Schrems 2 for the UK? CJEU Ruling Threatens Future Adequacy Talks

10 October 2020 by

Case C‑623/17

The CJEU ruled on Tuesday that Directive 2002/58/EC (‘the Directive’) precludes national legislation from ordering telecommunication companies to transfer data in a “general and indiscriminate” manner to security agencies, even for purposes of national security. The ruling follows a challenge by Privacy International to UK security agencies over their practices of collecting bulk communications data (BCD).

The ruling could throw up roadblocks to a post-Brexit “adequacy” agreement over the UK’s data protection regime. Adequacy is granted to data protection regimes to confirm that they conform to the data protection standards of GDPR, and thus that companies may move data about EU data subjects outside of the EU to those regimes. Recently, the adequacy rating of the US “Privacy Shield” was invalidated by the Schrems II judgment. This ruling could prove to be an analogous issue for the UK’s adequacy rating at the end of the transition period.

The UK government argued that, as issues of national security are beyond the competencies of the EU, BCD collection schemes were as a result beyond the remit of EU regulation on data privacy. The CJEU ruled that although the practices were national security measures, they were nonetheless within the scope of the Directive and therefore subject to the limitations set out in it.

The dispute focuses on powers given to the Secretary of State by the Telecommunications Act 1984. Section 94 gives the Secretary broad discretionary powers to order telecommunications providers to retain and turn over data to security services if it is considered in the interests of national security. Furthermore, the Secretary of State does not have to disclose the use of those powers to parliament if the disclosure is judged to render the powers ineffective.

In 2015 it was revealed that this had been happening since the early 2000s. Various UK security services have been ordering telecommunications companies to retain metadata in case they want access to it.

Metadata is data about data: not the content of a communication itself, but information about it. For example, if John were to send a message to Claude, the metadata would not contain the contents of the message (what was written in it), but would contain information about it, such as the time it was sent, the size of the message, the device from which it was sent, the IP address (basically a number that uniquely identifies a particular device such as a phone or computer) of the sender and receiver, and the location of the sender and receiver.

The Secretary of State was empowered to order the telecommunications providers to retain large amounts of metadata and to turn over that metadata if it was considered in the interest of national security. The security services could then analyse the bulk data in an attempt to find the “needle” in the “haystack” of the BCD: the larger the “haystack”, the more needles there would be to find. 

The Directive that the 1984 Telecommunications Act was said to contravene, Directive 2002/58/EC, is intended to implement Articles 7 and 8 of the Charter of Fundamental Rights, namely the Respect for Privacy and Family Life and The Protection of Personal Data. To that end, Article 3 of the Directive holds that “Member States shall ensure the confidentiality of communications” through national legislation. It prohibits the collection and storing of data without consent except for purposes of traffic management (i.e. technical considerations and billing issues for telecommunications companies).

On the subject of scope, the Directive is slightly confusing and somewhat contradictory. Article 1(3) of the Directive holds that “This Directive shall not apply to activities which fall outside the scope of [the TFEU]… activities concerning public security, defence, State security”. Article 15(1) holds that 

“Member States may adopt legislative measures to restrict the scope of the rights and obligations…when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security”

This is subject to the condition that legislative measures “shall be in accordance with the general principles of [EU] law”, namely necessity, appropriateness and proportionality. Both Articles 1(3) and 15(1) take their authority from Article 4(2) of the Treaty of the European Union, which states that “national security remains the sole responsibility of each Member state”.

As such, the question of interpretation arises as to whether issues of national security, and the Telecommunications Act 1984, are exempt from the regulation per Article 1(3), or whether they are within the scope of the regulation per 15(1), and therefore subject to the “general principles” of EU law. 

The court considered two questions: do the powers given by the Telecommunications Act 1984 fall within the scope of the Directive, and if so, have they been used illegally as a result? The court answered both questions in the affirmative. 

On the first question, the Court rejected the governments’ arguments that 1(3) puts legislation on national security beyond the scope of the Directive. The governments had argued that the sentence in 1(3) that “excludes from its scope ‘activities of the State’” reflected the principles in TEU 4(2) that excludes national security policy from the competence of the EU.

The court held that, as the Telecommunications Act 1984 empowered the Secretary of State to order telecommunications companies to collect bulk data, the legislation is as much concerned with the activity of commercial telecommunications providers as national security. The Directive’s express concern is, inter alia, regulating telecommunications providers. In that regard, those activities are regulated by the Directive.

Furthermore, if one were to read Article 1(3) such that legislation like the Telecommunications Act 1984 was excluded from the scope of the Directive, it would deprive 15(1) of any material significance. If any measure to do with national security were immediately outside the scope of the regulation, 15(1) would regulate nothing. As such, the court did not read Article 1(3) as excluding all national security issues by definition as beyond the scope of the regulation.

Powers resulting from the Telecommunications Act 1984 were therefore considered to be under the scope of the Directive, and as a result, were legal only within the “general principles of [EU] law”, because, as the court concluded, the Directive must be read such that legislation like the 1984 Act “falls within the scope of that directive”.

As such, the second question was engaged, as to what impositions the regulations put on the Secretary of State in using the powers arising from the 1984 Act. The court held that the general principles of EU law to be applied were proportionality, necessity and appropriateness, read in the light of Articles 7 and 8 of the Charter of Fundamental Rights.

The court held that in order to meet the requirements of proportionality and necessity, “the legislation must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards” which were binding under the domestic law. The general and indiscriminate access the UK security services were given under the 1984 legislation failed to meet those standards. 

Furthermore, in derogating from the principle of confidentiality 

in a general and indiscriminate way, [the 1984 legislation] has the effect of making the exception to the obligation of principle to ensure the confidentiality of data the rule, whereas the system established by Directive 2002/58 requires that that exception remain an exception.

Allowing the security services to derogate from the principle generally, rather than in a targeted manner with a specific goal in mind, made the exception to the regulation the rule. This issue was compounded by the fact that the 1984 legislation empowers the Secretary of State to order that the data accessed could be sent to third countries.  

As the requirement to retain data was “general and indiscriminate”, with the stated aim of constructing a haystack in which to find a needle, the data retention program could not be said to be proportional or necessary, especially in light of Articles 7 and 8 of the Charter.

The court therefore concluded that the Directive

must be interpreted as precluding national legislation enabling a State authority to require providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security

This decision may have significant impacts on whether the UK data protection regime that comes into place after the end of the transition period is awarded “adequacy”. Adequacy is the certification that a country’s data protection regime is of a sufficient standard that EU companies can transfer data freely into that country. 

Most recently, the importance of adequacy has been highlighted by a case known as Schrems II. In Schrems II, the CJEU judged that the so-called “Privacy Shield”, a mechanism whereby companies in the United States could take on certain responsibilities to be granted adequacy, was invalid as an adequacy measure. As such, data transfers from the EU to the US are no longer legal under that regime.

See David Hart’s post on the Schrems challenges here.

Welcome to the UKHRB


This blog is run by 1 Crown Office Row barristers' chambers.