On 29 March 2017, the UK Government served formal notice under Article 50 of the Treaty on European Union to terminate the UK's membership of the EU (following the June 2016 UK referendum on EU membership). Based on Article 50, the EU Treaties shall cease to apply to the UK and the UK exit will take effect in March 2019 (subject to the unlikely possibility of the withdrawal agreement being concluded sooner and unless all Member States agree to extend the period). Negotiation of a new trade agreement with the EU could take several years beyond 2019, although the Prime Minister has declared the objective of achieving such an agreement within the two-year period.
Thus the nature of the future relationship between the EU and the UK is currently uncertain. The UK appears to have discounted membership of the EEA or some kind of associate EU membership.
So at the moment it seems likely that post-Brexit the UK will, for data protection purposes, become a “3rd country” on a par with countries like the USA. However, EU data protection law prohibits the transfer of personal data to countries lacking an adequate level of protection for EU citizens’ personal data. Adequacy does not require identical laws, but the 3rd country must provide ‘essentially equivalent’ protection. For most purposes the UK should be well positioned to qualify, since it will have had to comply with the General Data Protection Regulation by 25 May 2018. The UK Government has indicated that it will freeze into UK law the EU legislation in force at the point of the UK's exit to ensure continuity, but it may choose to amend such law in due course.
However, as the USA has discovered recently, the question of adequacy is broader than data protection legislation alone. Adequacy has to take into account the 3rd country’s surveillance powers. In October 2015 the EU Court of Justice in Schrems struck down the Safe Harbour agreed between the European Commission and the USA. Although the decision was more procedural than substantive, the basis of the complaint was US surveillance practices revealed by Edward Snowden. Since then the EU and the USA have agreed the Privacy Shield, which contains considerable detail and some assurances about the operation of the US surveillance regime. The Privacy Shield is now itself being challenged in the CJEU by two NGOs, focusing on bulk surveillance powers.
So if the UK is to obtain a post-Brexit adequacy decision from the European Commission it can expect its surveillance regime to come under close scrutiny. It can also expect any resulting adequacy decision by the Commission to be put under the microscope and challenged in the CJEU if thought to be wanting.
Partly as a result of the fallout from the Snowden revelations the UK now has shiny new surveillance legislation, the Investigatory Powers Act 2016. The IP Act contains a comprehensive code for targeted, thematic and bulk interception, equipment interference and communications data acquisition powers. Most but not all of these are subject to prior approval by a Judicial Commissioner.
Questions remain, however, about whether the powers are sufficiently limited, tailored and safeguarded to comply with EU law (and indeed with the separate, non-EU, European Convention on Human Rights). Indeed the Act was only three weeks old when the CJEU issued its judgment in Watson/Tele2 on the existing data retention regime under the Data Retention and Investigatory Powers Act (DRIPA). As a result the Act is already looking a little tarnished. Mandatory communications data retention provisions of the IP Act will in all probability have to be substantially modified. What is more, the IP Act’s data retention powers go further than DRIPA, for instance into areas that may be regarded as content rather than metadata. That could provide further grounds for new challenges.
The current baseline against which the UK surveillance regime would be tested for the purposes of adequacy is a combination of the EU ePrivacy Directive, the EU Charter of Fundamental Rights, the CJEU decisions in Digital Rights Ireland, Schrems and Watson/Tele2, ECtHR decisions such as Szabo and Zakharov and the Commission’s Privacy Shield decision. While the Commission’s decision does not create law, it does set a political precedent. Unless the law changes in the meantime it would be difficult for the Commission to stray far from the stance that it adopted in the Privacy Shield decision.
However the legal baseline will not remain static. Watson/Tele2 was the first of several post-Investigatory Powers Act cases pending in the CJEU and the European Court of Human Rights that will flesh out and develop the standards required of surveillance legislation.
Although concerned with bulk data retention rather than interception or interference, Watson/Tele2 provides pointers to the possible future direction of CJEU decisions. As did Schrems, Watson/Tele2 emphasises the need for differentiation, limitation and exceptions in the light of the objective pursued. This suggests that while appropriately focused and granular bulk powers may be acceptable, blanket bulk powers may not be.
If that is to be the future direction of CJEU caselaw then the IP Act’s bulk powers, which are longer on safeguards than they are on limitations, may be in trouble.
Consider the variety of differing techniques that fall under the one bulk interception power. Techniques range from real-time application of 'strong selectors' at the point of interception (akin to multiple simultaneous targeted interception), through to pure ‘target discovery’: pattern analysis and anomaly detection designed to detect suspicious behaviour, perhaps evolving towards machine learning and predictive analytics. Between the two ends of the spectrum are seeded analysis techniques, applied to current and historic bulk data, where the starting point for the investigation is an item of information associated with known or suspected wrongdoing.
The statute makes no differentiation between these different techniques. Any of them can potentially be used for any of the broadly framed statutory purposes.
Statutory bulk powers could be differentiated and limited. Distinctions could be made between, for instance, seeded and unseeded data mining. If pattern recognition and anomaly detection are valuable for detecting computerised cyber attacks, legislation could focus their use on that purpose. Such limitations could prevent them being used for attempts to detect and predict suspicious behaviour in the general population, precrime-style.
Under the Act these distinctions are left to assessments of necessity and proportionality by Ministers and Judicial Commissioners when issuing and approving warrants, buttressed by after-the-event oversight. These are soft limits, rather than the hard limits that may in future be required for bulk powers to pass muster.
As well as the pending Privacy Shield challenges, the CJEU is due to rule on the proposed agreement between the EU and Canada over sharing of Passenger Names Records (PNR data). The particular interest of the PNR case is that the techniques intended to be applied to bulk PNR data are similar to generalised target discovery techniques that could be applied to bulk data obtained by use of the IP Act powers.
Advocate General Mezzini in his Opinion recommends that the Agreement must (among other things): set out clear and precise categories of data to be collected (and exclude sensitive data); include an exhaustive list of offences that would entitle the authorities to process PNR data; in order to minimise ‘false positives’ generated by automated processing, contain various principles and explicit rules concerning scenarios, predetermined assessment criteria and databases with which PNR would be compared. Those must to a large extent make it possible to arrive at results targeting individuals who might be under a reasonable suspicion of participating in terrorism or serious transnational crime. They must not be based on an individual’s racial or ethnic origin, his political opinions, his religion or philosophical beliefs, his membership of a trade union, his health or his sexual orientation. The judgment of the Court is awaited.
As bulk powers come under greater scrutiny in the courts questions of limitation and differentiation of powers may come more strongly to the fore.
In the European Court of Human Rights 10 NGOs have brought a complaint about the existing bulk interception powers regime under the Regulation of Investigatory Powers Act 2000. Domestically, Liberty is in the process of launching judicial review proceedings against all the bulk powers provisions of the IP Act.
With a potentially shifting legal baseline, timing is important. Digital Minister Matt Hancock told the House of Lords EU Home Affairs Sub-Committee on 1 February 2017 that the government would seek to have unhindered data flows the morning that the UK leaves the EU. He said "An adequacy decision could work. There are many different ways that you could make this work".
When the time comes for adequacy to be evaluated some of the court cases may by then have produced judgments. The net result is that the legal baseline for adequacy could have changed substantially, or at least have firmed up. The Investigatory Powers Act might already have had to be substantially modified to take account of those decisions; or if not, it may then be clearer that its powers are appropriately framed. Either way, it is likely that adequacy would be evaluated against a more certain legal background than is currently the case.
This article is part of our Brexit series