Thursday, 16 November 2017

Minimum Alcohol Pricing is Appropriate & Necessary: Scotch Whisky Association v Lord Advocate [2017] UKSC 76

Angus MacCulloch, Law School, Lancaster University (@AngusMacCulloch)

Lord Mance has handed down the long awaited judgment in SWA v Lord Advocate in the UK Supreme Court finally dismissing the SWA’s appeal, and permitting the Scottish Government to implement its Minimum Unit Pricing (MUP) policy in relation to retail alcohol sales. The scheme to introduce a MUP of £0.50 per unit, under the Alcohol (Minimum Pricing)(Scotland) Act 2012, has been delayed for 5 years by this legal challenge which characterised the scheme as being contrary to EU law; in that it was contrary to both Article 34 TFEU, as it was a measure having equivalent effect to a quantitative restriction on trade, and that it was contrary to the bar on price fixing under the Single CMO Regulation EU/1308/2013 covering wine.  

This is the fourth, and final, substantive judgment in this litigation. At first instance the Outer House of the Court of Session found MUP to be lawful, [2013] CSOH 70, and after receiving a response to a preliminary ruling from the Court of Justice of the EU, Case C-333/14 EU:C:2015:845, the Inner House, [2016] CSIH 77, also upheld the lawfulness of MUP. The SWA’s appeal was perhaps inevitable, but after a hearing in July 2017, the final judgment has largely confirmed the findings of both Scottish courts that the policy could be justified on the basis of the protection of public health.

By the time the case reached the Supreme Court it was largely settled that MUP could be characterised as a measure having equivalent effect to a quantitative restriction under Art 34 TFEU, and would be contrary to the Single CMO Regulation, but any restriction contrary to those provisions could be justified on the basis of public health protection. The majority of the discussion in the Supreme Court surrounded the proportionality of MUP; was there an alternate measure which could achieve MUP’s aim but which be less restrictive of trade or competition?

The Aim and Assessment of the Measure

Much of the Supreme Court judgment contains an, at times detailed, analysis of the public health evidence presented to justify the introduction of MUP. The CJEU addressed the appropriate time frame for the assessment of a measure and Lord Mance similarly adopted a permissive attitude to the question. Flexibility was given to allow the consideration of the most recent health studies, and the respondent, the Scottish Government, was permitted, at [28], to:

‘refine the aims advanced and to demonstrate that, on the material now available, the proposed measure is justified, even if it only meets an aim which is narrower than, but still falls within the scope of those originally advanced’.

Both the AG and the CJEU drew attention to the ‘two fold objective’ (CJEU [34]) of MUP, in relation to problem drinking and the general consumption of alcohol, but this flexibility allowed the Scottish Government to refocus their argument on what the new evidence showed to be the most important benefits of MUP, in relation to problem drinking, and away from the issues of general consumption. That was to their advantage when as it was seeking to justify a more targeted measure - MUP - over a more general one - increased excise duty.

The Test of Proportionality

Lord Mance opened with a consideration of the guidance set out by both AG Bot and the CJEU in relation to justification and the proportionality of restrictions under EU Law. After setting out sections of the AG’s Opinion Lord Mance characterised his approach as being a three part test: is the measure i) appropriate, ii) necessary, and iii) a balancing of the restrictive effects of the measure as opposed to possible alternatives [14]. In his assessment of the CJEU’s ruling on the question of proportionality Lord Mance found the CJEU’s test to be somewhat narrower, only relying on the first two limbs, although he did recognised that the CJEU considered some aspects of third limb within ‘necessity’. On this question of the third limb, or ‘proportionality stricto sensu’, Lord Mance posed the following rhetorical question, at [47]:

‘can it be that, provided an objective is reasonable and can only be achieved in one way, it is irrelevant how much damage results to the ordinary operation of the EU market?’

This task was described as being a comparison, ‘between two essentially incomparable values’ – health and the market [48]. It was also stressed that, ‘it was not for any court to second-guess the value which a domestic legislator may decide to put on health’ [48]. This rejection of a ‘balancing’ approach between the competing values of health and the market was important. It reduced the need for the Scottish Government to produce compelling economic evidence of the impact of MUP on future markets, but, more importantly, because it did not compel the court to weigh up, ‘the number of deaths or hospitalisations … [which were] “proportionate to” the degree of EU market interference’ [48].

The final decision on proportionality – after consideration of the new evidence and argument before the Supreme Court – was clear.

‘A critical issue is, as the Lord Ordinary indicated, whether taxation would achieve the same objectives as minimum pricing. … [T]he main point stands, that taxation would impose an unintended and unacceptable burden on sectors of the drinking population, whose drinking habits and health do not represent a significant problem in societal terms in the same way as the drinking habits and health of in particular the deprived, whose use and abuse of cheap alcohol the Scottish Parliament and Government wish to target. In contrast, minimum alcohol pricing will much better target the really problematic drinking to which the Government’s objectives were always directed and the nature of which has become even more clearly identified by the material more recently available’ [63].

This conclusive finding that MUP is the most effective way of targeting a particular pattern of problem drinking in Scotland reflects the same analysis of the evidence by the Lord Ordinary and Lord President in the Court of Session.

The other key point that Lord Mance went on to make concerned the respective roles of the Scottish Parliament, in setting health policy priorities, and the court, in assessing the proportionality of a measure. As the ‘balancing’ approach, suggested by AG Bot, had ready been rejected it is perhaps not surprising that Lord Mance restricted the role of the court.

‘the Scottish Parliament and Government have as a matter of general policy decided to put very great weight on combatting alcohol-related mortality and hospitalisation and other forms of alcohol-related harm. That was a judgment which it was for them to make, and their right to make it militates strongly against intrusive review by a domestic court’ [63].

But in perhaps the most important passage Lord Mance continued:

‘That minimum pricing will involve a market distortion, including of EU trade and competition, is accepted. However, I find it impossible, even if it is appropriate to undertake the exercise at all in this context, to conclude that this can or should be regarded as outweighing the health benefits which are intended by minimum pricing’ [63].

Given the strength of that conclusion it is difficult to see a circumstance in which a UK court presented with clear evidence of prospective health benefits from an intended public health intervention, which is predicted to prevent mortality and hospitalisations, would decide that such a measure is a disproportionate intervention.

On Evidence

The Supreme Court’s heavily reliance on the evidence base behind the adoption of MUP is unsurprising. The CJEU stressed the importance of evidence to justify a measure in both the SWA reference and Case C-148/15 DPV. There is, however, no better example of the extent to which evidence can become important, but also a significant burden (as indicated at 411) to a court, than BAT v Dept of Health [2016] EWHC 1169 (Admin).

