The UK Sits Between Two Stools … and Must Pick One


For data, the UK sits between two stools. One is a GDPR-focused view of the world, in which the citizen has core rights to privacy, consent and security. The other is the view that there are too many risks to our society, and that we must break encryption and mass-harvest communications. The UK must soon decide which stool it will sit on, as it cannot sit on both.

The main Cloud service providers in the US, such as Facebook and Google, often now see the world as split in two: they must be GDPR compliant in some areas of the world, and not in others. This can simply be described as a US model for privacy and an EU one.

The Five Eyes, an intelligence alliance of Australia, US, Canada, UK and New Zealand, sees privacy as not absolute, with governments wanting access to encrypted data, communications and devices. As we see in Australia, this alliance is now on a course to put in place technological, enforcement and legislative measures to enforce its non-absolute security world. While the term “backdoors” has all but disappeared from its media communications, it is likely that these will make up a core part of its focus, especially as the world moves to have nearly all communications encrypted through tunnels.

Of the five, it is the UK which possibly has the most to lose if it continues to push forward with this approach, as it may lose its GDPR compliance. As the UK leaves the EU, it will operate outside the EU community, and must prove that it complies with GDPR. With a Five Eyes approach, the UK may find it difficult to justify that it fully complies with GDPR, and may be cast as an untrusted place for data. This is likely to have a significant effect on the data industry in the UK, as data related to EU citizens might not be trusted to reside, or be processed, within the UK.

The major US cloud service providers are also feeling this pressure, and are in danger of losing user trust outside the US. In order to highlight good practice, the EFF awards stars to companies that have good practices for the protection of citizen data [here]:

It can be seen that Facebook, Microsoft and Twitter each gain four stars, and that Pinterest and Lyft gain stars. Overall, most of the US Cloud service providers, such as Twitter and Google, have resisted pressure from law enforcement agencies to increase surveillance. Twitter, for example, refused to cooperate with PRISM, which was a programme for US-based law enforcement agencies to easily tap into Cloud service provider data.

But could US Cloud providers be bending to pressure? Recently, Twitter announced that it was dropping end-to-end encryption on its messaging system, and this is something that worries many within the privacy community. But many feel that the decision relates to their heavy commitments, rather than to a change in their values.

The major US-based Cloud service providers, though, feel that there is a great risk to user trust, and are increasingly using encryption as part of their infrastructure, including end-to-end encryption on emails, end-to-end encryption on messaging, and encryption of network traffic in their internal networks.

The UK might struggle to shake off its part in the Snowden papers, and in the Investigatory Powers Bill. It’ll have to decide, soon, if it believes more in the Five Eyes approach to Internet security, or the GDPR one, as it could become an untrusted country for data in the eyes of the EU.

For the debate on UK and GDPR: