The threats we face from terrorism, serious crime and cyberattacks did not disappear on 1st January. Those wishing the UK harm, non-state and state actors alike, didn’t declare a truce after Brexit. They don’t particularly distinguish between members and non-members of the EU.
But how we tackle those threats will change.
Over the last decade or so, the UK put a lot of effort into working with our European partners to counter shared threats. Not only through the EU: Nato has taken on a bigger role in addressing some of these challenges; cooperation between intelligence services has strengthened outside the EU framework; bilateral cooperation remains very important. But a lot has been done with the European Union.
So what happens with Brexit? Well, there’s a deal, which is much better than the alternative of no deal. That would have meant a brutal break in cooperation between our police forces, prosecutors, border guards and their European colleagues, with the UK unplugged overnight from the sharing of law enforcement information across Europe. The deal that’s been agreed is very much worth having but leaves our security relationship dialled down. So how did we get here and what difficulties remain?
Things might have gone differently. Theresa May spoke powerfully about post-Brexit cooperation on internal and international security at the Munich Security Conference in 2018. But the EU reacted with caution to ideas of a separate agreement on security; it wanted one overarching EU/UK deal. At the same time, some on the EU side felt the Brits were seeking to use security cooperation as leverage in the wider negotiations. Boris Johnson’s government made clear it wasn't interested in structured cooperation on foreign policy and international security, and insisted on there being no role for the European Court of Justice. For a while it looked like negotiations on security were stuck, with the EU seeking detailed commitments on the protection of fundamental rights and personal data, going beyond what it asked of some other non-EU countries.
In the end, the two sides agreed to find a way forward on the cross-cutting issues which matched the level of practical cooperation envisaged. The EU accepted that the ECJ’s writ wouldn’t run in Britain after 2020, which set a limit on the kind of cooperation that was possible. Both sides made it a condition of continued cooperation that the other would uphold fundamental rights, while respecting the independence of the different legal systems. Security is part of the wider deal, but with its own governance, suspension, termination and review clauses. The issue of personal data was rolled forward while the European data authorities continue their separate consideration of whether UK protections are adequate.
This unlocked an agreement which goes further than some had expected. But it is not plain sailing from here.
Like the US, the UK will now be a third country partner with Europol and EuroJust, the main EU law enforcement agencies which provide platforms for sharing information, mounting joint investigations, operations and prosecutions. The precise solutions for how day-to-day cooperation will work are largely left to further discussion in the various management bodies. There are provisions for law enforcement and judicial cooperation on anti-money laundering, tackling the funding of terrorism, asset freezing and confiscation. And, most importantly, on extradition. Although the European Arrest Warrant has been unpopular with some in the Conservative Party, it’s been used thousands of times over recent years. Practitioners were concerned that the UK position on the ECJ meant they could lose this facility. The agreement includes provision for mutual surrender of those wanted for more serious crimes, built on the model of the EU surrender agreement with Norway and Iceland. Crucially, this relies on political dispute settlement rather than ECJ arbitration. Again, the key will be how this works in practice.
The agreement maintains UK links with some law enforcement databases central to strengthening police cooperation across Europe in recent years: notably the Prum network for sharing information on vehicles, fingerprints and DNA, important, for example, in Northern Ireland, and the PNR network for sharing information on arrivals at UK and European airports, subject to some details on how data is handled which the UK has some years to resolve. There are proposals for sharing information on criminal records, though the process will be slower.
But there remains an important operational gap: the UK has left the Schengen Information System, the main database for sharing alerts about individuals and objects of interest, which police and border guards across Europe consult over five billion times a year.
Losing this access is a real challenge, as leading figures from the National Crime Agency and the Met have told parliament. The agreement does include a legal basis for exchanging security alerts bilaterally. But that’s not the same as a frontline officer being able to consult directly the European-wide database in real time. The government is working on various ways to plug this gap. Making greater use of Interpol’s serious crime and terrorism databases is one option, but not all of Interpol’s 194 members have the same approach to sharing data on serious crime and terrorism. This may be why the government is also seeking to build a new network for exchanging real-time alerts with “trusted countries,” including the Five Eyes intelligence partners, but that remains for now a work in progress.
All these arrangements are subject to a dedicated review, in parallel with the review of the wider agreement, every five years, though there are provisions to suspend or terminate all or some of them before then. And problems could arise sooner rather than later, in particular over protection of personal data. The Commission has given itself up to six months to make a determination on data adequacy. One of the main considerations in granting adequacy to a third country is how that country’s security agencies carry out surveillance of EU nationals. Concerns about such surveillance led last summer to the adequacy arrangement with the US being struck down for the second time in recent years. The UK operates the GDPR today as effectively as EU member states, but the practices of the UK’s security authorities will come under renewed scrutiny, as will UK data legislation and arrangements for onward transfer of data to other countries, especially to the US. The Commission, and particularly the European Parliament, will be following developments closely.
The UK’s agreement with the EU does represent a pretty effective compromise, reflecting our mutual self-interest in tackling shared threats to our security. But it is a damage limitation exercise, and disagreements over how things work in practice could yet cause future difficulties.