Although the Supreme Court was heavily reliant on the wealth of modelling evidence presented to it, it did recognise that much of the evidence was, as the AG described it, ‘somewhat experimental’, and that it would difficult ‘predicting the precise reactions of markets and consumers to minimum pricing’ [62]. In that regard the Lord Mance appears to have taken comfort that the proportionality of the measure in the longer term would be assured as the Scottish Government had built a sunset clause into the Act, and that a formal review of the actual effects of the legislation would be required or it would cease to be in force after six years.


I have been following this case for a very long time and my initial reaction is that it is a good conclusion. The Supreme Court has made it clear, much more so than the CJEU did, that a convincing and well evidenced public health argument should, and hopefully now will, win out over trade or competition concerns. The proportionality test still has teeth. A Member State seeking to justify a measure must be clear about its aim, and it must have a good evidence base to explain and justify the effectiveness of the intervention it has chosen. But it now appears that the courts, in the UK at least, will now give some deference to the policy choices of the legislature if they stand up to that scrutiny.

It is not the courts role to second-guess policy in these areas, but I am sure that we will see new challenges if other jurisdictions attempt to introduce similar policies. Other administrations may see this case as clearing the way, but they should be careful as the decision in this case was tied to a detailed analysis of a particular Scottish problem. It is not the case that the same intervention will be appropriate or necessary everywhere else.

Barnard & Peers: chapter 15, chapter 16

Photo credit: Sky News

Wednesday, 15 November 2017

Dual citizens and EU citizenship: clarification from the ECJ

Professor Steve Peers

One of the basic rules of EU free movement law is that in principle it can only be invoked by EU citizens who are in a Member State other than their Member State of nationality. As a corollary, those EU citizens who are in the Member State of which they are a national cannot invoke free movement law – although ECJ case law in some cases allows them to claim rights on the basis of their EU citizenship instead.

So what happens if someone is a citizen of two Member States? If they are living in one of those two States, at first sight they are Schrodinger’s EU citizen: simultaneously entitled to free movement rights (as they are in a Member State other than their Member State of nationality) and not entitled to those rights (as they are in the Member State of which they are a national). In its 2011 judgment in McCarthy, the ECJ ruled that a dual citizen of two Member States (the UK and Ireland) who had not moved from the UK could not claim rights based on free movement law or EU citizenship. But did that finding rest on the mere fact that Ms McCarthy was a dual citizen of two Member States – or rather upon the fact that she was a dual citizen who had not moved between Member States?

Yesterday’s ECJ judgment in Lounes has clarified this important point. (On the background to the ruling, see Alina Tryfonidou’s analysis). It concerned a Spanish citizen who moved to the UK, who then gained UK nationality and married a non-EU citizen. She invoked free movement rights so that he could stay with her, but the UK government, having changed its law after the McCarthy ruling, argued that she was subject not to EU law, but to the more restrictive family reunion rules applicable to UK citizens.

The ECJ ruled that she was not entitled to invoke the free movement rights (including the family reunion rules) in the EU citizens’ Directive, since she was now a UK citizen in the UK. However, the Court said that she could invoke her EU citizenship based on the Treaties: for that purpose she was still regarded as a Spanish citizen who had moved within the EU. While the Treaty citizenship provisions, unlike the citizens’ Directive, contain no specific rules on family members, the Court said that she should be treated no less favourably than those covered by the Directive, as it would be unjust to treat her worse than a Spanish citizen who had moved to the UK and not acquired UK nationality.

In effect, dual citizens of two Member States who move within the EU therefore form another exception to the rule that EU citizens cannot claim free movement or citizenship rights against their Member State of nationality. They join: EU citizens who move to another Member State and return home (Surinder Singh); EU citizens who live in their State of nationality but who take up economic activity outside it (Carpenter); and EU citizens who live in their State of nationality but would be compelled to leave the EU if their non-EU parent is expelled (Ruiz Zambrano). (The ECJ most recently clarified the status of the first two categories in two 2014 rulings, which Chiara Berneri discussed here; and it most recently clarified Ruiz Zambrano cases in a spring 2017 ruling, which I discussed here).


The Court’s ruling in Lounes raises several questions. First of all, does it apply only where the EU citizen acquired the second nationality after moving to that second Member State? At first sight, the Court’s ruling suggests this. But it would be odd to deny the same rights to those who gained the second nationality earlier, upon marriage to a national of that second Member State, or to those who have had two nationalities since birth, for instance because: their parents have different nationalities; or they were born in one Member State but one or both parents is a national of another Member State; or they obtained both UK and Irish nationality because they were born in Northern Ireland. Of course, in each of those scenarios, the dual citizen would still need to move within the EU to invoke the EU citizenship rights.

What about those who lost the citizenship of one Member State when they acquired the nationality of another one? The earlier case of Scholz suggests that they, too, keep rights – although that case was decided on free movement rather than citizenship rights.

For dual citizens covered by Lounes, do all the rights derived from the citizens’ directive apply by analogy? A particular issue arises with acquiring permanent residence, where the Court previously suggested in Alarape that only those covered by the citizens’ Directive as such could gain permanent residence. (While gaining permanent residence would be irrelevant to Ms. Lounes as a citizen of the UK, it would be important to establish whether her non-EU husband could obtain that status). But that case concerned a comparison between those covered by the EU citizens’ Directive and those covered by a separate Regulation, not those covered by the Treaties. And in Lounes, the Court insisted upon the citizens’ Directive applying by analogy. So it is arguable that the permanent residence rules still apply. (See also the argument on this made in the Free Movement blog).

Finally, what happens after Brexit, for dual citizens of the UK and another Member State? For those who moved before Brexit Day, it will be important to ascertain whether the withdrawal agreement (if there is one) fully guarantees the continuation of ECJ case law on this issue, given that family reunion is still a disputed issue between the UK and EU27 sides. For those who arrive within a transition period (if one is agreed), the issue will be whether the withdrawal agreement also guarantees the full application of EU laws and case law to them. For those who arrive after that transition period ends, the issue will be whether the UK has made any commitments at all on this issue, or whether UK law only will apply – in which case more restrictive family reunion rules will apply. If there is no deal on this issue between the UK and EU27, then the UK’s more restrictive rules will apply – unless those rules change as a consequence of an election that might then follow. (Note that UK citizens living in Spain cannot obtain Spanish nationality at present).

Those who have two nationalities already, and who fall in love with someone who has a third nationality, inevitably bring out the greatest tension between the arid dictates of immigration law and the human need of family members to live their lives together. It remains to be seen whether those whom EU law has joined together, will be split asunder by Brexit. 

JHA4: chapter I:6
Barnard & Peers: chapter 27, chapter 13

Photo credit: thinkSPAIN

Monday, 6 November 2017

The EU and the Spanish Constitutional Crisis

Cecilia Rizcallah, Research Fellow at the Belgian National Fund for Scientific Research affiliated both to Université Saint-Louis Bruxelles and Université libre de Bruxelles


Spain is facing, since more than a month now, a constitutional crisis because of pro-independence claims in Catalonia. These claims resulted in the holding of an independence referendum on 1 October 2017, organized by the Spanish autonomous community of Catalonia’s authorities, led by its President Mr. Carles Puigdemont. According to Barcelona, 90% of the participants voted in favor of Catalonia’s independency on a turnout of 43%.

