CJEU RULES BULK DATA RETENTION SCHEMES UNLAWFUL: IMPACT ON BREXIT AND SCHREMS II

  • A recent CJEU judgment has found bulk data retention laws in the UK, France and Belgium to be incompatible with EU law.
  • The judgment could have a negative impact on the UK’s efforts to obtain an adequacy decision from the EU Commission before the end of the year to enable the free flow of personal data between the EU and the UK post-Brexit.
  • In light of the recent Schrems II judgment which criticised US authority access to data, even if the UK obtains its adequacy decision, a change to its surveillance laws must surely be required in order to avoid a Schrems-style challenge in the future.

Background

The Court of Justice of the European Union (“CJEU”) recently issued a judgment in favour of various rights advocacy organisations, including Privacy International and La Quadrature du Net in relation to a number of cases that the organisations had brought against bulk data retention schemes run by British, French and Belgian security and intelligence agencies.

In these cases, the rights advocacy organisations raised objections to the intrusiveness of bulk data retention schemes, seeking to rein in the extensive powers exercised by security and intelligence agencies to either:

  1. retain users’ traffic and location data (“Metadata”) received from providers of electronic communication services; or
  2. require providers of electronic communication services to retain Metadata on their behalf,

for the purposes of conducting mass surveillance in the interests of protecting national security.

Finding in favour of the rights advocacy organisations, the CJEU made it clear in its judgment that:

  • national legislation requiring providers of electronic communications services to retain Metadata or to forward that data to security and intelligence agencies falls within the scope of EU law, including when this is done for the purposes of protecting national security;
  • Member States are prohibited from adopting legislation, for national security purposes or otherwise, intended to restrict the scope of rights and obligations provided for in EU law, specifically the obligation to ensure confidentiality of communications and traffic data, unless the legislation is in accordance with the general principles of EU law;
  • the general principles of EU law, in particular the principle of proportionality and the fundamental rights guaranteed by the Charter, apply to bulk data collection and preclude Metadata transmission or retention in a “general and indiscriminate manner”, restricting it to what is “strictly necessary” (i.e. requiring Member States to authorise retention or transmission on a case by case basis rather than giving blanket authorisations); and
  • Member States may only authorise indiscriminate and bulk retention of data where they are faced with a serious threat to national security that proves to be genuine and present or foreseeable, subject to review by a court or independent body.

It is important to note that this judgment runs counter to certain elements of the UK’s Investigatory Powers Act as well as the French Decree on specialised intelligence services from 2015, and the Belgian Law on collection and retention of communication data from 2016, all of which may require reform in order to comply with various aspects of the CJEU ruling.

Impact on Brexit

One of the UK Government’s many objectives ahead of 1 January 2021 (i.e. the end of the transition period following the UK’s departure from the EU) is to obtain an adequacy decision from the European Commission to allow the free flow of data between the UK and EU to continue – any failure to achieve adequacy will lead to logistical challenges and increased costs for organisations engaged in EU-UK data transfers. However, the UK Government will only be granted this adequacy decision if it is able to demonstrate that its domestic laws will provide “essentially equivalent” protection to EU data subjects as they are afforded under EU law when their data is transferred to the UK.

This latest judgment potentially represents a major setback for the UK in relation to obtaining an adequacy decision given the CJEU’s finding that UK security and intelligence agencies’ broad powers to intercept and retain digital communications under the UK’s Investigatory Powers Act, together with the UK’s practices regarding access to and bulk retention of data in general, are essentially incompatible with EU law. The UK Government will need to factor the task of reaching a deal in relation to accessing and retaining Metadata for national security purposes into its Brexit timetable.

Impact on Schrems II

The CJEU’s judgment in the Privacy International case follows its Schrems II judgment, which was handed down earlier this year and invalidated the EU-US Privacy Shield, a transatlantic data sharing agreement which allowed organisations to transfer personal data between the EU and the US. Part of the reason for the invalidation of this mechanism was that US national security laws were too intrusive and that EU individuals did not have sufficient access to legal redress in the US. In light of this, even if the UK obtains an adequacy decision from the European Commission, a change to UK surveillance laws will surely be needed to avoid a Schrems-style challenge in the future.

Schrems II also placed significant emphasis on the due diligence which exporting controllers and supervisory authorities are expected to undertake in relation to the legal environment of third countries to which personal data is to be transferred in reliance on Standard Contractual Clauses, although there has been scant guidance to supplement this aspect of the judgment to date.  By clarifying what it deems to amount to acceptable access and retention of Metadata by security and intelligence agencies in member states, the CJEU’s latest judgment does at least provide an indication of the standard that it expects the national security and surveillance laws of third countries to meet for the purposes of this due diligence.

