The Court of Justice of the European Union continues to make things interesting in the data protection world. First came the court's "Schrems II" decision last July, and this week, the CJEU issued a ruling that could spring a leak and potentially sink adequacy negotiations between the U.K. and EU.
The latest twist came as the CJEU ruled to restrict surveillance activities on phone and internet data by EU member states but specifically to regimes in Belgium, France and the U.K. The decision means governments have limited grounds for mass data retention unless they face a "serious threat to national security." Additionally, access to phone and internet data, as well as the duration of that access, should be determined based on necessity.
In comments to The Privacy Advisor about this week's decision, Fieldfisher Partner Phillip Lee, CIPP/E, CIPM, FIP, said, "In the wake of 'Schrems II,' a criticism commonly leveled at the EU was that it was being hypocritical — that, when it came to surveillance for national security purposes, the EU was holding the U.S. (under Privacy Shield) to higher standards than those of its member states. This ruling might serve to quell some of that criticism."
The U.K. is chief among those affected by the court's ruling as the clock winds down on its Brexit transition period, which is set to expire with or without an adequacy decision from the EU Dec. 31. Doubts about an adequacy agreement already loomed, but the latest CJEU ruling further clouds a potential deal.
"If interlocutors in the EU considering the U.K.’s adequacy decision conclude that the powers applied by the U.K. government exceed those permitted under this judgment, then there could be a question as to whether essentially equivalent protection can be provided to EU data subjects where their data is transferred to the U.K.," Promontory Senior Principal John Bowman, CIPP/E, CIPM, FIP, said.
In particular, the U.K. Investigatory Powers Act now stands as a potential roadblock for negotiations. Adequacy focuses on foreign governments avoiding interference with EU fundamental rights. Following the CJEU decision, the Investigatory Powers Act and its provisions for bulk data collection firmly impede EU citizens' guaranteed rights to privacy and data protection.
"Although the Investigatory Powers Act contains safeguards, such as prior independent approval, on the use of such powers these CJEU judgments appear to set limits on their permissible scope, which may not necessarily be overcome just by adding safeguards," Bird & Bird Counsel Graham Smith said. "Nevertheless, an adequacy determination does not require that a non-EU country’s legal regime for the protection of personal data be the same as that of the EU. The test is whether it provides essentially equivalent protection."
The key to adequacy talks going forward will be the U.K.'s ability to convincingly promote the existing safeguards within its surveillance regime. Fieldfisher's Lee sees a clear argument for the U.K. but one that will undoubtedly still take its share of scrutiny.
"The likelihood is that the U.K. government will argue the Investigatory Powers Act does not provide for 'general and indiscriminate' retention in the way condemned by today's ruling," Lee said. "But instead, it provides a means by which the Secretary of State can issue retention notices, subject first to oversight by a judicial commissioner who must determine whether the notice is 'necessary and proportionate.' However, others will no doubt point out that the scope of retention notices can potentially be very broad, and so, if it walks like a duck and talks like a duck …"
While governments will be left to untangle the CJEU judgment, it did amount to a win for advocacy groups like Privacy International, one of the three organizations that brought forward claims to the court.
"In these turbulent times, it serves as a reminder that no government should be above the law," Privacy International Legal Director Caroline Wilson Palow said in a news release. "While the Police and intelligence agencies play a very important role in keeping us safe, they must do so in line with certain safeguards to prevent abuses of their very considerable power. They should focus on providing us with effective, targeted surveillance systems that protect both our security and our fundamental rights."
Photo by Matt Antonioli on Unsplash
If you want to comment on this post, you need to login.