Category Archives: Comment

ILPC launches new report: ‘Protecting Sources and Whistleblowers in a Digital Age’

The emergence of an everyday digital culture and the increasing use of legal instruments by state actors to collect and access communications data has led to growing concern about the protection of journalistic sources and whistleblowers.

With the support of Guardian News and Media, the Information Law and Policy Centre has published a new report to consider these developments entitled ‘Protecting Sources and Whistleblowers in a Digital Age’. The report is open access and available for download.

Authored by Dr Judith Townend and Dr Richard Danbury, the report analyses how technological advances expose journalists and their sources to interference by state actors, corporate entities or individuals.

The report also looks at how journalists can reduce threats to whistleblowing; examines the rights and responsibilities of journalists, whistleblowers and lawmakers; and makes a number of positive recommendations for policymakers, journalists, NGOs and researchers.

The report’s findings are based on discussions with 25 investigative journalists, representatives from relevant NGOs and media organisations, media lawyers and specialist researchers in September 2016.

Protecting Sources and Whistleblowers in a Digital Age was officially launched on 22 February 2017 at the House of Lords.

Alongside the report, the Information Law and Policy Centre has also published a range of open access resources on journalistic sources and whistleblowing which are available here.

Open letter in the Daily Telegraph: Concerns with ‘information sharing’ provisions in the Digital Economy Bill

Associate research fellow at the Information Law and Policy Centre and lecturer in media and information law at the University of Sussex, Dr Judith Townend, is among the signatories of this letter published on the letters page of the Telegraph on 25/11/2016 [subscription required].

SIR – We wish to highlight concerns with “information sharing” provisions in the Digital Economy Bill.

The Bill puts government ministers in control of citizens’ personal data, a significant change in the relationship between citizen and state. It means that personal data provided to one part of government can be shared with other parts of government and private‑sector companies without citizens’ knowledge or consent.

Government should be strengthening, not weakening, the protection of sensitive information, particularly given the almost daily reports of hacks and leaks of personal data. Legal and technical safeguards need to be embedded within the Bill to ensure citizens’ trust. There must be clear guidance for officials, and mechanisms by which they and the organisations with whom they share information can be held to account.

The Government’s intention is to improve the wellbeing of citizens, and to prevent fraud. This makes it especially important that sensitive personal details, such as income or disability, cannot be misappropriated or misused – finding their way into the hands of payday-loan companies, for example. Information sharing could exacerbate the difficulties faced by the most vulnerable in society.

The Government should be an exemplar in ensuring the security and protection of citizens’ personal data. If the necessary technical and legal safeguards cannot be embedded in the current Bill and codes of practice, we respectfully urge the Government to remove its personal data sharing proposals in their entirety.

Dr Jerry Fishenden
Co-Chairman, Cabinet Office Privacy and Consumer Advisory Group (PCAG)

Renate Samson
Chief Executive, Big Brother Watch

Ian Taylor
Director, Association of British Drivers

Jo Glanville
Director, English PEN

Jodie Ginsberg
Chief Executive Officer, Index on Censorship

Dr Edgar Whitley
Co-Chairman, Cabinet Office PCAG and London School of Economics and Political Science

David Evans
Director of Policy, BCS – The Chartered Institute for IT

Dr Gus Hosein
Executive Director, Privacy International and Member of Cabinet Office PCAG

Rachel Coldicutt
Chief Executive Officer, Doteveryone

Roger Darlington
Chairman, Consumer Forum for Communications

Dr Kieron O’Hara
Associate Professor Electronics and Computer Science, University of Southampton.

Professor Angela Sasse
Head of Information Security Research, University College London and Member of Cabinet Office PCAG

Dr Judith Townend
Lecturer in Media and Information Law, University of Sussex

Dr Louise Bennett
Chairman, BCS Security Group and Member of Cabinet Office PCAG

StJohn Deakins
Chief Executive Officer, CitizenMe

Rory Broomfield
Director, The Freedom Association

Sarah Gold
Director and Founder, Projects by IF

Jim Killock
Director, Open Rights Group

Guy Herbert
General Secretary, NO2ID and Member of Cabinet Office PCAG

Dr George Danezis
Professor of Security and Privacy Engineering, University College London and Member of Cabinet Office PCAG

Jamie Grace
Senior Lecturer in Law, Sheffield Hallam University

Eric King
Visiting Professor, Queen Mary University

Josie Appleton
Director, Manifesto Club

Jen Persson
Co-ordinator, Defend Digital Me

Dr Chris Pounder
Director, Amberhawk and Member of Cabinet Office PCAG

Sam Smith
medConfidential and Member of Cabinet Office PCAG

Briefing: How Brexit might affect EU audio-visual media services policy-making

This brief by Professor Alison Harcourt, University of Exeter, discusses the current issues affecting UK stakeholders in the cross-border audio-visual services sector.

