Living in Interesting Times: Searching for an Adequacy Finding after Brexit

In these uncertain times, Rosemary Jay offers her expert view on one of the crucial post-Brexit issues. It is a long read but worth it.

On 13 September the Government introduced the Data Protection Bill into the House of Lords. The Bill had been announced in the Queen’s Speech earlier in the year and in August the Government had published a Statement of Intent which made clear that the UK intended to apply data protection standards, consistent with the GDPR, to the processing of personal data which is outside the scope of EU law and therefore outside the direct application of the GDPR. The Bill carries out this intent. It also implements the Data Protection Directive on Policing and Criminal Justice, which is now referred to as the Data Protection Law Enforcement Directive (‘DPLED’).

The decision to apply the GDPR standards generally will avoid the possibility of having two regimes for non-policing data: one for those areas of activity which are subject to EU competence and another for those areas of activity outside EU competence. The Government has also decided to apply the DPLED to all policing and criminal justice activity. This is also welcome. The UK has an opt-out from the application of the DPLED to domestic policing and could therefore have elected to limit the application of the DPLED to cross-border activity, leaving domestic policing subject to the Data Protection Act 1998. The decision that the DPLED will be applied in respect of both domestic and cross-border law enforcement will allow for one standard under the DPLED. The requirements under the GDPR and the DPLED are broadly compatible but not identical, so some differences between the two regimes are inevitable.

In addition the Bill includes a separate data protection framework for processing for national security purposes. This is based on the standards found in the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (‘Treaty 108’). This is an interesting development. It is a new departure and clearly distinguishes between, on the one hand, the areas of activity which are either covered by EU competence or where the UK is prepared to extend the scope of the standards in the GDPR and, on the other hand, the area of national security which is clearly delineated as being outside EU competence.

The Bill is a complex piece of legislation, largely because of the technical challenges of applying new data protection rules under the three different elements of the package (general processing, policing and criminal justice and national security). The Statement of Intent optimistically stated that the Government would aim to minimise the levels of complexity, reduce duplication and produce a regime as internally compatible as possible. In effect, the Government’s intention is clearly to create a robust and comprehensive data protection regime for the UK.

One of the aims of such a regime must be to provide a strong basis for the continued free movement of personal data from the EU once the UK leaves the Union. However, the success of this strategy may depend on a number of factors, some of which are not directly connected to the new data protection regime. These include:

  •  whether the UK’s exercise of its areas of discretion under the GDPR meets the tests of necessity and proportionality, particularly in the use of the derogations;
  •  whether the UK’s implementation of the DPLED meets the requirements of the Directive;
  •  how the UK’s human rights regime is viewed once it is no longer bound by the European Union Charter of Fundamental Rights; and
  •  how other areas of UK law intersect with the data protection regime based on EU law, in particular:
     o  the nature of the regime for processing of personal data for the purposes of national security; and
     o  how the Investigatory Powers Act 2016 (which covers the range of investigatory powers including interception, access to communications data and data retention) is viewed.

This article focusses on the final point, which is the interface between the data protection regime and the IPA 2016. It does not examine the detailed provisions of the IPA 2016 but rather the scope and those issues which are likely to be relevant to an adequacy decision post-Brexit.

Transfer solutions

The Bill clearly supports the Government’s stated aim of ensuring that a ‘free flow of data’ continues after Brexit.

In its Statement of Intent the Government had commented that:

The ability to transfer data across international borders is crucial to a well-functioning economy. We are committed to ensuring that uninterrupted data flows continue between the UK, the EU and other countries around the world. The Data Protection Bill will place us on the front foot in allowing the UK to maximise future data relationships with the EU and elsewhere.

Nevertheless the Statement of Intent, as with other Government statements on the issue,[1] remains silent as to how this is to be ensured. The Bill itself does not add anything to this point.

The Statement of Intent was followed, on 24 August, by the publication of the Government’s negotiating paper on DP and Brexit, The exchange and protection of personal data – a future partnership paper. The paper sets out the UK’s intention to be aligned with EU data protection at the point when we leave the Union and the Government’s commitment to maintain a robust, effective regulatory regime for data protection. It states that:

After the UK leaves the EU, new arrangements to govern the continued free flow of personal data between the EU and the UK will be needed, as part of the new, deep and special partnership. The UK starts from an unprecedented point of alignment with the EU. In recognition of this, the UK wants to explore a UK-EU model for exchanging and protecting personal data, which could build on the existing adequacy model, by providing sufficient stability for businesses, public authorities and individuals, and enabling the UK’s Information Commissioner’s Office (ICO) and partner EU regulators to maintain effective regulatory cooperation and dialogue for the benefit of those living and working in the UK and the EU after the UK’s withdrawal.

