This post by Will Perry of Monckton Chambers considers the ramifications for international data transfers of this week’s CJEU judgments on mass surveillance.
What do these two CJEU judgments say?
On Tuesday (6th October 2020), the CJEU issued two judgments in cases concerning bulk data collection and retention by national governments (often referred to as ‘mass surveillance’).
The first – Case C-623/17, Privacy International – was a preliminary reference from the Investigatory Powers Tribunal in the context of proceedings between Privacy International and the UK’s security and intelligence services. It concerns bulk data collection (or ‘transmission’ as the judgment labels it). This occurs when, for example, security services directly collect all data which an internet service provider holds on its customers’ online activities. As the CJEU notes at §71 of its judgment, this data contains sensitive information which allows the security services to build up a profile of the individuals to whom it relates.
The second judgment – Joined Cases C-511/18, C-512/18, and C-520/18, La Quadrature du Net and Others – answered preliminary references from the French and Belgian courts. It concerns bulk data retention, which is where a country’s security and intelligence services order companies to store vast swathes of data that they would otherwise delete. The CJEU considered the ways in which bulk communications data might be used at §117 of its judgment, stating that it allows:
‘very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them. In particular, that data provides the means of establishing a profile of the individuals concerned…’
It should be noted that, although the UK was not a party to the bulk retention cases, Part 4 of the Investigatory Powers Act 2016 provides a legislative framework for the retention of communications data.
In both cases, the CJEU ruled that national legislation concerning mass surveillance falls within the scope of EU law, even if such surveillance takes place in the context of national security. As a result, bulk data collection and retention measures have to comply with the ePrivacy Directive (2002/58/EC) as well as the general principles of EU law, including the principle of proportionality and rights guaranteed by the EU Charter of Fundamental Rights.
Applying those standards to the national regimes in question, the CJEU held in Privacy International that legislation requiring companies to carry out ‘general and indiscriminate transmission’ of data to the security and intelligence agencies for the purpose of safeguarding national security was unlawful. It similarly held in La Quadrature du Net that ‘general and indiscriminate retention’ was prohibited. Both conclusions were based on the Court’s interpretation of Articles 7 (right to privacy), 8 (right to protection of personal data), and 11 (right to freedom of expression) of the EU Charter.
The judgments were not a total victory for privacy advocates. Notably, in La Quadrature du Net, the CJEU held that general and indiscriminate bulk retention is permitted where there is a ‘serious threat’ to national security which is ‘genuine and present or foreseeable’, so long as this is limited in time to what is ‘strictly necessary’, and is ‘subject to effective review, either by a court or by an independent administrative body whose decision is binding’.
Why do these judgments matter for the UK post-transition period?
The UK Government is likely to stress that it was not a party to La Quadrature du Net and that the Privacy International judgment concerned the predecessor regime to that contained in the Investigatory Powers Act 2016. However, given the sweeping nature of the analysis in both judgments (the prohibition of “general and indiscriminate” collection/retention appears to capture most forms of mass surveillance), this may prove difficult.
At first glance, it might seem as if these issues will simply disappear once the transition period concludes at the end of this year and the UK ceases to be bound by the ePrivacy Directive and the Charter. So why can’t the UK simply ignore the CJEU’s findings and continue to order retention and collection of bulk data in a potentially “general and indiscriminate” way?
First, the cases (which will constitute retained EU case law post-transition) might well affect the way in which the domestic courts in future consider the compatibility of the UK’s bulk collection and retention regime with both retained EU law and the European Convention on Human Rights (‘ECHR’). With that said, the Government can, of course, legislate contrary to retained EU law. It might also successfully argue that it has greater leeway under the ECHR: the Divisional Court last year rejected each of the claimant’s ECHR arguments regarding bulk powers under the Investigatory Powers Act 2016 in R (National Council for Civil Liberties) v Secretary of State for the Home Department [2019] EWHC 2057 (Admin); whilst in Joined Cases C-203/15 and C-698/15 Tele2 and Watson (an earlier decision on mass surveillance), the CJEU hinted at §129 that Articles 7 and 8 of the EU Charter offer greater protection than ECHR Article 8.
The second, and perhaps far bigger, issue concerns post-Brexit data flows between the EU and the UK. Whilst these may sound dry, they are hugely important. As the UK Government stated in its ‘Explanatory Framework’ for discussions about data flows with the EU: ‘Imports and exports of both goods and services heavily depend on the free flow of personal data between the UK and the EU. EU personal data-enabled services exports to the UK were worth approximately £42bn in 2018, and exports from the UK to the EU were worth £85bn.’
The UK is currently bound by EU data protection laws – most notably the General Data Protection Regulation (2016/679) (‘GDPR’) – and is part of the ‘Digital Single Market’ in and around which personal data can move freely. For example, if a bank in Frankfurt wants to send personal data to a sister company in London, it can do so without having to consider whether the transfer is permitted under Chapter V of the GDPR (which concerns ‘Transfers of personal data to third countries or international organisations’).
However, at the end of the transition period, when EU law ceases to apply, the UK becomes a ‘third country’. At this stage, most data transfers from the EU to the UK can only take place if they satisfy one of the provisions in Chapter V of the GDPR. By far the most user-friendly of these provisions (issues with the alternatives are considered below) is Article 45. It permits transfers on the basis of an EU Commission ‘adequacy decision’.
The Commission will only reach an adequacy decision if it is satisfied that the third country’s data protection landscape offers ‘an adequate level of protection essentially equivalent’ to the level of protection ensured within the EU (GDPR, Recital 104). As Jack Williams explained in a recent talk, adequacy is a prime example of the UK technically having sovereignty in relation to its own internal affairs (in this case, a domestic data protection regime), but nevertheless in practice still having to take account of what it has agreed, or desires to achieve, in its dealings with the EU.
