Tag Archives: CJEU

Even if post-Brexit UK adopts the GDPR, it will be left without its “heart”

Gabriela Zanfir Fortuna


There has lately been a wave of optimism among those looking for legal certainty that the GDPR will be adopted by the UK even after the country leaves the European Union. This wave was prompted by a declaration of the British Secretary of State, Karen Bradley, at the end of October, when she stated before a Committee of the Parliament that “We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public”. The information commissioner of the UK, Elizabeth Denham, welcomed the news. On the other hand, as Amberhawk explained in detail, this will not mean that the UK will automatically be considered as ensuring an adequate level of protection.

The truth is that as long as the UK is still a Member of the EU, it can’t opt in or opt out, for that matter, from regulations (other than the ones subject to the exemptions negotiated by the UK when it entered the Union – but this is not the case for the GDPR). They are “binding in their entirety” and “directly applicable”, according to Article 288 of the Treaty on the Functioning of the EU. So, yes, quite normally, if the UK is still a Member State of the EU on 25 May 2018, then the GDPR will start applying in the UK just as it will be applying in Estonia or France.

The fate of the GDPR after Brexit becomes effective will be as uncertain as the fate of all other EU legislative acts transposed in the UK or directly applicable in the UK. But let’s imagine the GDPR will remain national law after Brexit, in one form or another. If this happens, it is likely that it will take on a life of its own, departing from harmonised application throughout the EU. First and foremost, the GDPR in the UK will not be applied in the light of the Charter of Fundamental Rights of the EU and especially its Article 8 – the right to the protection of personal data. The Charter played an extraordinary role in the strengthening of data protection in the EU after it became binding, in 2009, being invoked by the Court of Justice of the EU in its landmark judgments – Google v Spain, Digital Rights Ireland and Schrems.

The Court held as far back as 2003 that “the provisions of Directive 95/46, in so far as they govern the processing of personal data liable to infringe fundamental freedoms, in particular the right to privacy, must necessarily be interpreted in the light of fundamental rights” (Österreichischer Rundfunk, para 68). This principle was repeated in most of the following cases interpreting Directive 95/46 and other relevant secondary law for this field, perhaps with the most notable results in Digital Rights Ireland and Schrems. 

See, for instance:

“As far as concerns the rules relating to the security and protection of data retained by providers of publicly available electronic communications services or of public communications networks, it must be held that Directive 2006/24 does not provide for sufficient safeguards, as required by Article 8 of the Charter, to ensure effective protection of the data retained against the risk of abuse and against any unlawful access and use of that data” (Digital Rights Ireland, para. 66).

“As regards the level of protection of fundamental rights and freedoms that is guaranteed within the European Union, EU legislation involving interference with the fundamental rights guaranteed by Articles 7 and 8 of the Charter must, according to the Court’s settled case-law, lay down clear and precise rules governing the scope and application of a measure and imposing minimum safeguards, so that the persons whose personal data is concerned have sufficient guarantees enabling their data to be effectively protected against the risk of abuse and against any unlawful access and use of that data. The need for such safeguards is all the greater where personal data is subjected to automatic processing and where there is a significant risk of unlawful access to that data” (Schrems, para. 91).

Applying data protection law outside the spectrum of fundamental rights will most likely not ensure sufficient protection to the person. While the UK will still remain under the legal effect of the European Convention on Human Rights and its Article 8 – respect for private life – this is far from equivalent to the specific protection ensured to personal data by Article 8 of the Charter as interpreted and applied by the CJEU.

Not only will the Charter not be binding for the UK post-Brexit, but the Court of Justice of the EU will no longer have jurisdiction on the UK territory (unless some sort of spectacular agreement is negotiated for Brexit). Moreover, EU law will not enjoy supremacy over national law, as is the case right now. This means that the British data protection law will be able to depart from the European standard (GDPR) to the extent desired by the legislature. For instance, there will be nothing standing in the way of the British legislature adopting permissive exemptions to the rights of the data subject, pursuant to Article 23 GDPR.

So when I mentioned in the title that the GDPR in the post-Brexit UK will in any case be left without its “heart”, I was referring to its application and interpretation in the light of the Charter of Fundamental Rights of the EU.

***


Section 5. The awkward two level necessity test that convinced the AG PNR schemes are acceptable

(Section 5 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

After he establishes that the Court should carry out “a strict review of compliance with the requirements resulting from the principle of proportionality, and more particularly, from the adequacy of the level of protection of the fundamental rights guaranteed in the Union when Canada processes and uses the PNR data pursuant to the agreement envisaged” (§200), the AG further assesses if the interference is “strictly necessary”.

He considers the “strict necessity” test as a component of the proportionality test, together with “the ability of the interference to achieve the ‘public security’ objective pursued by the Agreement”.

With regard to the latter criterion, the AG does not believe “there are any real obstacles to recognising that the interference constituted by the agreement envisaged is capable of attaining the objective of public security, in particular the objective of combating terrorism and serious transnational crime” (§205). “As the United Kingdom Government and the Commission, in particular, have claimed, the transfer of PNR data for analysis and retention provides the Canadian authorities with additional opportunities to identify passengers, hitherto not known and not suspected, who might have connections with other persons and/or passengers involved in a terrorist network or participating in serious transnational criminal activities” (§205).