Several weeks before the holding of the referendum, the Spanish Constitutional Court held that such plebiscite was contrary to the Spanish Constitution, and it was therefore declared void by the same Court. The Spanish central Government moreover firmly condemned this act and suspended Catalonia’s autonomy, on the basis of Article 155 of the Spanish Constitution which allows the central Government to adopt “the necessary measures to compel regional authorities to obey the law” and, thereby, to intervene in the running of Catalonia.

EU’s Incompetency in Member States’ Internal Constitutional Affairs

During these events, a contributor to the New York Times wondered “Where is the European Union?”. The Guardian stated “As Catalonia crisis escalates, EU is nowhere to be seen”. EU authorities’ restraint can yet easily be explained, at least, from a legal point of view. Indeed, the European Union has in principle neither the competence, nor the legitimacy, to intervene in its Member States’ internal constitutional affairs. Article 4.2 TEU incidentally underlines that the EU shall respect Member States’ “national identities, inherent in their fundamental structures, political and constitutional, inclusive of regional and local self-government” and that it “shall respect their essential State functions, including ensuring the territorial integrity of the State, maintaining law and order and safeguarding national security. In particular, national security remains the sole responsibility of each Member State”. The President of the Commission, J.-C. Junker stated that it was “an internal matter for Spain that has to be dealt with in line with the constitutional order of Spain” but however noted that in case of separation of Catalonia from Spain, the region would consequently “find itself outside of the European Union”. 

Puigdemont’s  Departure for Brussels

Theoretically, the EU has thus no legal standing to intervene in the Spanish constitutional crisis. Recent events have, however, brought the EU incidentally on stage.

Mr. Puigdemont, the deposed leader of Catalan authorities, left Barcelona for Brussels several days ago, where he declared he was not intended to seek asylum and that he would return in Spain if judicial authorities so request, provided he was guaranteed conditions of a fair judicial process. In the meanwhile, the State prosecutor decided to start proceedings against Mr. Puigdemont and other officials of the ousted Catalan government for rebellion, sedition and embezzlement and demanded to the judge in charge of the processing charges to issue a European arrest warrant (hereafter EAW) for Mr. Puigdemont and four other members of his former cabinet, after they failed to appear at the High Court hearing last Thursday.  The EAW was issued by the Spanish judge last week. EU law has thus been relied upon by Spanish authorities to respond to its internal crisis, because of the departure of several Catalan officials to Brussels, which constituted, at the outset at least, nothing more than a lawful exercise of their free movement rights within the Schengen area.

Mr. Puidgemont and the other people subject to a EAW presented themselves to Belgian authorities, which decided to release them upon several conditions including the prohibition to leave the Belgian territory. A Belgian Criminal Chamber has as of now two weeks to decide if they should be surrendered to Spain or not.

The Quasi-automaticity of the European Arrest Warrant System

According to Puidgemont’s Belgian lawyer, the former Catalan leader will agree to return in Spain provided that he will be guaranteed respect of his fundamental rights, including the right to an impartial and independent trial. He moreover underlined that Puidgemont will submit itself to Belgian judicial authorities which will have to assess whether or not these conditions are met.

The system of the EAW, however, entails a quasi-automaticity of the execution by requested authorities of any Member State. Indeed, because it relies upon the principle of mutual trust between Member States, requested authorities may not, save in exceptional circumstances, control the respect by the requesting State of fundamental values of the EU, including democracy and human rights. The Council Framework Decision 2002/584 of 13 June 2002, which establishes the EAW includes a limitative list of mandatory and optional grounds for refusal which does not include a general ground for refusal based on human rights protection (Articles 3 and 4). Indeed, only specific violations or risk of violations of fundamental freedoms justify the refusal to surrender, according to the Framework Decision. As far as the right to a fair trial is concerned, the Framework Decision does not include possibilities to rebut the presumption of the existence of fair proceedings in other Member States except when the EAW results from an in abstentia decision and only under certain conditions (Article 4a).  

A strong presumption of respect of EU values underlies EU criminal cooperation and the ECJ has, as of now, accepted its rebuttal on grounds of human right not included in the main text of the Framework Decision only where a serious and genuine risk of inhuman and degrading treatment existed for the convicted person in case of surrender (see the Aranyosi case, discussed here). In that respect, the lawyer of the other Catalan ministers who are already in jail has lodged a complaint for mistreatment of them, but more elements will be required to refuse the execution on the EAW on this basis.

Indeed, according to the Court of Justice, “the executing judicial authority must, initially, rely on information that is objective, reliable, specific and properly updated on the detention conditions prevailing in the issuing Member State and that demonstrates that there are deficiencies, which may be systemic or generalised, or which may affect certain groups of people, or which may affect certain places of detention”. Moreover, the domestic judge must also “make a further assessment, specific and precise, of whether there are substantial grounds to believe that the individual concerned will be exposed to that risk because of the conditions for his detention envisaged in the issuing Member State” before refusing the execution of the EAW (Aranyosi, paras 89 and 92).

Furthermore, the possibility to refuse to surrender persons convicted for political offences – which is traditionally seen as being part of the international system of protection of refugees - has been removed from the Convention on Extradition between Member States of the European Union concluded in 1996 – which is the ancestor of the current EAW system - precisely because of Member States’ duty to trust their peers’ judicial system. Interestingly, the removal of this ground for refusal had been required by Spain when it faced difficulties to obtain the extradition of Basque independentists who were seeking for protection in Belgium. The Spanish government pleaded that the ground for refusal for political infractions constituted a hurdle to criminal cooperation within the EU which was at odds with the trust that Member States should express to each other (see E. Bribosia and A. Weyembergh, “Extradition et asile: vers un espace judiciaire européen?”, R.B.D.I., 1997, pp. 69 to 98).

In the current state of EU law, no option for refusal of execution of the EAW concerning Mr. Puidgemont seems thus to exist. It is noteworthy, however, that the EAW system may, as a whole, be suspended, when the procedure provided for by Article 7 TEU is initiated if there is a (clear risk of) violation of the values referred to in Article 2 TEU on which the Union is founded, including human rights, democracy and the rule of law. Although some people have called for the initiation of this mechanism, the reliance on Article 7 is very unlikely to happen politically: it needs at least a majority of four fifths at the Council just to issue a warning, and the substantive conditions of EU values’ violations are very high.

