After giving oral evidence we sent Parliament our views on the proposed EU-UK Security Treaty. We would be concerned if current levels of security collaboration - including access to databases - are maintained but not supported by similar accountability mechanisms and legal oversight.
1. In an ideal world, what is your vision of the “closest possible cooperation” on security between the UK and EU post-Brexit?
From our perspective as civil society, the closest possible cooperation should be fully framed in a system of rights and rule of law. Maintaining the status quo seems unrealistic in the face of evidence, and this applies as well to maintaining the levels of protections afforded by a single judicial regime and the Charter of Fundamental Rights. Any collaboration should be proportionate to the protections afforded. Participation in organisations or schemes with high levels of accountability is desirable, while loose arrangements for data sharing would raise more concerns.
Open Rights Group has followed the principle that, in order to be legitimate, surveillance, including data sharing, should always take place on the basis of specific suspicion. We generally oppose indiscriminate bulk data sharing for general purposes such as “fighting crime”.
Any new regime an opportunity to examine problems with current regime, not just try to ape existing arrangements. We are disappointed that the government position seems focused on security capabilities, and human rights appear to be perceived as hurdles to overcome.
2. What should be the scope of the proposed UK-EU security treaty? Are there any issues that might not be best covered by this type of arrangement?
We believe that a single treaty covering areas that are in a dozen EU regulations, directives and decisions all with different legal bases is a big challenge and it may be more practical to keep separate tracks.
If the government manages to secure a single security treaty, we think that this should include clear and comprehensive privacy and human rights protections.
A treaty modelled on trade deals - as the government has stated - is problematic because these deals generally involve negligible public debate and little parliamentary scrutiny. The ad-hoc arbitration mechanisms created in trade deals sit outside established judicial systems and are less accountable. A security treaty would require clear public scrutiny and legal oversight and the government position paper is not satisfactory on this aspect.
Participation in European organisations such as Europol or Eurojust would clearly be important, but current operational access to live data or the internet referral unit could be problematic if there was weaker oversight.
Cooperation instruments such as the European Arrest Warrant are more controversial and are already subjected to criticisms. Some criticisms are well founded, particularly around political issues, and we would want to see a proper review, not just aping existing arrangements.
For example, would want to understand the impact on the right to family life of children of prisoners of sending people to countries where after Brexit close relatives may not be able to relocate for regular visits.
We are concerned that the UK may try to include in the treaty the recent EU proposal for a single EU production order for electronic evidence. It is unclear how this would work in practice, but the UK is already negotiating a bilateral Executive Agreement on such data access with the United States.
Access to databases needs to be necessary and proportionate, based on evidence and not just for mass data mining. A detailed review of databases would be required. Many databases should probably continue but maybe not all. In particular, Passenger Name Records data is an issue, as demonstrated by the CJEU striking down the Canada deal.
The existing EU regime for data access is already problematic in some cases, and proposals for increased interoperability increase risks. The report by Fundamental Rights Agency on biometrics and asylum provides some examples.
3. What sort of provisions would you hope would be included in the proposed treaty, in order to secure the rights of individuals?
We believe that European civil society organisations will expect any treaty to include protections against indiscriminate surveillance of the type in the bulk warrants - or even the thematic warrants - in the Investigatory Powers Act.
The government proposals focus on data protection, which is certainly an important element, and having a common framework. The government is asking the EU to create a bespoke arrangement for the UK, with a streamlined process for an adequacy decision. This would follow the GDPR procedure but would not necessarily be the same. Our understanding is that the UK government is trying to avoid scrutiny of its mass surveillance regime in order to avoid the risk of a negative decision. It seems unlikely that the European Commission will take such drastic step, given the immense financial implications, but it is very likely that any adequacy decision will be challenged by individuals or organisations in the EU and the CJEU will be forced to rule on the matter.
In addition, adequacy for law enforcement will now require a separate decision under provisions in the Law Enforcement Directive (LED), which are new and untested. The lack of a common judicial system outside the CJEU and missing the Charter of Fundamental Rights may be a bigger challenge in this context than with the general regime in GDPR.
Independently of the success of these adequacy decisions, any treaty should include specific safeguards and redress mechanisms, given that data protection law gives Member States many opportunities to derogate and the LED is not fully harmonised.
We expect that the treaty will include an agreement for the exchange of classified and sensitive information, possibly modelled on the EU agreement with Norway. While a general agreement of this kind may provide some basic safeguards, we do not think that it is enough for citizens. Incidentally, the difficulties that Norway has encountered in access to some key data, such as the Galileo PRS encrypted signal, gives an indication of the impact Brexit may have.
4. What fall-back options would be available to the Government should the UK fail to reach an agreement on security cooperation with the EU?
Given the complexity it is possible that the treaty approach may fail, or be reduced to a top level framework agreement. Each specific area could be negotiated separately.
