On the 13 September the Government introduced the Data Protection
Bill into the House of Lords. The Bill had been announced in the Queen’s Speech
earlier in the year and in August the Government had published a Statement of
Intent which made clear that the UK intended to apply data protection
standards, consistent with the GDPR, to the processing of personal data which
is outside the scope of EU law and therefore outside the direct application of
the GDPR. The Bill carries out this intent. It also implements the Data
Protection Directive on Policing and Criminal Justice, which is now referred to
as the Data Protection Law Enforcement Directive (‘DPLED’).
The decision to apply the GDPR standards generally will avoid the
possibility of having two regimes for non-policing data: one for those areas of
activity which are subject to EU competence and another for those areas of
activity outside EU competence. The Government has also decided to apply the
DPLED to all policing and criminal justice activity. This is also welcome. The
UK has an opt-out from the application of the DPLED to domestic policing and
could therefore have elected to limit the application of the DPLED to
cross-border activity, leaving domestic policing subject to the Data Protection
Act 1998. The decision that the DPLED will be applied in respect of both
domestic and cross-border law enforcement will allow for one standard under the
DPLED. The requirements under the GDPR and the DPLED are broadly compatible but
not identical so there will be some inevitable differences between the two
regimes, but this seems to be inevitable.
In addition the Bill includes a separate data protection framework
for processing for national security purposes. This is based on the standards
found in the Council of Europe Convention for the Protection of Individuals
with Regards to the Automatic Processing of Personal Data (‘Treaty 108’). This
is an interesting development. It is a new departure and clearly distinguishes
between, on the one hand, the areas of activity which are either covered by EU
competence or where the UK is prepared to extend the scope of the standards in
the GDPR and, on the other hand, the area of national security which is clearly
delineated as being outside EU competence.
The Bill is a complex piece of legislation, largely because of the
technical challenges of applying new data protection rules under the three
different elements of the package (general processing, policing and criminal
justice and national security). The Statement of Intent optimistically stated
that the Government would aim to minimise the levels of complexity, reduce
duplication and produce a regime as internally compatible as possible. In
effect, the Government’s intention is clearly to create a robust and
comprehensive data protection regime for the UK.
One of the aims of such a regime must be to provide a strong basis
for the continued free movement of personal data from the EU once the UK leaves
the Union. However, the success of this strategy may depend on a number of
factors, some of which are not directly connected to the new data protection
regime. These include:
·
whether the UK’s exercise of its areas of
discretion under the GDPR meet the tests of necessity and proportionality,
particularly in the use of the derogations;
- whether the UK’s implementation of the DPLED
meets the requirements of the Directive; - how the UK’s human rights regime is viewed
once it is no longer bound by the European Union Charter of Fundamental Rights;
and - how other areas of UK law intersect with the data
protection regime based on EU law, in particular:
o
the nature of the regime for processing of
personal data for the purposes of national security; and
o
how the Investigatory Powers Act 2016 (which covers the range of investigatory
powers including interception, access to communications data and data retention)
is viewed.
This article focusses on the final point, which is the interface
between the data protection regime and the IPA 2016. It does not examine the
detailed provisions of the IPA 2016 but rather the scope and those issues which
are likely to be relevant to an adequacy decision post-Brexit.
Transfer
solutions
The Bill clearly supports the Government’s stated aim of ensuring
that a ‘free flow of data’ continues after Brexit.
In its Statement of Intent the Government had commented that:
The
ability to transfer data across international borders is crucial to a
well-functioning economy. We are committed to ensuring that uninterrupted data
flows continue between the UK, the EU and other countries around the world. The
Data Protection Bill will place us on the front foot in allowing the UK to
maximise future data relationships with the EU and elsewhere.
Nevertheless the Statement of Intent, as with other Government
statements on the issue,[1]
remains silent as to how this is to be ensured. The Bill itself does not add
anything to this point.