Nonetheless, Belgium has included in its transposing legislation (Federal Law of 19 December 2003 related to the EAW) an obligatory ground of refusal – whose validity regarding EU law can seriously be put into question -  if there are valid grounds for believing that its execution would have the effect of infringing the funda­mental rights of the person concerned, as enshrined by Article 6(2) of the TEU (Art. 4, 5°). Triggering this exception will however result, in my view, in a violation of EU law by the Belgian judge since the ECJ has several times ruled that the grounds for refusal included in the Framework Decision were exhaustive and that a Member State could not rely upon its national human rights protection to refuse the execution of a EAW which respects the conditions laid down in the Framework Decision (Melloni).  Another option for the Belgian judge will be to make a reference to the ECJ for a preliminary ruling in order to ask whether, in the case at hand, the presumption of conformity with EU fundamental rights in Spain may be put aside because of the specific situation of Mr. Puidgemont.

The Quasi-Exclusion of the Asylum Right for EU Citizens

Besides asking for the refusal of his surrender to Spanish authorities, Mr. Puidgmont could - at least theoretically – seek asylum in Belgium on the basis of the Refugee Convention of 1951, which defines as refugees people with a well-founded fear of persecution for (among other things) their political opinion (Article 1.A.2).

However, Spain also requested – besides the removal of the ground for refusal to surrender a person based on the political nature of the alleged crime in the European Extradition Convention of 1996 – the enactment of Protocol No 24, on asylum for nationals of Member States of the European Union, annexed to the Treaty of Amsterdam signed in 1997. This Protocol practically removes the right of EU citizens to seek asylum in other countries of the Union.

Founding itself on the purported trustful character of Member States’ political and judicial systems and the (presumed) high level of protection of fundamental rights in the EU, the Protocol states that all Member States “shall be regarded as constituting safe countries of origin in respect of each other for all legal and practical purposes in relation to asylum matters” (Art. 1). Any application for asylum made by an EU citizen in another Member State shall therefore be declared inadmissible, except if the Member State of which the applicant is a national has decided to suspend temporarily the application of the European Convention on Human Rights in time of emergency (Article 15 of the ECHR; note that it’s not possible to suspend all provisions of the ECHR on this basis) or if this Member State has been subject to a decision based on Art. 7.1. or 7.2. TEU establishing the risk or the existence of a serious and persistent breach by the Member State of EU values referred to in Art. 2 TEU.

A Member State may also decide, unilaterally, to take an asylum demand into consideration at the double condition that it immediately informs the Council and that that the application shall be dealt with on the basis of the presumption that it is manifestly unfounded.  This last derogation has been invoked by Belgium which has adopted a declaration stating that it would proceed to an individual examination of each asylum demand of a EU citizen lodged with it. To comply with EU law, it must however consider each application manifestly unfounded rendering the burden of the proof very heavy for the EU citizen asylum seeker.  Belgian alien’s law provides for an accelerated procedure for asylum when the individual comes from an EU country (Article 57/6 2 of the Belgian Aliens Act) but statistics nevertheless show that about twenty asylum demands from EU citizens where declared founded in 2013 and 2014 by Belgian authorities.

The EU Brought on Stage…  

In both cases, the refusal to execute the EAW or the granting of an asylum right to Mr. Puidgemont would result from the consideration that the Spanish judiciary does not present the basic and essential qualities of independence and impartiality to adjudicate the case related to Catalan independence activists. This observation would likely result in a major diplomatic dispute between the two countries and, more widely, in the EU. Indeed, the consideration made by Belgium and/or the ECJ that Spain would not respect fundamental values of the EU in treating the case of Catalonia would jeopardize the essential principle of mutual trust between Member States, which is relied upon in criminal, asylum but also in civil judicial cooperation. The Spanish constitutional crisis could thereby potentially call into question the whole system of cooperation in the European Area of Freedom Security and Justice.

Barnard & Peers: chapter 25, chapter 26
JHA4: chapter I:5, chapter II:3

Photo credit: Pinterest

Friday, 3 November 2017

Who’s responsible for what happens on Facebook? Analysis of a new ECJ opinion

Lorna Woods, Professor of Internet Law, University of Essex

Who is responsible for data protection law compliance on Facebook fan sites? That issue is analysed in a recent opinion of an ECJ Advocate-General, in the case of Wirtschaftsakademie (full title: Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, in the presence of Facebook Ireland Ltd, Vertreter des Bundesinteresses beim Bundesverwaltungsgericht).

This case is one more in a line of cases dealing specifically with the jurisdiction of national data protection supervisory authorities, a line of reasoning which seems to operate separately from the Brussels I Recast Regulation, which concerns jurisdiction of courts over civil and commercial disputes.  While this is an Advocate-General’s opinion, and therefore not binding on the Court, if followed by the Court it would consolidates the Court’s prior broad interpretation of the Data Protection Directive.  While this might be the headline, it is worth considering a perhaps overlooked element of the data-economy: the role of the content provider in providing individuals whose data is harvested.


Wirtschaftsakademie set up a ‘fan page’ on Facebook.  The data protection authority in Schleswig-Holstein sought the deactivation of the fan page on the basis that visitors to the fan page were not warned that their personal data would be collected by the by means of cookies placed on the visitor’s hard disk. The purpose of that data collection was twofold: to compile viewing statistics for the administrator of the fan page; and to enable Facebook to target advertisements at each visitor by tracking the visitors’ web browsing habits, otherwise known as behavioural advertising.  Such activity must comply with the Data Protection Directive (DPD) (as implemented in the various Member States).  While the content attracting visitors was that of Wirtshaftsakademie, it relied on Facebook for data collection and analysis. It is here that a number of preliminary questions arise:

-          Who is the controller for the purposes of the data protection regime;
-          Which is the applicable national law; and
-          The scope of the national supervisory authority’s regulatory competence?



The referring court had assumed that Wirtschaftsakademie was not a controller as it had no influence, in law or in fact, over the manner in which the personal data was processed by Facebook, and the fact that Wirtschaftsakademie had recourse to analytical tools for its own purposes does not change this [para 28]. Advocate General Bot, however, disagreed with this assessment, arguing that Wirtschaftsakademie was a joint controller for the purposes of the DPD – a possibility for which Article 2(d) DPD makes explicit provision (paras 42, 51, 52].  The Advocate General accepted that while the system was designed by Facebook so as to facilitate a data-driven business model and Wirtschaftsakademie was principally a user of the social network [para 53]. The Advocate General highlighted that without the participation of Wirtschaftsakademie the data processing in respect of the visitors to Wirtschaftsakademie could not occur; and he could end that processing by closing the relevant fan page down. In sum:

Inasmuch as he agrees to the means and purposes of the processing of personal data, as predefined by Facebook, a fan page administrator must be regarded as having participated in the determination of those means and purposes. [para 56]

Advocate General Bot further suggested that the use of the various filters included in the analytical tools provided meant that the user had a direct impact on how data was processed by Facebook. To similar effect, a user can also seek to reach specific audiences, as defined by the user.  As a result, the user has a controlling role in the acquisition phase of data processing by Facebook. The Advocate General rejected an formal analysis based on the terms of the contract concluded by the User and Facebook [para 60] and the fact that the user may be presented with ‘take it or leave it’ terms, does not affect the fact that the user may be a controller.

