in putting these in place.

But this, too, is not assured. These clauses form part of the second case brought to the Court of Justice of the European Union by Max Schrems, the Austrian lawyer whose court action brought down Safe Harbor in 2015. Schrems 2.0 calls into question the legal validity of those SCCs as part of his challenge to Privacy Shield, the EU/US agreement that replaced Safe Harbor in 2016. Schrems himself believes that SCCs can meet the adequacy standard if they are properly enforced, and that they can be used to stop specific illegal transfers. For larger companies with lawyers on call, SCCs may be a reasonable option. It's harder to see how smaller companies will cope. The Information Commissioner's Office has advice. Its guidance on international transfers refers businesses to the European Data Protection Bureau's note on the subject (PDF), which outlines the options.

That's if there's a no-deal crash-out. The Withdrawal Agreement, which Theresa May tried three times to get through Parliament and saw voted down three times, has provisions preserving the status quo - unimpeded data flows - until at least 2020 as part of the transition period. This is the agreement that Boris Johnson is grandstanding about, insisting that the EU must and will make changes and that negotiations are ongoing - which the EU denies. I believe the EU, if only because for the last three years it has consistently done what it said it would do, whereas Boris Johnson...

While the UK of course participated in the massive legislative exercise that led to GDPR, it's worth remembering that a number of the business-oriented ministers of the day were not fans of some of its provisions and wanted it watered down. No matter how Brexit comes out, however, the UK will not get to do this: GDPR, like Richard Stallman's GNU license, carries with it like a stowaway the pay-it-forward requirement that future use of the same material must be subject to its rules. The UK can choose: it can be a "vassal state" and "surrender" to ongoing EU enhancements to data protection - OR it can cut itself off entirely from the modern international business world.

It's not clear if any of the data issues have filtered through into the public consciousness, perhaps because stopped data flows, as SA Mathieson writes at The Register, don't sound like much compared to the specter of bare supermarket shelves. Mathieson goes into some detail about the fun businesses are going to have: EU-based travel agencies that can't transfer tourists' data to the hotels they've booked, internal transfers within companies with offices spread across several countries, financial services... If "data is the new oil", then we're talking banning all the tankers. No wonder the EU is reportedly regarding no-deal Brexit as the equivalent of a natural disaster, and accordingly setting aside funds to mitigate the damage.


Illustrations: Dead-end sign.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.
