Article 29 Working Party: Essential Reading on Essential Guarantees for Transferred European Data

12 April 2016

Ruth Boardman, James Mullock

On 13 April 2016, the Article 29 Working Party published a Working Document on data transfers which looked at the impact of surveillance measures on countries wishing to receive personal data from the EU (WP237).

The Working Document has been rather eclipsed by the accompanying publication of the Working Party's critical views on the adequacy of the Privacy Shield. However, it is an important document which merits closer reading.

First, the Working Party emphasises that data protection authorities can suspend individual data transfers made on the basis of Standard Contractual Clauses, where they conclude that the law of the importing country does not respect EU fundamental rights, which is an implicit warning that the CJEU litigation in Schrems and “Schrems II” may not be the end of the story.

Second, in the light of the Brexit referendum, the Document has added importance for those concerned about data flows to the UK: post-Brexit, will the UK be considered to meet these 'European Essential Guarantees'?

The Document is the conclusion of work undertaken by the Working Party analysing cases of the Court of Justice of the EU (CJEU) and the European Court of Human Rights (ECtHR) which look at surveillance in Member States and in states which are parties to the European Convention on Human Rights.

The Working Party concludes that four 'European Essential Guarantees' can be extrapolated from these cases. Actions which fall foul of these European Essential Guarantees will amount to an unjustified interference with fundamental rights.

A 3-page Annex lists the cases considered by the Working Party. Perhaps worryingly for those concerned about Brexit, more cases feature the UK than any other Member State. The Annex, however, is not complete. For example, the 2010 ECtHR case of Kennedy v UK (which considered the Regulation of Investigatory Powers Act, and which concluded that, in that case, UK practice did not breach Article 8 of the Convention) is not listed in the Annex, although, curiously, it is referred to in the Working Document itself.

The fact that the Working Party has chosen to conflate CJEU and ECtHR cases may, paradoxically, be helpful for the UK. Post-Brexit, the UK will no longer be subject to the CJEU. However, Theresa May has now committed to the UK remaining a signatory to the European Convention on Human Rights: as UK law relating to national security will have to comply with Convention rights, this may make it harder to argue successfully that the UK rules on communications data fall short of the Working Party's Guarantees.

The four European Essential Guarantees are that:

A: Processing should be based on clear, precise and accessible rules

The processing must be in accordance with a precise, clear and publicly accessible law. The legal basis for surveillance should be set out in statute. The law should also set out the types of offences in respect of which interception or surveillance can be used, the categories of people who can be the subject of surveillance, a limit on the duration of the surveillance, the procedures for examining, storing and using the data and the precautions when communicating the data to others. Rules governing access (both the justifications for access and the procedural matters relating to access) should also be set out.

B: Processing must be necessary & proportionate to the (legitimate) objectives pursued

Legislation which authorises storage of all personal data transferred from the EU, without setting out rules appropriate to the objective pursued and without an objective criterion to determine access and subsequent use, is not necessary and proportionate.

Mass surveillance must be subjected to very close scrutiny; access should be determined by objective criteria; if an individual is targeted, then this should be on the basis of reasonable suspicion and the individual should be clearly identified.

The Working Party acknowledges that the Courts have not yet considered the lawfulness of mass, indiscriminate, data collection and the subsequent use of such data - this may be considered in part in the pending Tele2/Watson case and in advice to be given on the validity of the agreement relating to the transfer of Passenger Name Record data to Canada.

Legislation allowing access to the content of communications on a 'generalised basis' is not lawful, but the meaning of 'generalised basis' has not been spelled out.

C: There must be an independent oversight mechanism

Independent oversight is essential. Where surveillance is secret and, as a result, abuse potentially easy, supervisory control by a judge is preferred. Access to stored data should also be dependent on the prior review of a court or independent administrative body, whose decisions seek to limit access.

The Working Party notes that while a judge is preferred, other bodies or persons could be responsible as long as they are sufficiently independent, and the qualification of the person is also relevant (for example, the fact that an appointee is qualified to hold judicial office, rather than being a member of the executive). The degree to which the supervisory authority’s activities are open to public scrutiny is also relevant.

On independence, the Working Party references cases assessing the independence of data protection authorities themselves, which note that functional independence by itself may not be sufficient and that reviewers should not be directed or subjected to external influence.

D: There should be effective remedies for the individual

ECtHR case law suggests that an effective remedy also involves the individual being notified once surveillance is over. If this is not done, then there can still be an effective remedy if complaints are considered in a court, which is independent and impartial, with its own rules of procedure, and consisting of members who hold, or have held, high judicial office or are experienced lawyers. The court should also have access to all relevant information (including closed materials) and have powers to remedy non-compliance.

The Working Party does note that the cases analysed recognise that Member States have a right to introduce legislation to maintain national security and to collect data for intelligence purposes. It also notes that the Member States have a 'fairly wide margin of appreciation' in achieving this aim, for example, including secret surveillance measures, as long as suitable guarantees are in place.

As the Working Party itself acknowledges, it can be difficult to extrapolate general principles from particular cases which are very specific to their facts. Some cases relate to wire-tapping: is it right that principles stated in the context of interception should be applied, as-is, to the collection of, and later access to, communications data? Some of the cases cited by the Working Party also do not exactly relate to national security and law enforcement access at all. For example, Halford v UK is included, which readers will remember related to interception of calls on a private network by the police - not for national security purposes but to check on legal advice being given to Ms Halford in relation to her discrimination claims against the police force.

Working Party Opinions are influential but should not be treated in the same way as case law. As statements by the authorities tasked with enforcing data protection law and promoting good practice, they reflect the policy objectives of those authorities. Working Party Opinions should therefore always be read with care. This is particularly true of this paper, and the Working Party itself draws attention to the point by adopting it as a more provisional Working Document, rather than an Opinion.

Not only are the Working Party's Essential Guarantees somewhat imprecise and tentative, their data protection impact is also unclear. The Working Party notes that its 'Essential Guarantees' test is a different test to that required for an adequacy decision. In this case, the CJEU set out a test of 'essential equivalence'. However, as all processing of personal data (including data transfers) must comply with the requirements of the EU Charter and European Convention on Human Rights, the Working Party suggests that data transfers should also be assessed against these European Essential Guarantees.

The Working Party also reiterates that the Standard Contractual Clauses allow (in fact, oblige) data protection authorities to determine if the law applicable to the data importer goes 'beyond the restrictions necessary in a democratic society'. In other words, even if the Working Party is wrong in its suggestion that these Essential Guarantees should be relevant in adequacy decisions, these Guarantees are still what the Working Party will turn to in considering individual complaints about data transfers under the Standard Contractual Clauses.

The full Working Document is available here.