On 21 December 2016 the Court of Justice of the European Union (CJEU) gave its opinion on the Watson/Tele 2 case (C‑203/15 and C‑698/15). It held that the general and indiscriminate retention of electronic communications by government bodies is contrary to EU law and an interference with Articles 7 and 8 (the right to privacy and data protection) of the Charter of Fundamental Rights of the European Union (the Charter). The ruling responds to the challenge brought by David Davis, before he became the Brexit Secretary, and Tom Watson, Labour’s deputy leader, and has a direct effect on the newly-passed Investigatory Powers Act 2016 (IPA).
The CJEU’s ruling and the IPA’s provisions clash on a number of levels, which have complicated the legal landscape even further in the current Brexit environment. The main points from the decision are:
1. Data retention can only be used for the purpose of fighting serious crime to justify the “far-reaching” and “particularly serious” interference with the right to privacy (see para 100 of the judgment)
The Court considered the data which providers must retain to be too revealing and capable of identifying an individual (para 98). Taken as a whole, this data allows a detailed profile of the person in question to be built, and is no less revealing than content (para 99). What is more, knowing that one might be under such surveillance has the potential to influence online behaviour generally, thus also adversely affecting freedom of expression under Article 11 of the Charter (para 101). Therefore, only the objective of fighting serious crime can justify such a measure (para 102).
The IPA currently provides for retention of all users’ data even though few will actually have been suspected, directly or indirectly, of serious crime. Moreover, agencies other than the security and intelligence services are allowed to access this data, which makes it difficult to show that it will be used exclusively for such purposes.
2. National legislation should lay down clear and precise rules governing the scope and application of such a data retention measure and provide for minimum safeguards (para 109)
Following point 1, there must be an established connection between the data to be retained and the objective pursued, and the data must link the person with serious crime (para 111). As such, data retention must be limited to what is strictly necessary (para 110). In the case of the IPA, this part of the judgment poses questions about the utility of the so-called Internet Connection Records, as they will show every website up to the first “slash” which a subscriber has accessed over the period of 12 months.
3. Access to retained data must be subject to a supervisory authority (para 125)
The CJEU highlights the involvement of a judge or another supervisory authority, which is needed when a balance between two freedoms – the individual right to privacy and the collective right to security – has to be struck. However, given the nature of such decisions in the national security sphere, it also highlights the tension often seen between the judiciary and the executive. This is even more sensitive in the UK, especially after the decision of the High Court that Parliament must vote on triggering Article 50, after which some media outlets accused the judges involved of being enemies of the people.
The IPA formally includes a supervisory authority, with judges assessing warrants on judicial principles rather than on the substance of the decision, together with the newly-created Investigatory Powers Commissioner. A problem in this process, however, is that their assistance is not required when the case is urgent, and when anything less sensitive than content, according to the IPA, is accessed.
4. People whose data has been accessed to be notified (para 121)
This is to ensure that they can secure a legal remedy. Notification must be given as soon as it will not jeopardise the investigation at hand. Such notification does not currently exist under the IPA.
5. Providers must ensure retained data is effectively protected (para 122)
The 7th data protection principle, security of data, is emphasised in this case, given the quantity and sensitivity of data, and the possible appeal this might have to hackers.
Since the retention of some metadata, such as Internet Connection Records, is not currently part of the normal working of electronic communication providers, the burden that this requirement of the IPA imposes was discussed extensively before it passed into law. The physical retention itself will require a vast amount of resources, on top of proper security measures, both online and offline. It remains to be seen what the effect on businesses will be in light of new responsibilities, especially considering their status as data controllers and other duties emanating from the General Data Protection Regulation.
6. Data must be retained within the EU and irreversibly destroyed when no longer needed (para 122)
The CJEU has insisted on upholding the protection of data and on ensuring that it is not transferred to countries which cannot provide the same standards, which is yet another effect of Edward Snowden’s revelations and the Schrems decision. The IPA does not require retained data to remain in the EU and, since the UK is part of the “Five Eyes”, it might be expected to be shared with the USA’s security services as well. This is in stark contrast with the ruling and is difficult for privacy contenders and organisations to overlook.
The Luxembourg court has recently upheld a number of the seven data protection principles: personal data shall be obtained only for one or more specified, lawful purposes, and shall not be further processed in any manner incompatible with those purposes; it should not be excessive; not retained longer than needed; properly secured and protected; and not transferred outside the European Economic Area. It follows the spirit of Digital Rights Ireland, Schrems, and the opinion of the Advocate General on the referral by the Court of Appeal in the summer of 2016.
Despite looming Brexit negotiations, the UK remains a fully-functioning member of the EU. As such, the implications of Watson/Tele 2 should be considered to avoid breach of EU law. While some revisions might be enough for certain parts of the IPA, provisions on data retention might have to be entirely re-written if they were to comply fully, considering the differences pointed out above. This will cause difficulties at a time when immediate effort is more needed in negotiations with the EU on other topics. On the other hand, the UK could argue that since it will soon leave the EU and thus be outside the CJEU’s jurisdiction, this judgment does not make much difference in the long run. Should this stance be taken, it remains to be seen how the IPA will be evaluated by the EU in future data flow arrangements with the UK.
Regardless of any modifications the IPA goes through as a result of this decision, if any, UK businesses should stay informed about the new duties with regard to data and privacy protection that the General Data Protection Regulation is going to impose on them in 2018. A first step in their action plan should be to review their Privacy Policies, and to pay special attention to provisions which allow for data transfer elsewhere than within the EEA by reviewing their Privacy Shield commitments. Additionally, firms should start gearing up towards establishing the necessary systems to retain metadata as legislated for in the IPA.
Researched and written by Sofia Parunova, Legal Assistant
The information presented is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. Internet subscribers and online readers should not act upon this information without seeking professional counsel.