Edoardo Celeste (Dublin City University)
The data protection community is anxiously waiting for a verdict from the European Data Protection Board on the validity of the draft UK adequacy decisions that the EU Commission published on 19th February 2021. UK national security law, once solidly considered a stronghold of sovereign competence, is now sifted through in order to check its compliance with the EU acquis. The new status of third country acquired by the UK after Brexit makes the uncomfortable exercise of looking into the bag of the EU’s formerly unsuspicious travel mate necessary, even requiring the opening of some pockets that the EU would not have had the right to access during the golden times of their friendship. However, the recent decisions of the CJUE in Commission v. Spain and H. K. v Prokuratuur sound like a warning for the EU along the line of the biblical ‘Why do you look at the speck of sawdust in your brother’s eye and pay no attention to the plank in your own eye?’
Indeed, while we (legitimately) criticise the UK national security framework – certainly not a mere ‘speck of sawdust’ in our neighbour’s eye – the CJUE condemned an EU member state for failing to transpose the Directive on the protection of personal data for the purposes of the prevention and detection of criminal offences (so-called Law Enforcement Directive), and had to reaffirm that national authorities can access individual metadata only to contrast ‘serious’ crimes and upon authorisation of a court or independent administrative body – a principle that has been the Court’s mantra for the past seven years, from the Digital Rights Ireland case to the recent La Quadrature du Net.
The CJUE decision in Commission v. Spain imposed a heavy fine of 15 million Euro after Madrid failed to transpose the GDPR’s twin directive, which was supposed to enter into force in May 2018 and offer a complementary protection to EU personal data in the field of law enforcement. During the Commission’s investigations and the judicial proceedings, Spain defended itself pointing out the extraordinary circumstances that characterised its recent political history, including the Catalan secessionist referendum, the political instability that followed, and the corruption scandal that invested the Partido Popular. What is important to highlight is that the failure to transpose the Law Enforcement Directive does not only represent a potentially serious violation of the right to data protection within Spain, but has also to be appraised from a cross-border perspective. Indeed, the aim of the Directive was to harmonize the level of protection of personal data across member states in order to ensure homogenous guarantees in the context of cross-border cooperation between national law enforcement authorities. Unavoidably, absent one component of the protection chain, the whole EU system of data protection safeguards in this sector is compromised.
K. v Prokuratuur is another decision that shows that EU member states have still to work to enhance their level of protection of personal data in the law enforcement sector. In the case at stake, Estonian legislation allowed law enforcement authorities to access individual metadata without restricting this possibility to the fight against serious crimes. The CJUE reiterated that metadata are susceptible of violating one person’s rights to privacy and data protection not less than communications’ content. Access to these data from law enforcement authorities represents a compression of such rights that can be justified only to contrast serious crimes or serious threats to public security. Furthermore, the Court clarified that the Estonian public prosecutor cannot be considered as an independent judicial or administrative body and thus cannot be vested with the power of authorising the access to communications metadata.
K. v Prokuratuur represents the last episode of the EU data retention saga, which started in 2014 with the invalidation of the Data Retention Directive in the case Digital Rights Ireland. It reiterates the findings that the Court adopted in its recent decisions in Privacy International and La Quadrature du Net, and directly complements the decision in Ministerio Fiscal, where the CJUE held that the access to data merely related to the identity of a user can also be tolerated in the context of the fight against non-serious crimes. H. K. v Prokuratuur exposes a persisting tension between the practices of national law enforcement authorities, the reluctance of national legislators to deprive their police bodies of useful and effective tools to tackle crimes, and the principled approach of the CJUE that has so far pushed towards a more proportionate balancing between national security and data protection. The frequency with which cases in this area are emerging witnesses that the data retention question in Europe is far from settled and that much still needs to be done in order to put national law enforcement practices in line with EU fundamental rights.
Certainly, the persistence of issues related to the application of the EU data protection framework should not let us desist from adopting a strict approach when it comes to assessing the adequacy of the level of protection offered by third countries. Yet, this must remind us to take a humbler and self-critical attitude when looking at our neighbours’ eyes.
Edoardo Celeste is Assistant Professor of Law, Technology and Innovation at the School of Law & Government of Dublin City University. He is one of the founders of the Cross-Border Data Protection Network (www.crossdpn.org).