In September 2018, the Marriott hotel chain discovered that up to 339 million guest records had been stolen from the company's guest reservation database in a massive hacking operation going back years.
Names, addresses, phone numbers, email addresses, passport numbers, payment card numbers and expiry dates, loyalty card details, dates of birth, gender, arrival and departure information and reservation dates were all exposed.
The British data protection authority announced a fine of £92m (€108m) under the EU's privacy regime, the General Data Protection Regulation (GDPR). Some 30 million of the affected guests were from EU or EFTA member states.
Thanks to GDPR's "one-stop-shop" mechanism, privacy regulators in other member states did not need to take action on behalf of their citizens – the British regulator, the Information Commissioner's Office (ICO), was in the driving seat as lead authority to investigate and sanction the breach.
Now with Brexit, the UK will be out of the GDPR.
Data breaches: what the future holds
"With the ICO outside the tent," says Helen Dixon, Ireland’s Data Protection Commissioner (DPC), "if [Marriott] suffered a breach those member states would have to take their own enforcement action. We can’t turn to the UK any longer and say you’re the lead authority. It increases the workloads on all of us."
However, Brexit will have much more far-reaching consequences for Ireland’s place in the deepening matrix of consumer privacy, big data, organised crime and state surveillance.
Data generated by online consumer activity is now an extraordinarily valuable commodity which flits instantaneously around the globe.
Consumers and governments struggle to balance privacy with the fight against crime and terrorism; multinationals want to limit its regulation; authoritarian states want to use data to control citizens.
"For the US," Pascal Lamy, the former Director-General of the World Trade Organisation (WTO) told a conference in Brussels this week, "data is there to buy and sell. For Europe data is private property. For China data belongs to the state and the Party."
Within that three-way struggle, Ireland has been under an unusually harsh spotlight because it hosts a disproportionately large number of global multinationals uniquely powered by, and associated with, the harvesting of consumer data.
Because Google, Facebook, Airbnb, LinkedIn, Apple and other data behemoths have their EU headquarters in Ireland, complaints from EU citizens about how those companies handle their personal data end up with the Irish data protection office as lead supervisory authority.
In 2015, the DPC received 932 complaints. Since GDPR took effect, the office has received 13,000 complaints, alongside 8,000 breach notifications.
Enforcement differs across Europe
There is no central EU privacy regulator. Instead, there are multiple national, and in some cases regional, data protection commissioners all enforcing GDPR rules, but with a large degree of discretion over how they do it.
"You’ve got all these different enforcement cultures around Europe," says a senior EU official familiar with how GDPR is applied. "In Spain they slap a fine on every violation, in the Scandinavian countries they never have fines. There are imbalances in resources. There is no rubric for whether, if you have a jurisdiction of a certain size, you should have a certain amount of resources."
The UK regulator was seen as a standard bearer for a more nuanced type of enforcement. "It was all about engagement," says the official. "Talking to companies saying, 'if you want to do this and avoid violations then you have to do it this way', allowing companies to test products in a controlled environment."
Ireland has followed this more collaborative approach. With the UK gone, however, Ireland will be more prone to the accusation that it is soft on data protection so as not to alienate US multinationals.
"There’s this conviction in Berlin and Paris that Ireland is a soft touch for these big companies," says the official. "Pre-Brexit you would have got a better synergy with the UK approach to regulation (they want to indulge Google as well), and once that goes I think that leaves Ireland even more isolated than before."
Helen Dixon rejects any suggestion Ireland is a soft touch. "The companies are located in Ireland for lots of reasons," she says. "A skilled workforce, tax arrangements that are favourable - reasons long predating data protection laws being in vogue. So it’s certainly not a question that any company is located here for the data protection regime."
Data flow in post-Brexit era
GDPR may involve maddening boxes to tick when a web page is opened, but it facilitates the free flow of data across EU borders. That means data flowing north and south across the island of Ireland and large data flows from Ireland to the UK and back again.
What happens on December 31 when the transition period ends and the UK leaves the GDPR?
The European Commission can decide, by way of an "adequacy decision", that a third country has a data protection regime robust enough to be trusted to receive the personal data of EU citizens.
In the Political Declaration which accompanied the Withdrawal Agreement, both sides agreed that the EU would start work on an "adequacy agreement" for the UK, and that the UK would also "take steps to ensure the comparable facilitation of transfers of personal data to the [European] Union."
