So, the CJEU decision in the joined cases of Tele2 Sverige AB and Tom Watson et al. (Cases C‑203/15 and C‑698/15) came out today and, maybe unsurprisingly
- after the fairly decisive Advocate General Opinion in July - it is not good
news for the UK government.
Admittedly, the judgment does, in theory,
concern an Act (the Data Retention and Investigatory Powers Act 2014 (DRIPA)) that
is only going to be on the UK statute book for ten more days when it expires
under a sunset clause. However, that Act was, to all intents and purposes,
replaced by something even worse and far more serious. Despite the inclusion of
certain procedural safeguards, it is probably safe to say that, for example, the
provisions on bulk data collection contained in the Investigatory Powers Act 2016, Britain’s latest version of the “snoopers’ charter”, which now include a
requirement to retain internet connection data, make it a significant advance on
anything the country has seen before. In many respects, the IP Act is DRIPA on
steroids. And that will be significant.
Incoming data flows post-Brexit
It will be significant not just because we
can now surely expect a judicial challenge to the IP Act just as soon as the
ink is dry on the CJEU decision (for a detailed analysis of the decision's implications for the IP Act, see Angela Patrick's excellent blog post). It will also be significant because of the long-term effect of the
judgment not just on the UK’s ability to monitor the online activities of its
population, but on the UK’s economy – particularly its information economy –
after Brexit.
It’s a funny thing, this Brexit lark.
Intended to free the UK from the shackles of EU regulation and an attempt to relocate
“sovereignty” (whatever that means these days) back to the Westminster
Parliament (Matron will bite her tongue for now on any comment arising from the
points so beautifully made before the Supreme Court in the Miller case), it is
in fact likely to cause the UK no end of trouble when it comes to its data
protection laws. A point that, to date, the UK government has only seemed to
have grasped slowly and incompletely, if recent legislative activity is
anything to go by, and that much of the UK public will find difficult to follow
given current rhetoric on the benefits of a red, white and blue Brexit.
Although the UK government has now
confirmed that it will opt in to the GDPR in May 2018, its failure to commit to
the continued application of the framework post-Brexit already creates legal
uncertainty for UK data controllers and processors. But in the face of today’s
judgment, it is now seriously putting at risk the ability of any UK company to
receive personal data from inside the EEA after the UK’s departure from the EU
club. And that is something that UK businesses should view with some concern.
To quickly sum up the current situation:
the EU data protection law framework has always been, and will continue to be,
in the service of two seemingly conflicting objectives: it seeks to protect
personal data and hence the individual citizen’s right to privacy and data
protection (now guaranteed to them under the EU Charter of Fundamental Rights),
and to facilitate the free flow of personal data, which is a basic requirement
for the functioning of the digital economy that we are all now operating in.
The way in which this has been achieved since
the adoption of the Data Protection Directive in 1995 was by creating some sort
of “protective bubble” around the EU (and later the EEA) member states within
which everyone applied roughly the same rules with regard to the processing of
personal data. This made it possible to allow for free data flows from one member state to another, safe in the knowledge
that no country would be able to either:
- create “data havens” with a low standard of data protection as a means to entice data heavy businesses to settle and invest there, or
- use high standards of data protection as a protectionist measure to guard its own businesses from outside competition.
Now, we can all agree that, EU-internally,
this hasn’t worked out quite as well as it should. Most of us suspect that there
is a reason why some of the more interesting judicial challenges in this area
of law originate from Ireland. But where this approach has arguably been quite
effective is in the relationship this has created between the EU/EEA and
so-called “third countries”.
Because one of the main tenets of EU data
protection law is that EU data controllers may only transfer personal data to a
country outside the EU if that country provides adequate protection of
personal data, the relatively high standard of the EU data protection framework
has already spread, missionary style, to other, non-EEA countries that wish to
trade with the EU.
And this, dear Watson, is of course the
circle the UK will have to square post-Brexit when it takes on the noble mantle
of “third country” status.
Debunking the “We’re out of here” myth
A quick perusal of today’s press shows that
commentators were quick to assume that today’s CJEU ruling will not affect the
UK much given its impending exit from the EU and the fact that it will no
longer be subject to the CJEU’s jurisdiction.