For extradition there is already a public debate on the merits of the Norway model or the 1957 European Convention on Extradition. Transparency in the process and inclusion of rights considerations - including the political exemption - would be our main concerns. Nobody wants the UK to be a safe-haven for criminals, but there is a long tradition of harbouring political dissidents from the Continent.
When it comes to data sharing there is no simple fall-back option. Failure may not come from a single point. Data protection, the Charter and CJEU jurisdiction have been identified as risks for the overall framework of cooperation, but some specific arrangements may fail in their own terms, e.g. PNR.
A data sharing Executive Agreement similar to the EU-US would be a step back in terms of rights and public oversight.
We are particularly concerned that a reduction in law enforcement collaboration could lead to more secretive intelligence collaboration. This is already a problem with the 5 Eyes and intelligence data sharing more widely, where there is very little regulation and oversight, as shown in Privacy International’s recent report.
5.What legal provisions would you hope that the Government would make to ensure existing rights in the event that no agreement was reached with the EU?
This would depend on the actual practical outcome of the breakdown in negotiations. A severe restriction in the level of collaboration and data sharing between the UK and the EU would be different to a situation where the status quo is maintained through a patchwork of ad-hoc arrangements,
We believe that there is a risk that the importance of the UK in security creates less accountable “backdoor” sharing through informal channels, emergency provisions or intelligence agencies.
Another aspect would be the cause if the breakdown. We would be concerned that a lack of adequacy may be seen among some in government as an excuse to weaken data protection more broadly.
Our overall approach to legal protections is encapsulated in the International Principles for the Application of Human Rights to Communications Surveillance, to which we are signatories. These include safeguards for international cooperation:
“In response to changes in the flows of information, and in communications technologies and services, States may need to seek assistance from foreign service providers and States. Accordingly, the mutual legal assistance treaties (MLATs) and other agreements entered into by States should ensure that, where the laws of more than one state could apply to Communications Surveillance, the available standard with the higher level of protection for individuals is applied. Where States seek assistance for law enforcement purposes, the principle of dual criminality should be applied. States may not use mutual legal assistance processes and foreign requests for Protected Information to circumvent domestic legal restrictions on Communications Surveillance. Mutual legal assistance processes and other agreements should be clearly documented, publicly available, and subject to guarantees of procedural fairness.”.
6. What will be the consequences of the UK's withdrawal from the Charter of Fundamental Rights for the effect that the security treaty might have on the rights of individuals?
The Charter is a really important element of the current framework of protections. It contains specific provisions such as data protection not found UK law. It is hard to see how various EU legal arrangements that are built within the Charter can work as well outside.
In addition, the rights in the Charter are based and reflected in CJEU jurisprudence, so the two elements are linked, and removing
7. Can you see any advantages for security cooperation once the UK no longer comes under the jurisdiction of the CJEU?
From a rights perspective, there could be some theoretical advantages in not being forced to take on specific EU initiatives, but historically the UK has been at the forefront of data surveillance, so these benefits would be unlikely to be realised. The loss of the robust framework of rights provided by the EU and a judicial system capable of taking on the executive will be difficult to replace.
8. How likely is it that the UK will come to an agreement with the EU on data-sharing for security cooperation? What are the barriers to such an agreement?
The UK position seems to be that all that is needed is an agreement on data protection and if forced to find an alternative to strict rule by the CJEU. But the problems run deeper due to the mistrust around UK mass surveillance across Europe.
The UK apparent proposal to bypass the adequacy process with a fast-track bespoke deal that avoids scrutiny of bulk surveillance and data transfers to the 5 Eyes is deeply problematic and would almost certainly be challenged by European organisations.
As we said in the previous section, adequacy decisions for law enforcement are new and untested, but on the basis of the existing regime we have serious doubts about this.
There are specific issues with data retention. We do not believe the UK has fully complied with the recent ruling, and despite the efforts of several EU countries the jurisprudence seems very clear.
There are problems with various exemptions in the Data Protection Act, not just on immigration, but generally in the way they are constructed, removing fundamental data protection principles without adequate safeguards.
9. How do you assess the UK's chances of securing similar agreements with other countries such as the US, once it has left the EU?
There is no reason for the US and the UK not to secure a deal. Switzerland has a Privacy Shield agreement with the US. If the UK tries to embed data transfer in the many trade deals we have been told to expect this could indirectly affect EU relations. The EU has expressed that it does not allow personal data to be included in trade deals. There were problems in this area for the Japan free trade agreement recently.
10. Do you have any concerns that personal data will be able to be accessed more easily by the Government once the UK has left the EU?
Yes, we are very concerned because it is well known in Brussels that the UK government has consistently been a force for the weakening of privacy protections for citizens and the implementation of state surveillance measures.