EU Approves of UK’s Data Protection Standards, Despite RIPA Human Rights Violations

Following the end of the Brexit transition period there was a six-month grace period (until the end of June 2021) allowing personal data to continue to flow freely between the EU and the UK. In June, the European Commission announced that the member states of the European Union had agreed that the United Kingdom’s standards for the protection of personal data are high enough such that the information can continue to be transferred between the EU and the UK.

The EC has previously adopted similar adequacy decisions for other countries, including Argentina, Canada, Israel, Japan, New Zealand, and Switzerland. However, the UK decision is unique in that there is no end-date, with the state of the UK’s personal data protection standards being subject to continuing review. Although many affected by the decision will have given a sign of relief there is the potential for uncertainty going forwards as illustrated by the fact that June also saw the European Court of Human Rights (ECtHR) find that the UK’s old surveillance regime violated Articles 8 and 10 of the European Convention on Human Rights (ECHR), in the case of Big Brother Watch and others v United Kingdom.

In September 2018, a Chamber of the ECtHR found that the bulk interception of communications under section 8(4) of the Regulation of Investigatory Powers Act 2000 (RIPA) did not comply with Articles 8 and 10 of the ECHR, these being the right to respect for privacy and family life, and the right to freedom of expression, respectively. The case was then referred to the Grand Chamber of the ECtHR.

As might be assumed from the name, bulk interception of communications involves state intelligence services collecting very large amounts of communications data as part of a broad approach to seeking out potential criminal or terrorist plots. The Grand Chamber found that there were four stages to the bulk interception process, with the interference with individuals’ Article 8 rights increasing at each stage:

• Interception and initial retention of communications and traffic data.
• Application of specific “selectors” to the retained data.
• Examination of the selected data by analysts.
• Subsequent retention and use of the data, including sharing with third parties.

Further, the Grand Chamber also found that a state operating a bulk interception regime must have domestic law setting out, with sufficient clarity, the grounds on which bulk interception must be used and the circumstances in which an individual’s communications might be intercepted. This legislation should set out what the Grand Chamber referred to as “end-to-end safeguards”, meaning:

• An assessment should be made at each stage of the process as to the necessity and proportionality of the measures being taken.
• From the outset of an operation, bulk interception should be subject to authorisation from an independent body.
• Following an operation involving bulk interception, the operation should be subject to supervision and an independent ex post facto review.

The Grand Chamber made clear that these fundamental safeguards would be essential for any bulk interception regime seeking compliance with Article 8.

In considering whether RIPA’s bulk interception regime was compliant with Articles 8 and 10 of the ECHR, the Grand Chamber accepted that bulk interception was an important element of modern nation security. However, while the RIPA regime did have safeguards, these were not “end-to-end” and did not provide sufficient protection against the potential for abuse of bulk interception. The Grand Chamber identified three particular deficiencies with the RIPA regime:

• The lack of independent authorisation.
• The failure to include the categories of selectors in applications for bulk interception warrants.
• In relation to selectors linked to individuals, the failure to subject these selectors to prior internal authorisation.

Because of these shortcomings, section 8(4) of RIPA fell short of Article 8’s requirement for lawfulness, such that the interference with individuals’ Article 8 rights went beyond what was necessary in a democratic society. As such, the Grand Chamber found that Article 8 had been violated.

While section 8(4) of RIPA has already been replaced, following the introduction of the Investigatory Powers Act 2016 (IPA), there are concerns that the IPA replicates many aspects of the old surveillance regime that the Grand Chamber found to be non-compliant. As such, the UK will need to ensure that the appropriate “end-to-end” safeguards are put in place for the current surveillance regime to comply with the ECHR. Of course, the EU’s member states have already approved of the UK’s data protection standards, with the Commission adopting the UK-EU adequacy decisions. But given that the ECtHR’s decision is a rather damning indictment of data privacy in the UK, it remains to be seen whether the EU may take a more cynical view of the UK’s standards when it comes to reviewing the adequacy decision.