The importance to both the EU and the UK of having an adequacy decision in place by the end of the year cannot be overstated. For example, look at the prominence given to these issues at §§8 and 9 of the Political Declaration, which highlight ‘the importance of data flows and exchanges across the future relationship’; commit both sides to ‘ensuring a high level of personal data protection to facilitate such flows between them’; and state that the Commission will ‘endeavour[]’ to adopt an adequacy decision by the end of 2020.
Until recently, many commentators were optimistic about the chances of the UK obtaining an adequacy decision before the end of the year, particularly because its post-Brexit data protection laws are almost a carbon copy of the current EU law regime (for example, see how similar the EU GDPR and the new ‘UK GDPR’ are here). The likelihood of a decision will also be increased if reports that the UK has compromised by pledging to keep the Human Rights Act 1998 on the statute book are correct.
However, the CJEU’s judgments are likely to have suddenly and significantly reduced any confidence the UK has of obtaining an adequacy decision by the end of the transition period.
Why does mass surveillance affect data transfers?
The ‘essentially equivalent’ standard is an exacting one. The EU has some of the most exacting data protection standards in the world, if not the most exacting. So far only Andorra, Argentina, Canada (on a partial basis), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay have been deemed adequate by the Commission.
Until recently, the most high-profile EU adequacy decision concerned the EU-US ‘Privacy Shield’. However, the CJEU recently invalidated this decision in its Schrems II judgment (Case C-311/18). The reason for its invalidity? US surveillance programmes do not contain limitations and safeguards which ensure protection of rights in a way which is ‘essentially equivalent’ to GDPR and EU Charter standards (and US law does not provide for effective judicial protection against such interferences).
It is easy to see how Tuesday’s rulings could prove problematic. If the UK’s bulk collection and retention regime leads to the violation of fundamental Charter rights, it is difficult to see how its data protection landscape offers ‘essentially equivalent’ protection to the EU’s.
Even if the Commission decides to adopt a more flexible approach, because it considers the economic consequences of not having an adequacy decision in place are simply too grave, it would still be powerless to prevent the CJEU from considering the validity of the decision. A challenge would be almost inevitable. Having witnessed the uncertainty caused by Schrems II, the Commission may decide it does not want to risk a repeat experience.
What happens if there is no adequacy decision in time for the end of the transition period?
In the absence of an adequacy decision, those transferring data from the EU to the UK would have three main alternatives.
The first are Standard Contractual Clauses (‘SCCs’) (see GDPR, Article 46(1) and (2)(c)). These are templates pre-approved by the Commission, which must be signed by both the data ‘exporter’ in the EEA and the ‘importer’ outside the EEA. Once the contract is entered into, data can move freely between the parties.
The main issues with SCCs are twofold.
First, as the CJEU made clear in Schrems II (see §§104 and 137), SCCs cannot automatically be relied on where the level of protection in a third country is not ‘essentially equivalent’. If a third country’s mass surveillance regime means there can be no adequacy decision, companies cannot sidestep the risks through SCCs because SCCs ‘are not capable of binding the authorities of that third country’ (§125). Companies may therefore be prevented from relying on SCCs where, for example, the importer is a ‘telecommunications operator’ which may be subject to the UK’s bulk data retention powers under Part 4 of the Investigatory Powers Act. In any event, companies will have to work out for themselves what additional safeguards (such as encrypting data) are required to satisfy EU standards. In this regard, Schrems II raises the issue but doesn’t offer any obvious solutions.
Second, putting SCCs in place can be incredibly costly because a new contract is required for each ‘point-to-point’ transfer. For example, in evidence to the Commons’ EU Exit Committee, one expert recalled how, following the invalidation of the EU-US Safe Harbour (the predecessor to Privacy Shield), a company had to put in place 2 million standard contractual clauses over the space of a month or so.
The second alternative is to use Binding Corporate Rules (‘BCRs’) (GDPR, Article 47). These require entire companies or groups of companies to commit to EU data protection standards which have been pre-approved by a European data protection supervisory authority.
The main issues with BCRs are that:
- They cost on average £250,000 to set up.
- Though BCRs were not considered by the CJEU in Schrems II, like SCCs they too are incapable of binding a third country’s security and intelligence services. So companies relying on BCRs would still need to consider applying additional safeguards to combat the risks posed by the UK’s surveillance regime.
- They can only be relied on by organisations with operations in the EU.
- They can only be used following a lengthy pre-approval process. If companies are starting to consider BCRs at this stage, they are unlikely to be in place by the end of this year.
The third ‘alternative’ is to avoid the transfer altogether by simply redirecting the processing activities in question. For many businesses, this is likely to be a non-starter.
Where does the UK go from here?
The UK could increase its chances of securing an adequacy decision by the end of the year by rapidly rewriting parts of the Investigatory Powers Act to ensure it complies with the CJEU’s recent judgments. And the Commission might give it some leeway if these changes do not come into effect until early next year.
However, there are two reasons why the Government may be particularly reluctant to do so. First, it may decide that the national security benefits of ‘general and indiscriminate’ collection and retention are simply too great a sacrifice for obtaining an adequacy decision.
Second, and perhaps more importantly, the Government may be politically opposed to the CJEU and Commission effectively interfering with the UK’s national security interests after it has left the EU.
Whatever the Government decides to do, there are less than three months until the end of the transition period. The clock is ticking.