It is written in light of the replies to the public consultation on Directive 2010/13/EU on Audio-visual Media Services (AVMSD), the Commission’s Regulatory Fitness (REFIT) exercise, the public consultation on the EU Satellite and Cable Directive, national consultations and a possible exit of the UK from the EU. The paper also draws on anonymised responses to an online survey run by the author.

The paper’s findings are considered in the context of current market trends: the increase in high definition channels, decrease in television watching (e.g. DTT, cable, satellite, IPTV) particularly amongst the younger populations, the move towards on-line and on-demand services and changes in content investment.

If the UK were to withdraw from the EU, companies would still be able to broadcast to Europe from the UK under an EEA or possible bi-lateral agreement. However, the UK would no longer have a vote on Single Market decision-making within the Council of Ministers and no representation in the European Parliament. It would cease to have formal representation in soft governance fora such as BEREC and ERGA. Future changes to EU communications policy could affect UK interests and UK-based stakeholders might change their preferences accordingly.

Many in the industry have expressed concerns over Brexit. A survey conducted by Pact found that 85 per cent of its members were in favour of the UK remaining in the EU. Enders reports that the advertising market, which is a growth area for the UK, will suffer as “a post-Brexit recession will cause a hyper-cyclical decline in the advertising revenues of broadcasters and publishers”.

This article will look at current European Commission proposals that affect cross-border broadcasting to understand why stakeholders are so concerned about Brexit and tease out different scenarios. The section focuses on European Commission proposals to revise the Audio-visual Media Services and SatCab Directives (AVMSD). The AVMSD proposal is expected in the summer of 2016.

Most UK concerns over Directive revisions relate to a possible change in the definition of the country of origin (COO) principle. The European Commission concluded that there should be no changes to AVMSD for measures on accessibility, the listing of events or the right of reply. However, it stated that there was no consensus on commercial communications, protection of minors and changes to European works quotas.

From its consultation, the EC found that there is no appetite for changing the country of origin principle within AVMSD. However, it does not rule out a change to the definition of the principle as occurred in 1997. The 2015 AVMSD consultation queried whether there should be a derogation to the country of origin principle in the areas of 1) incitement to hatred 2) ‘where editorial decisions on an audio-visual media service are taken’ 3) where broadcasters try to circumvent stricter rules in specific Member States and 4) protection of minors.

The DCMS response to the European Commission AVMSD consultation stated that “the country of origin principle (COO) is a fundamental and critical precondition for the generation of a Digital Single Market in content; it is the core of the directive and must not be lost or eroded”. ITV states “we are therefore not convinced that an extension or adaptation of country of origin principle, for example to online VOD, would result in the creation of an internal market for audio-visual content”.

A 2016 COBA report states that “under current proposals for changing the principle, many VoD services would almost certainly cease to be viable”. The lack of appetite for a change in AVMSD may lead to a change to the principle in other Directives. Indeed, the European Commission queried a possible change in the country of origin principle within the SatCab Directive. On the SatCab Directive, Sky responded that “Sky is concerned that the SatCab Directive review, which did not originally form part of the DSM strategy, was included in the strategy at the very last minute, with no prior impact assessment”.

AVMSD is expected to be revised within the next two years, before the UK would officially leave the EU if Brexit occurs, and might possibly be decided during the UK Presidency of the Council of the EU. However, if Directive revision is delayed, and the UK were to leave the EU and not contribute to AVMSD final revisions, there could be a change to the Directive which might not be favourable to UK interests. Or the Directive could be updated again after the UK leaves. This could potentially make the UK less attractive as a base for companies’ operation.

Regarding derogation to the COO based on hate speech, this could be interpreted in many ways by Member States, particularly in Central and Eastern Europe, which have historically had stricter interpretations of hate speech than the UK. Regarding a change to the definition of COO in relation to editorial control, this could affect operators like MTG which takes editorial decisions on programming in Stockholm. For example, if the COO was redefined based upon editorial decision-making, licensing for MTG would be changed to Italy and Germany respectively and Sweden.