This week the UK said it would "develop separate and independent policies in areas such as…data protection."
The EU’s draft negotiating directives likewise say any future deal "should affirm the Parties’ commitment to ensuring a high level of personal data protection".
The EU has only 14 adequacy agreements with third countries. They are not forever and a day - the EU is obliged to re-assess the trustworthiness of its counterparts’ privacy regime every few years.
All the indications would suggest that, nonetheless, both sides are keen for data to continue flowing through an adequacy agreement.
However, there are a number of problems.
Sources say the cooperative spirit reflected in the draft negotiating documents published in London and Brussels this week is in contrast to a tougher line the EU had adopted during the divorce negotiations.
"The Commission was holding a very hard line on data flows," says one well-placed industry source. "It was saying [to the UK], of course you'll want to be regarded as adequate in terms of the GDPR and you'll be assuming you will be because you've just left the EU.
"But we’ve got countries in the Balkans who want to become members, we want to assess their regimes. We have other priority countries. After Japan [with which the EU signed a trade deal last year], we’ve got Korea, we’ve got Mexico, we’ve got Chile.
"They were even telling data protection authorities to hold the line, that UK will not get preferential treatment."
Exchange of data is vital for security
The belief is that if the European Commission has changed its tune, it is because the EU is keen to agree a security and defence relationship, and the UK is keen to agree a police and judicial cooperation agreement.
Data protection for consumers and businesses is generally covered by the GDPR, while the protection of data in the context of police and judicial cooperation has its own law, the Law Enforcement Directive (cross-border agencies and systems such as Eurojust, Europol and Eurodac have their own data protection rules).
The EU will want the UK to ensure its standards are equivalent across the board through an adequacy agreement.
Brussels and London have signalled they want to keep cooperating in the field of money-laundering, the financing of terrorism and illegal migration, and a key part of this cooperation will be the ability to exchange data.
This will include the exchange of air Passenger Name Record (PNR) data, as well as DNA, fingerprint and vehicle registration data (facilitated under the so-called Prüm Convention, to which 14 EU member states are signatories) and the exchange of information on criminal records.
The EU envisages a PNR agreement so long as the UK complies with "data protection standards essentially equivalent to the EU’s standards" – in other words the GDPR and EU law enforcement directives.
However, the entire PNR operation has been highly controversial from the start.
The interest in PNR was a direct result of the September 11 terrorist attacks. Investigators believed the data footprint left by the hijackers when booking their flights could have helped thwart the attacks.
In 2003, the US introduced a law obliging airlines to transfer all such data – travel itineraries, means of payment, contact details, co-travellers and so on – to the security services so that inbound passengers could be fully screened.
The US and EU then negotiated a joint PNR agreement in 2004 for EU-US flights. Alongside the agreement the European Commission adopted a decision recognising the protection afforded to that PNR data by the US authorities as "adequate".
However, that agreement was struck down by the European Court of Justice (ECJ) in 2006, on the grounds that it had been adopted on the wrong legal basis.
In 2007, both sides negotiated a new PNR agreement, but this, too, ran into trouble after President George W. Bush exempted a number of US agencies from its remit.
Despite lingering concerns about the safety of EU citizens’ data when flying to the US, the European Parliament finally approved a successor PNR agreement between the EU and US in 2012.
But the tension between personal privacy and the demands of national security has persisted and is certain to complicate the future EU-UK relationship.
Tension between privacy and security
Member states have always jealously guarded the right to keep national security and the rules of the single market separate.
Indeed, the EU treaties guarantee this. Article 4(2) of the Treaty on European Union, as amended by the Lisbon Treaty, states that "national security remains the sole responsibility of each Member State."
However, for the past 15 years, the European Court of Justice has been taking an increasingly tough line on defending privacy, which it sees as a fundamental EU right.
This tension has been growing ever since the EU adopted its own anti-terror legislation following the September 11 attacks.
In 2006, the EU followed the US in adopting a Data Retention Directive. It obliged member states to require telecoms and internet providers to retain traffic and location data (though not the content of communications) for between six and 24 months, with member states free to extend that period in particular circumstances.
However, the directive faced relentless challenge through the European courts.
In 2010, Digital Rights Ireland (DRI) challenged the directive in the Irish High Court on the grounds that it breached the EU Charter of Fundamental Rights. The High Court referred the case to the ECJ and in April 2014 the Luxembourg court found in favour of DRI.
