The UK exited the EU on 31st January 2020. By virtue of the transition period in the Withdrawal Agreement, EU law will continue to apply in and in relation to the UK only until 31st December 2020. The EU Treaties, EU free movement rights and the general principles of EU law will then cease to apply in relation to the UK, and prior EU regulations will only continue to apply in domestic law (by virtue of the European Union (Withdrawal) Act 2018) insofar as they are not modified or revoked by regulations under that 2018 Act.
At the end of the transition period the UK will, for data protection purposes, become a “3rd country” on a par with countries like the USA.
EU data protection law restricts the transfer of personal data to 3rd countries lacking an adequate level of protection for EU citizens’ personal data. The European Commission is empowered to declare a 3rd country to be adequate, whether as a whole or within a limited arrangement such as the US Privacy Shield. The Political Declaration accompanying the UK-EU Withdrawal Agreement commits the Commission to endeavouring to adopt decisions by the end of 2020, if the conditions are met. This is a challenging timetable.
Adequacy does not require identical laws, but the 3rd country must provide ‘essentially equivalent’ protection. For most purposes the UK is well positioned to qualify, since the General Data Protection Regulation came into effect on 25 May 2018, accompanied by the Data Protection Act 2018. Under the European Union (Withdrawal) Act 2018 the GDPR will automatically be converted into domestic UK legislation at the end of the transition period.
However, as the USA has discovered, the question of adequacy is broader than data protection legislation alone. Adequacy takes into account the 3rd country’s surveillance powers. In October 2015 the EU Court of Justice in Schrems struck down the Safe Harbour agreed between the European Commission and the USA. Although the decision was more procedural than substantive, the basis of the complaint was US surveillance practices revealed by Edward Snowden. Since then the EU and the USA have agreed the Privacy Shield, which contains considerable detail and some assurances about the operation of the US surveillance regime.
The Privacy Shield is now itself being challenged in the CJEU. It is potentially implicated in Schrems 2 (C-311/18) and directly challenged in La Quadrature du Net and Others v Commission (T-738/16). The Advocate General’s December 2019 Opinion in Schrems 2 voiced doubts about the protections provided by the US regime.
So if the UK is to obtain an adequacy decision from the European Commission it can expect its surveillance regime to come under close scrutiny (albeit that since the UK will also be considering the adequacy of the EU data protection regime, considerations of mutual respect may come into play). The UK can also expect any adequacy decision by the Commission to be put under the microscope and challenged in the CJEU if thought to be wanting.
Partly as a result of the fallout from the Snowden revelations the UK has new surveillance legislation, the Investigatory Powers Act 2016. The IP Act contains a comprehensive code for targeted, thematic and bulk interception, equipment interference and communications data acquisition powers. Most but not all of these are subject to prior approval by a Judicial Commissioner.
Questions remain, however, about whether the powers are sufficiently limited, tailored and safeguarded to comply with EU law (and indeed with the separate, non-EU, European Convention on Human Rights). The Act was only three weeks old when the CJEU issued its judgment in Watson/Tele2 on the existing data retention regime under the Data Retention and Investigatory Powers Act (DRIPA). As a result the Act has already had to be amended, including the introduction of prior independent approval of some categories of communications data request. What is more, the IP Act’s data retention powers go further than DRIPA, for instance into areas that might be regarded as content rather than metadata.
Additionally, the October 2019 agreement between the UK and the USA catering for cross-border interception and communications data demands direct to service providers may fall to be considered.
The current baseline against which the UK surveillance regime would be tested for the purposes of adequacy is a combination of the EU ePrivacy Directive, the EU Charter of Fundamental Rights, the CJEU decisions in Digital Rights Ireland, Schrems, Watson/Tele2 and Ministerio Fiscal, European Court of Human Rights decisions and the Commission’s Privacy Shield decision. While the Commission’s decision does not create law, it does set a political precedent. Unless the law changes in the meantime it would be difficult for the Commission to stray far from the stance that it adopted in the Privacy Shield decision.