Regarding derogation to the COO based on the protection of minors, this could affect UK operators that provide children’s channels to Nordic states. The Nordic states have long lobbied for an opt-out for jurisdiction over children’s programming on the grounds of the protection of minors. There are many UK operators that provide children’s programming, from the BBC to Disney and Discovery, whose channels might no longer be licensed in the UK. Another effect could be a loosening of advertising restrictions for channels broadcasting to the UK. The UK has concerns about looser advertising restrictions, particularly in regard to protecting minors against the advertising of foods high in fat, salt and sugar (HFSS) and watersheds for linear content (or parental controls for non-linear services).

On other advertising issues, UK stakeholders are divided. Some want looser advertising restrictions on advertising techniques and electronic programme guides (EPGs) e.g. the UK has prioritised public service broadcasters and people with disabilities. Others want tighter restrictions. There is also mixed response to whether there should be access obligations for all delivery platforms.

The European Commission also queried whether it should apply a “dominance test” for content providers and distributors. Although this proposal has been framed in the context of media pluralism, ultimately, this could potentially move competition decisions on media markets to the European level. What this could eventually mean is that the subsidiarity opt-out, long supported by the UK, which permits Member States to apply lowered thresholds and public-interest tests in national competition decisions on media mergers and acquisitions could be lost. A potential change to competition law has potential implications for BBC provision of public service broadcasting under state aid rules.

Lastly, there is mixed UK stakeholder response to the extension of AVMSD rules to on-demand content provision. The Commission has proposed that AVMSD should be extended to online content (e.g. audio-visual user-generated content or audio-visual content within social media), including non-audio-visual content (e.g. still images). For example, YouTube or Facebook increasingly provide streaming services and existing providers view them as direct competitors.

What is clear is that the European Commission is most likely going to propose that on-line services based in non-EU states are blocked and must establish an EU base e.g. from services such as Google Play, Microsoft Store, Youtube and Vimeo registered in the United States and other channels broadcasting into Europe (e.g. from Russia and the Middle East). The feasibility of these proposals must be considered in the context of on-going TTIP negotiations and (more widely) general bilateral relations between non-EU and EU Member States.

About the author

Professor Alison Harcourt (University of Exeter) specialises in regulatory change in communications markets. Currently, among other roles, Alison is an ESRC Senior Fellow on the ESRC UK in a Changing Europe programme with the project “The impact of a proposed UK Brexit from the EU: the UK communications industries”.

This post originally appeared on the Oxford University Politics Blog and it is re-published here with permission and thanks.


Comment: The not-so-secret life of ‘Generation Tagged’

In this post, Marion Oswald, Helen James & Emma Nottingham from the Centre for Information Rights, University of Winchester consider the issues for children’s privacy, in light of the recent case of PJS v News Group Newspapers, being considered in the Supreme Court this week. 

The damage has already been done, said the Court of Appeal in the recent ‘celebrity threesome’ decision (PJS). Those who want to know probably already know, so the injunction preventing the identification of the individuals must be set aside. The internet and social networking ‘have a life of their own’ and the Court has its hands up in defeat when faced with publications by foreign media combined with the information retrieval power of digital technology. The individual can still claim damages for breach of confidence or misuse of private information, the Court added, but this is cold comfort to those who wish to take pre-emptive steps to protect their privacy. The case demonstrates that when personal information is ‘out there’, there can be no guarantee that any privacy in such information will endure.

And that information could be about a child. This is a pressing issue for ‘Generation Z’ (a term used to categorise young people who have grown up with technology and the Internet, and who regard use of social media websites as an integral part of their private and social lives). In our research, we are concerned with the youngest members of Generation Z. These young children are often very adept at using technology, but have little awareness of the impact of social media. They will appear on social media because of the actions of others, such as parents posting photographs on a Facebook or Instagram page, or even opening a Twitter account for their baby.

Where young children feature in fly-on-the-wall reality documentaries on broadcast media, however, they can become the target of comment on social media outside of their immediate friends and family. This content is discoverable long after the original broadcast by means of the inevitable hashtag. We might call them ‘Generation Tagged.’