Duc Tran
Senior Associate, Digital TMT, Sourcing and Data, London
Julia Ostendorf
Trainee Solicitor, London

German Regulator Publishes Schrems II ‘Checklist’

The Baden-Württemberg data protection authority (“LfDI”) has issued guidance to controllers and processors following the Schrems II judgment.  The guidance includes helpful, practical steps which entities can take with respect to their current and future international transfers. Whilst aimed primarily at organisations subject to the jurisdiction of the LfDI, the guidance may be helpful for organisations throughout Europe who are grappling with the impact of the Schrems II decision.

In summary, exporting entities which are supervised by the LfDI are expected to:

  1. review the instances in which they export personal data to third countries;
  2. contact their contractual partners or service providers to inform them of the consequences of the Schrems II case;
  3. check whether there is an adequacy decision for the relevant third country;
  4. research and consider the legal environment in the relevant third country;
  5. check if the SCCs which were approved by the European Commission can be used; and
  6. if so, verify that SCCs are in place and that there are additional transfer guarantees to supplement the SCCs.

In our view it is step 4 above that is likely to cause the most difficulties, and this is an area where further guidance is required. An obligation on exporters to undertake due diligence on the complete legal environment in a third country (some of which may not be completely transparent) goes beyond what most organisations undertake at the moment, and it is not clear how this will be achieved going forwards.

Amendments to the Standard Contractual Clauses

The LfDI also suggests that exporting controllers amend or supplement the controller-processor Standard Contractual Clauses in the following ways:

  1. Clause 4(f): The LfDI recommends that exporting entities inform affected persons that their data is being transferred to a third country which does not have an adequate level of protection not only when transmitting special categories of data, but when transferring any personal data in these circumstances. This notification should occur before or as soon as possible after the transfer;
  2. Clause 5(d)(i): The data importer should inform not only the data exporter, but also the data subject(s) of all legally binding requests from an enforcement authority to pass on the relevant personal data. If such contact is otherwise prohibited by law, the data importer should contact the supervisory authority and clarify the procedure as soon as possible;
  3. Clause 5(d): Data exporters should contractually oblige the data importer to refrain from disclosing personal data to third country authorities until the competent court orders or requires them to disclose personal data; and
  4. Clause 7(1): Exporting and importing entities should only include Clause 7(1)(b) (which allows the data importer to refer any dispute to the courts of the Member State in which the data exporter is established in the event that a data subject asserts rights as a third party beneficiary and/or claims for damages against the data importer based on the contractual clauses) and not include Clause 7(1)(a) which allows a data importer to refer the dispute to an “independent person”.

Although it is clear that ‘amendments’ to the Standard Contractual Clauses are not permitted, it has long been recognised that the clauses may be ‘supplemented’ with additional provisions provided that the effect of those provisions is not to amend the substantive content of the clauses themselves. As such, the suggested ‘amendments’ above (with the possible exception of the rejection of clause 7(1)(a) of the Standard Contractual Clauses) should be lawfully possible. However, on first inspection, it appears that there may be logistical challenges with some of the suggestions. For example, is it practical or even desirable for the data processor/data importer to have an obligation to notify data subjects of an access request received by a third country law enforcement agency? The processor is unlikely to have a direct relationship with the data subjects and may not even be able to contact them depending on the data being processed. There also remains the fundamental issue that nothing in a contract between exporter and importer is going to prevent law enforcement access.

That being said, whilst regulators across Europe published some initial thoughts and guidance immediately following the Schrems II judgment, this is the first piece of practical guidance that we’ve seen published by a supervisory authority. It will now be interesting to see whether other supervisory authorities and/or the EDPB follow a similar approach in their Schrems II guidance.

Miriam Everett
Partner, Head of Data Protection and Privacy, London
Lauren Hudson
Associate, Digital TMT, Sourcing and Data, London

Schrems II: Reaction from European Regulators and Technology Companies Suggests an Uncomfortable Road Ahead for Transatlantic Data Transfers

To recap, last week, the European Court of Justice (“ECJ”) ruled that the Privacy Shield is invalid and placed significant emphasis on the due diligence which exporting controllers, recipients and supervisory authorities are expected to undertake in relation to transfers of personal data to third countries which are governed by the Standard Contractual Clauses (“SCCs”).  As foreshadowed in our initial reaction to the Schrems II judgment, and now that we’ve had the benefit of the full judgment and initial commentary from some of the European regulators, the EDPB, and some of the big tech companies, the immediate future of transatlantic data transfers appears to be uncertain and commentary is divided on what is and isn’t possible in light of this new judgment.