This suggests that the UK will be looking for a bespoke agreement on adequacy rather than going through the standard process under the arrangements for an adequacy finding. It remains to be seen how successful this might be. In any event, the same considerations on the UK legal regime will no doubt be relevant, irrespective of how an adequacy agreement is reached.

Adequacy under the GDPR and DPLED

The GDPR and the DPLED both cover the transfer of personal data outside the EU. In both instruments such transfer is prohibited unless the receiving jurisdiction is recognised by the EU as offering an adequate level of protection for the data (the ‘adequacy’ test), or one of the other transfer solutions or one or more of the derogations apply. Leaving aside those transfer solutions under the GDPR which lie primarily in the hands of data controllers and processors (model form contracts, Binding Corporate Rules, other legal instruments, plus, in the future, codes of practice and certification mechanisms) the only two routes which appear open to the UK on a national level are either a Treaty agreement[2] or findings of adequacy by the European Commission under the GDPR and the DPLED. It should be noted that an adequacy decision must be made under each legal instrument, although of course they could be made at the same time. It is also possible that an adequacy decision could be made under one instrument but not the other.

The introduction of an adequacy requirement under the DPLED is a new development which follows on from the extension of EU competence into the field of policing. Adequacy findings under Directive 95/46/EC do not take account of the application of data protection law to policing or criminal justice and do not apply to the transfer of personal data for those purposes.

Adequacy assessment

An assessment and finding of adequacy is currently made by the Commission under Article 25 of Directive 95/46/EC. Under the GDPR it will be made under Article 45. Article 45 is more detailed than its predecessor provision in relation to the assessment which has to be made by the Commission. It sets out specifically that the Commission must have regard to the rule of law and respect for human rights and fundamental freedoms and to rights and effective redress mechanisms for data subjects. See Article 45(2)(a), quoted below.

Transfers on the basis of an adequacy decision – Article 45 GDPR

1. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.

2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;

(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and

(c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.


Adequacy findings and policing

The provisions on the transfer of personal data outside the EU in the DPLED are not the same as under the GDPR. Article 35 sets out the general principles for transfers of personal data processed for the purposes of policing and criminal justice and these will apply to all transfers of such personal data. They require that any transfer by a competent authority (this means a competent authority for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties[3]) of any personal data processed or intended to be processed for the purposes of policing and criminal justice can take place only where:

  •  the transfer is necessary for the purposes of policing/criminal justice;
  •  the transfer is to a competent authority for these purposes in the receiving jurisdiction;
  •  if the personal data came from another Member State, that State has given prior authorisation to the transfer;
  •  there is in place an adequacy decision under Article 36 or, in the absence of such a decision, safeguards are applied under Article 37 or a derogation applies under Article 38; and
  •  in all cases onward transfers are controlled.

These are cumulative requirements.

Article 36 provides for the Commission to make adequacy decisions in the same terms as in Article 45 of the GDPR. It follows that the Commission must have regard to the rule of law, respect for human rights and fundamental freedoms, and effective redress mechanisms for data subjects in relation to both decisions.

Confidentiality of communications, interception and redress

Confidentiality of communications and freedom from surveillance, including electronic surveillance of individual activity, are important aspects of the fundamental rights to privacy and data protection under EU law. The extent to which it is legitimate and proportionate to breach these rights will be relevant issues in any adequacy determination made under Article 45 of the GDPR or Article 36 of the DPLED.

Interestingly however, the specific EU legal regime under which confidentiality of communications is protected, that is under Directive 2002/58/EC (the ePrivacy Directive), is not directly relevant in assessing adequacy for the purposes of decisions under either the current Directive 95/46/EC or the GDPR or the DPLED. When making assessments of adequacy the Commission currently does not assess whether the applicant country has laws which are equivalent to the ePrivacy Directive. If it did so it would have to look at rules on email marketing, use of location data, directories and all the other elements covered by the ePrivacy Directive. There is no change to this under the GDPR or the DPLED. It might be thought, therefore, that the issue of confidentiality of communications and the limits of interception by the State could be argued to be outside the range of issues which the Commission is entitled to take into account in assessing adequacy. This would be a misconception; together with rights to freedom from surveillance and rights of redress for breach, confidentiality of communication is regarded as being a part of an individual’s fundamental rights. That is not to say however that the ePrivacy Directive, its implementation in UK law and its replacement provisions would be wholly irrelevant in relation to an adequacy assessment.

