Today we are joined by our Guest Blogger and Data Protection Expert, Owen Sayers.
Where are we now in terms of UK Data Protection?
It is now a little over 2 ½ years since Europe and the UK moved to the General Data Protection Regime (GDPR) and the UK’s specific legislation for its own local interpretations, the UK Data Protection Act 2018 (DPA 18). Collectively, these replaced the previous legislation we had worked under for the previous 20 years, the Data Protection Act 1998 (DPA 98) and were confidently presented by many commentators at the time as both unifying and consolidating different Data Protection (DP) regimes under one simplified model.
Anyone who has been looking at GDPR since it came into force in May 2018, and in particular over the last 8-12 months might have had good cause to query that confidence, because of late the EU and Global DP landscape has been anything but simple.
To understand where we are right now, and what challenges we will need to face in the near and medium term, we first need to wind back a little – to before the GDPR even came into full effect in fact and discuss a name that has become well known recently – Max Schrems.
Max Schrems
Mr Schrems is often painted as a privacy activist, and it’s certainly the case that he has been at the forefront of much of the challenge and changes made to Data Protection law over the past 10 years or so; but back then he was simply a law student who spent an overseas semester studying at Santa Clara University, California and who attended a lecture given by Facebooks lead privacy lawyer (Ed Palmieri).
He was reportedly so surprised at the lack of understanding displayed by Mr Palmieri of EU data protection law that he started to examine Facebook, examined the data they already held on him (which ran to over 1200 pages, that he later published on the Internet), and wrote his term paper on the problems inherent in their model of business with respect to EU legislation.
Many people would have left the matter there, but Mr Schrems is made of more tenacious stuff and using his knowledge of the law, he raised concerns with the Irish Data Protection Commissioner (DPC) in 2011, being the responsible authority for Facebook Ireland (their EU business arm) and escalating them to formal complaints in 2013 when the DPC prevaricated over taking action.
This escalation coincided with the Edward Snowden disclosures around US Government mass surveillance programmes, but again the DPC rejected the complaint and after a long cycle of escalations to Irish High Court and EU courts, the complaint finally found its way to the Court of Justice of the EU (CJEU), who ruled that Mr Schrems’ complaint that the Safe Harbor scheme set up by the European Commission (EC) and US government to enable export of personal data to the US, and which Facebook relied upon, was in fact invalid under EU law.
This landmark case is now called ‘Schrems I’, because with some minor modifications he did the same exercise all over again a few years later to challenge the replacement for Safe Harbor that was hastily put together by the EC and US Government in 2015, called ‘Privacy Shield’.
Schrems II and Privacy Shield
This new case (Schrems II) was heard in June 2020 and this time the CJEU both set aside the new scheme (Privacy Shield) and gave clear indications in their reasoning that a replacement for such a scheme was very unlikely to be acceptable to the court whilst US domestic law continued to allow surveillance and capture of personal data of EU citizens, as it does today.
These laws are in fact nothing new; they have existed in some form going back to President Carter in the late 1970’s, and it was Carter who presided over the introduction of the Foreign Intelligence Surveillance Act (FISA) in 1978; but it was under Ronald Reagan’s tenure, and in the first year of his long presidency in fact, that the US really began to directly monitor communications and collect data on a large scale.
Reagan signed into effect a Presidential order (called an Executive Order or ‘EO’) that set the ball rolling for US Government mass surveillance and the expansion of activities by several US Intelligence agencies, in an innocuous sounding document called EO 12333.
EO 12333 has been modified and expanded a couple of times since, mainly in 2004 and 2008 by President Bush, and FISA itself has been modified a number of times since the 9/11 terrorist attacks in 2001, principally through the introduction of the “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism” Act – which we commonly call the PATRIOT Act.
The Importance of History
Understanding this long 50 year plus history of US surveillance legislation and practice is really important when considering to what extent we might be able to negotiate a position of flexibility under the CJEU’s ruling relating to Privacy Shield (the answer being not very much flexibility at all), and when we seek to understand the other big finding of the CJEU in the same Schrems II judgement, which is arguably much more important than the decision to do away with Privacy Shield.
Tomorrow we continue our guest blog with Owen Sayers, where we will cover the complexity of Data Protection Law and continue the story of Max Schrems.