The directive breached the privacy provisions of the Charter of Fundamental Rights because the retained data could "allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out and the social environments frequented by them".
The court declared the 2006 Data Retention Directive invalid.
After the ruling the Swedish telecoms operator Tele2 Sverige stopped retaining communications data. That decision was promptly challenged by the Swedish police who believed it would seriously hamper law enforcement.
Something similar happened in the UK. The Data Retention and Investigatory Powers Act (DRIPA) was challenged in the High Court, and when it ruled that it was in breach of the DRI judgement, the then Home Secretary Theresa May appealed.
Both the Swedish and British cases brought the issue back to the ECJ.
In 2016, the ECJ ruled that EU privacy directives and the Charter of Fundamental Rights meant that security agencies could not have wholesale access to the retained data.
National laws which permitted the "general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication" were not compatible with fundamental EU rights.
As recently as January 15 this year, the European Court of Justice's Advocate General issued an opinion that data could be retained in a general way only "on an exceptional and temporary basis" and only if it was justified by "overriding considerations relating to threats to public security or national security."
According to one EU official, this is an ongoing struggle between member states who want to use data for security purposes and the ECJ who emphasises personal privacy and the coherence of the single market.
"The member states won’t let go," says the official. "They want to have data retention laws where they oblige telecoms companies and the likes of Google and others to keep data for a certain amount of time so they can access it for their investigations. The court keeps saying you can’t keep doing that systematically for everything. It has to be targeted."
UK may face EU court over data battle
But if the UK is out of the EU and beyond the purview of the ECJ, why should this matter?
It matters because the UK will still be deeply embedded in EU data transfers.
The House of Lords Brexit Committee reported in July 2017 that fully two thirds of British online consumer and public sector cross-border data is shared with EU member states.
The UK privacy regulator told the Committee that the UK "is so heavily integrated with the EU…that it would be difficult for the UK to get by without an adequacy arrangement."
The other reason the ECJ will still take an interest in the UK post-Brexit is because of the threat of a legal challenge due to the UK’s putative culture of surveillance of citizens and their private data.
The House of Lords report noted that when the European Commission was assessing its adequacy decision it would look at the UK "in the round, including national security legislation."
In other words, under Boris Johnson, a post-Brexit UK could well deepen the use of data retention for national security purposes.
But if the UK wants an adequacy arrangement with the EU, then a more intrusive approach to data retention might end up before the ECJ again, because the data concerned would be that of EU citizens.
How Privacy Shield was established
It goes without saying that privacy campaigners will be watching this closely, and we need look no further than one Max Schrems.
In 2013, the Austrian student took a complaint against Facebook to the Irish Data Protection Commissioner which ended up being referred to the ECJ.
It followed the allegations by US whistleblower Edward Snowden that US multinationals like Facebook had conspired with the National Security Agency to probe the data of internet users without their knowledge.
The Data Protection Commissioner had taken the position that any data transferred by Facebook (headquartered in Ireland) to the US was safeguarded by the Safe Harbour decision, the EU's adequacy arrangement with the US, and declined to investigate.
In 2015, the ECJ ruled that Safe Harbour was unfit for purpose.
The EU and US were then forced to construct a new regime, the Privacy Shield, which came into effect on 12 July 2016.
Privacy Shield required the US to more robustly monitor and enforce EU privacy rules and to deepen cooperation with European regulators.
But Max Schrems, by now a world renowned privacy campaigner, was not finished yet.
The ECJ had upheld Schrems' complaint that sending EU citizens' data wholesale to the US under Safe Harbour breached EU privacy law, and Privacy Shield was not yet in place.
So Facebook turned to an alternative route: Standard Contractual Clauses (SCCs).
SCCs are model contract terms which companies in the EU have long used when transferring data to third countries with which the EU has no adequacy agreement. Facebook used them in order to continue transferring data from the EU to the US.
Schrems promptly updated his complaint to the Irish Data Protection Commissioner that SCCs were also suspect. The issue went back to the ECJ via the Irish High Court.
On 19 December last year, the ECJ's Advocate General advised, in a non-binding opinion, that the SCCs were valid in that they compensated for any data protection deficiencies in the third country receiving the data.
However, the Advocate General also recognised that an SCC binds only the parties to the contract, not the authorities of the third country, and so may be difficult to enforce there.