The Statement of Intent was followed, on 24 August, by the
publication of the Government’s negotiating paper on DP and Brexit, The exchange and protection of personal data
– a future partnership paper. The paper sets out the UK’s intention to be
aligned with EU data protection at the point when we leave the Union and the
Government’s commitment to maintain a robust, effective regulatory regime for data
protection. It states that:
After
the UK leaves the EU, new arrangements to govern the continued free flow of
personal data between the EU and the UK will be needed, as part of the new,
deep and special partnership. The UK starts from an unprecedented point of
alignment with the EU. In recognition of this, the UK wants to explore a UK-EU
model for exchanging and protecting personal data, which could build on the
existing adequacy model, by providing sufficient stability for businesses,
public authorities and individuals, and enabling the UK’s Information
Commissioner’s Office (ICO) and partner EU regulators to maintain effective
regulatory cooperation and dialogue for the benefit of those living and working
in the UK and the EU after the UK’s withdrawal.
This suggests that the UK will be looking for a bespoke agreement
on adequacy rather than going through the standard process under the
arrangements for an adequacy finding. It remains to be seen how successful this
might be. In any event, the same considerations on the UK legal regime will no
doubt be relevant, irrespective of how an adequacy agreement is reached.
Adequacy
under the GDPR and DPLED
The GDPR and the DPLED both cover the transfer of personal data
outside the EU. In both instruments such transfer is prohibited unless the
receiving jurisdiction is recognised by the EU as offering an adequate level of
protection for the data (the ‘adequacy’ test), or one of the other transfer
solutions or one or more of the derogations apply. Leaving aside those transfer
solutions under the GDPR which lie primarily in the hands of data controllers
and processors (model form contracts, Binding Corporate Rules , other legal
instruments, plus, in the future, codes of practice and certification
mechanisms) the only two routes which appear open to the UK on a national level
are either a Treaty agreement[2]
or findings of adequacy by the European Commission under the GDPR and the
DPLED. It should be noted that an adequacy decision must be made under each
legal instrument, although of course they could be made at the same time. It is
also possible that an adequacy decision could be made under one instrument but
not the other.
The introduction of an adequacy requirement under the DPLED is a
new development which follows on from the extension of EU competence into the
field of policing. Adequacy findings under Directive 95/46/EC do not take
account of the application of data protection law to policing or criminal
justice and do not apply to the transfer of personal data for those purposes.
Adequacy
assessment
An assessment and finding of adequacy is currently made by the
Commission under Article 25 of Directive 95/46/EC. Under the GDPR it will be
made under Article 45. Article 45 is more detailed than its predecessor
provision in relation to the assessment which has to be made by the Commission.
It sets out specifically that the Commission must have regard to the rule of
law and respect for human rights and fundamental freedoms and to rights and
effective redress mechanisms for data subjects. See the highlighted part of
Article 45 below.
Transfers on the basis of an adequacy decision –
Article 45 GDPR
1.
A transfer of personal data to a third country or an international
organisation may take place where the Commission has decided that the third
country, a territory or one or more specified sectors within that third
country, or the international organisation in question ensures an adequate
level of protection. Such a transfer shall not require any specific
authorisation.
2.
When assessing the adequacy of the level of protection, the Commission
shall, in particular, take account of the following elements:
(a) |
the |
(b) |
the |
(c) |
the |
Adequacy findings and policing
The provisions on the transfer of personal data outside the EU in
the DPLED are not the same as under the GDPR. Article 35 sets out the general
principles for transfers of personal data processed for the purposes of
policing and criminal justice and these will apply to all transfers of such
personal data. They require that any transfer by a competent authority (this
means a competent authority for the purpose of the prevention, investigation,
detection or prosecution of criminal offences or the execution of criminal
penalties[3])
of any personal data processed or intended to be processed for the purposes of
policing and criminal justice can take place only where:
·
the transfer is necessary for the purposes of
policing/criminal justice;
·
the transfer is to a competent authority for
these purposes in the receiving jurisdiction;
· if the personal data came from another Member
State, that State has given prior authorisation to the transfer;
·
there is in place an adequacy decision under
Article 36 or, in the absence of such a decision, safeguards are applied under
Article 37 or a derogation applies under Article 38 and
·
in all cases onward transfers are controlled.
These are
cumulative requirements.