Current position on UK implementation of the ePrivacy Directive

The bulk of the requirements of the ePrivacy Directive have been implemented in the UK by the Privacy and Electronic Communications Regulations 2003 (‘PECR’). That part of the ePrivacy Directive which deals with the confidentiality of communications and limits the interception of communications, Article 5, is currently implemented by the Regulation of Investigatory Powers Act 2000.

The Commission is in the process of reviewing the ePrivacy Directive. In January 2017 it issued a proposal under which it would be replaced by a regulation and would therefore be directly applicable to those areas of activity covered by EU competence. The legislation is currently making its way through the European Parliament and the Council. The Commission’s stated intention is to complete the legislative process in order for the new regulation to come into effect at the same time as the GDPR and the DPLED, in May 2018, which would be before the UK leaves the EU. It should be recognised that this may be an optimistic timetable given the various controversial elements of the proposed ePrivacy Regulation. 

The provisions in the proposed regulation which cover the confidentiality of communications are substantially identical to those in the current Directive. The relevant part of Article 5 of the current ePrivacy Directive provides:

Confidentiality of the communications

1. Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1). This paragraph shall not prevent technical storage which is necessary for the conveyance of a communication without prejudice to the principle of confidentiality.

The relevant part of the proposed new regulation provides:

Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation.

The proposed regulation also has provisions which impact on the retention of communications data. Article 7(1) requires the erasure or anonymisation of content data after its receipt by the intended recipients. Article 7(2) requires the erasure or anonymisation of communications metadata when it is no longer needed for the purpose of the transmission of a communication or for billing purposes.

Member States can derogate from the restrictions in the ePrivacy Directive where necessary and proportionate for defence of a list of specified interests, but the derogations must meet the tests of proportionality as well as respecting the fundamental rights protected by the legislation. Under the proposed regulation, derogations are permitted under Article 11, including in relation to the obligations of confidentiality and erasure of data, where the derogation serves one of the specified interests[4] and respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard those interests.

To make the picture more complex, the UK has now replaced the provisions in RIPA on interception, communications data, retention and access to such data with amended and more detailed provisions in the IPA 2016. At the time of writing[5] only a limited number of the provisions of the IPA 2016 are in force. The mandatory retention rules came partially into effect to replace DRIPA on 28 December 2016 and the new Investigatory Powers Commissioner assumed responsibility for oversight on 1 September 2017. However, not all the new rules on interception, communications data, retention and access to such data are in place. 

It is in this somewhat fluid legislative environment that the UK will have to prepare for any assessment of adequacy.

Making an adequacy decision – the formal process

The adequacy decisions made to date have followed a formal process, although the process is not wholly transparent. The discussions held within the Commission and the Article 29 Working Party (which gives the Commission its Opinion on a potential finding) are not made public. The process requires the applicant State to start the process by sending a formal letter to the Commission asking the Commission to consider its legislation. It also delivers a copy of the relevant legislation to the Commission.

The Commission has only limited resources devoted to this area so, when it is faced with a number of applications, it has to select which applications to consider first. Earlier this year the Commission published a policy paper setting out its priorities in this area of its work.[6] It summarised its policy position as follows:

Under its framework on adequacy findings, the Commission considers that the following criteria should be taken into account when assessing with which third countries a dialogue on adequacy should be pursued:

(i) the extent of the EU's (actual or potential) commercial relations with a given third country, including the existence of a free trade agreement or ongoing negotiations;

(ii) the extent of personal data flows from the EU, reflecting geographical and/or cultural ties;

(iii) the pioneering role the third country plays in the field of privacy and data protection that could serve as a model for other countries in its region; and

(iv) the overall political relationship with the third country in question, in particular with respect to the promotion of common values and shared objectives at international level.

