Ashfords commercial associate Christopher Coughlan maps out the thorny terrain for the United Kingdom's Digital Economy Bill in light of the recent CJEU judgement on the Data Protection and Investigatory Powers Act 2014.
Following the recent CJEU judgment in relation to the United Kingdom's Data Protection and Investigatory Powers Act 2014 ("DRIPA"), the Digital Economy Bill is likely to face opposition if it achieves Royal Assent and gives government bodies the right to access and share individuals’ private information. Mass indiscriminate surveillance will be challenged.
On 21 December 2016, the Court of Justice of the European Union ("CJEU") gave its judgment in the Tom Watson MP case (which had been merged with the Tele2 case). The issue before the CJEU was a request by both the Administrative Appeal Court of Stockholm and the Court of Appeal, for a preliminary ruling concerning the interpretation of Article 15(1) of the ePrivacy Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector.
The CJEU ruled that Article 15(1) precludes national legislation:
- Which, for the purpose of fighting crime, provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication; and
- Governing the protection and security of traffic and location data and, in particular, access of the competent national authorities to the retained data, where the objective pursued by that access, in the context of fighting crime, is not restricted solely to fighting serious crime, where access is not subject to prior review by a court or an independent administrative authority.
The CJEU, in a similar vein to the Schrems judgment, objected to mass indiscriminate surveillance.
The Digital Economy Bill
Having sailed through the legislative procedure so far, with only the Lib Dems voicing any real objections, will the Digital Economy Bill be affected by the DRIPA judgment?
The supposed aim of the Digital Economy Bill is to make the UK "a place where technology ceaselessly transforms the economy, society and government". However there is concern about Part 3 (Online Pornography) and Part 5 (Digital Government).
Part 3 requires any website containing pornographic material to require age verification so that anyone under the age of 18 cannot access the content. Whilst preventing minor's accessing unsuitable content on the internet is important this Part 3 has the inadvertent effect of profiling users of pornographic sites. It also creates databases that will contain sensitive personal data as the individual’s sexual orientation will be ascertainable from this data. Many privacy commentators view this as a return to pre internet censorship and a restriction on freedom of speech and facilitates state surveillance.
In addition to this, Part 5 of the Bill is controversial as it could significantly increase the amount of personal data that is shared between government and public authorities. Although the Bill does contain safeguards for protecting individuals' identities and mandates compliance with the Data Protection Act 1998 in numerous places, there have been concerns that the safeguards are not strong enough.
In particular, there are concerns about the new rights contained in paragraph 39 for civil registration officials to bulk share civil registration data as long as the authority or civil registration official receiving the information 'requires the information to enable the recipient to exercise one or more of the recipient's functions'. This purpose is very broad and the data protection safeguards under this section will be contained in a code of practice that has not yet been produced, rather than the actual Bill itself.
A number of experts have criticised the Bill for having vague information-sharing provisions and not being transparent enough on safeguards. These experts believe that the Bill is changing the relationship between the citizen and the state by 'putting government ministers in control of citizens’ personal data', and it means that 'personal data provided to one part of government can be shared with other parts of government and private-sector companies without citizens’ knowledge or consent'.
It is argued that, with the impending General Data Protection Regulation ("GDPR") and the increased public awareness of data protection issues, the government should be strengthening, not weakening, the protection of personal information. The approach under the Bill does not appear to align with the DRIPA judgments requirement "that national legislation must…lay down clear and precise rules governing the scope and application of such a data protection measure and imposing minimum safeguards, so that the persons whose data has been retained have sufficient guarantees of the effective protection of their personal data".
Although the Bill is arguably less overtly and publically controversial than DRIPA it enables authorities to access personal data in a way that is not subject to the limitations and safeguards contained in the CJEU judgment. In particular, it is not restricted to cases of serious crime and there is no requirement to gain prior approval or inform the data subject about which data is being accessed and for what purpose.
There is obviously a clear purpose to protecting children under Part 3 however there are many that object to mass indiscriminate surveillance that could arise as a consequence of the Bill and as a result we are likely to see it challenged.