UK Bill a serious concern for privacy and data protection

The Bill, if passed, would allow the UK to reach into companies based outside its territory

Watching legislation being made is, as the saying goes, a bit like watching proceedings in a sausage factory – you would really rather not know.

But Ireland – the whole world, really – needs to take a look at what is happening in the UK right now with that government’s Investigatory Powers Bill (IP Bill), aka the Snooper’s Charter.

Many aspects of it are grotesque, on privacy, security, and just plain commonsense grounds. It is hard to see how many of its features could hold up to, say, European Court of Justice scrutiny, suggesting one alarming aspect of the Brexit scenario could be a Britain ready to trample over civil liberties and human rights, free of Charter of Human Rights restraints.

In a letter this week to the Guardian newspaper, a group of 200 senior lawyers stated the Bill compromises a "fundamental right to privacy and may be illegal".

And it would affect us. The Bill allows the UK to force its provisions internationally, affecting businesses, other world governments, and citizens whose data are processed by companies globally.

Extraterritorial

One of the most egregious of these is that the Bill gives the UK extraterritorial reach into companies based outside the UK, to demand access to data or other materials and potentially to hack into systems as part of UK-based investigations.

In other words, the Bill could allow UK spy organisation Government Communications Headquarters (GCHQ) access – by front or back door – to data held in an Apple, Yahoo or Facebook server in Ireland, even though none of those companies has its European headquarters in the UK.

The request could be made simply because each company has a subsidiary office in the UK. Such a provision would give the UK extraordinary, direct snooping powers into international companies.

Or, as Apple has put it in a submission of evidence on the Bill: “[The law] would place businesses like Apple – whose relationship with customers is in part built on a sense of trust about how data will be handled – in a very difficult position. For the consumer in, say, Germany, this might represent hacking of their data by an Irish business on behalf of the UK state under a bulk warrant – activity which the provider is not even allowed to confirm or deny.”

This issue of “extraterritoriality” is critical for the way companies operate today – for internet business, cloud computing, social media, data processing and much else.

Microsoft is currently challenging the US government over these core concerns. In New York state, the company has refused to hand over directly to a judge emails held in an Irish server. The Irish Government has formally sided with Microsoft, submitting that international law enforcement treaties are the correct approach for data held in another sovereign territory.

The same issues arise in the IP Bill. But it has had very little publicity by comparison to the US case, even though the stakes are as high for companies and citizens (as well as governments, of course, who face the prospect of jurisdictional tussles over data access with countries that are allies as well as enemies).

Several technology multinationals with significant operations (including headquarters) in Ireland filed a joint submission of written evidence on this and other aspects of the Snooper’s Charter.

Confusion

In it, Facebook, Google, Microsoft, Twitter and Yahoo state that among other confusions inherent in the Bill, "unilateral assertions of extraterritorial jurisdiction will create conflicting legal obligations for overseas providers who are subject to legal obligations elsewhere".

In other words, if GCHQ comes knocking in Ireland, demanding data from a Yahoo server, this would almost certainly conflict with protections offered to companies, individuals and data under Irish as well as EU data protection law. So whose law prevails?

The companies also raise concerns about the Bill’s proposal to weaken security by weakening encryption. Again, extraterritoriality arises, since the Bill potentially could force the introduction of back doors even on companies based outside the UK.

“We . . . have concerns that the Bill includes ‘obligations relating to the removal of electronic protection applied by a relevant operator to any communication or data’ and that these are explicitly intended to apply extraterritorially with limited protections for overseas providers.”

There’s much more too. You can read the full submission here: http://bit.ly/1OFwHNk

Apple’s submission is here: http://bit.ly/1Pcrg4a

Repugnant

This repugnant Bill goes to vote next Tuesday. If wiser heads do not prevail, and the Bill is passed, followed by Brexit and a loss of European-level privacy oversight, what a mess this will be.

We will have a scenario in which the UK will assert it can force any company with any link to the UK, as tenuous as a small subsidiary office or serving UK customers, into weakening security that would affect all users worldwide. And, we would enter a worrying world in which a national government can now insist it has the right to data held in another sovereign territory.