Based on these considerations, the Commission will actively engage with key trading partners in East and South-East Asia, starting from Japan and Korea in 2017, and, depending on progress towards the modernisation of its data protection laws, with India, but also with countries in Latin America, in particular Mercosur, and the European neighbourhood which have expressed an interest in obtaining an ‘adequacy finding’.

It was perhaps too early in the exit process for the Commission to express any view on a UK application, but there is no express mention of any potential application by the UK so it is possible that the UK may find itself at the back of a longish queue in making its application.

Once the process has started, the Commission obtains an expert report on the legislation and the surrounding legal regime in the applicant jurisdiction from expert academics. The report is then considered by the Commission. The Commission seeks the Opinion of the Article 29 Working Party on the application and the report. During the process there is scope for additional enquiries to be made to the applicant State as required. Finally the Commission delivers its decision. The process is lengthy and commentators have acknowledged that it can be influenced by political factors.[7]

Under the current Directive the Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection; in addition, there is the US Privacy Shield agreement.

Personal data retention and access rights

It is inevitable therefore that the Commission will not confine its assessment to the UK legislation which implements the GDPR and the DPLED but will look more widely at the UK legal regime for protecting data and human rights, including the UK’s regime for protecting fundamental rights and no doubt the IPA.

In this context the standards required by the revised ePrivacy regime will be interesting. The review will not technically be an assessment of whether the UK law, including the IPA, meets the standards of the current ePrivacy Directive or its replacement regulation. It will be a wider assessment of the rule of law, respect for fundamental rights and freedoms and redress for data subjects and judicial oversight because, as has been explained earlier, the ePrivacy legislation is not part of an adequacy assessment. Nevertheless it would be very strange if the UK could be held to have properly implemented the revised ePrivacy Regulation, which covers confidentiality of communications, and at the same time to have fallen foul of the more general requirements for respect for the rule of law and fundamental rights. The final form of the ePrivacy Regulation, in particular its scope and the scope of potential derogations, is therefore likely to be important to the UK.

Relevant case law of the CJEU

In assessing whether the UK law meets the tests of respect for rights the Commission will also have regard to the current rulings from the CJEU. In fact, even if the Commission takes the view that UK law provides an adequate level of protection and an adequacy decision is forthcoming, such arrangements could also be challenged and referred to the CJEU. It is therefore also important to consider whether the UK regime taken as a whole is likely to be able to withstand such a challenge.

The position is further complicated by the fact that the question of the lawfulness of the UK’s bulk collection of communications metadata is to be referred to the CJEU following a very recent ruling by the Investigatory Powers Tribunal on 8 September 2017. In its judgment the IPT acknowledged the difficulty of the points at issue. It recognised that the bulk collection of communications data was ‘essential to the protection of the national security of the United Kingdom’ and that the application of the CJEU ruling in the Watson case ‘would effectively cripple the security and intelligence agencies’ bulk data capabilities’, but also that the UK’s bulk collection of communications data raises serious questions of compatibility with EU law. It seems unlikely however that the case will be determined by the CJEU before the Commission makes its assessment of adequacy, but the existing case law will have a relevance.

Previous challenges

It is in this context that the potential effect of the IPA 2016 on any finding of adequacy has to be evaluated. The CJEU has looked at a number of issues which intersect with the IPA 2016 or are related to it. In its approach the CJEU has maintained a vigilant oversight of the use of State powers to process and transfer personal data. The judgments have covered the ability of law enforcement and intelligence agencies to access personal data without judicial or independent oversight (Schrems), the requirement for data retention of communications data (Digital Rights Ireland and Watson) and the questions associated with control of personal data transferred to another State authority (PNR decision).

Access to personal data

In July 2000 the EU and the USA reached an agreement for the transfer of personal data from the EU to the USA and embodied that agreement in the Safe Harbor scheme. The Commission made a finding that US companies which had joined and continued to belong to the self-regulatory regime under Safe Harbor could freely import personal data from the EU. In 2015 the CJEU was asked to rule on that Commission decision as a result of a case brought by Mr Schrems against Facebook in relation to its transfer of personal data. The Court struck the decision down, leading to a period when businesses had to seek other legal routes in order to make transfers of personal data to the US. The basis of the decision was, in effect, the ability of law enforcement and intelligence agencies in the USA to access personal data without judicial or independent oversight.

