Schrems 2 for the UK? CJEU Ruling Threatens Future Adequacy Talks
10 October 2020
The CJEU ruled on Tuesday that Directive 2002/58/EC (‘the Directive’) precludes national legislation from ordering telecommunication companies to transfer data in a “general and indiscriminate” manner to security agencies, even for purposes of national security. This follows a challenge by Privacy International to UK security agencies over their practices of collecting bulk communications data (BCD).
The ruling could throw up roadblocks to a post-Brexit “adequacy” agreement over the UK’s data protection regime. Adequacy is granted to data protection regimes to confirm that they conform to the data protection standards of GDPR, and thus that companies may move data about EU data subjects outside of the EU to those regimes. Recently, the adequacy rating of the US “Privacy Shield” was invalidated by the Schrems II judgment. This ruling could prove to be an analogous issue for the UK’s adequacy rating at the end of the transition period.
The UK government argued that, as issues of national security are beyond the competencies of the EU, BCD collection schemes were as a result beyond the remit of EU regulation on data privacy. The CJEU ruled that although the practices were national security measures, they were nonetheless within the scope of the Directive and therefore subject to the limitations set out in it.
The dispute focuses on powers given to the Secretary of State by the Telecommunications Act 1984. Section 94 gives the Secretary broad discretionary powers to order telecommunications providers to retain and turn over data to security services if it is considered in the interests of national security. Furthermore, the Secretary of State does not have to disclose the use of those powers to parliament if the disclosure is judged to render the powers ineffective.
In 2015 it was revealed that this has been happening since the early 2000s. Various UK security services have been ordering telecommunications companies to retain metadata in case they want access to it.
Metadata refers to data about data; i.e. not the content of the data itself but information about it. For example, if John were to send a message to Claude, the metadata would not contain the contents of the message (what was written in it), but would contain information about it, such as the time it was sent, the size of the message, the device from which it was sent, the IP address (basically a number that uniquely identifies a particular device such as a phone or computer) of the sender and receiver, and the location of the sender and receiver.
The Secretary of State was empowered to order the telecommunications providers to retain large amounts of metadata and to turn over that metadata if it was considered in the interest of national security. The security services could then analyse the bulk data in an attempt to find the “needle” in the “haystack” of the BCD: the larger the “haystack”, the more needles there would be to find.
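The privacy concern behind the “haystack” is that retained metadata, even with no message content, is enough to reconstruct who communicates with whom, how often, from where, and how quickly they answer each other. The following Python example is added here to illustrate that point; it is not from the article or from the litigation. It runs over a handful of constructed message-metadata records (the names John, Claude and two further hypothetical contacts, the IP addresses and the locations are all made up, using documentation address ranges) and derives a contact graph, a usual location per person and reply latencies, the kind of inference bulk retention makes possible at scale.

```python
"""Metadata-only inference over a constructed set of message records.

Added example: shows what can be learned from communications metadata
alone (no content), using fabricated records.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class MessageMetadata:
    """The fields the article lists as metadata: no message body."""
    sender: str
    receiver: str
    sent_at: datetime
    size_bytes: int
    sender_ip: str
    sender_location: str


# Constructed sample records (hypothetical people, RFC 5737 test addresses).
RECORDS = [
    MessageMetadata("john", "claude", datetime(2020, 10, 5, 8, 2), 1200, "203.0.113.10", "London"),
    MessageMetadata("claude", "john", datetime(2020, 10, 5, 8, 5), 800, "198.51.100.7", "Paris"),
    MessageMetadata("john", "claude", datetime(2020, 10, 5, 22, 40), 950, "203.0.113.10", "London"),
    MessageMetadata("john", "dr_smith", datetime(2020, 10, 6, 9, 15), 400, "203.0.113.10", "London"),
    MessageMetadata("dr_smith", "john", datetime(2020, 10, 6, 9, 20), 2100, "192.0.2.44", "Manchester"),
    MessageMetadata("claude", "anna", datetime(2020, 10, 7, 12, 0), 600, "198.51.100.7", "Paris"),
    MessageMetadata("john", "dr_smith", datetime(2020, 10, 13, 9, 10), 420, "203.0.113.10", "London"),
]


def contact_graph(records):
    """Undirected edge (a, b) -> number of messages exchanged between a and b."""
    counts = Counter()
    for r in records:
        counts[tuple(sorted((r.sender, r.receiver)))] += 1
    return counts


def contacts_of(records, person):
    """Everyone a person has exchanged at least one message with."""
    return {r.receiver if r.sender == person else r.sender
            for r in records if person in (r.sender, r.receiver)}


def most_frequent_contact(records, person):
    """The single contact with the most messages to or from the person."""
    counts = Counter()
    for (a, b), n in contact_graph(records).items():
        if person in (a, b):
            counts[b if a == person else a] += n
    return counts.most_common(1)[0][0] if counts else None


def usual_location(records, person):
    """Most common reported sending location; location metadata alone gives this."""
    locs = Counter(r.sender_location for r in records if r.sender == person)
    return locs.most_common(1)[0][0] if locs else None


def reply_latencies(records, window=timedelta(hours=1)):
    """Seconds between a message A->B and the first B->A within the window.

    Timing metadata alone reveals how responsive two parties are to each other.
    """
    ordered = sorted(records, key=lambda r: r.sent_at)
    latencies = []
    for i, msg in enumerate(ordered):
        for later in ordered[i + 1:]:
            if later.sent_at - msg.sent_at > window:
                break
            if later.sender == msg.receiver and later.receiver == msg.sender:
                latencies.append((later.sent_at - msg.sent_at).total_seconds())
                break
    return latencies


if __name__ == "__main__":
    print("contact graph:", dict(contact_graph(RECORDS)))
    print("john's contacts:", contacts_of(RECORDS, "john"))
    print("john's closest contact:", most_frequent_contact(RECORDS, "john"))
    print("john is usually in:", usual_location(RECORDS, "john"))
    lat = reply_latencies(RECORDS)
    print("median reply latency (s):", median(lat) if lat else None)
```

Nothing in the records is message content, yet the output already says that John talks mostly to Claude, has a recurring weekly exchange with someone named `dr_smith`, sends from London, and that both correspondents answer him within minutes; with millions of records the same queries become a profile of the whole population, which is why the court treated general retention as more than a technical matter.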
The Directive that the 1984 Telecommunications Act was said to contravene, Directive 2002/58/EC, is intended to implement Articles 7 and 8 of the Charter of Fundamental Rights, namely the Respect for Privacy and Family Life and the Protection of Personal Data. To that end, Article 3 of the Directive holds that “Member States shall ensure the confidentiality of communications” through national legislation. It prohibits the collection and storing of data without consent except for purposes of traffic management (i.e. technical considerations and billing issues for telecommunications companies).
On the subject of scope, the Directive is slightly confusing and somewhat contradictory. Article 1(3) of the Directive holds that “This Directive shall not apply to activities which fall outside the scope of [the TFEU]… activities concerning public security, defence, State security”. Article 15(1) holds that
“Member States may adopt legislative measures to restrict the scope of the rights and obligations…when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security”
This is subject to the condition that legislative measures “shall be in accordance with the general principles of [EU] law”, namely necessity, appropriateness and proportionality. Both Article 1(3) and 15(1) take their authority from Article 4(2) of the Treaty of the European Union, which states that “national security remains the sole responsibility of each Member state”.
As such, the question of interpretation arises as to whether issues of national security, and the Telecommunications Act 1984, are exempt from the regulation per Article 1(3), or whether they are within the scope of the regulation per 15(1), and therefore subject to the “general principles” of EU law.
The court considered two questions: do the powers given by the Telecommunications Act 1984 fall within the scope of the Directive, and if so, have they been used illegally as a result? The court answered both questions in the affirmative.
On the first question, the Court rejected the governments’ arguments that 1(3) puts legislation on national security beyond the scope of the Directive. The governments had argued that the sentence in 1(3) that “excludes from its scope ‘activities of the State’” reflected the principle in TEU 4(2) which excludes national security policy from the competence of the EU.
The court held that, as the Telecommunications Act 1984 empowered the Secretary of State to order telecommunications companies to collect bulk data, the legislation is as much concerned with the activity of commercial telecommunications providers as with national security. The Directive’s express concern is, inter alia, regulating telecommunications providers. In that regard, those activities are regulated by the Directive.
Furthermore, if one were to read Article 1(3) such that legislation like the Telecommunications Act 1984 was excluded from the scope of the Directive, it would deprive 15(1) of any material significance. If any measure to do with national security were immediately outside the scope of the regulation, 15(1) would regulate nothing. As such, the court did not read Article 1(3) as excluding all national security issues by definition as beyond the scope of the regulation.
Powers resulting from the Telecommunications Act 1984 were therefore considered to be within the scope of the Directive, and as a result were legal only within the “general principles of [EU] law”, because, as the court concluded, the Directive must be read such that legislation like the 1984 Act “falls within the scope of that directive”.
As such, the second question was engaged, as to what impositions the regulations put on the Secretary of State in using the powers arising from the 1984 Act. The court held that the general principles of EU law to be applied were proportionality, necessity and appropriateness, read in the light of Articles 7 and 8 of the Charter of Fundamental Rights.
The court held that in order to meet the requirements of proportionality and necessity, “the legislation must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards” which were binding under the domestic law. The general and indiscriminate access the UK security services were given under the 1984 legislation failed to meet those standards.
Furthermore, in derogating from the principle of confidentiality
in a general and indiscriminate way, [the 1984 legislation] has the effect of making the exception to the obligation of principle to ensure the confidentiality of data the rule, whereas the system established by Directive 2002/58 requires that that exception remain an exception.
Allowing the security services to derogate from the principle generally, rather than in a targeted manner with a specific goal in mind, made the exception to the regulation the rule. This issue was compounded by the fact that the 1984 legislation empowers the Secretary of State to order that the data accessed could be sent to third countries.
As the requirement to retain data was “general and indiscriminate”, with the stated aim of constructing a haystack in which to find a needle, the data retention program could not be said to be proportional or necessary, especially in light of Articles 7 and 8 of the Charter.
The court therefore concluded that the Directive
must be interpreted as precluding national legislation enabling a State authority to require providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security
This decision may have significant impacts on whether the UK data protection regime that comes into place after the end of the transition period is awarded “adequacy”. Adequacy is the certification that a country’s data protection regime is of a sufficient standard that EU companies can transfer data freely into that country.
Most recently, the importance of adequacy has been highlighted by a case known as Schrems II. In Schrems II, the CJEU judged that the so called “Privacy Shield”, a mechanism whereby companies in the United States could take on certain responsibilities to be granted adequacy, was invalid as an adequacy measure. As such, data transfers from the EU to the US are no longer legal under that regime.
See David Hart’s post on the Schrems challenges here.