Press play to listen to this article
Voiced by Amazon Polly
A ruling by the EU’s top court Tuesday morning dealt a serious blow to the prospect of digital information being able to flow freely across the Channel after Brexit.
From January 1, the United Kingdom will lose its automatic status as a safe destination for EU data because it falls out of the EU’s legal system. To keep the data taps flowing after Brexit, the U.K.’s data protection regime needs to get a stamp of approval from the European Commission in what is known as an “adequacy decision.”
The chances of that happening slimmed considerably Tuesday when a ruling by the Court of Justice of the European Union deemed the U.K.’s bulk data collection regime illegal under EU law.
In its decision, the bloc’s highest court said that legislation like Britain’s Investigatory Powers Act — rules that give local national security agencies significant powers to harvest people’s information — fall afoul of the bloc’s fundamental rights.
The ruling poured cold water on U.K. hopes of easily achieving an adequacy decision, which now appears more remote given changing requirements to obtain the EU stamp of approval.
The rulings Tuesday also concern Belgian and French law and will have ramifications across the EU.
In July, the EU’s Luxembourg-based court struck down an adequacy decision it had given to the United States — known as the Privacy Shield — because it deemed U.S. surveillance laws too intrusive for European standards.
That decision also applied to surveillance standards in so-called third-party countries, which the U.K. will become when the transition period ends on December 31.
-
Also On Politico
What happens if there’s no Brexit trade deal?
-
Also On Politico
EU bangs the Brexit negotiating table (but stays in the room)
Given the court’s ruling that the U.K.’s Investigatory Powers Act violates fundamental rights to privacy, data protection and freedom of expression, the EU will be hard pressed to approve U.K. data protection standards without reform of the act.
“Those obligations to forward and to retain such data in a general and indiscriminate way constitute particularly serious interferences with the fundamental rights guaranteed by the Charter, where there is no link between the conduct of the persons whose data is affected and the objective pursued by the legislation at issue,” the ruling said.
Political considerations will come into account in a final decision on U.K. data protection standards.
EU and U.K. officials have been negotiating a potential agreement since March. But Brussels remains concerned about how British security agencies will access EU data and whether they will share it with other countries, notably the United States.
National security exemption
The rulings Tuesday also concern Belgian and French law and will have ramifications across the EU.
National governments, backed by the European Commission, argued that the question of data retention should not be covered by EU law because it’s linked to national security — an area fiercely guarded as the competence of nations.
But the rulings on data retention regimes in the U.K., France and Belgium confirmed that national rules requiring companies to retain or send bulk communications data to security agencies fall within the scope of EU privacy rules.
They suggest that scores of EU data retention rules will need to be reformed. The Luxembourg court held that capitals could not pass laws that restrict the scope of EU privacy rules, especially around the confidentiality of communications data.
Even so, the judgment is not the slam dunk win that privacy campaigners had wished for.
The ruling poured cold water on U.K. hopes of easily achieving an adequacy decision | Alex Pantling/Getty Images
While the Luxembourg court brought many data retention regimes within the scope of EU privacy rules and backed case law safeguards that member countries had tried to have kicked out, it also detailed carve-outs for national security agencies.
For instance, the court held that member countries could — subject to review by a court or independent body — force indiscriminate and bulk retention of data if they face “a serious threat to national security that proves to be genuine and present or foreseeable.”
The court also held open the door to “targeted retention of data” to combat serious threats to public security and to fight serious crime.
Want more analysis from POLITICO? POLITICO Pro is our premium intelligence service for professionals. From financial services to trade, technology, cybersecurity and more, Pro delivers real time intelligence, deep insight and breaking scoops you need to keep one step ahead. Email [email protected] to request a complimentary trial.