Recently, reality programmes have begun to feature ever younger children, often under the mantle of behavioural advice or social experimentation. Examples include ‘Boys and Girls Alone’, ‘Three Day Nanny’, ‘My Violent Child’, ‘Born Naughty?’, ‘Child Genius’ and ‘The Secret Life of 5 Year Olds’. Such programmes are now less ephemeral than in the past. They are available for long after original broadcast on the Internet via on-demand services or repeated on various spin-off channels. The associated social media interaction makes that broadcast part of the online record.

How is it that we have sleepwalked to a position where this type of privacy-intrusive programming has been accepted as the norm? Many of the dramas exposed in the programme ‘The Secret Life of 5 Year Olds’ for instance, are intensely personal: expressions of love; kisses; grief. The comments made by the professionals about the children’s characters and how their behaviour should change would, in a medical or educational context, be subject to degrees of confidentiality. The publication of a hashtag invites negative comment (as our analysis of Twitter messages demonstrated). Such comment could adversely affect the privacy and dignity of the child, particularly so if other information released about the children and their families creates a risk of jigsaw identification. Harm might occur if, for instance, a future employer sees that as a child, a job applicant was regarded as autistic or a bully.

We wonder how child welfare considerations which apply in ‘real-world’ care, education and medical environments can be so easily overcome in the world of broadcast programming. Our freedom of information requests to the educational and health bodies linked to ‘The Secret Life of 5 Year Olds’ revealed that no ethics committees or similar had considered the involvement of the staff in the programme, because the work had been done outside normal working time and/or the data associated with the programme had not been accessed by the institution for research purposes. Channel 4 relied on the so-called journalistic designation – which excludes information about journalism and creative output from the Freedom of Information Act – to refuse to confirm the details of how compliance with welfare considerations under the Ofcom broadcasting code had been achieved.

The children featured in these programmes become mini-minor celebrities in their own right but they become so due to the actions of others. Despite the unstoppable nature of social media, they should not suffer the same fate as the not-so-mysterious PJS. It cannot be acceptable that such children may be left only with the options of claiming damages after the event, or of attempting to exercise their ‘right-to-be-forgotten’ in later life. We should as a society step back and consider whether we want private childhood moments to become eternal public entertainment and the subject of public social media comment. If not, then we need a more effective way of ensuring that the ‘best interests of the child’ is hard-wired into the ethical and legal process before the privacy intrusion occurs. We call for the creation of an ‘amicus brief’ for young children in the position of those in ‘The Secret Life of 5 Year Olds’. This independent expert would be required to consent to the involvement of the child in the programme (in addition to the consent of the parents being obtained) and tasked with considering not only the immediate risks but those that could arise in the future.

With thanks to the authors for sharing this piece on our blog. Please note that posts reflect the views of individual authors.

Further resources

  • The Centre for Information Rights at the University of Winchester will be hosting the Third Winchester Conference on Trust, Risk, Information and the Law on 27th April 2016 – details here.
  • Oswald, Marion and James, Helen and Nottingham, Emma, ‘The Not-so-Secret Life of Five Year Olds’: Legal and Ethical Issues Relating to Disclosure of Information and the Depiction of Children on Broadcast and Social Media (April 3, 2016). Available at SSRN: http://ssrn.com/abstract=2758503

CJEU AG suggests that free Wi-Fi providers may not be ordered to password protect their networks

Christina Angelopoulos is a post-doc researcher at the Information Law and Policy Centre of the University of London. She wrote her PhD on intermediary liability in copyright at the Institute for Information Law (IViR) of the University of Amsterdam. In the following piece, she analyses the Opinion of the Advocate General Szpunar recently handed down in Mc Fadden. The post was originally published on the Kluwer Copyright Blog.

On 16 March 2016 the CJEU’s Advocate General Szpunar handed down his Opinion in case C-484/14, Mc Fadden. The case concerns the liability of Tobias Mc Fadden, the owner of a business selling lighting and sound systems in Munich. Mr Mc Fadden operates a Wi-Fi hotspot on the business’ premises, deliberately left unprotected by a password, so as to enable free public access to the internet. In September 2010, that internet connection was used for the unlawful download of a musical work by one of the network’s anonymous users. The owner of the relevant copyright, Sony Music, decided to bring an action against Mc Fadden, seeking both damages and an injunction. [To continue reading the rest of the post on the Kluwer Copyright Blog, click here.]

