Brexit Referendum: 5 Cybersecurity Implications
If UK Leaves, Expect Data Protection, Privacy Laws To Remain
Should I stay or should I go?
On June 23, British voters go to the polls to decide if Britain should exit - or "Brexit" - the European Union. In recent weeks, the "Leave" campaign - heavily centered on immigration-related fears - and the "Remain" campaign, which tends to highlight the political benefits of remaining a part of the EU, have been arguing their case.
If Britain exits the EU, much of the impact remains unknown, and remains subject to much debate. While Britain isn't one of the majority of the 28 EU member states that have standardized on the euro currency, the U.K. would no longer enjoy unfettered access to the EU's single market, and would have to renegotiate related treaties, not least surrounding data transfer, and there are no guarantees that the EU courts would uphold such deals.
In the event of a Brexit, here are five likely cybersecurity, privacy and cybercrime-related repercussions:
1. Data Protection Laws: Business Rationale
Even if Britain exits the EU, it will still likely abide by European data protection laws, London-based attorney Eduardo Ustaran, a partner in the global privacy and cybersecurity practice at law firm Hogan Lovells, says in a blog post. "Data protection law is not an arcane doctrine that exists alongside Napoleonic codes and is nurtured by Brussels' bureaucracy - it is a need for the digital age," he says. "Protecting people's data and defending our digital privacy in a way that enables the information economy to prosper is not just in the EU's interest, but in everybody's, including of course the U.K."
2. Full Compliance With GDPR
The EU's previous data protection rules, which came into effect in 1995 - and which were based on U.K. data protection laws from 10 years prior - allowed member states to comply with the related directive in different ways, Ustaran says. But the new General Data Protection Regulation - which comes into force in May 2018 - imposes very precise, non-negotiable requirements for handling EU residents' personal data, and any organization that does business in the EU must demonstrate that they're handling such data in a safe manner (see Mandatory Breach Notifications: Europe's Countdown Begins).
The U.K. Parliament could opt to not comply in full with the GDPR, but there's a strong business case to fully comply. "European data protection law is globally recognized as setting the highest standards of privacy and cybersecurity protection," Ustaran says. "Many countries around the world, from Canada to New Zealand and from Japan to Uruguay, have sought to match those standards to allow their own businesses to prosper under a solid data protection framework," as well as to allow them to say that they comply with EU rules, and may thus do business in those regions. Even non-EU members Norway and Switzerland, he adds, have passed laws that mirror the EU's data protection laws, to enable them to more easily do business with the EU.
3. Cybercrime-Related Challenges
If it's unlikely that U.K. data protection laws will lag behind the EU, the same can't be said when it comes to combating cybercrime. "A Brexit is very likely to lead to a significant reduction on cooperation in criminal and policing matters between the U.K. and the EU," Steve Peers, a professor of law at the University of Essex who specializes in European Union law and human rights law, says in a blog post.
For example, the U.K. works with Eurojust, the EU agency that handles cross-border judicial cooperation relating to criminal matters, as well as with the EU law enforcement intelligence agency Europol. In fact, Europol is led by British civil servant Rob Wainwright, who's Welsh, while its "EC3" European Cybercrime Center is led by Steven Wilson, who's Scottish.
But in the event of a Brexit, the U.K. would lose full access to EU agencies, and could only participate as an associate, which "means a more limited involvement in each agency than they would have as EU Member States," Peers says.
4. Policing and Prosecution: Less Collaboration
A Brexit would make it more difficult for Britain to see foreign suspects get extradited to face charges in U.K. courts, and vice versa (see Brits Arrest Alleged Fed Reserve Hacker). "EU membership comes with a host of laws regarding police and criminal law cooperation," Peers says in a blog post. "Those laws have helped the U.K. get hold of far more fugitives for trial in the U.K., and also remove more criminals for trial abroad. The amount of data exchanged between police services on alleged terrorists or other criminals has increased too."
Britain could potentially negotiate related treaties with EU member states, but Peers says it's not clear that the EU Court of Justice would uphold those treaties, or that individual countries would go through the effort required to finalize them.
5. Cybercrime Policing: Intelligence Hit
Britain would have to match existing EU data protection laws to gain access to EU law enforcement intelligence, Peers says. "If the UK did not continue to sign up to EU data protection laws fully, there would be difficult legal disputes that could limit the transfer of policing data to the UK's law enforcement authorities from the EU," he says (see Europol Announces DD4BC Arrests).
But even if Britain fully complies with the GDPR, it wouldn't have access to the full panoply of EU law enforcement intelligence. "There would be legal complications if the U.K. sought to renegotiate access to police data exchange after Brexit," Peers says. "There's clear proof of this - even a non-EU country like the USA has faced repeated legal and political challenges trying to obtain such access in practice," he says (see 'Privacy Shield' to Replace Safe Harbor).
The Brexit debate is much broader than just the cybersecurity and privacy-related components outlined above. But when it comes to cybercrime intelligence sharing, policing and prosecution in a potentially post-Brexit world, the related challenges facing Britain would be significant.