Article 36 provides for the Commission to make adequacy decisions
in the same terms as in Article 45 of the GDRP. It follows that the Commission
must have regard to the rule of law, respect for human rights and fundamental
freedoms, and effective redress mechanisms for data subjects in relation to
both decisions.
Confidentiality
of communications, interception and redress
Confidentiality of communications and freedom from surveillance,
including electronic surveillance of individual activity, are important aspects
of the fundamental rights to privacy and data protection under EU law. The
extent to which it is legitimate and proportionate to breach these rights will
be relevant issues in any adequacy determination made under Article 45 of the
GDPR or Article 37 of the DPLED.
Interestingly however, the specific EU legal regime under which
confidentiality of communications is protected, that is under Directive
2002/58/EC (the ePrivacy Directive), is not directly relevant in assessing
adequacy for the purposes of decisions under either the current Directive
95/46/EC or the GDPR or the DPLED. When making assessments of adequacy the
Commission currently does not assess whether the applicant country has laws
which are equivalent to the ePrivacy Directive. If it did so it would have to
look at rules on email marketing, use of location data, directories and all the
other elements covered by the ePrivacy Directive. There is no change to this
under the GDPR or the DPLED. It might be thought, therefore, that the issue of
confidentiality of communications and the limits of interception by the State
could be argued to be outside the range of issues which the Commission is
entitled to take into account in assessing adequacy. This would be a
misconception; together with rights to freedom from surveillance and rights of
redress for breach, confidentiality of communication is regarded as being a
part of an individual’s fundamental rights. That is not to say however that the
ePrivacy Directive, its implementation in UK law and its replacement provisions
would be wholly irrelevant in relation to an adequacy assessment.
Current
position on UK implementation of the ePrivacy Directive
The bulk of the requirements of the ePrivacy Directive have been
implemented in the UK by the Privacy and Electronic Communications Regulations
2003 (‘PECR’). That part of the ePrivacy Directive which deals with the
confidentiality of communications and limits the interception of
communications, Article 5, is currently implemented by the Regulation of
Investigatory Powers Act 2000.
The Commission is in the process of reviewing the ePrivacy
Directive. In January 2017 it issued a proposal under which it would be
replaced by a regulation and would therefore be directly applicable to those
areas of activity covered by EU competence. The legislation is currently making
its way through the European Parliament and the Council. The Commission’s
stated intention is to complete the legislative process in order for the new
regulation to come into effect at the same time as the GDPR and the DPLED, in
May 2018, which would be before the UK leaves the EU. It should be recognised
that this may be an optimistic timetable given the various controversial
elements of the proposed ePrivacy Regulation.
The provisions in the proposed regulation which cover the
confidentiality of communications are substantially identical to those in the
current Directive. The relevant part of
Article 5 of the current ePrivacy Directive provides:
Confidentiality
of the communications
1.
Member States shall ensure the confidentiality of communications and the
related traffic data by means of a public communications network and publicly
available electronic communications services, through national legislation. In
particular, they shall prohibit listening, tapping, storage or other kinds of
interception or surveillance of communications and the related traffic data by
persons other than users, without the consent of the users concerned, except
when legally authorised to do so in accordance with Article 15(1). This
paragraph shall not prevent technical storage which is necessary for the
conveyance of a communication without prejudice to the principle of
confidentiality.
The relevant part of the proposed new regulation provides:
Electronic
communications data shall be confidential. Any interference with electronic
communications data, such as by listening, tapping, storing, monitoring,
scanning or other kinds of interception, surveillance or processing of
electronic communications data, by persons other than the end-users, shall be
prohibited, except when permitted by this Regulation.
The proposed regulation also has provisions which impact on the
retention of communications data. Article 7(1) requires the erasure or
anonymisation of content data after its receipt by the intended recipients.
Article 7(2) requires the erasure or anonymisation of communications metadata when
it is no longer needed for the purpose of the transmission of a communication
or for billing purposes.