Needles on top of haystacks and reporting the courts in a digital age

An update on developments in digital court reporting by the Information Law and Policy Centre’s Judith Townend

How should courts be reported in the digital age? It’s a question that’s been preoccupying me for a number of years. My understanding of the technology, law and potential reforms is constantly challenged as I encounter new examples and people with varying experiences in different areas of legal work. For example, Penelope Gibbs of Transform Justice has drawn my attention to important work on the rights of children involved in judicial processes.

This week I’ve been looking at the ruling in BBC & Eight Other Media Organisations, R (on the application of) v F & D [2016] EWCA Crim 12 (11 February 2016), published following the conviction and sentencing of two 15 year old defendants for the murder of Angela Wrightson in December 2014.

In an unusual order issued by the Court of Appeal, the media was prohibited, until the verdicts in the criminal trial or further order, from placing reports on Facebook profile pages, and was instructed to disable the comment facilities on any report of the criminal trial. This was to prevent the media giving prominence to public comments on their Facebook pages – which the trial judge Globe J described as placing ‘a lot of needles’ on top of a haystack – and risk prejudicing proceedings.

In a piece for the Justice Gap (re-published on the Transparency Project) discussing the case I argue that our contemporary systems for judicial information control are lacking and muddled with serious consequences for freedom of expression, which affects both the public and media right to impart information, and the right to receive information.

I made a similar point in a paper co-authored with Dr Henry Irving for History and Policy, looking at the Incedal terrorism-related trials in 2014 and 15.

We need more guidance and clarity on how open courts should look, given the reality of digital and hybrid media of the 21st century. This will help us design fairer and more practical systems that give appropriate weight to and recognition of important rights: not only freedom of expression and open justice, but also those relating to the welfare of children, private and family life and the rehabilitation of offenders.


MTE v Hungary: New ECtHR Judgment on Intermediary Liability and Freedom of Expression

Christina Angelopoulos is a post-doc researcher at the Information Law and Policy Centre of the University of London. She wrote her PhD on intermediary liability in copyright at the Institute for Information Law (IViR) of the University of Amsterdam. In the following piece, she analyses the recent judgment of the ECtHR in MTE v Hungary. The post was originally published on the Kluwer Copyright Blog.

On 2 February 2016, the European Court of Human Rights (ECtHR) delivered its first post-Delfi judgment on the liability of online service providers for the unlawful speech of others. Somewhat puzzlingly, the Court reached the opposite conclusion from that of last summer’s controversial Grand Chamber ruling, this time finding that a violation of Article 10 of the European Convention on Human Rights (ECHR) had occurred through the imposition of liability on the applicant providers. While in principle therefore the judgment is good news for both internet intermediaries and their end-users, the ruling does little to dispel the legal uncertainty that plagues the area: attempting to reverse and head off in the right direction, the Court still finds itself falling over the stumbling blocks it set out for itself last year. [To continue reading the rest of the post on the Kluwer Copyright Blog, click here.]

Steve Goodrich: FOI is under attack when it should be strengthened

In this guest post, Transparency International UK’s Steve Goodrich considers UK citizens’ right to access information, arguing that public money should be put towards examining how the Freedom of Information regime can be improved, not weakened.

The right to access information held by the state, public officers and providers of state services is an essential part of a functioning democracy. It provides citizen-led checks and balances on concentrations of power, without which corruption would be allowed to thrive; allows citizens to make informed judgements about the efficacy of governments and elected representatives; and helps hold institutions and officials to account for their actions. It is, therefore, perplexing why the UK Government – with its welcome and newfound interest in tackling corruption – appears intent on watering down the Freedom of Information Act.

In July this year, Lord Hodges announced that the UK Government was establishing an ‘independent Commission’ to review whether the Act provided ‘safe space’ for Ministers and civil servants to develop and discuss policy. This might sound very well and reasonable – why shouldn’t a law be reviewed after it’s been in operation for a decade – however, the announcement missed out some important pieces of detail.

Firstly, there has already been post-legislative scrutiny of the Act. The Justice Select Committee did a thorough job back in 2012, which involved taking 140 pieces of written evidence and oral evidence from 37 witnesses during 7 evidence sessions. After talking to a range of individuals and organisations, the Committee concluded that there are sufficient protections for deliberation within public bodies. The Information Commissioner and Information Tribunal are both mindful of the need to ensure this ‘safe space’ exists – which is already provided for in the Act – and Cabinet minutes are not routinely outed. Considering this, it’s slightly baffling why the government wants this looking at again, and so soon after the last review.