In 2016 the US and the EU succeeded in agreeing a replacement framework arrangement for transfer, the Privacy Shield. The Privacy Shield builds on the Safe Harbor principles but includes further safeguards and rights of redress for EU citizens. In its turn the Privacy Shield is also currently under attack by court proceedings brought in the Irish courts as not providing an adequate level of protection of personal data in the USA.

Retention of personal data

In other cases the CJEU has looked at the mandatory retention of communications data. It struck down the EU Directive which mandated such retention in Digital Rights Ireland and in the Watson case challenged the lawfulness of the UK’s Data Retention and Investigatory Powers Act. DRIPA is no longer in force and the relevant provisions have been replaced by those in the IPA 2016. The IPA continues to include wide retention obligations and, as a result, is itself under challenge.

Control of PNR data

In July 2017, the Court declared that the envisaged EU-Canada agreement on the transfer of Passenger Name Records (‘PNR Agreement’) interferes with the fundamental right to respect for private life and the right to the protection of personal data and is therefore incompatible with EU law in its current form.

The Agreement would allow the transfer of all air passenger data to a Canadian authority for the purposes of combating terrorism and other serious transnational crimes. The transferred data could be used, retained and possibly transferred to other authorities and non-member countries to achieve this aim.

The CJEU held that, while the interferences could be justified by the pursuit of public security, several aspects of the PNR Agreement would fall outside the scope of what is strictly necessary to achieve that aim, including the transfer of sensitive personal data, the use of data during the passengers’ stay in Canada without prior review by a court or independent administrative body and continued storage of the data.

The CJEU noted that the Agreement should:

  •  determine clearly and precisely certain passenger data to be transferred;
  •  specify that the criteria used for automated processing of passenger data will be non-discriminatory, reliable and specific;
  •  indicate that databases used will be limited to those used by Canadian authorities in the fight against terrorism and serious transnational crime;
  •  provide that passenger data may be disclosed by Canadian authorities to the authorities in a non-member country only if there is an agreement between the EU and the country in question equivalent to the envisaged PNR Agreement or a decision of the EU Commission in that field;
  •  provide air passengers with a right to notification if their data is used during their stay in Canada or after their departure, or if it is disclosed to other authorities or individuals; and
  •  guarantee that an independent supervisory authority will oversee the rules relating to the protection of the processing of air passengers’ data.

The CJEU has therefore maintained its rigorous view of the application of tests of necessity and proportionality in relation to the use and retention of personal data for security purposes.

Basis of the objections

In all of these cases the CJEU considered the application of the Charter rights to data protection and privacy.[8] The broad thrust of the objections raised by the Court in these cases has concerned indiscriminate and general retention of personal data and wide rights of access to and use of such data without adequate controls, safeguards, rights and redress.

In applying the Charter rights the Court has made an assessment of the encroachment into the protected fundamental rights. This involves questions of judgement, as the boundaries of this assessment are difficult to fix when considering how it impacts on a finding of adequacy. Neither Article 45 nor Article 36 specifically requires that the law of an applicant State must reflect all the Charter rights before a finding of adequacy can be made. The general requirement to have regard to fundamental rights and freedoms, the rule of law and rights of redress brings with it a potentially wide area for judgement and assessment. The Government White Paper on Brexit states that the UK will withdraw from the Charter but that withdrawal from the EU Charter will cause no change to the established rights framework of the UK:

The Government’s intention is that the removal of the Charter from UK law will not affect the substantive rights that individuals already benefit from in the UK. Many of these underlying rights exist elsewhere in the body of EU law which we will be converting into UK law. Others already exist in UK law, or in international agreements to which the UK is a party. As EU law is converted into UK law by the Great Repeal Bill, it will continue to be interpreted by UK courts in a way that is consistent with those underlying rights.[9] Insofar as cases have been decided by reference to those underlying rights, that case law will continue to be relevant. In addition, insofar as such cases refer to the Charter, that element will have to be read as referring only to the underlying rights, rather than to the Charter itself.[10]

The position of the UK is therefore that the fundamental rights which are protected by the Charter will remain protected post-Brexit; the UK’s continued adherence to the European Convention on Human Rights and the Human Rights Act 1998 are clearly commitments which mean that the UK has human rights protection in its domestic law equivalent to the protections offered by the Charter.

