In this blog, I look at the main findings of the Court of Justice of the European Union (CJEU) which confirmed, yesterday, that EU law precludes national legislation that requires a general, bulk and indiscriminate retention of traffic data and location data.
The judgement (in the UK context) relates to the Data Retention and Investigatory Powers Act 2014 (DRIPA) which according to the judgement “exceeds the limit of what is strictly necessary and cannot be considered to be justified, within a democratic society”. DRIPA, by the way, expires at the end of the year, to be replaced by the Investigatory Powers Act 2016 (IPA).
It should be said at the outset that the ruling does not relate to national security as this subject is not within CJEU competence; this explains why the judgment is couched in terms of “serious crime”. However, as the national security agencies have a statutory role in supporting the police in cases of serious crime (e.g. see Security Service Act 1996), it follows that the judgment should apply to such support.
In addition, if any litigation on bulk dataset collection under the IPA were to wend a path to the European Court of Human Rights, that Court is likely to follow the CJEU’s analysis. After all, there is not much difference between the interference to privacy caused by DRIPA’s bulk communications data retention and IPA’s bulk personal dataset collection.
It follows that the ruling should have some consequences for the national security agencies and for the IPA, which has only just been enacted; however, I am not sure whether the IPA will need much changing to meet the requirements of this judgment. In this blog, I explain why.
What is clear is that if the UK fails to make changes to IPA procedures (and possibly modify the IPA itself), then transfers of personal data into the UK post Brexit are at considerable risk.
The Home Office says publicly that it is going to robustly appeal the decision (I don’t know how, by the way). However, the more it contests the judgment, the more the UK can kiss good-bye to any adequacy determination under the GDPR post Brexit.
In the following paragraphs, I summarise what the judgement states and comment on how I think it impacts on the IPA (in the paragraphs marked “CP comment”). I have also emphasised some key words in the text.
Court ruling details
The press release associated with the judgement states that “it is open to Members States to make provision, as a preventive measure, for targeted retention of that data solely for the purpose of fighting serious crime, provided that such retention is, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the chosen duration of retention, limited to what is strictly necessary”.
CP comment: the word “solely” excludes the use of retained communications data by many law enforcement authorities for lesser crimes (i.e. non “serious crime”). For example, the offence in Section 55 of the Data Protection Act is non-custodial and therefore a “non serious” crime (which ironically is explicitly proffered by Section 1(5)(b) of IPA as a key privacy protection!). The use of the word “targeted” suggests that mass retention and bulk personal datasets have significant Article 8 problems, as they are not targeted at all.
The legislation must indicate in what circumstances and under which conditions a data retention measure is, in practice, actually limited to what is strictly necessary. CP comment: IPA refers to the test of “necessary”, not “strictly necessary”, which is a far higher test; it carries a sense of “really, this is a last resort” interference into private life.
The fact that the communications data are retained without the users of electronic communications services being informed is likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance. CP comment: it has yet to be seen whether data subjects will be informed of mass data retention (and indeed any bulk personal dataset collection). In my evidence to Parliament, I showed that this has been done without prejudice to operations (see references).
Consequently, only the objective of fighting serious crime is capable of justifying such interference (my emphasis). CP comment: the use of “only” is at odds with the Code of Practice on telecommunications data that, according to Schedule 7, para 3(2)(d) will permit “(d) the processing of the data for purposes otherwise than in connection with the purposes for which it was obtained or retained” (i.e. a whole host of other purposes). The Code will thus need revision in my view.
Access can, as a general rule, be granted, in relation to the objective of fighting crime, only to the data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime. CP comment: the use of “only” in conjunction with “suspected” or “implicated” excludes the possibility of mass personal data collection on individuals “who are not of interest to the intelligence services” (as per Section 199(1) of IPA).
The Court states that any national legislation must be clear, precise and must provide for sufficient guarantees of the protection of data against risks of misuse. CP comment: reference to the non-custodial sentence of Section 55 of the DPA (in Section 1(5)(b) of IPA) and a maximum penalty of £50,000 (in Section 7 of IPA) for a flagrant unlawful breach of the IPA does not appear to me to form any guarantee at all. The maximum Monetary Penalty can be seen to be derisory when compared to the GDPR, for instance.
National legislation must lay down the substantive and procedural conditions governing access by law enforcement authorities to the retained data for serious crime. CP comment: the detail of the substantive and procedural conditions is found, not in the IPA legislation itself, but in the associated Codes of Practice (Schedule 7 of IPA).
