CJEU ruling on Privacy International case; could it frustrate UK’s GDPR Adequacy Decision?

Data transfers to the UK could be affected by a recent ruling on state surveillance measures and the EDPB’s recently updated European Essential Guarantees following Schrems II

09 December 2020

Recent case law from the Court of Justice of the EU relating to the processing of communications data by the UK security services for investigatory purposes, when considered alongside guidance from the European Data Protection Board, may decrease the likelihood that the UK will be granted an adequacy decision from the EU. This will affect organisations that transfer data between the UK and the EU, and will mean that they will have to ensure that a legal safeguard exists in respect of such transfers for those organisations to remain compliant with GDPR and the UK data protection regime following Brexit.

What is the Privacy International case?

Privacy International, a non-governmental human rights organisation, brought a claim before the Investigatory Powers Tribunal (‘IPT’) that collection of communications data by the UK security intelligence agencies’ (GCHQ, MI5 and MI6) is unlawful. These data collection practices relate to powers granted under section 94 of the Telecommunications Act 1984 and the Investigatory Powers Act 2016.

The security agencies have previously acknowledged that they’ve exercised powers under UK legislation to instruct telecoms operators to disclose copies of large communications datasets. This data may include the 'who, when, where and how' of both telephone and internet use (meaning that it is possible for the agencies to know when one person contacts another, their locations when making that communication and the communication medium). It does not include the content of the communications, which may only be obtained under a specific interception warrant.

According to evidence put before the IPT, such communication data is collected and retained by the agencies to discover unknown threats (e.g. responding to the threat of terrorist incidents). Non-targeted techniques are then used to interrogate the data. The term “trawling” has been used to describe the methods of combing through large datasets to identify possible risks. It’s purported that these practices have helped the security agencies to prevent threats to UK national security.

Privacy International argued before the IPT that the agencies’ communication data regimes are unlawful, both under domestic UK law and also EU law by reference to the European Convention on Human Rights (‘ECHR’).

On 17 October 2016, the IPT concluded that the agencies’ bulk communications data regimes were lawful at domestic law. However, this ruling was made subject to reservation of two issues relating to the ECHR and the adjournment of the issue as to whether the agencies’ communication data regimes are within the scope of EU law.

In a further judgment of 8 September 2017, the IPT provided a provisional view that the matter was outside the scope of EU law. This was on the basis that it concerned national security. The IPT referred the matter to Court of Justice of the European Union (‘CJEU’).

What was the CJEU’s ruling?

On 6 October 2020, the CJEU issued its judgment on the referred matter from the Privacy International case. The CJEU’s decision was that the UK security agencies’ collection of communications data was subject to EU law and that general and indiscriminate collection of such data was unlawful.

Guidance in the judgment (and also in the joined cases C-511, 512, 520/18 La Quadrature du Net & ors issued by the CJEU on the same day) set out:

  1. At EU law, it is generally unlawful for Member State legislation to allow for providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security
  2. There is potentially an exception to this rule where a Member State is facing a serious threat to national security that proves to be genuine and present or foreseeable
  3. Applicable EU law does not prevent national legislative measures that allow targeted retention, limited in time to what is strictly necessary, of traffic and location data, which is limited, on the basis of objective and non-discriminatory factors, according to the categories of persons concerned or using a geographical criterion

How could this impact data transfers to the UK?

As part of the wider political negotiations between the UK and the EU regarding Brexit, the UK government is currently awaiting a decision by the European Commission on its application for an adequacy decision under GDPR.

Under GDPR international transfers of personal data outside the EEA are restricted unless adequate safeguards are put in place regarding that transfer. One of the permitted safeguards under GDPR is where a recipient third country has received an ‘adequacy decision’ from the European Commission. This decision certifies that the relevant country provides a level of protection of personal data substantively similar to that of the GDPR.

The UK government has asserted that the UK upholds a high standard of data protection in compliance with GDPR, due primarily to the fact that GDPR is currently established law in the UK. However, concerns have been raised by the European Data Protection Supervisor, an EU data protection regulatory body, in respect to the UK government’s potential repeal of the Human Rights Act 1998 and the need for the EU to monitor future regulatory developments in the UK.

Furthermore, the European Data Protection Board’s updates to its recommendations on European Essential Guarantees (published on 10 November) following the Schrems II judgment, could present additional challenges to the UK’s case for adequacy. The regulator’s introduction to its recommendations includes the potentially pertinent observation:

The [Schrems II] judgment can thus serve as an example where surveillance measures in a third country (in this case the U.S. with Section 702 FISA and Executive Order 12 333) are neither sufficiently limited nor object of an effective redress available to data subjects to enforce their rights, as required under EU law in order to consider the level of protection in a third country to be “essentially equivalent” to that guaranteed within the European Union within the meaning of Article 45 (1) of the GDPR

With various references to jurisprudence from the Privacy International case forming part of the regulator’s analysis, the EDPB concludes that in order for limitations on data protection and privacy rights in EU law to be justifiable, the following legal requirements are necessary (the ‘EEGs’):

  1. Processing should be based on clear, precise and accessible rules
  2. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
  3. An independent oversight mechanism should exist
  4. Effective remedies need to be available to the individual

Several of these requirements were highlighted in the Privacy International case as being absent in respect to the UK security intelligence agencies’ powers under the Telecommunications Act 1984, and subsequently the Investigatory Powers Act 2016, to collect communications data.

When assessing the UK’s adequacy decision application, pursuant to Article 45 GDPR, the European Commission will have to evaluate whether the EEGs are satisfied as part its wider considerations as to whether UK’s legislation as a whole offers a level of protection essentially equivalent to that guaranteed within the EU.

In light of the CJEU’s decision in the Privacy International case and the updated EEGs, there is a disparity between current UK domestic legislation and EU law in respect to security agencies’ use of communications data. We would expect this will be taken into account by the European Commission in its assessment of the UK’s adequacy decision. These judicial and regulatory developments potentially weaken an argument that the UK should benefit from its status as a previous EU Member State and its current compliance with GDPR during the Brexit transition period. This increases the risk that the UK may not obtain an adequacy decision prior to the end of the Brexit transition period.

Next steps

Even without an adequacy decision from the EU, it will still be possible to transfer personal data between the UK and EEA. However, such data transfers will create an additional regulatory compliance burden for data exporters. Regulators, including the UK’s Information Commissioner, are urging businesses to make preparations to ensure continued flows of personal data following the end of the Brexit transition period. We recommend that such preparations include mapping out data flows and considering putting in place alternative adequate safeguards. These could include contractual arrangements that incorporate standard contractual clauses (or commonly referred to as the SCCs or Model Clauses).

Burges Salmon is on hand to assist with your Brexit planning to prevent disruptions to the free flow of data or to help with data protection compliance more generally. Please do get in touch with Andrew Dunlop, David Varney or your usual Burges Salmon contact if it would be helpful to discuss.

This article was drafted by David Varney and Ian Bond.

Key contact

Andrew Dunlop

Andrew Dunlop Partner

  • Head of Outsourcing
  • Head of Technology
  • Head of Data Protection

Subscribe to news and insight

Burges Salmon careers

We work hard to make sure Burges Salmon is a great place to work.
Find out more