Wednesday 21 December 2016

Squaring the data protection circle just got harder for the UK

So, the CJEU decision in the Joined cases of Tele2 Sverige AB and Tom Watson et al. (Cases C203/15 and C698/15) came out today and maybe unsurprisingly - after the fairly decisive Advocate General Opinion in July - it is not good news for the UK government.

Admittedly, the judgment does, in theory, concern an Act (the Data Retention and Investigatory Powers Act 2014 (DRIPA)) that is only going to be on the UK statute book for ten more days when it expires under a sunset clause. However, that Act was, to all intents and purposes, replaced by something even worse and far more serious. Despite the inclusion of certain procedural safeguards, it is probably safe to say that, for example, the provision on bulk data collection contained in the Investigatory Powers Act 2016, Britain’s latest version of the “snoopers’ charter”, which now includes a requirement to retain internet connection data, make it a significant advance on anything the country has seen before. In many respects, the IP Act is DRIPA on steroids. And that will be significant.

Incoming data flows post-Brexit

It will be significant not just because we can now surely expect a judicial challenge to the IP Act just as soon as the ink is dry on the CJEU decision (for a detailed analysis of the decision's implications for the IP Act, see Angela Patrick's excellent blog post). It will also be significant because of the long-term effect of the judgment not just on the UK’s ability to monitor the online activities of its population, but on the UK’s economy – particularly its information economy – after Brexit.

It’s a funny thing, this Brexit lark. Intended to free the UK from the shackles of EU regulation and an attempt to relocate “sovereignty” (whatever that means these days) back to the Westminster Parliament (Matron will bite her tongue for now on any comment arising from the points so beautifully made before the Supreme Court in the Miller case), it is in fact likely to cause the UK no end of trouble when it comes to its data protection laws. A point that, to date, the UK government has only seemed to have grasped slowly and incompletely, if recent legislative activity is anything to go by, and that much of the UK public will find difficult to follow given current rhetoric on the benefits of a red, white and blue Brexit.

Although the UK government has now confirmed that it will opt in to the GDPR in May 2018, its failure to commit to the continued application of the framework post-Brexit already creates legal uncertainty for UK data controllers and processors. But in the face of today’s judgment, it is now seriously putting at risk the ability of any UK company to receive personal data from inside the EEA after the UK’s departure from the EU club. And that is something that UK businesses should view with some concern.

To quickly sum up the current situation: the EU data protection law framework has always been, and will continue to be, in the service of two seemingly conflicting objectives: it seeks to protect personal data and hence the individual citizen’s right to privacy and data protection (now guaranteed to them under the EU Charter of Fundamental Rights), and to facilitate the free flow of personal data, which is a basic requirement for the functioning of the digital economy that we are all now operating in.

The way in which this has been achieved since the adoption of the Data Protection Directive in 1995 was by creating some sort of “protective bubble” around the EU (and later the EEA) member states within which everyone applied roughly the same rules with regard to the processing of personal data. This made it possible to allow for free data flows from one  member state to another, safe in the knowledge that no country would be able to either:
  • create “data havens” with a low standard of data protection as a means to entice data heavy businesses to settle and invest there, or
  • use high standards of data protection as a protectionist measure to guard its own businesses from outside competition.

Now, we can all agree that, EU-internally, this hasn’t worked out quite as well as it should. Most of us suspect that there is a reason why some of the more interesting judicial challenges in this area of law originate from Ireland. But where this approach has arguably been quite effective is in the relationship this has created between the EU/EEA and so-called “third countries”.

Because one of the main tenets of EU data protection law is that EU data controllers may only transfer personal data to a country outside the EU, if that country provides adequate protection of personal data, the relative high standard of the EU data protection framework has already spread, missionary style, to other, non-EEA countries that wish to trade with the EU.

And this, dear Watson, is of course the circle the UK will have to square post-Brexit when it takes on the noble mantle of “third country” status.

Debunking the “We’re out of here” myth

A quick perusal of today’s press shows that commentators were quick to assume that today’s CJEU ruling will not affect the UK much given its impending exit from the EU and the fact that it will no longer be subject to the CJEU’s jurisdiction.

