The full text (1,246 pages of it) of the UK-Europe trade and cooperation agreement was published late on Christmas Day. The Stack dug in for items of interest not already belaboured to death by hungover hacks in other quarters. Herewith, 6 things to know about the Brexit deal, from encryption to ferrets.
1: No data flow cut-off
The future of data flows between the UK and EU has been a major issue for businesses concerned that the UK may tear up data protections. Plus ça change: under the terms of the agreement, data flows can continue unchanged to the UK for four months, extendable to six months, as long as the UK doesn't make any changes to its existing protections. The can, in short, has been kicked down the road, for now...
During this four-to-six-month period, Europe will aim to make an "adequacy" decision on UK data protections (data adequacy is a status granted by the EC to countries outside the EEA that provide data protection comparable to that in European law). The UK, meanwhile, has to notify the Union if it "enters into a new instrument which can be relied on to transfer personal data to a third country... during the specified period."
As per the text (p. 406): "Transmission of personal data from the Union to the United Kingdom shall not be considered as transfer to a third country under Union law, provided that the data protection legislation of the United Kingdom on 31 December 2020 [as per the European Union (Withdrawal) Act 2018 and (EU Exit) Regulations 2019], applies and provided that the United Kingdom does not exercise the designated powers without the agreement of the Union within the Partnership Council."
This looks set to remain one to watch...
2: Email encryption (via cut-and-paste) from 2002
When it comes to the encryption requirements for an EU-UK database containing DNA profiles of convicted criminals, the document appears to have been cut-and-pasted from a 12-year-old document.
As a result, it recommends some seriously dated technology...
“The open standard s/MIME as extension to de facto e-mail standard SMTP will be deployed to encrypt messages containing DNA profile information”, reads p.921 of the document (as spotted by Paul Maunders). The section, which details collaboration via Prüm (an EU treaty that facilitates the exchange of fingerprints, DNA profiles and vehicle registration numbers) adds: “S/MIME functionality is built into the vast majority of modern e-mail software packages including Outlook, Mozilla Mail as well as Netscape Communicator 4.x”.
(Netscape Communicator’s last stable release was 18 years ago in 2002. Mozilla Mail was last updated in 2006. As "modern e-mail software packages" go, we've seen newer...)
The document's recommendation of cryptographic hash function SHA-1 also rings alarm bells: the algorithm was deprecated by standards body NIST in 2011 as insecure. Should we drive home the point? As Microsoft put it in 2016, “The SHA-1 hash algorithm is no longer secure”.
Perhaps the EU and UK shouldn’t be using it to encrypt messages containing DNA profile information?
At the coal face, they may not be. Yet the casual recycling of 2012 legislative text -- already dated eight years ago -- is somewhat troubling: developers know that cut-and-pasting code from open source repos can result in trouble; legislators should too. (n.b. Section 5.75 notes that the system is “shielded” from the public internet, for those tempted to have a poke about and see what they can break...)
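The S/MIME standard the text cites labels the signature digest in the `micalg` parameter of the `multipart/signed` Content-Type header (`sha-1` in the older RFC 5751 spelling, `sha1` in RFC 2633), so a mail gateway can at least spot messages signed with the deprecated digest before they are accepted. The checker below is an added example written for this article, not code from the agreement, the Prüm system or any named vendor; the sample messages and the `WEAK_DIGESTS` policy set are constructed for illustration.

```python
import email
from email.utils import collapse_rfc2231_value

# Local policy (assumption for this example): digests that must not be accepted
# on S/MIME signatures. Both RFC 2633 ("sha1") and RFC 5751 ("sha-1") spellings
# are listed because older clients still emit the former.
WEAK_DIGESTS = {"md5", "sha1", "sha-1"}

# Constructed sample: a multipart/signed message advertising a SHA-1 digest,
# as an Outlook-era client might produce. Signature bytes are omitted; the
# check below only reads the MIME headers, not the CMS blob.
SHA1_SIGNED = """\
From: lab-a@example.invalid
To: lab-b@example.invalid
Subject: DNA profile exchange (constructed sample)
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-1; boundary="b1"

--b1
Content-Type: text/plain

profile payload placeholder
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

c2lnbmF0dXJlIG9taXR0ZWQ=
--b1--
"""

# Same message signed with a modern digest.
SHA256_SIGNED = SHA1_SIGNED.replace("micalg=sha-1", 'micalg="sha-256"')

# A plain, unsigned message for the negative case.
UNSIGNED = """\
From: lab-a@example.invalid
To: lab-b@example.invalid
Subject: hello
MIME-Version: 1.0
Content-Type: text/plain

no signature here
"""


def smime_digest(raw_message: str):
    """Return the lower-cased micalg value of a multipart/signed message, or None.

    Only the outer Content-Type is inspected; collapse_rfc2231_value handles
    both plain and RFC 2231-encoded parameter forms.
    """
    msg = email.message_from_string(raw_message)
    if msg.get_content_type() != "multipart/signed":
        return None
    micalg = msg.get_param("micalg")
    if micalg is None:
        return None
    return collapse_rfc2231_value(micalg).strip().lower()


def audit_smime(raw_message: str) -> dict:
    """Classify a message as unsigned, signed with an acceptable digest, or weak."""
    digest = smime_digest(raw_message)
    if digest is None:
        return {"signed": False, "digest": None, "weak": False}
    return {"signed": True, "digest": digest, "weak": digest in WEAK_DIGESTS}


if __name__ == "__main__":
    for label, sample in (("sha-1", SHA1_SIGNED), ("sha-256", SHA256_SIGNED), ("unsigned", UNSIGNED)):
        print(label, audit_smime(sample))
```

The `micalg` parameter is advisory: a signer can lie in it, so a gateway that enforces a digest policy must also decode the CMS `SignerInfo` in the `smime.p7s` part and read the `digestAlgorithm` there, which needs an ASN.1 parser and is outside this header-level triage. The header check is still useful as a cheap first filter and as a metric of how many legacy clients are still emitting SHA-1 signatures on a given link.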
3: Financial services
From 1 January 2021, UK financial services firms will lose their passporting rights -- which had allowed firms to sell their services into the EU from their UK base without the need for additional regulatory clearances.
Most have long factored this in, and the UK itself has implemented a Temporary Permissions Regime to support EEA based firms operating in the UK with a passport.
But many large questions about the relationship between the UK and EU when it comes to financial services remain open: the two have a range of over 40 individual equivalence regimes in their financial services regulation, which the EU groups into 28 heads, as law firm Eversheds Sutherland notes, and Europe has yet to make a decision on how it feels about the UK's approach to its own regulation.
Eversheds Sutherland deems the most significant of these:
- Article 30 of the Benchmarks Regulation
- Article 5 of the Credit Rating Agencies Regulation (“CRAR”)
- Article 25 of the Central Securities Depositories Regulation (“CSDR”)
- Articles 75 and 77 of EMIR
- Articles 46 and 47 of MiFIR
- Article 30 of the Prospectus Regulation
- Article 19 of the Securities Financing Transactions Regulation (“SFTR”)
And in a June 2020 report, it notes that the EU "submitted 1,000 pages of questions to the UK in 28 separate equivalence questionnaires, only delivering the final 248 pages of questions on 25 May, less than 5 weeks before the 30 June deadline for making the assessments." The EC got its replies, eventually, but is still chewing them over.
As the European Commission notes in its own December 24 Q&A:
"The Agreement does not include any elements pertaining to equivalence frameworks for financial services. These are unilateral decisions of each party and are not subject to negotiation. The Commission has assessed the UK's replies to the Commission's equivalence questionnaires in 28 areas.
"A series of further clarifications will be needed, in particular regarding how the UK will diverge from EU frameworks after 31 December, how it will use its supervisory discretion regarding EU firms and how the UK's temporary regimes will affect EU firms. For these reasons, the Commission cannot finalise its assessment of the UK's equivalence in the 28 areas and therefore will not take decisions at this point in time."
4: Cybersecurity: we’ll work together on that...
Howlers like the "modern e-mail" requirements in #2 aside, the two have promised to work closely together on cybersecurity-related issues, with the UK and EU having agreed to “cooperate in relevant international bodies and forums, and endeavour to strengthen global cyber resilience and enhance the ability of third countries to fight cybercrime effectively”.
What that means in practice is that CERT-EU (the Computer Emergency Response Team for the EU Institutions) and the UK will “cooperate on a voluntary, timely and reciprocal basis to exchange information on tools and methods, such as techniques, tactics, procedures and best practices, and on general threats and vulnerabilities.”
The United Kingdom may participate in the Management Board of the EU Cybersecurity Agency (ENISA) across certain categories -- “at the invitation, which the United Kingdom may also request” -- of the Union. (Despite growing funding, the Heraklion, Greece-based ENISA has just 65 staff and is hardly a heavy-hitter in the global security arena.) How relevant the UK feels it will be to stay involved is an open question.
5: Digital trade – good for the cloud.
The deal emphasises "digital trade" and reinforces the "legal effect and admissibility" of electronic documents, signatures, seals, and time stamps.
It adds that "a party shall not require prior authorisation of the provision of a service by electronic means solely on the ground that the service is provided online, and shall not adopt or maintain any other requirement having an equivalent effect" (while ruling out broadcasting, gambling, legal and real estate services from this clause, as well as collateral securities).
Cross-border data flows “to facilitate trade in the digital economy”, meanwhile, will not require the use of “computing facilities or network elements” in a given territory for processing, and shall not be restricted by “requiring the localisation of data in the Party's territory for storage or processing", the document proclaims; i.e. no mandatory use of EU-based data centres for given workloads.
6: For the ferrets...
On a lighter note: prepare to get a ferret-sitter: current UK pet passports will no longer be valid as of 1 January 2021, because the UK does "not commit to align with the EU's sanitary acquis and more specifically the rules on pet dogs, cats and ferrets after the end of the transition period".
As the EC notes: "For pet dogs, cats and ferrets introduced into the EU and Northern Ireland an animal health certificate will be required (without the requirement for a test for rabies antibody)."