Member States can derogate from the restrictions in the ePrivacy
Directive where necessary and proportionate for defence of a list of specified
interests, but the derogations must meet the tests of proportionality as well
as respecting the fundamental rights protected by the legislation. Under the
proposed regulation, derogations are permitted under Article 11, including in
relation to the obligations of confidentiality and erasure of data, where the
derogation serves one of the specified interests[4]
and respects the essence of the fundamental rights and freedoms and is a
necessary, appropriate and proportionate measure in a democratic society to
safeguard those interests.
To make the picture more complex, the UK has now replaced the
provisions in RIPA on interception, communications data, retention and access
to such data with amended and more detailed provisions in the IPA 2016. At the
time of writing[5]
only a limited number of the provisions of the IPA 2016 are in force. The
mandatory retention rules came partially into effect to replace DRIPA on 28
December 2016 and the new Investigatory Powers Commissioner assumed
responsibility for oversight on 1 September 2017. However, not all the new
rules on interception, communications data, retention and access to such data
are in place.
It is in this somewhat fluid legislative environment that the UK
will have to prepare for any assessment of adequacy.
Making an
adequacy decision – the formal process
The adequacy decisions made to date have followed a formal
process, although the process is not wholly transparent. The discussions held
within the Commission and the Article 29 Working Party (which gives the
Commission its Opinion on a potential finding) are not made public. The process
requires the applicant State to start the process by sending a formal letter to
the Commission asking the Commission to consider its legislation. It also
delivers a copy of the relevant legislation to the Commission.
The Commission has only limited resources devoted to this area so,
when it is faced with a number of applications, it has to select which
applications to consider first. Earlier
this year the Commission published a policy paper setting out its priorities in
this area of its work.[6]
It summarised its policy position as follows:
Under its
framework on adequacy findings, the Commission considers that the following
criteria should be taken into account when assessing with which third countries
a dialogue on adequacy should be pursued:
(i) the
extent of the EU’s (actual or potential) commercial relations with a given
third country, including the existence of a free trade agreement or ongoing
negotiations;
(ii) the
extent of personal data flows from the EU, reflecting geographical and/or
cultural ties;
(iii) the
pioneering role the third country plays in the field of privacy and data
protection that could serve as a model for other countries in its region; and
(iv) the
overall political relationship with the third country in question, in
particular with respect to the promotion of common values and shared objectives
at international level.
Based on
these considerations, the Commission will actively engage with key trading
partners in East and South-East Asia, starting from Japan and Korea in 2017,
and, depending on progress towards the modernisation of its data protection
laws, with India, but also with countries in Latin America, in particular
Mercosur, and the European neighbourhood which have expressed an interest in
obtaining an ‘adequacy finding’.
It was perhaps too early in the exit process for the Commission to
express any view on a UK application, but there is no express mention of any
potential application by the UK so it is possible that the UK may find itself
at the back of a longish queue in making its application.
Once the process has started, the Commission obtains an expert
report on the legislation and the surrounding legal regime in the applicant
jurisdiction from expert academics. The report is then considered by the
Commission. The Commission seeks the Opinion of the Article 29 Working Party on
the application and the report. During the process there is scope for
additional enquires to be made to the applicant State as required. Finally the
Commission delivers its decision. The process is lengthy and commentators have
acknowledged that it can be influenced by political factors.[7]
Under the current Directive the Commission has so
far recognised Andorra, Argentina,
Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of
Man, Jersey, New Zealand, Switzerland and Uruguay as providing
adequate protection; in addition, there is the US Privacy Shield agreement.
Personal
data retention and access rights
It is inevitable therefore that that the Commission will not
confine its assessment to the UK legislation which implements the GDPR and the
DPLED but will look more widely at the UK legal regime for protecting data and
human rights, including the UK’s regime for protecting fundamental rights and
no doubt the IPA.
In this context the standards required by the revised ePrivacy
regime will be interesting. The review will not technically be an assessment of whether the UK law, including the
IPA, meets the standards of the current ePrivacy Directive or its replacement
regulation. It will be a wider assessment of the rule of law, respect for fundamental
rights and freedoms and redress for data subjects and judicial oversight
because, as has been explained earlier, the ePrivacy legislation is not part of
an adequacy assessment. Nevertheless it would be very strange if the UK could
be held at the same time to have properly implemented the revised ePrivacy
Regulation which covers confidentiality of communications and at the same time
have fallen foul of the more general requirements for respect for the rule of
law and fundamental rights. The final form of the ePrivacy Regulation, in
particular its scope and the scope of potential derogations, is therefore
likely to be important to the UK.