Secondly, one of the reasons cited for re-examining the Act is the Supreme Court’s recent decision in the case of the Prince Charles ‘spider memos’. After the Upper Tribunal had ordered the government to disclose these documents the Attorney General, Dominic Grieve, tried to issue the Ministerial veto – something intended for rare and limited circumstances. However, on appeal the Supreme Court ruled that the veto could not apply because it was never intended to be an executive override for a judgment of the judiciary. As the Supreme Court’s judgment notes, it is a long-standing principle of the rule of law that the executive should only be allowed to do this in very specific circumstances where the power to do so is clear and explicit. This is not the case within the FOI Act.

Essentially, the review seems to be partly inspired by sour grapes. The government lost in a disagreement with the courts and its solution is to make the case for re-writing the law so it can ignore them in the future when it suits them. The public interest is noticeably absent from its motivations.

Thirdly, the composition and conduct of the Commission has raised some eyebrows. Members include Jack Straw, who has publicly criticised the Act, and Michael Howard whose expenses for gardening services were revealed through FOI. There are no major advocates of the Act on the panel.

The Commission has also adopted some opaque practices during the initial stages of its inquiry, including providing anonymous briefings to members of the press and considering anonymising evidence. Until civil society expressed concerns about the Commission in September, it wasn’t even planning to take external evidence and had the suspiciously ambitious deadline of November 2015 to report to government. Since then, it has opened itself up to submissions and its deadline for reporting appears to have disappeared. However, the damage has already been done – Transparency International UK has no confidence in the impartiality and independence of the Commission.

The saddest thing about this whole episode is that it’s been a missed opportunity. If public money is going to be spent on reviewing the Act it should be put towards examining how it can be improved, not weakened. For example, there are growing transparency gaps in our public institutions, with the private sector providing an increasing amount of goods and services. Although there are some circumstances where these companies can be subject to information requests, these are limited. This is why the Act should be extended to the private sector where they are providing public services.

Recently, Labour has announced that it intends to set-up its own Commission on FOI that will look at the Act as a whole, including how it can be strengthened. This is a welcome development. However, as with the government’s Commission, its members and their actions must gain the confidence of civil society and government if its findings are ever to be realised.

Steve Goodrich is Transparency International UK’s (TI-UK) Senior Research Officer. He is responsible for leading on TI-UK’s research into lobbying open data and state accountability. He spoke at ‘Freedom of Information: Extending Transparency to the Private Sector’ on 28 September 2015, an event co-organised by the Bingham Centre for the Rule of Law and the IALS Information Law and Policy Centre.

  • For other resources on FOI and the private sector please follow this link
  • Our blog posts give the view of the author, and do not represent the position of the Information Law and Policy Centre or the Institute of Advanced Legal Studies.

Eduardo Ustaran: Life after Safe Harbor – an action plan

In this piece that originally appeared in the Internet Newsletter for Lawyers, Eduardo Ustaran, partner at Hogan Lovells, considers the implications of the CJEU’s recent decision in the Schrems case and sets out an action plan for companies previously reliant on Safe Harbor for EU to US transfers.

On 6 October 2015, the Court of Justice of the European Union (CJEU) declared the EU–US Safe Harbor framework invalid as a mechanism to legitimise transfers of personal data from the EU to the US. This decision effectively leaves any organisation that relied on Safe Harbor exposed to claims that such data transfers are unlawful and could have serious implications for transfers of personal data both within multinationals and to global service providers.

Background

Safe Harbor was jointly devised by the European Commission and the US Department of Commerce as a framework that would allow US-based organisations to overcome the restrictions on transfers of personal data from the EU. However, since its adoption, Safe Harbor was fraught with challenges. Although the data protection requirements set out in the Safe Harbor Privacy Principles were meant to match the standards of protection of European law, its self-certification nature and the non-European style of its provisions have attracted much criticism over the years. In particular, the revelations triggered by Edward Snowden in 2013 about the US intelligence surveillance operations led the European Parliament to adopt a resolution seeking its immediate suspension. The European Commission had no choice but to reopen the dialogue with the US government to find a way of strengthening the framework and restoring its credibility.