Current challenges

The CJEU continues to be asked to rule on the balance between individual rights to privacy and data protection on the one hand and the uses of personal data for security on the other. There are two cases on their way, now joined by the IPT reference noted earlier, and, given the approach taken to date, it seems likely that the Court will continue to maintain its rigorous approach to restricting State powers. The UK is also facing challenges to bulk interception in the European Court of Human Rights.

Challenge to the IPA

As has been noted above, only a limited number of the provisions of the IPA 2016 are currently in force. Nevertheless the Act is already the subject of a major challenge in the UK courts. In June 2017 it was reported that the human rights organisation, Liberty, was given permission by the High Court to seek judicial review of a significant number of the powers in the Act. The grounds for review include a charge that the powers are incompatible with EU law.

It is possible that the case will result in a further reference to the CJEU, unless the IPT case is heard first and brings some clarity to the issue. If, in either case, the CJEU rules that the powers under the IPA 2016 breach fundamental rights then, post-Brexit, it may be difficult to sustain an argument for a finding of adequacy without amending the IPA 2016, however robust the core data protection regime may be.

Challenge to the Privacy Shield

As noted earlier the Safe Harbor agreement has been replaced by the Privacy Shield, and the Privacy Shield decision is already under legal challenge before the General Court of the EU in an action brought by Digital Rights Ireland. This challenge is particularly interesting and may give some guidance as to how a challenge might be mounted to any finding of adequacy that the UK managed to achieve while still maintaining the IPA 2016 powers in their current form.

The challenges to the Privacy Shield have been published by Digital Rights Ireland and are in very broad form. There are 10 grounds for challenge but the ones of interest for these purposes are pleas 4, 5, 8 and 9. The 4th and 5th pleas address the possibility of access to content of communications and the 8th and 9th address communications data.

Fourth plea in law, alleging that the provisions of the Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008 (‘FISA Amendments Act of 2008’) constitute legislation permitting public authorities to have access on a generalised basis to the content of electronic communications and consequently are not concordant with Article 7 of the Charter of Fundamental Rights of the European Union.

Fifth plea in law, alleging that the provisions of the FISA Amendments Act of 2008 constitute legislation permitting public authorities to have secret access on a generalised basis to the content of electronic communications and consequently are not concordant with Article 47 of the Charter of Fundamental Rights of the European Union.

Eighth plea in law, alleging that insofar as the contested decision allows, or in the alternative fails and has failed to safeguard against indiscriminate access to electronic communications by foreign law enforcement authorities, it is invalid as a breach of the Rights of Privacy, Data Protection, Freedom of Expression and Freedom of Assembly and Association, as provided for under the Charter of Fundamental Rights of the European Union and by the general principles of EU Law.

Ninth plea in law, alleging that insofar as the contested decision allows, or in the alternative fails and has failed to safeguard against indiscriminate access to electronic communications by foreign law enforcement authorities, and fails to provide an adequate remedy to EU citizens whose personal data is thus accessed, it denies the individual the right to an Effective Remedy and the right to Good Administration, contrary to the Charter of Fundamental Rights and the General Principles of EU Law.

The pleas are specific to access to electronic communications and cover issues already addressed by the CJEU, that is generalised and indiscriminate access to content and to communications data, both of which will include personal data. They address the powers of the US agencies under the FISA legislation and the incompatibility of those powers with Articles 7 and 8 of the Charter (the rights to privacy and to data protection respectively). The argument is that the legislation fails to meet the Article 7 standard and that the law of the US therefore does not offer adequate protection for the rights and freedoms of individuals.

The parts of the Privacy Shield decision relevant to these pleas are Annexes I and III to VII, which set out the oversight and purpose restrictions applying to the powers of the US authorities. The time-frame for hearings and a decision in the Digital Rights Ireland case is not known.

Is the Privacy Shield an appropriate comparator for the IPA?

It is quite difficult to compare the provisions of annexes I and III – VII in the Privacy Shield and the accompanying analysis set out in the recitals to the Decision with the specific provisions of the IPA 2016. It would also be a task well beyond the scope of this article.  However, the core issue is that under the Privacy Shield there remains the potential for the US authorities to seek generalised access to a wide and untargeted set of data without selecting the specific reasons for access and targets in a particular case. On the other hand the Shield includes a number of increased safeguards and layers of authorisation as well as more independent review and at least some rights of redress for individuals. The IPA 2016 clearly gives the State wide powers to intercept, access and retain personal data. At the same time it appears to follow a similar pattern of structure and increased safeguards which makes for a potentially interesting comparison between the two instruments.