Relevant
case law of the CJEU
In assessing whether the UK law meets the tests of respect for
rights the Commission will also have regard to the current rulings from the
CJEU. In fact, even if the Commission takes the view that UK law provides an
adequate level of protection and an adequacy decision is forthcoming, such arrangements
could also be challenged and referred to the CJEU. It is therefore also
important to consider whether the UK regime taken as a whole is likely to be
able to withstand such a challenge.
The position is further complicated by the fact that the question
of the lawfulness of the UK’s bulk collection of communications metadata is to
be referred to the CJEU following a very recent ruling by the Investigatory
Powers Tribunal on 8 September 2017. In its judgment the IPT acknowledge the
difficulty of the points at issue. It recognised that the bulk collection of
communications data was ‘essential to the
protection of the national security of the United Kingdom’ and that the
application of the CJEU ruling in the Watson
case ‘would effectively cripple the
security and intelligence agencies’ bulk data capabilities’ but
also that the UK’s bulk collection
of communications data raises serious questions of compatibility with EU law.
It seems unlikely however that the case will be determined by the CJEU before
the Commission makes its assessment of adequacy but the existing case law will
have a relevance.
Previous
challenges
It is in this context that the potential effect of the IPA 2016 on
any finding of adequacy has to be evaluated. The CJEU has looked at a number of
issues which intersect with the IPA 2016 or are related to it. In its approach
the CJEU has maintained a vigilant oversight of the use of State powers to
process and transfer personal data. The judgments have covered the ability of
law enforcement and intelligence agencies to access personal data without
judicial or independent oversight (Schrems),
the requirement for data retention of communications data (Digital Rights Ireland and Watson) and the questions associated
with control of personal data transferred to another State authority (PNR decision).
Access to
personal data
In July 2000 the EU and the USA reached an agreement for the
transfer of personal data from the EU to the USA and embodied that agreement in
the Safe Harbor scheme. The Commission
made a finding that US companies which had joined and continued to belong to
the self-regulatory regime under Safe Harbor could freely import personal data
from the EU. In 2015 the CJEU was asked to rule on that Commission decision as
a result of a case brought by Mr Schrems against Facebook in relation to its
transfer of personal data. The Court struck the decision down, leading to a
period when businesses had to seek other legal routes in order to make
transfers of personal data to the US. The basis of the decision was, in effect,
the ability of law enforcement and intelligence agencies in the USA to access
personal data without judicial or independent oversight.
In 2016 the US and the EU succeeded in agreeing a replacement framework
arrangement for transfer, the Privacy Shield. The Privacy Shield builds on the
Safe Harbor principles but includes further safeguards and rights of redress
for EU citizens. In its turn the Privacy Shield is also currently under attack
by court proceedings brought in the Irish courts as not providing an adequate
level of protection of personal data in the USA.
Retention
of personal data
In other cases the CJEU has looked at the mandatory retention of
communications data. It struck down the EU Directive which mandated such
retention in Digital Rights Ireland and
in the Watson case challenged the
lawfulness of the UK’s Data Retention and Investigatory Powers Act. DRIPA is no
longer in force and the relevant provisions have been replaced by those in the
IPA 2016. The IPA continues to include wide retention obligations and, as a
result, is itself under challenge.
Control of
PNR data
In July 2017, the Court declared that the envisaged EU-Canada
agreement on the transfer of Passenger Name Records (‘PNR Agreement’)
interferes with the fundamental right to respect for private life and the right
to the protection of personal data and is therefore incompatible with EU law in
its current form.
The Agreement would allow the transfer of all air passenger data
to a Canadian authority for the purposes of combating terrorism and other
serious transnational crimes. The transferred data could be used, retained and
possibly transferred to other authorities and non-member countries to achieve
this aim.
