The Court of Justice of the European Union continues to make things interesting in the data protection world. First came the court’s “Schrems II” decision last July, and this week, the CJEU issued a ruling that could spring a leak and potentially sink adequacy negotiations between the U.K. and EU.
The latest twist came as the CJEU ruled to restrict surveillance activities on phone and internet data by EU member states but specifically to regimes in Belgium, France and the U.K. The decision means governments have limited grounds for mass data retention unless they face a “serious threat to national security.” Additionally, access to phone and internet data, as well as the duration of that access, should be determined based on necessity.
In comments to The Privacy Advisor about this week’s decision, Fieldfisher Partner Phillip Lee, CIPP/E, CIPM, FIP, said, “In the wake of ‘Schrems II,’ a criticism commonly leveled at the EU was that it was being hypocritical — that, when it came to surveillance for national security purposes, the EU was holding the U.S. (under Privacy Shield) to higher standards than those of its member states. This ruling might serve to quell some of that criticism.”
The U.K. is chief among those affected by the court’s ruling as the clock winds down on its Brexit transition period, which is set to expire with or without an adequacy decision from the EU Dec. 31. Doubts about an adequacy agreement already loomed, but the latest CJEU ruling further clouds a potential deal.
“If interlocutors in the EU considering the U.K.’s adequacy decision conclude that the powers applied by the U.K. government exceed those permitted under this judgment, then there could be a question as to whether essentially equivalent protection can be provided to EU data subjects where their data is transferred to the U.K.,” Promontory Senior Principal John Bowman, CIPP/E, CIPM, FIP, said.
In particular, the U.K. Investigatory Powers Act now stands as a potential roadblock for negotiations. Adequacy focuses on foreign governments avoiding interference with EU fundamental rights. Following the CJEU decision, the Investigatory Powers Act and its provisions for bulk data collection firmly impede EU citizens’ guaranteed rights to privacy and data protection.
“Although the Investigatory Powers Act contains safeguards, such as prior independent approval, on the use of such powers these CJEU judgments appear to set limits on their permissible scope, which may not necessarily be overcome just by adding safeguards,” Bird & Bird Counsel Graham Smith said. “Nevertheless, an adequacy determination does not require that a non-EU country’s legal regime for the protection of personal data be the same as that of the EU. The test is whether it provides essentially equivalent protection.”
The key to adequacy talks going forward will be…
2023 brings US state privacy law preparedness into focus
Chatter regarding comprehensive U.S. state privacy law picked up steam once again as the c…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