However, the legal baseline will not remain static. Watson/Tele2 was the first of several post-Investigatory Powers Act cases pending in the CJEU and the European Court of Human Rights that will flesh out and develop the standards required of surveillance legislation. Pending CJEU cases include not only Schrems 2 and La Quadrature du Net, but also three references concerning mandatory communications data retention and a UK reference in the Privacy International litigation over the former use of s.94 Telecommunications Act 1984 for bulk acquisition of communications data.
In the ECtHR the Grand Chamber judgment in the Big Brother Watch case challenging the former UK bulk surveillance regime under the Regulation of Investigatory Powers Act 2000 is pending. The initial Chamber judgment found the regime lacking in three specific respects, each of which could have implications for the Investigatory Powers Act. Also proceeding in Strasbourg is Privacy International’s complaint about equipment interference powers under s.7 of the Intelligence Services Act 1994.
Although concerned with bulk data retention rather than interception or interference, Watson/Tele2 provides pointers to the possible future direction of CJEU decisions. As did Schrems, Watson/Tele2 emphasises the need for differentiation, limitation and exceptions in the light of the objective pursued. This suggests that while appropriately focused and granular bulk powers may be acceptable, blanket bulk powers may not be.
If that is to be the future direction of CJEU caselaw then the IP Act’s bulk powers, which are longer on safeguards than they are on limitations, may be in trouble.
Consider the variety of differing techniques that fall under the one bulk interception power. Techniques range from real-time application of ‘strong selectors’ at the point of interception (akin to multiple simultaneous targeted interception), through to pure ‘target discovery’: pattern analysis and anomaly detection designed to detect suspicious behaviour, perhaps evolving towards machine learning and predictive analytics. Between the two ends of the spectrum are seeded analysis techniques, applied to current and historic bulk data, where the starting point for the investigation is an item of information associated with known or suspected wrongdoing.
The statute makes no differentiation between these different techniques. Any of them can potentially be used for any of the broadly framed statutory purposes.
Statutory bulk powers could be differentiated and limited. Distinctions could be made between, for instance, seeded and unseeded data mining. If pattern recognition and anomaly detection are valuable for detecting computerised cyber attacks, legislation could focus their use on that purpose. Such limitations could prevent them being used for attempts to detect and predict suspicious behaviour in the general population, precrime-style.
Under the Act these distinctions are left to assessments of necessity and proportionality by Ministers and Judicial Commissioners when issuing and approving warrants, buttressed by after-the-event oversight. These are soft limits, rather than the hard limits that may in future be required for bulk powers to pass muster.
The CJEU has also ruled on the proposed agreement between the EU and Canada over sharing of Passenger Name Records (PNR data). The particular interest of the PNR case is that the techniques intended to be applied to bulk PNR data are similar to generalised target discovery techniques that could be applied to bulk data obtained by use of the IP Act powers.
Advocate General Mengozzi in his Opinion recommended that the Agreement must (among other things): set out clear and precise categories of data to be collected (and exclude sensitive data); include an exhaustive list of offences that would entitle the authorities to process PNR data; in order to minimise ‘false positives’ generated by automated processing, contain various principles and explicit rules concerning scenarios, predetermined assessment criteria and databases with which PNR would be compared. Those must to a large extent make it possible to arrive at results targeting individuals who might be under a reasonable suspicion of participating in terrorism or serious transnational crime. They must not be based on an individual’s racial or ethnic origin, his political opinions, his religion or philosophical beliefs, his membership of a trade union, his health or his sexual orientation. The judgment of the Court found the Agreement wanting in a number of respects and referred to the concerns that the Advocate General had raised about automated processing of PNR data.
Domestically, Liberty’s judicial review of all the bulk powers provisions of the IP Act is continuing in the Court of Appeal, alongside its appeal on the communications data retention powers.
As bulk powers come under greater scrutiny in the courts, questions of limitation and differentiation of powers may come more strongly to the fore.
When the time does come for adequacy to be evaluated, more of the court cases may by then have produced judgments. The net result is that the legal baseline for adequacy could have changed substantially, or at least have firmed up. The Investigatory Powers Act has already had to be substantially modified, and further modifications may be made; or if not, it may then be clearer whether its powers are appropriately framed. Either way, it is likely that adequacy would be evaluated against a more certain legal background than is currently the case.