The CJEU held that, while the interferences could be justified by
the pursuit of public security, several aspects of the PNR Agreement would fall
outside the scope of what is strictly necessary to achieve that aim, including
the transfer of sensitive personal data, the use of data during the passengers’
stay in Canada without prior review by a court or independent administrative
body and continued storage of the data.
The CJEU noted that the Agreement should:
- ·
Determine clearly and precisely certain passenger
data to be transferred. - ·
Specify that the criteria used for automated
processing of passenger data will be non-discriminatory, reliable and specific. - ·
Indicate that databases used will be limited
to those used by Canadian authorities in the fight against terrorism and
serious transnational crime. - ·
Provide that passenger data may be disclosed
by Canadian authorities to the authorities in a non-member country only if
there is an agreement between the EU and the country in question equivalent to
the envisaged PNR Agreement or a decision of the EU Commission in that field. - ·
Provide air passengers with a right to
notification if their data is used during their stay in Canada or after their
departure, or if it is disclosed to other authorities or individuals. - ·
Guarantee that an independent supervisory
authority will oversee the rules relating to the protection of the processing
of air passengers’ data.
The CJEU has therefore maintained its rigorous view of the
application of tests of necessity and proportionality in relation to the use
and retention of personal data for security purposes.
Basis of
the objections
In all of these cases the CJEU considered the application of the
Charter rights to data protection and privacy.[8] The broad thrust of the objections raised by
the Court in these cases have concerned indiscriminate and general retention of
personal data and wide rights of access to and use of such data without
adequate controls, safeguards, rights and redress.
In applying the Charter rights the Court has made an assessment of
the encroachment into the protected fundamental rights. This involves questions
of judgement as the boundaries of this assessment are difficult to fix when
considering how it impacts on a finding of adequacy. Neither Article 45 nor Article
36 specifically require that the law of an applicant State must reflect all the
Charter rights before a finding of adequacy can be made. The general
requirement to have regard to fundamental rights and freedoms, the rule of law
and rights of redress bring with it a potentially wide area for judgement and
assessment. The Government White Paper on Brexit states that the UK will
withdraw from the Charter but that withdrawal from the EU Charter will cause no
change to the established rights framework of the UK:
The
Government’s intention is that the removal of the Charter from UK law will not affect the substantive rights that
individuals already benefit from in the UK. Many of these underlying rights
exist elsewhere in the body of EU law which we will be converting into UK law.
Others already exist in UK law, or in international agreements to which the UK
is a party. As EU law is converted into UK law by the Great Repeal Bill, it
will continue to be interpreted by UK courts in a way that is consistent with
those underlying rights.[9]
Insofar as cases have been decided by reference to those underlying rights,
that case law will continue to be relevant. In addition, insofar as such cases
refer to the Charter, that element will have to be read as referring only to
the underlying rights, rather than to the Charter itself.[10]
The position of the UK is therefore that the fundamental rights
which are protected by the Charter will remain protected post-Brexit and the
UK’s continued adherence to the European Convention on Human Rights and the
Human Rights Act 1998 are clearly commitments which mean that the UK has human
rights protection in its domestic law equivalent to the protections offered by
the Charter.
Current
challenges
The CJEU continues to be asked to rule on the balance between
individual rights to privacy and data protection on the one hand and the uses
of personal data for security on the other. There are two cases on their way,
now joined by the IPT reference noted earlier, and, given the approach taken to
date, it seems likely that the Court will continue to maintain its rigorous
approach to restricting State powers. The UK is also facing challenges to bulk
interception in the European Court of Human Rights.
Challenge
to the IPA
As has been noted above, only a limited number of the provisions
of the IPA 2016 are currently in force. Nevertheless the Act is already the
subject of a major challenge in the UK courts. In June 2017 it was reported that
the human rights organisation, Liberty, was given permission by the High Court
to seek judicial review of a significant number of the powers in the Act. The
grounds for review include a charge that the powers are incompatible with EU
law.