The Schrems case

One particular individual, Austrian law student Max Schrems, decided not to wait for the outcome of the re-negotiation of Safe Harbor. He lodged a complaint with the Irish Data Protection Commissioner requesting the termination of any transfers of personal data by Facebook Ireland to the USA. However, the Irish Commissioner rejected the complaint on the basis that the adequacy of Safe Harbor had already been determined by the European Commission and therefore, it was not open to the Irish Commissioner to challenge the European Commission’s “adequacy finding”. This was not accepted by Schrems who sought judicial review of the Commissioner’s decision by the High Court of Ireland, which then referred the case to the CJEU.

In its ruling, the CJEU confirms that a national data protection authority is always empowered to challenge the adequacy of data transfers. More importantly, the ruling goes beyond this specific question by declaring that Safe Harbor does not in fact provide an adequate level of data protection, because it is unable to prevent large-scale access by the US intelligence authorities to data transferred from Europe.

The practical effect of Schrems

The decision invalidating Safe Harbor has the following immediate consequences:

  • Transfers of personal data from the EU to the US currently covered by Safe Harbor will be unlawful unless they are suitably authorised by data protection authorities or fit within one of the legal exemptions.
  • Multinationals relying on Safe Harbor as an intra-group compliance tool to legitimise data transfers from EU subsidiaries to their US parent company or other US-based entities within their corporate group will need to implement an alternative mechanism.
  • US-based service providers certified under Safe Harbor to receive data from European customers will need to provide alternative guarantees for those customers to engage their services lawfully.

It is also critical to appreciate that the CJEU did not rule on whether the Safe Harbor principles were sufficiently close to the European data protection standards. The CJEU ruled that Safe Harbor is no longer a valid mechanism to legitimise data transfers because it does nothing to address the potentially excessive interference of US law with the fundamental rights to privacy and data protection that exist under EU law. Therefore, any alternative mechanisms being relied on will need to address this specific point by ensuring that they refer to this potential conflict in a data protection compliant way.

Consent

Data transfers can lawfully be made with the consent of the individual. However, consent must be freely given and, while it is possible to make consent a condition for the provision of a non-essential service, consent is unlikely to be valid if the individual has no real choice. This is particularly the case in the context of employment where, if an existing employee is required to agree to the international transfer of personal data, any consent given is unlikely to be valid if the penalty for not agreeing is dismissal.

Consent must also be specific and informed. This means that the individual must know and understand what such consent will amount to. Individuals should be informed of the reasons for the transfer and, if possible, the countries involved. In addition, any identified risks involved in the transfer should be brought to the individual’s attention. As a result, in practice it will be very difficult to make a valid argument that consent provides a lawful basis to legitimise international data transfers.

The EU authorities’ position

The EU Article 29 Working Party issued a statement following the CJEU decision emphasising that affected businesses should start to put in place legal and technical solutions in a timely manner to meet EU data protection standards. The statement gave a January 2016 deadline for companies to come into compliance with the ruling, at which point EU data protection authorities would be “committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”

Therefore, the EU data protection authorities have made it clear that they expect companies to ensure an adequate level of protection for European data at all times. In the meantime, the Working Party will continue to analyse the available transfer tools, such as the Standard Contractual Clauses and Binding Corporate Rules, but these transfer mechanisms can be subject to investigation by data protection authorities to protect individuals in “particular cases,” for instance on the basis of complaints.

Action plan

Before the January 2016 enforcement deadline, companies that previously relied on Safe Harbor for their EU to US transfers should follow this process:

  • Carry out a data transfers assessment to identify which data transfers from the EU to the US had been legitimised by Safe Harbor.
  • Prioritise key transfers for the business by reference to the nature of the data and its use.
  • For intra-group transfers, identify all of the entities involved and assess the most suitable alternative to Safe Harbor. In the short term, this is likely to involve an interim contractual solution whilst more permanent mechanisms – such as BCR – are considered.
  • For transfers to service providers, review any existing contracts for references to Safe Harbor and determine whether the relevant vendor is offering a suitable contractual option or is able to rely on a Processor BCR.
  • US-based service providers should consider the most appropriate legal mechanism to enable customers to continue to use their services lawfully.
  • Finally, whatever the mechanisms used, ensure that they include suitable measures to deal with requests for disclosure of personal data by law enforcement authorities.

Eduardo Ustaran is a partner in the Privacy and Information Management practice of Hogan Lovells and an internationally recognised expert in privacy and data protection law. Email eduardo.ustaran@hoganlovells.com. Twitter @EUstaran. This piece originally appeared on the Internet Newsletter for Lawyers and is shared with the author and publisher’s permission.

