I don’t know about you, but I am getting very tired of news stories reporting that the UK economy has shrugged off Brexit fears. Every time I read these articles I feel like finding a convenient rooftop from which to should “we haven’t left yet, idiots!”
One of the consequences of not having left the EU yet is that we’re still subject to EU law and regulation, and in particular the decisions of the European Court of Justice (ECJ) and the European Court of Human Rights (ECHR). Economics aside, my own area of cybersecurity is one of those most strongly affected by these august bodies.
There’s been an interesting example today. You will have read here before about the Investigatory Powers Act (aka the “Snooper’s Charter”); I still think it’s ridiculously widely-drafted, will be very difficult to implement in practice and could lead to significantly greater cyber-crime exposure for UK citizens – because our track record of securing mega-databases of the sort proposed by the Act is not good. Never mind me, though – the ECJ thinks so too.
The key statements are:
“Article 15(1) of Directive 2002/58/EC…as amended by Directive 2009/136/EC…must be interpreted as precluding national legislation which, for the purposes of fighting crime, provides for the general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication.”
“Article 15(1) of Directive 2002/58/EC…as amended by Directive 2009/136/EC…must be interpreted as precluding national legislation governing the protection and security of traffic and location data and, in particular, access of the competent national authorities to the retained data, where the objective pursued by that access, in the context of fighting crime, is not restricted solely to fighting serious crime, where access is not subject to prior review by a court of independent administrative authority, and where there is no requirement that the data concerned should be retained within the European Union.”
So…no indiscriminate data slurping, no speculative data fishing expeditions, prior judicial authorisation needed, a restriction on data retention and analysis to “serious crime” only and another reminder of the digital fortress Europe meme that’s becoming so prevalent in EU thinking nowadays.
Another example of EU meddling in national affairs, or a reason for anyone with an interest in privacy and the provision of appropriate checks and balances on government to remain concerned about the impact of Brexit on privacy and data protection?
(In the interests of fair and balanced comment, I feel I should observe that the ECJ has also ruled that we need to insure kiddie scooters, dodgems and Segways, even if they’re only used on private land – here’s the DoT position paper – so it’s not all rosy in the EU garden)
A bigger picture 