There are some decisions of the Court of Justice of the European Union (CJEU) that are going to continue to have consequences for the UK after we leave the transition period at the beginning of next year, regardless of the outcome of the Brexit negotiations. One of the affected areas is data protection, given the data traffic between the UK and the EU. 

Jonathan Goldsmith

Jonathan Goldsmith

There have been two recent CJEU decisions of great importance for our future data relationship. One was Schrems 2, about which I wrote recently. And the second came last week: Case C-623/17, brought by Privacy International against our government and security agencies (GCHQ, MI5 and MI6).

Privacy International, unsurprisingly, is an NGO which promotes the right to privacy around the world. It brought this case five years ago against the government’s and security agencies’ general and indiscriminate collection and retention of citizens’ data. Eventually, the Investigatory Powers Tribunal referred questions to the CJEU, principally about the collection of citizens’ data from private communications services.

Readers of the judgment will doubtless have conflicting emotions as they battle with its complexity. First, it raises issues of Brexit. It seems strange that, after we have left the EU, the CJEU is still opining on our practices. But there will be more such cases in the coming years, as the backlog of cases involving the UK is cleared.

Some of the future cases will be of a more academic impact, given that we are no longer members. But this one on data collection is not academic. We need to come to an arrangement with the EU from the beginning of next year about how data will be transferred between our two regimes, and this judgement directly impacts the assessment the EU will make of the adequacy of our domestic arrangements, with potentially significant consequences for law firms and their clients.

The next emotion relates to the subject matter, which concerns the security agencies. We complain when they don’t keep us safe. And we complain when they snoop illegally into our data in order to keep us safe. Where is the balance between those two emotions? The CJEU was trying to see where the balance lies in the law, a particularly tricky topic since the collection and retention of data are EU competences, but national security questions are not.

Finally, as lawyers, we should be alarmed to read the following sentence in the judgement: ‘In a judgment of 17 October 2016, that court [the Investigatory Powers Tribunal] held that the defendants in the main proceedings had acknowledged that those agencies acquired and used, in their activities, sets of bulk personal data, such as biographical data or travel data, financial or commercial information, communications data liable to include sensitive data covered by professional secrecy, or journalistic material.’

In other words, our security agencies admitted that they had acquired and used material subject to professional secrecy. We and our professional bodies should not accept that. To be clear, it was not the content of messages that was in question, since they were not requisitioned. It was communication data, such as traffic, location and subscriber data - the who, what, when, and where, including map searches and visited websites. The CJEU reports that such data can provide sensitive information like sexual orientation, political opinions, religious, philosophical, societal or other beliefs and state of health. The data can also in some circumstances fall within the scope of the rights and duties of lawyers’ professional secrecy.

The Privacy International case was heard alongside other similar cases from Belgium and France (Joined Cases C-511/18, La Quadrature du Net and Others, C-512/18, French Data Network and Others, and C-520/18, Ordre des barreaux francophones et germanophone and Others). In the Belgian case, it was the bar which was one of those bringing the case, partly out of concern for professional secrecy.

To cut through the complexity of the Privacy International judgment, the CJEU decided that legislation which compels private communications providers to forward data to the security agencies falls within EU data protection law. In follow up to that conclusion, it decided that EU law precludes national legislation from enabling the government to require private providers to forward general and indiscriminate transmission of traffic and location data to the security agencies for national security purposes. The emphasis is on general and indiscriminate transmission. There are permitted exceptions where there is a serious threat to national security that is genuine and present or foreseeable, so long as data retention in that context is temporary.

This judgment will pose a problem for our government when it negotiates a data adequacy agreement with the EU for the start of next year, since our current collection policies for security agencies are not consistent with EU standards.


Jonathan Goldsmith is Law Society Council member for EU matters and a former secretary general of the Council of Bars and Law Societies of Europe. All views expressed are personal and are not made in his capacity as a Law Society Council member nor on behalf of the Law Society