Edoardo Celeste (Dublin City University)
So many countries, so many customs. Unfortunately, this proverb describes well the increasingly divergent approaches to mass surveillance that are emerging around the globe, and more concerningly within Europe. Only last week, the European Parliament (EP) adopted a resolution on the draft UK adequacy decision condemning the British surveillance system as infringing EU fundamental rights. While, a few days later, the Grand Chamber of the European Court of Human Rights (ECtHR), in the case Big Brother Watch v. UK, confirmed that bulk interception regimes do not per se violate the right to privacy of individuals. This shows well that, at the moment, in London, Brussels and Strasbourg, mass surveillance is regarded in very different ways. Far from a harmonious melody, we can distinguish several disjuncted motifs and multiple variations on the same theme. This post will briefly look at this intricate music sheet contextualising the recent EP resolution and the ECtHR Big Brother Watch decision.
UK mass surveillance and data transfer across the Channel
In February 2021, the EU Commission published two draft adequacy decisions related to the UK, respectively under the GDPR and the Law Enforcement Directive regime. In December 2020, the Trade and Cooperation Agreement negotiated between the EU and the UK had indeed included a bridging clause to allow for sufficient time for the EU to adopt an adequacy determination in relation to the UK. For six months, until June 2021, the UK is not considered as a third country from a data transfer perspective, and thus personal data can continue to freely circulate across the Channel without any restrictions. The adequacy decisions that the EU Commission has proposed will ensure that such free flow of data will continue after the end of this bridging period.
According to the GDPR, the EU Commission has to operate a comprehensive assessment of the data protection framework of the third country at stake when considering the adoption of an adequacy decision. On 21 May 2021, the EP adopted a resolution to express its concern about the validity of the evaluation performed by the Commission in relation to the UK. Following the opinions given by the European Data Protection Board on the Commission’s proposals, the EP stressed that some areas of UK law do not satisfy EU standards as set by the Court of Justice of the European Union (CJEU). The EP had already warned the Commission about the deficiencies of the UK data protection regime. With no surprise, the resolution adopted in May reiterates the EP’s previous findings.
The resolution focuses on four main problematic aspects of the UK data protection framework. Firstly, the EP highlighted that the broad derogation that UK law foresees in relation to the exercise of data subjects’ access rights in the context of immigration control is not in line with EU law. This issue is amplified by the fact that after Brexit all EU citizens will not benefit from a special immigration status to enter the UK. The second and third problematic aspects that the EP stressed in its resolution are related to the UK’s declared willingness to freely dispose of its digital sovereignty. Brexit has formally emancipated UK law from the restrictions imposed by EU law. The EP is concerned by the possibility that the UK will conclude data sharing agreements with third countries, such as the US, that do not offer an adequate level of data protection according to the EU standards. More generally, the EP warned against a potential future relaxation of UK rules regulating data processing, bringing as evidence the recently adopted UK’s national data strategy, which has announced an imminent shift towards a wider use and sharing of data. Lastly, but certainly not least, the EP denounced the persisting misalignment between the UK surveillance regime and EU fundamental rights. This question dates well before the advent of Brexit, but has certainly been exacerbated by the fact that, according to the recent CJEU case-law, the EU Commission’s adequacy assessment can and should encompass legal aspects that are theoretically outside the scope of EU law, such as the national security regime of the third country in question. UK law, and in particular its surveillance regime entailing the bulk collection and storage of data and metadata related to electronic communications, was already considered as violating EU law in the 2016 CJEU case Tele2 and Watson. In 2019, the CJEU reiterated its position in the Privacy International case. The melody played in Luxembourg and echoed by the EP is clear: the UK mass surveillance regime infringes EU fundamental rights. However, only a few hundred kilometers away, the Strasbourg court set a variation on the same theme.
The Big Brother Watch (Grand Chamber) case
On 25 May 2021, the Grand Chamber of the ECtHR published the much expected decision in the case Big Brother Watch and others v. UK. Issued in parallel with the judgment in the case Centrum för rättvisa v. Sweden, which condemned the Swedish bulk signals-intelligence regime, the Big Brother Watch decision confirmed that the UK surveillance regime introduced by the Regulation of Investigatory Powers Act 2000 violated Article 8 of the European Convention on Human Rights, which protects the right to respect for private and family life and communications. At first sight, the ECtHR decision might be regarded as perfectly in line with the position taken by the CJEU and the EP. However, a more careful analysis of the judgment reveals that the Strasbourg court in reality espoused an approach which is closer to that defended by the UK, and de facto by the EU Commission. The Grand Chamber indeed reiterated, in line with the 2018 Chamber judgment, that mass surveillance does not per se violate the rights protected by the Convention. In contrast to the position taken by the CJEU, the ECtHR defended the possibility of introducing state systems of generalised surveillance, subject to the adoption of adequate, ‘end-to-end’ safeguards. According to the Grand Chamber, bulk surveillance is admissible in so far as adequate mechanisms to assess the necessity and proportionality of the measures taken are present at each step of the surveillance process, from its authorisation to its ex post review.
With this decision, the ECtHR promotes an approach that pragmatically appraises the benefits of generalised surveillance systems in the age of terrorism and global crime. An approach that, over the years, has not only been defended by the UK, which, in fairness, has progressively amended its surveillance regime to satisfy most of the deficiencies that the Grand Chamber highlighted in relation to the 2000 Act. But that represents the position of many member states, as the 21 April 2021 decision of the French Conseil d’Etat recently confirmed. This more pragmatic approach, which does not demonise bulk surveillance, but strives to reach a sensible compromise between fight against crime and protection of privacy, now clashes against EU data protection law, as interpreted by the CJEU. The basic motif played in Luxembourg differs from the pragmatic variations written in Strasbourg, Paris or London. On the one hand, the sovereignty regained after Brexit motivates the UK to fiercely defend its surveillance practices and to potentially innovate its data protection approach. On the other hand, national supreme courts have started to intervene to claim the last word on the necessary measures to preserve national security. The risk is looming that from a variation on the same theme the composers will write a different melody.
Dr Edoardo Celeste is Assistant Professor of Law, Technology and Innovation at the School of Law & Government of Dublin City University. He is one of the founders of the Cross-Border Data Protection Network and the editor of Data Protection Beyond Borders: Transatlantic Perspectives on Extraterritoriality and Sovereignty (Hart, 2021).
For a more detailed analysis, see Celeste Edoardo, Cross-Border Data Protection After Brexit (February 12, 2021). Brexit Institute Working Paper Series, No 4/2021, Available at SSRN: https://papers.ssrn.com/sol3/cf_dev/AbsByAuth.cfm?per_id=2360654
The views expressed in this blog reflect the position of the author and not necessarily that of the Brexit Institute Blog.