As a final point, the Advocate General referred to the risk of data protection rules being circumvented, arguing that:

had the Wirtschaftsakademie created a website elsewhere than on Facebook and implemented a tool similar to ‘Facebook Insights’ in order to compile viewing statistics, it would be regarded as the controller of the processing needed to compile those statistics [para 65].

A similar approach should be taken in relation to social media plug ins (such as Facebook’s like button), which allow Facebook to gather data on third party websites without the end-user’s consent (see Case C-40/17 Fashion ID, pending).

Having recognised that joint responsibility was an important factor in ensuring the protection of rights, the Advocate General – referring to the approach of the Article 29 Working Party on data protection – clarified that this did not mean that both parties would have equal responsibility, but rather their respective responsibility would vary depending on their involvement at the various stages of processing activities.

Applicable Law

Facebook is established outside the EU, but it has a number of EU established subsidiaries: the subsidiary which has responsibility for data protection is established in Ireland, while the other subsidiaries have responsibility for the sale of advertising.  This raises a number of questions: can the German supervisory authority exercise its powers and if so, against which subsidiary?

Applicable law is dealt with in Article 4 DPD, which refers to the competence of the Member State where the controller is established but which also envisages the possibility, in the case of a non-EU parent company, of multiple establishments.  The issue comes down to the interpretation of the phrase from Art. 4(1)(a), ‘in the context of the activities of an establishment’, which according to Weltimmo cannot be interpreted restrictively [para 87].  The Advocate General determined that there were two criteria [para 88]:

-          An establishment within the relevant Member State; and
-          Processing in connection with that establishment.

Relying on Weltimmo and Verein für Konsumenteninformation the Advocate General identified factors – which are based on the general freedom of establishment approach to the question of establishment looking for real activity through stable arrangements – the approach is not formalistic. Facebook Germany clearly satisfies these tests.

Referring to Article 29 Working Party Opinion 8/2010, the Advocate General re-iterated that in relation to the second criterion, it is context not location that is important. In Google Spain, the Court of Justice linked the selling of advertising (in Spain) to the processing of data (in the US) to hold that the processing was carried out in the context of the Spanish subsidiary given the economic nexus between the processing and the advertising revenue.  The business set up for Facebook here is the same, and the fact that there is an Irish office does not change the fact that the data processing takes place in the context of the German subsidiary.  The DPD does not introduce a one-stop shop; to the contrary, a deliberate choice was made to allow the application of multiple national legal systems (see Rec 19 DPD), and this approach is supported by the judgment in Verein für Konsumenteninformation in relation to Amazon.  The system will change with the entry into force of the General Data Protection Regulation (GDPR), but the Advocate General proposed that the Court should not pre-empt the entry into force of that legislation (due May 2018) in its interpretation, as the cooperation mechanism on which it depends is not yet in place [para 103].

Regulatory Competence

By contrast to Weltimmo, where the supervisory authority was seeking to impose a fine on a company established in another Member State, here the supervisory authority would be imposing German law on a German company.  There is a question, however, as to the addressee of any enforcement measure. On one interpretation, the German regulator should have the power only to direct compliance on the company established on its territory, even though that might not be effective. Alternatively, the DPD could be interpreted so as to allow the German regulator to direct compliance from Facebook Ireland. Looking at the fundamental role of controllers, Advocate General Bot suggested that this was the preferred solution. Article 28(1), (3) and (6) DPD entitle the supervisory authority of the Member State in which the establishment of the controller is located, by contrast to the position in Weltimmo, to exercise its powers of intervention without being required first to call on the supervisory authority of the Member State in which the controller is located to exercise its powers.


The novelty in this Opinion relates to the first question is significant because the business model espoused by social media companies depends on the participation of those providing content, who seem at the moment to take little responsibility for their actions.  The price paid by third parties (in terms of data) is facilitated by them, allowing them to avoid or minimise their business costs.  Should there be a consistency of enforcement applications against such users, this may gradually have an effect on the underlying platform’s business model.  While it is harder to regulate mice than elephants, at least these mice appear to be clearly within the geographic jurisdiction of the German regulator – and will remain so even when the GDPR is in force.

The Advocate General went out of his way to explain that there was no difference between the situation in issue here and that in the other relevant pending case, Case C-40/17 Fashion ID.  This case concerns the choice by a website provider to embed third party code allowing the collection of data in respect of visitors in the programming for the website for its own ends (increased visibility of and thus traffic to the website): the code in question is that underpinning the Facebook ‘like’ button, but would also presumably include similar codes from Twitter or Instagram.

If there was any doubt from cases – for example Weltimmo – about whether there is a one-stop shop (ie only one possible supervisory authority with jurisdiction across the EU) in the Data Protection Directive, the Advocate General expressly refutes this point.  In this context, it seems that this case adds little new, rather elaborating points of detail based on the precise factual set-up of Facebook operations in the EU. It seems well-established now that – at least under the DPD - clever multinational corporate structures cannot funnel data protection compliance through a chosen national regime.

It may be worth noting also the broad approach of the Advocate General to Google Spain when determining whether processing is in the context of activities. There the Court observed that:

‘in such circumstances, the activities of the operator of the search engine and those of its establishment situated in the Member State concerned are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed [Google Spain, para 56]

Here, the Advocate General focussed on the fact that social networks such as Facebook generate much of their revenue from advertisements posted on the web pages set up and accessed by users and that there is therefore an indissoluble link between the two activities.  Thus it seems that the Google Spain reasoning applies broadly to many free services paid for by user data, even if third parties – for example those providing the content on the page visited – are involved too. 

Of course, the GDPR does introduce a one-stop shop. Arguably therefore these cases are of soon to be historic interest only.  The GDPR proposes that the regulator in respect of the controller’s main EU establishment should have lead responsibility for regulation, with regulators in respect of other Member States being ‘concerned authorities’.  There are two points to note: first, there is a system in place to facilitate the cooperation of the relevant supervisory authorities Art 60), including possible recourse to a ‘consistency mechanism’ (Art 63 et seq); secondly, the competence of the lead authority to act in relation to cross-border processing in Article 66 operates without prejudice to the competence of each national supervisory authority in its own territory set out in Article 55.  The first of these two points concerns the attempt to limit regulatory arbitrage and a downward spiral of standards in the GDPR as applied and the broad approach to establishment. The interest of the recipient state in regulating means that there may be many cases involving ‘concerned authorities’.  The precise implications of the second point are not clear; note however that it seems that the one-stop shop as regards Facebook would not stop data protection authorities taking enforcement action against users such as Wirtschaftsakademie.