It is possible that the case will result in a further reference to
the CJEU, unless the IPT case is heard first and brings some clarity to the
issue. In the event that the powers
under the IPA 2016 are ruled to breach fundamental rights by the CJEU under
either case then, post Brexit, it may be difficult to sustain an argument for a
finding of adequacy without changing the IPA 2016, however robust the core data
protection regime may be.
Challenge
to the Privacy Shield
As noted earlier the Safe Harbor agreement has been replaced by
the Privacy Shield and that decision is already under legal challenge in the
Irish courts. These challenges to the Privacy Shield are particularly
interesting and may give some guidance as to how a challenge might be mounted
to any finding of adequacy that the UK managed to achieve while still
maintaining the IPA 2016 powers in their current form.
The challenges to the Privacy Shield have been published by
Digital Rights Ireland and are in very broad form. There are 10 grounds for
challenge but the ones of interest for these purposes are pleas 4, 5, 8 and 9.
The 4th and 5th pleas address the possibility of access
to content of communications and the 8th and 9th address
communications data.
Fourth
plea in law, alleging that the provisions of the Foreign Intelligence
Surveillance Act of 1978 Amendments Act of 2008 (‘FISA Amendments Act of 2008’)
constitute legislation permitting pubic authorities to have access on a
generalised basis to the content of electronic communications and consequently
are not concordant with Article 7 of the Charter of Fundamental Rights of the
European Union.
Fifth
plea in law, alleging that the provisions of the FISA Amendments Act of 2008
constitute legislation permitting public authorities to have secret access on a generalised basis to
the content of electronic communications and consequently are not concordant
with Article 47 of the Charter Fundamental Rights of the European Union.
Eighth
plea in law, alleging that insofar as the contested decision allows, or in the
alternative fails and has failed to safeguard against indiscriminate access to
electronic communications by foreign law enforcement authorities, it is invalid
as a breach of the Rights of Privacy, Data Protection, Freedom of Expression and
Freedom of Assembly and Association, as provided for under the Charter of
Fundamental Rights of the European Union and by the general principles of EU
Law.
Ninth
plea in law, alleging that insofar as the contested decision allows, or in the
alternative fails and has failed to safeguard against indiscriminate access to
electronic communications by foreign law enforcement authorities, and fails to
provide an adequate remedy to EU citizens whose personal data is thus accessed,
it denies the individual the right to an Effective Remedy and the right to Good
Administration, contrary to the Charter of Fundamental Rights and the General
Principles of EU Law.
The challenges are specific to access to electronic
communications, covering issues already addressed by the CJEU, that is
generalised access and indiscriminate access to content and communications data
which will include personal data. The
pleas address the powers of the US agencies under the FISA legislation and the
absence of compatibility of those powers with Article 7 and 8 of the Charter
(rights to data protection and to privacy). The argument is made that the
standard of the legislation fails to meet the Article 7 standard and therefore
the law of the US is not offering adequate protection for the rights and
freedoms of individuals.
The parts of the Privacy Shield which are relevant to these pleas
are annexes I, III to VII which set out the oversight and purpose restrictions
in relation to the powers of US authorities.
The time-frame for hearings and decisions in the Irish case is not
known.
Is the
Privacy Shield an appropriate comparator for the IPA?
It is quite difficult to compare the provisions of annexes I and
III – VII in the Privacy Shield and the accompanying analysis set out in the
recitals to the Decision with the specific provisions of the IPA 2016. It would
also be a task well beyond the scope of this article. However, the core issue is that under the
Privacy Shield there remains the potential for the US authorities to seek
generalised access to a wide and untargeted set of data without selecting the
specific reasons for access and targets in a particular case. On the other hand
the Shield includes a number of increased safeguards and layers of
authorisation as well as more independent review and at least some rights of
redress for individuals. The IPA 2016 clearly gives the State wide powers to
intercept, access and retain personal data. At the same time it appears to
follow a similar pattern of structure and increased safeguards which makes for
a potentially interesting comparison between the two instruments.