This is the same attitude that allows some
people to believe that the UK actually has a choice when it comes to the kind
of data protection law that it will adopt after Brexit. Already, there have
been a number of suggestions on how to skin this particular cat, ranging
from, yes, the continued wholesale application of the GDPR to the adoption of a
significantly “less burdensome” data protection standard aimed to make the UK
an attractive destination for inward investment by data-heavy industries. What
the latter camp fail to acknowledge, however (as with so many other Brexit-related
questions), is the UK’s current importance as port-of-entry to the EU markets – which is likely to be much diminished after its
departure from the EU - as well as the significant level of data-heavy services
that UK businesses themselves provide to other EU member states, all of which
require a continued ability of those UK businesses to receive inward
transfers of personal data from the EU.
That continued ability relies heavily on
the UK being viewed as a jurisdiction that provides an adequate level of protection for personal data in a way that would enable the European Commission either to
make a finding of adequacy with respect to the UK or to negotiate some other
mechanism, for example in the form of an EU-UK Privacy Shield, that would
authorize those inward transfers.
Reading only reports from inside the UK, it
is easy to believe that, because much of these negotiations are generally
highly politicized, the UK’s proven skills in getting concessions out of the EU
that no other member state would ever even dare ask for will ensure that a deal
that favours the UK could be struck. And maybe they are right.
But today’s judgment might nonetheless have served a
blow to the long-term viability of that strategy.
Because, although as a judgment it is
important in its own right, it becomes even more important when read in
conjunction with last year’s CJEU decision in Schrems v Data Protection Commissioner (Case‑362/14).
Advantage EU?
By way of a reminder, the Schrems decision answered the question
whether national data protection authorities should have the right to conduct their
own investigation into transfers of personal data to a third country (in this
case the US) despite the fact that that transfer was, on the face of it,
authorized by a decision of the European Commission (in this case the decision
that put in place the EU-US Safe Harbour arrangement). The CJEU answered this
question in the positive and in the process the court took a number of
significant steps that are bound to haunt EU and non-EU data controllers and
processors for years to come.
Yes, it invalidated the Safe Harbour
decision. But, more importantly, it asserted for itself the right to judicially
review all Commission decisions (and
possibly other executive and legislative
measures adopted by the Commission and other EU institutions as well) for their
compliance with the EU Charter of Fundamental Rights.
It also made it clear that:
- in the context of data protection, national authorities have the right and indeed the obligation to bring matters that, in their opinion, might necessitate such a judicial review before their national courts with a view to having them referred to the CJEU.
- when determining whether a third country does provide an adequate level of protection and therefore should be allowed to receive personal data from inside the EU, the court itself would take into account the entire legal framework of that country including the laws permitting the mass surveillance of electronic communications to the extent that those laws might arguably authorise the third country’s law enforcement and security services to access EU citizens’ personal data transferred to that country under the instrument in question.
Although the decision in Schrems was limited to the EU-US Safe Harbour
arrangement, it does therefore not require much of a stretch of the imagination
to see how the same reasoning could be (and most likely would be) applied to
any other type of legal instrument authorising cross-border data transfers from
the EU to a third country. And indeed, cases brought by the Irish DPO (with
regard to the validity of the standard contractual clauses) and by Digital Rights Ireland and La Quadrature du Net (with regard to the
Privacy Shield that has now replaced the Safe Harbour) seem to suggest that this is a valid concern.
Game, set and match?
Which brings us back to today’s decision
and the way in which the CJEU has reiterated, once again, just how it feels
about national legislation that “prescribes the general and indiscriminate
retention of data”. Such activity, according to the court, is not in compliance
with the rights and freedoms guaranteed to EU citizens under the Charter. Specifically, EU
member states are not allowed to make laws that mandate the retention of
traffic and location data unless they limit retention to that which is strictly
necessary and make access to the retained data subject to substantive and
procedural conditions. This includes objective criteria in order to define the
circumstances and conditions under which the competent national authorities are
granted such access. Access must also, except in cases of urgency, be subject
to prior review by a court or an independent body.
