Click here to read our latest report: Tackling Online Terrorist Content Together

Schrems II and the Future of 3rd Party Security Service Access to Data From the UK

Schrems II and the Future of 3rd Party Security Service Access to Data From the UK
21st July 2021 Dr. Victoria McCloud
In Insights

Happy Birthday Schrems II, but hold back the cake. As the EU’s judgment in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, ECJ Case C-311/18 on cross-border transfers, invalidating the so-called ‘Privacy Shield’, reaches its first birthday with as yet no solution to address its consequences, this paper highlights potential implications for cross-border Counter Violent Extremism (CVE) and Counter Terrorism (CT) measures in the data domain. It asks what this may imply for the UK in its surveillance and intelligence relationship with the US, and for the UK’s relationship with the EU, given the added dimension of Brexit and the potential for regulatory drift by the UK away from the EU’s privacy-centric model.

With the Schrems II case, recall that the ECJ held that the US does not provide for an essentially equivalent, and therefore sufficient, level of protection for citizens’ privacy as guaranteed by the GDPR, and this was in large part because the legal bases of US surveillance programmes in the US were not limited to what was ‘strictly necessary’ and thus would be considered a disproportionate interference with the rights to protection of data and privacy. Schrems II also decided much the same in relation to the US’s claims to be entitled to access intelligence via tapping into undersea cables, a pointed conclusion given the UK’s extensive cable landings on the west coast of Britain and the presence of GCHQ there.

To find the psychological origins of the tension between the US and EU in terms of the sharing of potentially useful CVE or CT data, and the uneasy standing of the UK in that tripartite relationship one only has to look to the European Parliament itself. One publication which arguably provides a backdrop for the whole Schrems issue was the 2013 publication ‘The US surveillance programmes and their impact on EU citizens’ fundamental rights’, document PE 474.405, by the EU Directorate General for Internal Policies. That document gave the EU perspective of the closeness intelligence collaboration between the US and the UK, referencing the EU’s stance towards historic UKUSA arrangements, then recalling the EU’s advice from the early 2000’s to citizens to “use cryptography in their communications to protect their privacy, because economic espionage with ECHELON had obviously been conducted by the US intelligence agencies” and (by way of a perhaps incongruous historic detour via the Watergate scandal) bringing matters up to the date of the leaks by Snowden concerning PRISM and ‘UPSTREAM’ in the US. It is in that atmosphere of counter-reaction to the USA’s programmes of intelligence and the UK’s collaboration with it that arguably the Schrems issues found their birth.

What we see in discussion of Schrems II in the general media tends to focus on the business impact of restricting data transfers, which is central to much commercial activity but less attention has perhaps been paid to the potential side effects in terms of CVE/CT, where access to private data may hold important value.  One such area of concern is in the supply and access to passenger advance information (Passenger Name Records). Schrems II and the tight privacy mindset which it illustrates on the EU side signals uncertainty on the future of existing agreements as to mutual access to screening information from passengers on international flights so that authorities can perform screening (see for example Propp, K (July 2021) “Avoiding the Next Transatlantic Security Crisis: The Looming Clash over Passenger Name Records”. Propp expresses the significance thus “To avoid another trans-Atlantic data transfer crisis—one that would have major consequences for air-line security—the Biden administration needs to devote senior-level attention to the US-EU Passenger Name Record Agreement and to re-engage with the European Union on its future.

A thus far under-considered further issue impinging on future CVE and CT efforts may arise in the case of nuclear-biological-chemical (NBC) attacks, where specialist joint working and scientific and medical intelligence and data sharing may prove crucial in managing impacts and designing countermeasures at pace. Much concern has been expressed in the civilian medical research field on the impact of the localising effects of Schrems in terms of ongoing and future clinical medicine trials: see the report issued by a consortium of European medical research organisations issued in April 2021. But a less obvious side effect may be a slowing or prevention of real-time medical surveillance and data exchange in the face of an emerging crisis arising from an NBC extremist/terrorist incident of possibly unknown type where the exchange of data including personal medical data may be essential.

Still another issue is the scope for exploitation, by competitive or hostile states or actors, of the increasingly tight data privacy regime in the EU by finding local means to encourage challenges by data protection bodies, aiming strategically to disrupt the capacity of the transatlantic US-EU alliance to function efficiently in its CVE and CT efforts.

What, then of the UK? This author recently presented a video lecture at the 2021 American Bar Association Cross Border Institute on the signs and signals of where the UK may be placing itself in the post-Brexit context, between the EU’s assertive privacy stance on the one hand and the more security-based outlook of the US, examining some statements by UK Government as indicators of the direction of travel. The UK has to tread a narrow path between retaining free data exchange with the EU, satisfying the EU’s standards for equivalence in data protection, and an apparent desire to move towards a more facilitative position towards non-EU states such as the US. We see for example a statement by UK Minister for Media and Data, John Whittingdale, in March 2021 to the media:

“We want to shape global thinking and promote the benefits of the secure international exchange of data … Having left the EU, the Secretary of State for the Department for Digital, Culture, Media and Sport now holds powers to make independent UK adequacy arrangements with new partners around the world, making it easier for organisations to send data internationally. He, and the Information Commissioner’s Office, can also deliver innovative alternative mechanisms for international data transfers. There is a huge prize to be won here.”  

Ripples of concern at once arose, calling to mind the 2013 paper referred to above redolent of a deep suspicion of UKUSA collaboration in intelligence affairs ever since World War II, in the form of a “Resolution by Members of the European Parliament calling for adequacy of UK data protection arrangements to be reviewed and amended” on 21 May 2021, which among other things stated that MEPs considered:

“… it unacceptable that the draft adequacy decisions fail to take into account the lack of limitations on the use of UK bulk data powers, or the actual use of UK-US surveillance operations as exposed by Edward Snowden, including the facts that:
(a)     there is no effective substantive oversight by the ICO or the courts over the use of the national security exemption in UK data protection law;…
(d)     the Five Eyes agencies, in particular GCHQ and the National Security Agency (NSA), in practice share all intelligence data;”

15 June 2021 saw the creation of the EU-US Trade and Technology Council (TTC), which among other things will necessarily have to discuss issues such as those mentioned here, but the prospects for mutuality must surely be limited unless there are significant shifts of outlook in relation to what level of risk of interception of ‘innocent’ civilian data in the name of CVE and CT effectiveness is an acceptable one on either side of the Atlantic, or even the English Channel.