The great thing about countries that call themselves democracies is that their governments can claim justification for all kinds of behaviours that would not necessarily even come to the mind of the most vicious tyrant. As the late Richard Crossman once pointed out, democracy really exists nowhere in the world – except maybe a few weeks before a general election.
An illustration of how far the UK is from any democratic nirvana is the Investigatory Powers Bill currently making its way through the UK House of Commons. If passed, this would allow the so-called “intelligence services” in the UK – such as GCHQ – to demand data from multinational companies anywhere in the world, simply on the pretext that the company has a subsidiary on UK soil. Hence no customer, supplier or employee of a multinational enterprise would be safe. It would not make any difference where data was held – as the state snooper could either demand it with menaces or simply hack their way into the company’s system with impunity.
This measure has predictably raised the hackles of many multinationals. In their submission of evidence to the Bill Apple, for instance has stated that its “relationship with customers is in part built on a sense of trust about how data will be handled” and that the Bill would put them “in a very difficult position”. It remains equally uncertain about how other governments will respond to this incursion into their sovereignty. The Irish government has recently been siding with Microsoft in a case before a New York Court requiring the handover of documents held in Ireland, but how far will any other country go to challenge the UK, especially if the UK electorate decides to leave the European Union this Summer?
This threat is not merely theoretical or “academic” but very real, and it could well leave companies – especially IT and HR professionals – in a huge dilemma. It is also an area where legal costs could rapidly mount up as – in truth – no legal professional is going to stick their neck out and tell a company that there are clear legal grounds for either compliance or resistance. However, the moral case is clear – as undertakings to clients should always over-ride all other considerations. Governments of every complexion get involved in dirty tricks and many are at the heart of industrial espionage on behalf of national or state companies. So therefore the only safe course of action is to respect the authority of the country where jurisdiction over sensitive data primarily exists (ie: the country where it is held). Ultimately the UK will not have the powers to enforce orders outside its territory on a company in its own right and if it tries to do so then there is always the option of going public over a point of principle and announcing an exit from the UK market altogether. If enough companies threaten such a move then a UK government rethink may well follow.