In the case at hand, this is likely to mean
that DRIPA does not comply with the CJEU’s conditions (although the final
determination of this is of course left to the referring court in the UK).
Moving forward, this is also likely to mean that the IP Act will face
difficulty in passing muster on that score.
And although, of course, the UK has the
option to say “Why should we care? We’re off” and thus refuse to change its
laws to accommodate today’s ruling, the
existence of a surveillance framework that so obviously and disproportionately
interferes with the rights and freedoms of EU citizens will make it difficult,
if not impossible, for the UK in the future to provide evidence that it does in fact ensure an
adequate level of protection of personal data.
Because the way the CJEU has
phrased its conditions for a data retention framework that meets the
requirements of the Charter sounds remarkably similar to the way it talked
about the requirements that the US would have had to meet (and, in practice,
failed to meet) to justify the validity of the Safe Harbour framework.
I am sovereign, you are protectionist?
In fact, in an outstanding show of
asserting the EU’s own sovereignty vis-à-vis third countries, the court, in Schrems, gave a dressing down to the EU
Commission for the fact that it had issued a decision that authorised data
exports from the EU without a proper examination of whether or not the
receiving country ensures an adequate level of protection "by reason of its
domestic law and international commitments".
Specifically, the court ruled that the
Commission should have taken into account whether the authorization of personal
data transfers from the EU to the US under the Safe Harbour framework did, in
practice, facilitate the interference by
US public authorities with fundamental rights of the persons whose data is
transferred to the US. The Commission’s decision should have included
therefore (and didn’t) findings regarding the existence of US rules to limit
any interference with the fundamental rights of those persons, as well as the
existence of effective legal protection against interference of that kind.
The fact that the court, by its own assessment, found US law wanting on those points directly contributed to its decision to invalidate
the Safe Harbour.
Implications of Schrems and Watson for a post-Brexit UK
So what does this mean for the UK
post-Brexit, when it takes on the noble mantle of “third country” status?
It means that regardless of the type of
legal instrument it may come to agree with the EU to secure its continued
ability to receive personal data from other EU member states, its approach to
the surveillance of electronic communications, as well as its "international commitments" in this area, is now likely to be among the
issues that will be assessed if a challenge to that instrument ever finds its
way to the CJEU. And it would probably be naïve to assume that no such
challenge would be made.
Meaning that even though the CJEU may no
longer be able directly to influence UK surveillance laws in a post-Brexit world, it would very much still be
in a position to put a stop to EU-UK data transfers if it finds that the
legal instrument that authorizes those transfers facilitates the interference
by UK public authorities with the fundamental rights of EU citizens. For as long as UK laws like DRIPA or the IP Act exist, or in the event that the UK indiscriminately allows bulk access to EU citizens' personal information as part of its "international commitments" (like the Five Eyes arrangement?) to countries that might not be considered "safe" themselves, today’s
judgment in combination with the court's ruling in Schrems is likely to present a clear and present danger for the economic outlook of UK data controllers and processors.
Where do we go from here?
So here is Matron’s take on how UK privacy
advocates should take today’s judgment forward. Not just by celebrating the fact that
“we won” (although a certain amount of celebratory glee must surely be allowed at
least for today). And certainly not by getting into fights with the right-wing
press on whether or not this is just another sign of how the EU affects UK
sovereignty and national security and just another reason for severing ties
with the lot of them as soon as possible.
But by pointing out - calmly but
relentlessly - that, like a post-Brexit UK, a post-Brexit EU is sovereign and competent to decide which countries it allows its businesses to trade with. And that a post-Brexit EU, being bound, as it is, by the Charter, is unlikely to allow its businesses to transfer EU citizens' personal data to countries where their protection from what would be considered, under the Charter, unlawful access by law enforcement and security agencies cannot be guaranteed.
Which means that, like the US before it (in the Microsoft case), the UK now
faces a choice: it can either moderate its ever more intrusive surveillance laws to make them compliant with the EU Charter, or it can exercise its “sovereignty” in the area of national security at the long-term expense of its
digital and cloud industries. But until that
choice is made, the economic position of any UK business that relies for its
viability on the ability to receive inward transfers of any kind of personal
data from inside the EU has just become a lot more difficult.
Time to get popcorn!