This is the same attitude that allows some people to believe that the UK actually has a choice when it comes to the kind of data protection law that it will adopt after Brexit. Already, there have been a number of suggestions on how to skin this particular cat, ranging from, yes, the continued wholesale application of the GDPR to the adoption of a significantly “less burdensome” data protection standard aimed to make the UK an attractive destination for inward investment by data-heavy industries. What the latter camp fail to acknowledge, however (as with so many other Brexit-related questions), is the UK’s current importance as port-of-entry to the EU markets – which is likely to be much diminished after its departure from the EU - as well as the significant level of data-heavy services that UK businesses themselves provide to other EU member states, all of which require a continued ability of those UK business to be able to receive inward transfers of personal data from the EU.

That continued ability relies heavily on the UK being viewed as a jurisdiction that provides an adequate  level of protection for personal data in a way that would enable the European Commission either to a make a finding of adequacy with respect to the UK or to negotiate some other mechanism, for example, in the form of an EU-UK Privacy Shield, that would authorize those inward transfers.

Reading only reports from inside the UK, it is easy to believe that, because much of these negotiations are generally highly politicized, the UK’s proven skills in getting concessions out of the EU that no other member state would ever even dare ask for will ensure that a deal that favours the UK could be struck. And maybe they are right.

But today’s judgment might nonetheless have served a blow to the long-term viability of that strategy.

Because, although as a judgment it is important in its own right, it becomes even more important when read in conjunction with last year’s CJEU decision in Schrems v Data Protection Commissioner (Case362/14).

Advantage EU?

By way of a reminder, the Schrems decision answered the question whether national data protection authorities should have the right to conduct their own investigation into transfers of personal data to a third country (in this case the US) despite the fact that that transfer was, on the face of it, authorized by a decision of the European Commission (in this case the decision that put in place the EU-US Safe Harbour arrangement). The CJEU answered this question in the positive and in the process the court took a number of significant steps that are bound to haunt EU and non-EU data controllers and processors for years to come.

Yes, it invalidated the Safe Harbour decision. But, more importantly, it asserted for itself the right to judicially review all Commission decisions (and possibly  other executive and legislative measures adopted by the Commission and other EU institutions as well) for their compliance with the EU Charter of Fundamental Rights.

It also made it clear that:
  • in the context of data protection, national authorities have the right and indeed the obligation to bring matters that, in their opinion, might necessitate such a judicial review before their national courts with a view to having them referred to the CJEU.
  • when determining whether a third country does provide an adequate level of protection and therefore should be allowed to receive personal data from inside the EU, the court itself would take into account the entire legal framework of that country including the laws permitting the mass surveillance of electronic communications to the extent that those laws might arguably authorise the third country’s law enforcement and security services to access EU citizens’ personal data transferred to that country under the instrument in question.

Although the decision in Schrems was limited to the EU-US Safe Harbour arrangement, it does therefore not require much of a stretch of the imagination to see how the same reasoning could be (and most likely would be) applied to any other type of legal instrument authorising cross-border data transfers from the EU to a third country. And indeed, cases brought by the Irish DPO (with regard to the validity of the standard contractual clauses) and by Digital Rights Ireland and La Quadrature du Net (with regard to the Privacy Shield that has now replaced the Safe Habour) seem to suggest that this is a valid concern.

Game, set and match?

Which brings us back to today’s decision and the way in which the CJEU has reiterated, once again, just how it feels about national legislation that “prescribes the general and indiscriminate retention of data”. Such activity, according to the court, is not in compliance with the rights and freedoms guaranteed to EU citizens under the Charter. Specifically, EU member states are not allowed to make laws that mandate the retention of traffic and location data unless they limit retention to that which is strictly necessary and make access to the retained data subject to substantive and procedural conditions. This includes objective criteria in order to define the circumstances and conditions under which the competent national authorities are granted such access. Access must also, except in cases of urgency, be subject to prior review by a court or an independent body.