Additional considerations

The fragmented nature of the data protection regime was explained at the start of this article. It leads to a number of additional considerations, one of which in particular does not appear to have been much canvassed in discussion of transfers under Directive 95/46/EC and indeed appears to have been wholly ignored in the Schrems case. Union law can only extend to areas of activity within Union competence. The restriction on transfers of personal data undergoing processing in Directive 95/46/EC and in the GDPR can therefore only extend to processing which falls within the scope of Union competence. Personal data processed for purposes outside that competence can be transferred outside the EU wholly outside the control of the Directive. Clearly any Member State can legislate to go beyond the Directive, as the UK did in the 1998 Act. However, if a Member State does not legislate to extend the GDPR to processing outside Union competence, transfers can still be made lawfully in those areas without any Commission decision on adequacy or any safeguards. In reality data controllers and processors are not likely to start analysing their processing to take advantage of this: it would be time-consuming, appallingly difficult, contentious and a high-risk approach. It does however illuminate the point that the DPLED operates as a separate regime.

In relation to obtaining access to content and communications data it is not apparent how the IPA 2016 will impinge on policing and criminal justice. Both the content of communications made for those purposes and the associated communications data are arguably already in the hands of the police and security communities for their own purposes; after all, the material was generated by that community. As has been noted earlier, the DPLED itself imposes strict controls on the use of and access to data processed for these purposes when the data are transferred, as well as specific rules on retention and data quality. If this logic is accepted by the Commission it may be more straightforward for the UK to seek and obtain an adequacy finding in relation to personal data processed for the purposes of the DPLED than for personal data processed under the GDPR.

Conclusions

As the discussion above shows, the picture at this stage is far from clear. However, it can be seen that the creation of a robust and comprehensive data protection regime for the UK which fully implements the GDPR and the DPLED will not necessarily guarantee that the UK will obtain a finding of adequacy, at least under the GDPR, or that, if it does so, such a finding would survive a challenge before the CJEU. The Commission and the CJEU will look at the wider picture, including the UK position on the protection of fundamental rights post-Brexit and any relevant specific legislation. They will inevitably consider the fact that the Charter rights will no longer apply; however, the UK’s commitment to the ECHR and its recognition of fundamental rights as a part of UK law may offer a robust response to any questions on that point. The more serious potential problems appear to lie with the IPA 2016 and its wide powers in relation to interception, communications data and data retention. In this context there are a number of current developments to watch:

· the impact of the developing ePrivacy Regulation and in particular the scope and nature of the derogations, especially on interception of communications;

· the current challenge to the Privacy Shield; and

· the current challenge to the IPA 2016.

The other factor, currently wholly unknown, may be the inclusion of a data protection framework for national security in the Data Protection Bill. If this can be argued to provide for new safeguards or controls which impact on the IPA 2016, it may add another consideration into the mix.

Interesting times indeed!

Rosemary Jay is a consultant senior attorney with Hunton & Williams and a freelance trainer in data protection. Rosemary is the author of Sweet & Maxwell's Data Protection Law & Practice, now in its fourth edition, and A Guide to the General Data Protection Regulation, published in 2017, and a contributing editor to The White Book. She is a Fellow of the British Computer Society and writes and lectures widely on data protection matters. She would like to thank Graham Smith of Bird & Bird for his valuable input to this piece.

The views expressed in this article are those of the author and do not represent the views of Hunton & Williams. 


[1] Matt Hancock, Minister of State for Digital and Culture, appearing before the Home Affairs sub-committee, 1 February 2017.

[2] Can be challenged as not complying with the EU Treaties: Cases C-402/05 and C-415/05.

[3] Article 1 DPLED.

[4] The interests are those specified in Article 23(1)(a) to (e) of the GDPR.

[5] September 2017.

[7] See Reinventing Data Protection (Springer, 2009), eds Serge Gutwirth, Yves Poullet, Paul de Hert, Cécile de Terwangne and Sjaak Nouwt.

[8] It should not be assumed that these are the only issues which will come under scrutiny in any adequacy assessment. There are no closed categories in privacy. They are however ones where the Court’s views have been made clear.


[9] Emphasis added.

[10] Ibid, 2.25.



Published: 2017-10-03T09:50:00
