The Implications of Brexit on UK Cyber Policy
from Net Politics and Digital and Cyberspace Policy Program


More on:

Cybersecurity

United States

Human Rights

Europe and Eurasia

Regional Organizations

The United Kingdom’s vote to leave the European Union has prompted pundits and politicians to speculate on what the result means for the country, Europe, and the world. To paraphrase Churchill, never before have so few created such doubt for so many. These speculations touch on the practical politics and philosophical implications of the United Kingdom’s disengagement from the European Union. The Brexit process will affect practical and philosophical aspects of cyberspace politics as well.

In practical terms, the Brexit impact on cyber policy will be determined by how the United Kingdom approaches data protection and privacy issues previously under EU authority, ensures the British economy benefits from digital trade, and manages cybersecurity. In philosophical terms, Brexit raises questions about democratic self-governance, sovereignty, and cyberspace’s future.

Data protection and privacy

Brexit means the United Kingdom will no longer be subject to EU law, including on data protection. The British government has to decide whether it will follow the privacy-centric EU approach or chart a new course. U.S.-EU difficulties over transatlantic data flows and privacy now become relevant for British calculations. The European Union has not backed down in pushing the United States on these issues, making it unlikely Brussels would cut London any slack either. However, Brexit does not relieve the United Kingdom of privacy obligations under the European Convention on Human Rights or undo the Human Rights Act implementing this treaty.

Digital trade

Brexit removes the United Kingdom from the European Union’s Single Digital Market designed “to make the EU’s single market fit for the digital age.” The remaining twenty-seven EU member states will probably not change this strategy after Brexit. As it must do with trade generally, the United Kingdom must decide whether it wants to play by EU rules for the single digital market or forgo the full benefits of access to this market for British digital goods and services.

For its members, the European Union negotiates trade agreements with non-EU states. Now, the United Kingdom will negotiate for itself, including on digital trade. The post-Brexit trade agenda is daunting. The British need to reach trade arrangements with the European Union and countries subject to EU-concluded agreements, such as Economic Partnership Agreements. The United Kingdom will also be outside any Transatlantic Trade and Investment Partnership (TTIP) agreement the United States and the European Union might reach. How well the British can advance their interests in digital trade without being within the EU market remains to be seen.

Cybercrime, cybersecurity, and intelligence

The European Union has limited authority in criminal law and national security, so Brexit should not redirect British policy on cybercrime and cybersecurity. The United Kingdom will now be outside EU efforts on cybercrime, including the European Cybercrime Centre, but Brexit will not affect British participation in other cybercrime regimes, including the Budapest Convention on Cybercrime.

The European Union has adopted some cybersecurity policy and legal measures, which the United Kingdom no longer has to follow. References to the European Union in the UK cybersecurity strategy and the latest strategy progress report are infrequent and unimportant compared with the emphasis on the United Kingdom’s global leadership in this area. Whether this leadership continues post-Brexit is not clear because, in part, the United Kingdom’s influence has been connected with its participation and stature in the European Union. Another open question involves whether the political dislocation and economic fallout from Brexit will cause cybersecurity to become less important in British policymaking and less well funded by Parliament.

Brexit also should not upend British cooperation with the United States on national security matters, including intelligence sharing. The United Kingdom has been part of the “Five Eyes” during its EU membership, and Brexit will not affect its status in this intelligence cooperation arrangement. Again, the major concern is whether short- and long-term political and economic costs from Brexit will weaken British national security and intelligence capabilities, making the United Kingdom less important for U.S. national security and cybersecurity interests.

“We want our country back”

The Brexit referendum result simultaneously caused incredulity that the United Kingdom is leaving the most important community of European democracies in history and celebration that Britons exercised their power of democratic self-government. What Brexit means for democratic countries and the liberal international order that democracies crafted is important for cyber policy. Certainly, the “Leave” and “Remain” campaigns underscored social media’s importance in democratic politics, with the Leave effort apparently winning this battle. But Brexit has deeper implications.

The referendum unleashed among Britons a desire to regain sovereignty, raising fears this attitude might spread within the United Kingdom, the European Union, and beyond. Similar impulses increasingly appear in cyberspace politics, with countries complaining about losing sovereign control as the internet creates vulnerabilities to outside forces. These concerns feed, in various ways, a momentum toward “internet sovereignty,” where countries seek to assert their borders and jurisdiction on the internet. After Brexit, are we facing a convergence of demands for national and internet sovereignty that might transform how nation-states behave in real space and cyberspace?