In the case at hand, this is likely to mean that DRIPA is unlikely to comply with the CJEU’s conditions (although the final determination of this is of course left to the referring court in the UK). Moving forward, this is also likely to mean that the IP Act will face difficulty in passing muster on that score.

And although, of course, the UK has the option to say “Why should we care? We’re off” and thus refuse to change its laws to accommodate today’s ruling,  the existence of a surveillance framework that so obviously and disproportionately interferes with the rights and freedoms of EU citizens will make it difficult, if not impossible for the UK in the future to provide evidence that it does in fact ensure an adequate level of protection of personal data.

Because the way the CJEU has phrased its conditions for a data retention framework that meets the requirements of the Charter sounds remarkably similar to the way it talked about the requirements that the US would have had to meet (and, in practice, failed to meet) to justify the validity of the Safe Harbour framework.

I am sovereign, you are protectionist?

In fact, in an outstanding show of asserting the EU’s own sovereignty vis a vis third countries, the court, in Schrems, gave a dressing down to the EU Commission for the fact that it had issued a decision that authorised data exports from the EU without a proper examination of whether or not the receiving country ensures an adequate level of protection "by reason of its domestic law and international commitments".

Specifically, the court ruled that the Commission should have taken into account whether the authorization of personal data transfers from the EU to the US under the Safe Harbour framework did, in practice, facilitate the interference by US public authorities with fundamental rights of the persons whose data is transferred to the US. The Commission’s decision should have included therefore (and didn’t) findings regarding the existence of US rules to limit any interference with the fundamental rights of those persons, as well as the existence of effective legal protection against interference of that kind.

The fact that, by its own assessment, the court felt that US law was found wanting on either of those points, directly contributed to its decision to invalidate the Safe Harbour.

Implications of Schrems and Watson for a post-Brexit UK

So what does this mean for the UK post-Brexit, when it takes on the noble mantle of “third country” status?

It means that regardless of the type of legal instrument it may come to agree with the EU to secure its continued ability to receive personal data from other EU member states, its approach to the surveillance of electronic communications as well as its "international commitments" in this area is now likely to be part of the issues that will be assessed if a challenge to that instrument ever finds its way to the CJEU. And it would probably be naïve to assume that no such challenge would be made.

Meaning that even though the CJEU may no longer be able directly to influence UK surveillance laws in a post-Brexit world, it would very much still be in a position to put a stop to EU-UK data transfers if it finds that the legal instrument that authorizes those transfers facilitates the interference by UK public authorities with the fundamental rights of EU citizens. For as long as UK laws like DRIPA or the IP Act exist or in the event that the UK indiscriminately allows bulk access to EU citizens' personal information under as part of its "international commitments"(like the Five Eyes arrangement"?) to countries that might not be considered "safe" themselves, today’s judgment in combination with the courts ruling in Schrems is likely to present a clear and present danger for the economic outlook of UK data controllers and processors.

Where to we go from here?

So here is Matron’s take on how UK privacy advocates should take today’s judgment forward. Not just by celebrating the fact that “we won” (although a certain amount of celebratory glee must surely be allowed at least for today). And certainly not by getting into fights with the right-wing press on whether or not this is just another sign of how the EU affects UK sovereignty and national security and just another reason for severing ties with the lot of them as soon as possible.

But by pointing out - calmly but relentlessly - that, like a post-Brexit UK, a post-Brexit EU is sovereign and competent to decide which countries it allows its businesses to trade with. And that a post-Brexit EU, being bound, as it is, by the Charter, is unlikely to allow its businesses to transfer EU citizens'  personal data to countries where their protection from what would be considered, under the Charter, unlawful access by law enforcement and security agencies cannot be guaranteed.

Which means that, like the US before it (in the Microsoft case) – the UK now faces a choice: it can either moderate its ever more intrusive surveillance laws to make them compliant with the EU Charter or it can exercise its “sovereignty” in the area of national security at the long-term expense of its digital and cloud industries.  But until that choice is made, the economic position of any UK business that relies for its viability on the ability to receive inward transfers of any kind of personal data from inside the EU has just become a lot more difficult.


Time to get popcorn!