Additional
considerations
The fragmented nature of the data protection regime was explained
at the start of this article. This leads to a number of additional
considerations, one in particular which does not appear to have been much
canvassed in discussion on transfer under Directive 95/46/EC and indeed appears
to have been wholly ignored in the Schrems
case. Union law can only extend to areas of activity within Union
competence. The ban on transfers of personal data undergoing processing in
Directive 95/46/EC and in the GDPR can therefore only extend to processing
which falls within the scope of Union competence. Processing which falls
outside such competence can be transferred outside the EU wholly outside the
control of the Directive. Clearly any Member State can legislate to go beyond
the Directive, as the UK did in the 1998 Act. However if a Member State does
not legislate to extend the GDPR to processing outside Union competence
transfers can still be made lawfully in those areas without any Commission
decision on adequacy or any safeguards.
In reality data controllers and processors are not likely to start
analysing their processing to take advantage of this. It would be
time-consuming, appallingly difficult, contentious and a high-risk
approach. It does however illuminate the
point that the DPLED operates as a separate regime.
In relation to obtaining
access to content and communications data it is not apparent how the IPA 2016 will
impinge on policing and criminal justice. Both the content of communications
made for those purposes and the associated communications data are arguably
already in the hands of the police and security communities for their own
purposes, after all the material was generated by that community. As has been noted earlier, there are strict
controls in the DPLED itself on the use of and access to data processed for
these purposes when the data are transferred. There are also specific rules on
retention and data quality. If this logic is accepted by the Commission it may
be more straightforward for the UK to seek and obtain an adequacy finding in
relation to personal data processed for the purposes of the DPLED than for
personal data processed under the GDPR.
Conclusions
As the discussion above shows, the picture at this stage is far
from clear. However, it can be seen that the creation of a robust and
comprehensive DP regime for the UK which fully implements the GDPR and the
DPLED will not necessarily give any guarantee that the UK will obtain a finding
of adequacy, at least under the GDPR, or that, if it does so, such a finding
would stand against a challenge to the CJEU. The Commission and the CJEU will
look at the wider picture including the UK position on the protection of
fundamental rights post-Brexit and any relevant specific legislation. It will,
inevitably, consider the fact that the Charter rights will no longer apply,
however the UK’s commitment to the ECHR and its recognition of fundamental
rights as a part of UK law may offer a robust response to any questions on that
point. The more serious potential problems appear to lie with the IPA 2016 with
its wide powers in relation to interception, communications data and data
retention. In this context there are a number of current developments to watch:
·
the impact of the developing ePrivacy
Regulation and in particular the scope and nature of the derogations,
especially on interception of communications;
·
the current challenge to the Privacy Shield;
and
·
the current challenge to the IPA 2016.
The other factor, currently wholly
unknown, may be the inclusion of a data protection framework for national
security in the Data Protection Bill. If this can be argued to provide for new
safeguards or controls which impact on the IPA 2016, it may add another
consideration into the mix.
Interesting times indeed!
Rosemary Jay is a consultant senior attorney with Hunton & Williams
and a freelance trainer in data protection. Rosemary is the author of Sweet
& Maxwell’s Data Protection Law & Practice, now in its fourth edition, A
Guide to the General Data Protection Regulation, published in 2017, and a
contributing editor to The White Book. She is a Fellow of the British Computer
Society and writes and lectures widely on data protection matters. She
would like to thank Graham Smith of Bird & Bird for his valuable input to
this piece.
The views expressed in this article are those of the author and do not
represent the views of Hunton & Williams.
[1]
Matt Hancock Minister of State for Digital and Culture appearing before the
Home Affairs sub committee 1 February 2017
[2]
Can be challenged as not complying with EU Treaties Cases C -402 /05 and C
-415/ 05
[3] Article 1 DPLED
[4] The interests are those specified in
Article 23(1)(a) to (e) of the GDPR
[5] September 2017
[7] See Reinventing Data Protection 2009 Springer Press Editors Serge Gutwirth,
Yves Poullet, Paul de Hert, Cécile de Terwangne, Sjaak Nouwt
[8] It
should not be assumed that these are the only issues which will come under
scrutiny in any adequacy assessment. There are no closed categories in privacy.
They are however ones where the Court’s views have been made clear.
[9]
Emphasis added.
[10] Ibid, 2.25.