Given the quantity of retained data, the sensitivity of that data and the risk of unlawful access to it, national legislation must make provision for that data to be retained within the EU and for the irreversible destruction of the data at the end of the retention period. CP comment: Brexit means we are outside the EU! This could make it difficult, for instance, for GCHQ to monitor French communications in bulk for the French authorities, or for bulk personal data on Europeans to be shared with USA national security agencies.
There has been a lot of press coverage that the UK’s Snoopers’ Charter (the populist description for the IPA) is in trouble from future legal challenge.
I am not so sure about this because the Judicial Commissioner procedures and textual changes to the relevant Codes of Practice could pick up many of the CJEU requirements. In addition, there is no actual evidence that IPA has gone wrong; just the widespread suspicion that it will.
I also suspect the Judicial Commissioners cannot ignore this judgment in the short term, as we have not yet left the EU. For instance, the Judicial Commissioner, as part of the IPA’s double lock, could:
- Tone down any bulk personal dataset collection, content or retention request so that it is “strictly necessary” and “targeted”
- Check that retention times are appropriate to the nature of the serious crime
- Ensure that any onward use or disclosure is limited to that “strictly necessary for a serious crime”
- Require the timely and secure irreversible destruction of personal data
- Require a comprehensive audit trail so that problems can be dealt with.
Codes of Practice can be changed to reflect the above requirements as well as ensure that data subjects are informed that their personal data are being used (as required by the judgment). Such information can be made public in a way that does not prejudice an inquiry.
When you look at the above list, the items are all related to recognisable Data Protection Principles. It shows again the great mistake of not including data protection considerations as part of the warrant authorising procedures (in particular the extent to which the Section 28 national security exemption applies; see references).
It can also be seen that if the UK fails to accommodate the CJEU changes, it is unlikely to be a safe place for transfers even if it gets an assessment of adequacy in Brexit negotiations. This is because of the Schrems decision (see references) and because, inevitably, there will be suspicions that the bulk personal dataset provisions are misused.
And how do you allay such suspicions? Well it’s a mixture of transparency, good independent oversight and a firm approach to the concept of “necessity”. If the Judicial Commissioners and Investigatory Powers Commissioner can do their job properly (and the Codes of Practice reflect these objectives), then the changes to IPA could be minor.
Will it happen? I suspect not, but only time will tell.
Can I wish you a good holiday period; Hawktalk returns in the New Year.
Forthcoming Amberhawk courses in January
- Next GDPR Workshops: 23 February (London)
- DP Foundation Course: Starts 10-12 January (BCS syllabus; London)
- DP Practitioner Course: Starts 17 January (BCS syllabus; London)
Advance warning: we have devoted the next UPDATE session on 3rd April 2017 to the GDPR. We have an impressive array of speakers lined up, including speakers from the ICO and DCMS: http://www.amberhawk.com/bookevents.asp
References
The judgment in “Cases C-203/15 Tele2 Sverige AB v Post-och telestyrelsen and C-698/15 Secretary of State for the Home Department v Tom Watson and Others”: http://curia.europa.eu/juris/liste.jsf?num=C-203/15
I cannot see the UK being adequate following Brexit if no adjustment is made to IPA procedures. This is a consequence of the Schrems CJEU judgment which empowers European Data Protection Authorities considerably: http://amberhawk.typepad.com/amberhawk/2016/02/politicians-agree-a-privacy-shield-as-the-working-party-of-data-protection-commissioners-display-a-s.html
Blogs on national security and data protection etc:
- Put privacy first! Parliamentary report calls for national security agencies to apply Data Protection Principles: http://amberhawk.typepad.com/amberhawk/2016/02/put-privacy-first-parliamentary-report-calls-for-national-security-agencies-to-apply-data-protection.html
- National security agencies should be subject to Data Protection law: http://amberhawk.typepad.com/amberhawk/2014/10/national-security-agencies-should-be-subject-to-data-protection-law.html
- Should national security certificates exclude the Data Protection Principles?: http://amberhawk.typepad.com/amberhawk/2014/02/should-national-security-certificates-exclude-the-data-protection-principles.html
- My evidence to relevant Parliamentary Committees on this subject: http://www.publications.parliament.uk/pa/cm201516/cmpublic/investigatorypowers/Memo/IPB51.htm and http://amberhawk.typepad.com/files/blog_evidence-to-isc.pdf