Overturning of EU-US Privacy Shield Could Affect US-UK Five Eyes’ Relationship

By Jarren Buendia on August 14, 2020

Executive Summary:

According to various articles from the Guardian newsgroups, the European Court of Justice (ECJ) struck down the EU-US Privacy Shield agreement. Complaints were brought to the ECJ that stated that EU data should not be sent to the US, as current US surveillance policies cannot guarantee the privacy of said data or users. Beyond EU-US relations, the UK is currently caught in between. In connection with the recent Brexit transition, the UK must decide if it will continue to comply with EU information security regulations. If it decides not to comply, it faces information excommunication in Europe. However, if it decides to comply, and data transference between the US and UK becomes illegal or increasingly regulated, then this decision could have drastic effects on the Five Eyes Intelligence Allegiance. Thus, depending on how the UK responds to the current data protection situation, the decision will have long-lasting effects for multiple countries.

Open Source Intelligence (OSINT) Details:

Based on a summarized timeline of events, published by the Guardian, the ‘EU-US data transference’ topic spans 20 years, and includes a third-party named Max Schrems (Hern, 2020). All information presented below was gathered from the same Guardian article (Hern, 2020):

June 2000 to August 2011: The Safe Harbor privacy principles were created. These principles basically allowed personal information transfers, without breaching the EU’s data protection rules. US companies were then instructed to self-certify and comply. Austrian lawyer Max Schrems filed 22 privacy complaints with the Irish data protection commission. This commission regulates Facebook in the EU, and Schrems filed complaints about the inability to prevent photo-tagging, as well as the company’s refusal to “fully delete data about revoked friendships.”

June 2013 to October 2015: The Guardian reports on NSA surveillance programs. The report stated how this operation allowed direct access to the systems of companies like Facebook. The Irish high court ceased to pursue Schrems’s complaints any further, but also decided to send the complaints to the ECJ. The ECJ began considering the case in March 2015, and by October 2015, ruled in favor of Schrems. In light of information about these programs, the ECJ struck down the Safe Harbor principles.

November 2015 to July 2020: Facebook Ireland continues operations with Facebook HQ through “standard contractual clauses.” This meant that, in order to transfer data, Facebook had to agree that processing of EU data must follow EU law. In July 2016, the EU-US Privacy Shield agreement was created. This was a comprehensive replacement for Safe Harbor, and was the most recent attempt to secure EU data outside its borders. More discussions about the validity of standard contractual clauses, and the Privacy Shield, carried on for the next year. Then, finally, the ECJ struck down Privacy Shield, stating that the US still hasn’t “limited surveillance of EU citizens to that which is ‘strictly necessary.’”

In short, the US and the EU have attempted to establish a common ground, when referring to the data transference landscape. However, over time, relations swayed, and a long-running privacy advocacy campaign fanned the flames that have led to the uprooting of two data protection agreements.

In regard to the UK and the EU, tensions are high. In the midst of the Brexit transition, the UK has been inundated with decisions about how it will maintain its relationship with the EU (Hern, 2020). Specifically referring to the information security sector, relations have not been favorable. According to the Guardian, the UK has committed a couple of infractions of EU data protection law (GDPR). Firstly, it was discovered that British authorities “[…] made ‘unlawful’ full or partial copies of the [Schengen Information System] database” (Rankin, 2020). The SIS database contains more than 76 million items of information, regarding criminal suspects, missing people, and contraband (Rankin, 2020). This database is shared with EU countries that are members of the border-free travel area; however, the UK was not a member (Rankin, 2020). Thus, the UK technically shouldn’t have access to, let alone make copies of, the SIS database. However, as it stands now, the UK does have permission to access the SIS database (Rankin, 2020).

Secondly, it was found that a British police national computer error caused one out of three criminal alerts to not be sent to EU member states (Beckford & Boffey, 2020). According to the Guardian, the computer error was revealed in some meeting minutes, and the error was present for over five years (Beckford & Boffey, 2020). In other words, information stores, like the SIS database, were incomplete and dangerous individuals may have traveled freely between EU states (Beckford & Boffey, 2020).

Lastly for this section, there is the Five Eyes Intelligence Oversight and Review Council (FIORC). The FIORC is an intelligence allegiance comprised of five countries: United States, United Kingdom, Australia, Canada, and New Zealand. According to the Director of Naval Intelligence’s (DNI) official site:

“The Council members exchange views on subjects of mutual interest and concern; compare best practices in review and oversight methodology; explore areas where cooperation on reviews and the sharing of results is permitted where appropriate; encourage transparency to the largest extent possible to enhance public trust; and maintain contact with political offices, oversight and review committees, and non-Five Eyes countries as appropriate.”

Potential Impacts:

The US and the UK have been close allies for generations. In fact, according to another Guardian article, the FIORC relationship between the two countries has origins in WWII (Farrell, 2013). Needless to say, if both countries are part of an exclusive, five-country intelligence team, a lot of information is probably exchanged. Due to recent allegations that have been leveled against the UK by the EU, relations have been strained. However, the UK has ample reason to maintain relations with the EU; one reason would be to retain access to the SIS database. If the EU and UK reach an agreement, then the UK is subject to EU laws regarding data protection. This means that, at the moment, there aren’t any overarching data protection policies in place. On the other hand, if the UK decides not to comply with EU laws, then there aren’t any EU regulations that prevent data exchanges with the US. However, this means the UK may be effectively excommunicated from the rest of Europe.

Significance:

If we specifically focus on just open source information, there is no way to tell how termination of Privacy Shield could affect FIORC relations between the US and UK. However, that isn’t to say there is a zero percent chance it will affect anything. For argument’s sake, if data exchange between both countries stopped, or at the very least, flowed restrictively, it would shut off a major information pipeline. The point of the Five Eyes allegiance is to foster interoperability and share up-to-the-minute information between members. If information can’t be shared easily, then it defeats the purpose. However, the other option is that the UK doesn’t play ball with the EU. In this context, the UK could have data regulation freedom. While that would be beneficial for the point made earlier, it leaves the UK in a precarious position. Britain would be at a serious disadvantage if it did not reach some kind of agreement with the EU. Using the SIS database as an example, information sources like that are important when visitors enter the UK. Losing access to the SIS database could leave Britain in a position where intra-national criminal information would need to be completely re-created, from scratch. Thus, there is incentive for Britain to maintain data exchange relations with the US. However, considering Britain’s overall national interests, there is a lot more incentive to reach agreements with the EU.

Sources:

“Britain could lose access to EU data after series of scandals.” 27 Jan 2020. Retrieved From: theguardian.com. Retrieved: 16 July 2020.

“FIVE EYES INTELLIGENCE OVERSIGHT AND REVIEW COUNCIL (FIORC).” Retrieved From: dni.gov. Retrieved 16 July 2020.

“History of 5-Eyes – explainer.” 02 Dec 2013. Retrieved From: theguardian.com. Retrieved: 16 July 2020.

“Revealed: UK concealed failure to alert EU over 75,000 criminal convictions.” 14 Jan 2020. Retrieved From: theguardian.com. Retrieved: 16 July 2020.

“Tech firms like Facebook must restrict data sent from EU to US, court rules.” 16 July 2020. Retrieved From: theguardian.com. Retrieved: 16 July 2020.

“The background to EU citizens’ court win over US tech giants.” 16 July 2020. Retrieved From: theguardian.com. Retrieved: 16 July 2020.

“UK accused of ‘behaving like cowboys’ over EU database copying.” 09 Jan 2020. Retrieved From: theguardian.com. Retrieved: 16 July 2020.