Photo credit: Deccan Chronicle

Friday, 20 October 2017

The Irony of Brexit for Immigration Control

Daniel Thym, Professor of Public, European and International Law at the University of Konstanz

Immigration was a hot topic throughout the Brexit debate. ‘To take back control’ was a prominent slogan. In her Lancaster speech of January this year, Theresa May was adamant that control of immigration is a central objective of the ongoing Brexit negotiations: ‘The message from the public before and during the referendum campaign was clear: Brexit must mean control of the number of people who come to Britain from Europe. And that is what we will deliver.’

Many readers of this post will remember the ‘breaking point’ poster used by UKIP before the referendum with a picture of migrants and asylum seekers trotting across the Western Balkans. That poster was a tipping point in the debate. The EU was associated with chaos and open borders – both for EU citizens and third country nationals.

From a legal perspective, there is a certain irony in the ‘breaking point’ poster. My argument will be that while Brexit can facilitate legal control over the entry and stay of EU citizens, it need not necessarily make it easier for the UK to control the immigration of third-country nationals, including asylum seekers. It might even, paradoxically, render control of immigration by non-Europeans more difficult to some extent.

Status Quo: Extended Opt-out

The legal background of the irony is easy to explain: from a legal perspective, the UK has always retained widespread control of its external borders insofar as the entry and stay of third-country nationals is concerned, since the UK rejected to participate in the border-free Schengen area. It did not sign up to the Schengen Implementing Convention of 1990 and it secured an opt out when the letter was integrated into the framework of the European Union on the occasion of the Treaty of Amsterdam.

Moreover, successive British governments decided not to participate in most legislative initiatives on immigration, visas and border controls in the so-called area of freedom, security and justice, which have been adopted during the past 15 years and which have substantially reshaped the immigration law systems of countries in continental Europe. The UK does not participate, for instance, in the Family Reunion Directive, the Long-Term Residents Directive, the Blue Card scheme for highly qualified migrants or any other instrument facilitating the entry or stay of third-country nationals. The UK can decide autonomously the nationals of which country are subject to visa requirements, are allowed to take up employment or have to leave the UK. There is little primary or secondary law limiting UK sovereignty in this respect.

The situation is different for the ECHR and corresponding limits to state discretion, on the basis of Articles 3 and 8 ECHR, on the expulsion of those staying illegally, including suspects of terrorism. That is why Theresa May was promoting a departure from the ECHR (or at least a repeal of the Human Rights Act) when she was Home Secretary. Leaving the ECHR (or repealing the Human Rights Act) might have extended UK sovereignty over third-country national somewhat (albeit with a considerable constitutional price-tag attached). By contrast, leaving the EU won’t change much regarding immigration control.

Brexit: Loss of the Opt-in Option

What is more, the UK might even lose regulatory leverage post-Brexit insofar as immigration controls vis-à-vis third-country nationals are concerned. The underlying reason is simple: at the time of the Treaty of Amsterdam, the British government of Tony Blair secured not only an opt out from the Schengen regime. It also won an opt in option for all immigration, visa, asylum and border control measures, which are not inseparably linked to the abolition of border controls. This opt in option of was reinforced by the Treaty of Lisbon which established an hitherto unprecedented option of ‘cherry picking’ in the field of justice and home affairs legislation. The UK has used this opt in option quite extensively – and selectively – over the years, including during the time when Theresa May was Home Secretary.

This selective opt in practice focused on those measures enhancing the control powers of states, such as the Schengen Information System (SIS), in which the UK participates although it never signed up to order-free travel. The UK also subscribed to many EU measures against illegal immigration, while not being bound by the rules on legal migration. Most importantly, the UK participates in the Dublin regulation without, however, contributing to the solidarity measures, such as the relocation decisions on resettling 160,000 asylum seekers from Greece and Italy to other Member States. To be sure, the Dublin system was originally based upon a convention outside the EU framework, but it ceased to exist as an instrument of public international law when it was supplanted by EU legislation in which the UK participated.

In short, British participation in justice and home affairs was highly selective and lopsided: it enhanced state control without promoting the rights of migrants and refugees. As a member of the EU, the UK could use the justice and home affairs Protocols to enhance control of its external borders towards other Member States through à la carte participation. The irony is that Brexit will reverse these dynamics.

The Future: Reversed Dynamics

In the post-Brexit legal environment, the UK will not be able to decide any longer to participate in Dublin and the SIS by means of a simple declaration notifying the Council that it wants to exercise the opt-in option. Instead, the UK will have to negotiate with the EU post-Brexit whether it will be allowed to participate – and these negotiation will be defined, like any negotiation, by a quid pro quo, by reciprocal give-and-take.

Thus, the UK might have to pay a price for being allowed to participate in the Dublin IV Regulation or the Schengen Information System in the future – something it got for free in the past. The EU could demand, for instance, that the UK contributes to the relocation of asylum seekers from Greece or Italy. If that happened, Brexit would entail into the opposite of what UKIP had hoped for when it put up the ‘breaking point’ poster.

That need not happen, of course. The UK could decide, alternatively, to stay out of Dublin or it could negotiate a cross-sectoral package deal. The price the EU may wish to extract from the UK for continued Dublin participation may relate to any other policy field.

One thing, however, seems certain: the UK will not get Dublin for free any longer – like Switzerland, which was allowed to join Dublin under the condition that it subscribed to border free travel within the Schengen area at the same time. Ever since, border controls have been abolished between Germany and Switzerland. That, to me, is the irony of Brexit for immigration law sensu stricto: it might become more difficult for the UK to control the entry and stay of third-country nationals.

Barnard & Peers: chapter 27, chapter 26, chapter 13
JHA4: chapter II:6
Photo credit: Horizon magazine

Tuesday, 10 October 2017

Daddy’s gonna pay for your crashed car? The ECJ clarifies the vertical direct effect of Directives

Albert Sánchez Graells, Reader in Economic Law, University of Bristol*

One of the great complications of EU law is that EU Directives – unlike Regulations – do not have ‘direct effect’ horizontally, meaning that a private party cannot rely on them as such against another private party. However, there are other means of enforcing Directives, and in any event they do apply vertically, ie an individual can invoke a Directive against the State. This distinction between vertical and horizontal direct effect means that it is necessary to define exactly what is the ‘State’ for this purpose, given that there are many types of complex public-private relationships in each EU country.

More precisely, EU case law has indicated how to determine if a particular legal body is an ‘emanation of the State’, which is therefore covered by the principle of vertical direct effect. The key authority on this issue is the case of Foster and Others v British Gas, C-188/89, EU:C:1990:313. While some later judgments have touched on this definition, the Court of Justice of the European Union (CJEU) today clarified the position more thoroughly in its judgment in Farrell, C-413/15, EU:C:2017:745, broadly following the Opinion of AG Sharpston (here) – just in time for the start of many law students’ study of EU law.

