The UK has tended to only introduce data-protection laws in conjunction with EU legislation and, according to Ray Walsh from ProPrivacy, the post-Brexit world may see the country prioritise authorities’ access to personal data over citizens’ right to privacy

Credit: Pxfuel

The UK is a country where the constitution only recently enshrined data privacy rights for individuals. 

In fact, even since the introduction of the Data Protection Act of 2018 (DPA 2018), there remains no common law that provides individuals with a general right to privacy. Despite the positive changes established by DPA 2018, British legislation still provides UK authorities with overreaching legal permission to impose surveillance. Existing laws and international agreements like Five Eyes open the door to institutionalised snooping – as well as the harvesting and exploitation of mass data sets. 

The EU’s introduction of GDPR in May of 2018 can be considered as the catalyst for the UK’s introduction of stronger data protections and rights for British citizens. The same was true in 1998, when the UK introduced the Data Protection Act 1998 to comply with the European Union’s Data Protection Directive 95/46/EC. 

Perhaps unbelievably, the 1998 law allowed the UK to comply with the EU’s directive, without once including the word ‘privacy’ in its pages.  

Instead, the legislation focused broadly on the rules surrounding the procurement, possession, utilisation, and dissemination of personal data. Ultimately, DPA 1998 performed a balancing act between the rights of individuals and the interests of those with a legitimate reason to use citizens’ personal information. 

The recent introduction of GDPR in the EU improved things greatly, by ensuring that all data processors and controllers responsible for using personal data must follow much more rigorous guidelines called ‘data protection principles’. Those regulations create a framework in which personal information is used much more fairly, lawfully and transparently. 

In the UK, in order to comply with those strict rules, GDPR was quickly ported over into the UK’s constitution in the form of The Data Protection Act 2018. However, while the primary consumer protections remain the same – and allow UK businesses to legally and effectively coexist with their EU counterparts – the UK’s law does contain considerable derogations that provide UK authorities with the ability to access and exploit personal information if it is deemed necessary for the interests of national security.

What’s more, Brexit creates massive question marks for UK citizens going forward, because at the end of the transition period on 31 December 2020, GDPR will no longer directly apply in the UK and the British government could theoretically decide to update or alter DPA 2018 to allow for greater levels of government snooping. 

What it is important to remember, is that the UK has only ever introduced privacy laws when it was coerced to by the European Union, and without the EU’s direct oversight UK citizens could find themselves living in a regime that puts surveillance first. 

Super snoopers?
Unfortunately, there is plenty of evidence that reinforces the likelihood of this potential eventuality. In 2016, the UK passed the Investigatory Powers Act (IPA); legislation that is fondly known as the Snoopers’ Charter. IPA is largely considered Theresa May’s biggest contribution to British law – not only because it received royal assent during her time as prime minister – but because it was introduced during her tenure as home secretary. 

IPA is a highly controversial law that introduced new powers for UK intelligence and law enforcement to carry out the bulk interception of communications and bulk collection of communications data. This massively invasive legislation requires UK communications service providers to harvest and store citizens’ internet connection records for 12 months. And, it allows that data to be accessed – without the need for a warrant – by a whopping 43 different British authorities.

As if that wasn’t bad enough, the law also creates the legal right for UK authorities to carry out hacking of computers and devices – as well as ‘bulk equipment interference’ for national security matters relating to foreign investigations. The law also introduced requirements for UK communication service providers to comply with data requests in secret (gag orders) and to remove encryption when instructed to do so (backdoors). 

Following IPA’s introduction in November 2016, the EU’s highest court decided that the bulk interception of emails and electronic communications was illegal. The European Court of Justice ruled that only targeted interception of traffic and location data for purposes of combatting serious crime, such as terrorism, is justified. 

Citizens’ data has been proven to allow extremely invasive secondary inferences to be made about them – producing a severe threat to those people’s privacy. What’s more, the role of regulators in overseeing the fair use of these powers has been highly criticised for existing outside of the realms of genuine transparency.

Since that decision was made, the UK has admitted that IPA is in direct conflict with EU regulations. However, this could soon become academic because once the UK has withdrawn from the EU, the ECJ will no longer have jurisdiction and the UK government could begin to enforce IPA to its fullest. 

Time and time again, the British government has revealed itself to be in favour of bulk access to citizens’ data. And legislation in the UK allows for the mass collection of electronic communications, which, in turn, permits for highly precise conclusions to be made about citizens’ private lives. 

Citizens’ data has been proven to allow extremely invasive secondary inferences to be made about them – producing a severe threat to those people’s privacy. What’s more, the role of the Investigatory Powers Commissioner’s Office and the Investigatory Powers Tribunal in overseeing the fair use of these powers has been highly criticised for existing outside of the realms of genuine transparency.

Add to that the problems created by UK intelligence’s partnership with the US, Australia, New Zealand and Canada in the form of the Five Eyes – and, to a lesser degree the greater 14 Eyes – and you have a system that also permits surveillance to occur across borders, sometimes in contradiction to local laws. This, in addition to IPA, and the derogations contained in the UK’s version of GDPR (DPA 2018) provide a dangerous framework for institutionalised surveillance under the guise of national security.