As a result, the parties to a transfer, and where necessary the EU supervisory authorities, would have to assess on a case-by-case basis whether a given transfer of EU data could actually comply with the Standard Contractual Clauses. If there was a conflict between the SCCs and, say, US law, the transfer would have to be suspended.
Does a tangled mess lie ahead?
All of this creates a rather tangled mess when it comes to predicting how smooth things will be post-Brexit.
Even if an adequacy agreement is concluded by the EU and UK before the transition expires (December 31), it will still have to be updated every couple of years, and the UK may want to diverge from EU rules in the meantime.
With the Max Schremses of this world still active, an adequacy agreement could be subject to a legal challenge because of the UK tendency towards intrusive surveillance.
"The UK will have the same problem as the US," says Max Schrems by phone from Austria. "As a member state the UK could invoke Article 4(2), the national security exemption. But after Brexit the UK does not have that option, so the ECJ is certain to want to review any adequacy decision.
"The difference is that the UK is still subject to the European Court of Human Rights (ECHR) so at least there is baseline protection for a foreigner when it comes to protecting their data."
According to one senior EU official: "Regardless of whether or not companies behave as if GDPR still applied as before Brexit, Britain’s security apparatus is as intrusive as the one in the US, if not more so. Americans would argue there’s even less control: there’s no equivalent of Congressional oversight, checks and balances that don’t exist in the UK."
Britain 'behaved like a bunch of cowboys'
The UK has already angered the EU over a data breach.
In May 2018, it was discovered that the UK had been illegally copying classified personal information from a database reserved for members of the passport-free Schengen travel zone.
Even though the UK has never been part of the Schengen Area, it had been granted limited access to the Schengen Information System (SIS), a database with 76 million entries used by police to track undocumented migrants, missing people, stolen property and suspected criminals.
An investigation by the European Commission, reported by EU Observer, found that the UK had for several years been illegally copying entries and sharing them with other law enforcement agencies around the world.
Sophie In’t Veld, a Dutch MEP, told the European Parliament: "This is a country that is not a member of Schengen because it doesn’t want to be a member of Schengen. It doesn’t want to be a member of the European Union. Nevertheless, in the kindness of our hearts we have given them access to the Schengen Information System and they behaved like a bunch of cowboys."
Administrative headache if deal not agreed
What happens if the EU and UK are unable to reach an adequacy agreement in time for December 31?
Both sides will have to fall back on our old friends, the (now tarnished) Standard Contractual Clauses (SCCs).
These will have to be used by companies on the island of Ireland – even sports organisations – if they are engaged in the transfer of data across the border.
The European Commission has approved a templated version of SCCs, meaning they can be inserted into a contract between parties in a "plug and play" sense.
However, Helen Dixon, the Irish Data Protection Commissioner, is concerned not only about the legal question mark that hangs over SCCs, but also the lack of awareness among Irish companies as to what they are, how they work, or whether they have the resources to enter into them.
"It is a big administrative and resource-intensive activity," she says. "There is so much data, particularly between Ireland and Northern Ireland, in so many contexts aside from commercial and banking.
"It’s in law enforcement, road safety, tourism, sport. We have become used to these data free-flows and can’t comprehend how inconvenient it’s going to be when there is a legal fullstop."
Dixon says that during outreach visits to the business sector she has often been greeted with "blank faces" when she asks if companies are aware of the data protection implications of Brexit.
However, the Irish regulator is more concerned about the implications of the December opinion of the ECJ's Advocate General on SCCs, even though that opinion is not (yet) binding.
For example, let's say a company in Belfast was trading with a company in Drogheda. The effect of the opinion would be to oblige the importer of the data in Belfast to ensure that nothing in the laws and practices of the UK would cause them to be incapable of complying with EU data protection standards.
If the company in Belfast couldn’t do that, then they would have to notify the company in Drogheda and that company would have to suspend the data transfer.
"Really," asks Dixon, "is it possible for the importers and exporters to do this very detailed assessment?"
In the case of SCC transfers to the US, both the importer and exporter of the data would have to undertake an assessment of what US intelligence agencies might do with the data under the powers US laws grant them, and to declare – as this is a legal contract – that none of those powers would put European data at risk.
While trade and fisheries are hogging all the attention ahead of the negotiations, the complexities of Brexit and data protection will be one to watch.