Lorna Woods: Safe Harbour – Key Aspects of the ECJ Ruling

On Tuesday (6 October) the Court of Justice of the European Union (ECJ) declared that the Safe Harbour agreement that allows the movement of digital data between the EU and the US was invalid. The case was brought by Max Schrems, an Austrian student and privacy campaigner who, in the wake of the Snowden revelations of mass surveillance, challenged the way in which technology companies such as Facebook transferred data to the US. In this guest post, which originally appeared on the LSE Media Policy Project blog, Professor Lorna Woods of the University of Essex explains some key aspects of the judgment.

This case arises from a challenge to the transfer of personal data from the EU (via Ireland) to the United States, which relied on Commission Decision 2000/520 stating that the Safe Harbour system in place in the United States was ‘adequate’ as permitted by Article 25 Data Protection Directive. While the national case challenged this assessment, the view of the Irish data protection authority (DPA) was that it had no freedom to make any other decision – despite the fact that the Irish authorities and courts were of the view the system did not meet the standards of the Irish constitution – because the European Commission decision was binding on them. The questions of the validity and status of the Decision were referred to the Court of Justice of the European Union (ECJ).

The Advocate General, a senior ECJ official who advises on cases, took the view that the Commission’s decision could not limit the powers of DPAs granted under the directive and that the US system was inadequate, particularly as regards the safeguards against mass surveillance (a more detailed review of the AG’s Opinion can be found here). The ECJ has now ruled, following very swiftly on from the Opinion. The headline: the Commission’s decision is invalid. There is more to the judgment than this.

Powers of DPAs and Competence

The ECJ emphasised that the Commission cannot limit the powers granted by the Data Protection Directive, but at the same time Commission decisions are binding and benefit from a presumption of legality. Nonetheless, especially given the importance of the rights, individuals should have the right to be able to complain and ask a DPA to investigate. DPAs remain responsible for oversight of data processing on their territory, which includes the transfer of personal data outside the EU. The ECJ resolves this conundrum by distinguishing between the right and power of investigation and challenge to Commission decisions, and the declaration of such decisions’ invalidity. While the former remains with DPAs, the latter, following longstanding jurisprudence, remains with the ECJ.

Validity of Decision 2000/520

The ECJ noted that there is no definition of what is required by way of protection for the purposes of Article 25 of the Data Protection Directive. According to the ECJ, there were two aspects to be derived from the text of Article 25. There is the requirement that protection be ‘adequate’ in Article 25(1) and the fact that Article 25(6) refers to the fact that protection must be ensured. The ECJ agreed with the Advocate General that this Article is ‘intended to ensure that the high level of that protection continues where personal data is transferred to a third country’ (para [72], citing the Advocate General’s Opinion para [139]), which seems higher than ‘adequate’ might at first suggest. That requirement does not however mean that protection in third (non-EU) countries must be identical but rather that it is equivalent (para [73]) and effective (para [74]). This implies an on-going assessment of the rules and their operation in practice, where the Commission has very limited room for discretion.

The Court concluded that the Decision was unsound. It did so on the basis that mass surveillance is unacceptable, that there was no legal redress and that the decision did not look at the effectiveness of enforcement. It steered clear of determining whether the self-certification system itself could ever be fit for purpose, basing its reasoning on only elements of the Commission’s decision (but which were so linked with the rest that their demise meant the entire decision fell).

Implications

This is a judgment with very far reaching implications, not just for governments but for companies the business model of which is based on data flows. It reiterates the significance of data protection as a human right, and underlines that protection must be at a high level. In this, the ECJ is building a consistent line of case law – and case law that deals not just with mass surveillance (Digital Rights Ireland) but activities by companies (Google Spain) and private individuals (Rynes).

At a practical level, what happens today with the Decision declared invalid? Going forward, will there be more challenges looking not just at mass surveillance but at big data businesses self-certifying? What will happen to uniformity in the EU? Different Member States may well take different views. This should also be understood against the Weltimmo judgment of last week, according to which more than one Member State could have the competence to regulate a multinational business (irrespective of where that business has its registered office in the EU). Finally, what does this mean for the negotiation of the Data Protection Regulation? The political institutions had agreed that the Regulation would not offer lower protection than the Data Protection Directive, but now we might have to examine this directive more closely.