In addition, the AG finds the statistics provided by the Commission and the UK relevant to find that “the data constitutes a valuable tool for criminal investigations” (§205). He reaches this conclusion in spite of the fact that at §151, when summarizing the contributions of the parties before the Court, the AG recalls that “The Commission accepts that there are no precise statistics indicating the contribution which PNR data makes to the prevention and detection of crime and terrorism, and to the investigation and prosecution of offences of those types.”

With regard to the strict necessity of the interference, the AG establishes that its assessment “entails ascertaining whether the contracting parties have struck a ‘fair balance’ between the objective of combating terrorism and serious transnational crime and the objective of protecting personal data and respecting the private life of the persons concerned” (§207), by making a reference to §77 of the Schecke judgment. That paragraph in Schecke seems to me to establish a different principle – namely that, when balancing two opposing rights, one of which is the right to the protection of personal data, it must be taken into account that “derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary”[1].

Notwithstanding, the AG follows by stating that “the terms of the agreement envisaged must also consist of the measures least harmful to the rights recognised by Articles 7 and 8 of the Charter, while making an effective contribution to the public security objective pursued by the agreement envisaged” (§208). He explains:

“That means that it is not sufficient to imagine, in the abstract, the existence of alternative measures that would be less intrusive in the fundamental rights at issue. Those alternative measures must also be sufficiently effective, that is to say, their effectiveness must, in my view, be comparable with those provided for in the agreement envisaged, in order to attain the public security objective pursued by that agreement” (§208).

In quite a big leap, AG Mengozzi relies for this twofold test for necessity on a paragraph in the Schwarz judgment, §53, which states that “the Court has not been made aware of any measures which would be both sufficiently effective in helping to achieve the aim of protecting against the fraudulent use of passports and less of a threat to the rights recognised by Articles 7 and 8 of the Charter than the measures deriving from the method based on the use of fingerprints.”

This twofold test is not used in any of the most recent landmark judgments of the Court – DRI, which relies greatly on the analysis of the condition of “necessity”, and Schrems. However, looking at strict necessity through this lens of proportionality and equivalent effectiveness persuaded the AG to conclude that PNR schemes, even if they constitute the kind of interference he accurately described in §176, are acceptable.

Comparing the wealth of PNR data to data collected usually for border control purposes by immigration authorities, including Advance Passenger Information and information collected by Canadian authorities for their eVA program, the AG concluded that “data of that type (API, eVA – my note) does not reveal information about the booking methods, payment methods used and travel habits, the cross-checking of which can be useful for the purposes of combating terrorism and other serious transnational criminal activities. Independently of the methods used to process that data, the API and the data required for the issue of an eVA are therefore not sufficient to attain with comparable effectiveness the public security objective pursued by the agreement envisaged” (§214).

The AG further justifies that PNR data of all passengers are transferred to the Canadian authorities, “even though there is no indication that their conduct may have a connection with terrorism or serious transnational crime” (§215) by arguing that “as the interested parties have explained, the actual interest of PNR schemes, whether they are adopted unilaterally or form the subject matter of an international agreement, is specifically to guarantee the bulk transfer of data that will allow the competent authorities to identify, with the assistance of automated processing and scenario tools or predetermined assessment criteria, individuals not known to the law enforcement services who may nonetheless present an ‘interest’ or a risk to public security and who are therefore liable to be subjected subsequently to more thorough individual checks” (§216).

He finds at §244, referring to the fact that the Agreement involves transfers of data of all passengers between the Union and Canada, irrespective of whether they are suspects or not, that “no other measure which, while limiting the number of persons whose PNR data is automatically processed by the Canadian competent authority, would be capable of attaining with comparable effectiveness the public security aim pursued by the contracting parties has been brought to the Court’s attention in the context of the present proceedings”.

The AG therefore concluded that “generally, the scope ratione personae of the agreement envisaged cannot be limited further without harming the very object of the PNR regimes” (§245).

Another characteristic of PNR schemes that is generally considered questionable – the lack of an ex ante control of access to PNR data – is found justifiable by the AG in the light of the “fair balance” test for strict necessity: “the appropriate balance that must be struck between the effective pursuit of the fight against terrorism and serious transnational crime and respect for a high level of protection of the personal data of the passengers concerned does not necessarily require that a prior control of access to the PNR data must be envisaged” (§269).

Therefore, the idea of PNR schemes seems to be compatible with the fundamental rights to data protection and respect for private life, in the view of AG Mengozzi. However, the list of conditions he develops for the Agreement in the current case to be fully compliant with EU primary law is quite long and quite strict and it bears bad news for other similar arrangements.

 

……………………………………………

[1] §77 of Schecke states this: “It is thus necessary to determine whether the Council of the European Union and the Commission balanced the European Union’s interest in guaranteeing the transparency of its acts and ensuring the best use of public funds against the interference with the right of the beneficiaries concerned to respect for their private life in general and to the protection of their personal data in particular. The Court has held in this respect that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary (Satakunnan Markkinapörssi and Satamedia, paragraph 56).”