The test for defining an ‘emanation of the State’, as applied in Foster, was formulated in the following terms: 

... a body, whatever its legal form, which has been made responsible, pursuant to a measure adopted by the State, for providing a public service under the control of the State and has for that purpose special powers beyond those which result from the normal rules applicable in relations between individuals is included in any event among the bodies against which the provisions of a directive capable of having direct effect may be relied upon (C-188/89 at [20], emphasis added).

However, also in Foster, the CJEU had offered a broader formulation of the test, indicating that:

a directive [capable of direct effect] could be relied on against organisations or bodies which were subject to the authority or control of the State or had special powers beyond those which result from the normal rules applicable to relations between individuals (C-188/89 at [18], emphasis added).

The interpretation of the Foster-test has been a relatively contentious issue in EU scholarship since its formulation in 1990. In particular, there have been opposing views on whether the conditions in which the test breaks down are cumulative (ie, a body needs to satisfy both criteria to be an emanation of the State) or not and, in case they are cumulative, whether they include three conditions (entrustment of public service, State control and special powers), or only two (thus suppressing the requirement to provide a public service) [cfr eg M Bobek, 'The effects of EU law in the national legal systems', in C Barnard & S Peers (eds), European Union Law, 2nd edition (Oxford, OUP, 2017) 154 (two conditions, non-cumulative), TC Hartley, The Foundations of European Union Law, 7th edn (Oxford, OUP, 2010) 232 (identifying four conditions, cumulative, but indicating that the test is non-exhaustive), K Lenaerts & P Van Nuffel, European Union Law, 3rd edn (London, Sweet & Maxwell, 2011) 903-04 (two conditions, including public service provision, cumulative), or R Schütze, European Union Law (Cambridge, CUP, 2015) 100 (equally, two conditions, including public service provision, cumulative)].

Uncertainty about the exact limits and implications of the Foster-test have remained for a surprisingly long time, and the CJEU had so far only provided limited and piecemeal clarifications--most recently, in its Judgment of 12 December 2013 in Portgás, C-425/12, EU:C:2013:829, where the CJEU still referred in less than clear-cut terms to 'bodies which, under the control of [the] authorities [of a Member State], have been given responsibility for a public-interest service and which have, for that purpose, special powers' (at [34], for discussion, see here).

In Farrell, concerning who was liable for failure to implement an EU motor insurance Directive properly following a car accident, the CJEU has clarified that the conditions set out in the so-called Foster-test are not cumulative (ie, a body does not need to satisfy both criteria to be an emanation of the State) and, in any event, that it suffices for an entity (even a private law one, not necessarily subjected to State control) to have been delegated the performance of a task in the public interest by the Member State and to possess for that purpose special powers.

According to the CJEU, in Foster, 'the Court was not attempting to formulate a general test designed to cover all situations in which a body might be one against which the provisions of a directive capable of having direct effect might be relied upon' (at [26]) and, consequently, that '[p]aragraph 20 of [Foster] must be read in the light of paragraph 18 of the same judgment, where the Court stated that such provisions can be relied on by an individual against organisations or bodies which are subject to the authority or control of the State or have special powers beyond those which result from the normal rules applicable to relations between individuals' (at [27]). Ultimately, then, the CJEU has clarified that the Foster-test is actually formulated at [18] (see also Farrell at [33]) and, consequently, that

... the conditions that the organisation concerned must, respectively, be subject to the authority or control of the State, and must possess special powers beyond those which result from the normal rules applicable to relations between individuals cannot be conjunctive (C-413/15 at [28], emphasis added).

Adding some further clarity, the CJEU explained that the 'emanations of the State' that are relevant for the purposes of ensuring direct effect of EU Directives after the expiry of their transposition period

... can be distinguished from individuals and must be treated as comparable to the State, either because they are legal persons governed by public law that are part of the State in the broad sense, or because they are subject to the authority or control of a public body, or because they have been required, by such a body, to perform a task in the public interest and have been given, for that purpose, such special powers.

Accordingly, a body or an organisation, even one governed by private law, to which a Member State has delegated the performance of a task in the public interest and which possesses for that purpose special powers beyond those which result from the normal rules applicable to relations between individuals is one against which the provisions of a directive that have direct effect may be relied upon (C-413/15 at [34]-[35], emphasis added).

In my view, this is a welcome clarification and one that can potentially catalyse a higher level of effectiveness of secondary EU law. It comes to clearly establish three prongs for the test of whether an entity is an emanation of the State (shall we re-label it the Farrell-test, for clarity?), which the entity will be if either (1) it is governed by public law, (2) it is subject to the authority or control of a public body, or (3) it performs a public interest task on the basis of special powers. This can have interesting implications in areas other than general EU law (eg in State aid law, to the effect of reducing the scope of the Judgment of 30 May 2013 in Doux Élevages and Coopérative agricole UKL-AREE, C-677/11, EU:C:2013:348--as criticised here) and, more generally, follows a welcome functional approach.

I envisage that the next potential frontier for litigation will concern what should be considered special powers, and whether they have to be substantial for an entity carrying out tasks in the public interest by delegation of the State to be considered 'emanations of the State' for these purposes. In Farrell, the special powers consisted in statutory powers 'to require [private entities] to become members of [the entity considered an emanation of the State] and to contribute funds for the performance of the task conferred on it by the [the Member] State' (C-413/15 at [40]). This seemed like a clear instance. However, there may be more difficulties in drawing clear lines where the powers are exercised in the context of a situation of a relationship of special dependence from the State, where the special powers form part of the task delegated to the entity. This can be particularly relevant in the context of contracted-out public services in sectors such as care, corrections or education, where the existence or not of special powers (eg to discipline) will trigger complex issues in the future.

On the whole, however, it seems to me that Farrell resolves one of the important areas of uncertainty in the area of the effectiveness of EU secondary legislation. It should thus be welcome.

Barnard & Peers: chapter 6
Photo credit:

*Reblogged from the ‘How to Crack a Nut’ blog

Tuesday, 26 September 2017

Brexit and Data Protection: The Tale of the Data Protection Bill and UK-EU Data Transfers

Elif Mendos Kuşkonmaz, PhD student at Queen Mary, University of London[*]


A Bosnian folk song tells the death of a severely ill Ottoman Pasha. After hearing of the Pasha’s death, his wife also passes away from sorrow. Now that the UK voted to leave the European Union (EU) on 23 June 2016, will data protection laws also pass away from sorrow after the UK leaves the EU?

The Data Protection Act 1998 (DPA), which is the UK’s current key regulatory regime for data protection, implements the EU’s Data Protection Directive of 1995 into the UK national law. This Directive is replaced by the General Data Protection Regulation (GDPR) adopted in April 2016, which introduces a task force (European Data Protection Board), new responsibilities for data controllers and processors, and new rights for data subjects such as right to transfer data from one server to another and right to be forgotten. All EU Member States have to transpose this Regulation by 25 May 2018 (before the UK is due to leave the EU). Accompanying the GDPR, a new Directive in relation to data protection in the field of police and justice sectors was also introduced at the EU level. This Directive creates a comprehensive framework for data processing activities performed for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. All EU Member States have to transpose this Directive into their national laws by 6 May 2018.

As an EU regulation, the GDPR will be directly applicable in the UK without the need for an Act of Parliament from 25 May 2018 forwards as the UK is expected to leave the EU officially some point after March 2019 and its EU membership continues until then. Still, there exists some provisions under the GDPR that Member States can adapt in their national laws such as permitted derogations from data protection principles (Article 23 on derogations from transparency obligations and data subject rights for purposes of national security, defence, public security etc., and Articles 85-91 on derogations for specific data processing situations such as necessary for freedom of expression, employee data, and scientific and historical research purposes). So, in anticipation of dealing with these issues, first, a statement of intent was published by the UK Government on 7 August 2017 as a form of commitment to the GDPR. Then, the Data Protection Bill was introduced to the House of Lords on 13 September 2017. (Also, see here for the House of Lords’ report on Brexit and data protection). This Bill will replace the Data Protection Act 1998, and will regulate the areas where the UK has competence to do so such as the permitted derogations mentioned above and areas that fall outside the scope of the GDPR like data processing for law enforcement purposes or for national security interests. So, in light of these recent developments, it is clear that the data protection in the UK will not experience an immediate death.

The Data Protection Bill in a nutshell

As a whole, the Data Protection Bill contains the general definitions under the GDPR and the derogations from data protection principles provided under it. These derogations include data processing for journalism, for research, and by employees under certain conditions.

It also covers the areas that are not covered by the GDPR. The first area is the data processing in the context of law enforcement (Part 3 of the Data Protection Bill), which is in fact covered by the Data Protection Directive on processing of personal data for law enforcement purposes (the ‘Law Enforcement Directive’). Unlike the GPDR, this Directive is not directly applicable in the UK.

Therefore, with the inclusion of the data processing by competent public authorities in relation to law enforcement purposes, the Data Protection Bill transposes the Law Enforcement Directive into UK law. It is said that the principles for such processing resembles the 2014 Regulations, through which the UK transposed the previous EU data protection rules for data processing in the context of law enforcement. On the basis of the broad definition of a competent authority for data processing under the Bill, data can be processed not only by criminal justice agencies in the UK, but also other organisations with law enforcement functions such as such as Her Majesty’s Revenue and Customs, the Health and Safety Executive and the Office of the Information Commissioner. The competent authority definition under the Law Enforcement Directive provides for such broad definition (Article 3(7) of the Law Enforcement Directive). Another area that is covered by the Bill and not by the GDPR is data processing for intelligence services (Part 4 of the Data Protection Bill). It is said that the provisions on this processing are based upon the Council of Europe’s Convention on automatic processing of data (Convention 108) and changes which are being made to that Convention [note 40 of the Explanatory Notes for the Data Protection Bill]. This part of the Bill is complementary to the other legislation in relation to intelligence services such as the Investigatory Powers Act 2016 (discussed below) [note 47], and therefore constantly refers to this legislation. It also provides for national security exemptions for certain provisions it sets forth for data processing by intelligence services (Chapter 6 of the Part 4 of the Data Protection Bill).

Consequently, when the Data Protection Bill receives Royal Assent (in principle, in May 2018 on the same day the GPDR is due to be applicable) the GDPR, which will be converted to UK law with the EU (Withdrawal) Bill upon Brexit, has to read alongside the Data Protection Bill. For references in the GDPR such as ‘Union law’ and ‘Member State law’ that will be no longer relevant after Brexit, Schedule 6 of the Data Protection Bill introduces amendments.

The Data Protection Bill has received both positive and negative comments. The positive ones hinged on the relief it has brought to data controllers based in the UK. That said, it is argued that the Bill contains some complex and legally questionable provisions, like this sentence: ‘Terms used in Chapter 2 and in the GDPR have the same meaning in Chapter 2 as they have in the GDPR’ (Section 4). Or this sentence: ‘GDPR applies to the processing of personal data to which this Chapter applies but as if its Articles were part of an Act extending to England and Wales, Scotland and Northern Ireland’ (Section 20(1)). Nevertheless, the second reading of the Data Protection Bill in the House of Lords is due on 10 October 2017 and there might be further changes to it before it becomes law.

What is at stake for the future of UK-EU cross-border data transfer after Brexit?

For the importance of the UK-EU cross-border data transfers the numbers speak for themselves. 43% of EU tech companies are based in the UK and 75% of the UK’s data transfers are with the EU Member States. It is for this reason that the UK Government has consistently referred to the importance of maintaining the data flow between the UK and the EU after Brexit [note 8.38]. However, even if one assumes that the Data Protection Bill successfully aligns UK law with the EU data protection framework, this does not mean that the Bill is a panacea for the future of this flow post-Brexit. This point was also accepted by the UK Government in their position paper on the exchange and protection of personal data after Brexit [note 4]. Upon the UK’s exit from the EU, the UK will be considered as a third country within the meaning of the abovementioned framework and any data transfer from the EU to there will have to comply with the rules on data transfer to a third country under the same framework.

Like the Data Protection Directive of 1995, the GDPR allows for transfer of personal data outside the EU/EEA, for instance if the European Commission decides that third country to which data are transferred ensures an ‘adequate level of protection’ for those data (Article 45 of the GDPR) or if the UK businesses (either as data processors or controllers) individually adopt other adequacy mechanisms such as standard contractual clauses and binding corporate rules (Articles 46 and 47 of the GDPR). In its position paper on the exchange and protection of personal data after Brexit, the UK Government referred to the Article 45 adequacy finding and mentioned that the future UK-EU data transfers could built upon this adequacy model [paras. 22, 32-41]. Moreover, it noted that the UK should be found as compliant with EU data protection framework as it introduced the Data Protection Bill, which implemented the GDPR and the Law Enforcement Directive [ibid, para. 23]. As discussed below, achieving a positive adequacy decision for the UK is not as uncontentious as the UK Government think it is.

At the outset, the UK should be found to afford an adequate level of data protection, which was defined in the CJEU’s Schrems decision (discussed here) as ‘essentially equivalent’ data protection to that of afforded under EU law. The crux of this decision is that in the Court’s view, US law failed to offer that level of protection because it included expansive national security derogations for the use of personal data by the US intelligence agency, which in turn meant that EU citizens were stripped of their privacy and data protection rights once their data reached the shores of the US under the then valid Safe Harbour principles scheme. It is evident from this decision that the activities of intelligence agency of a third country with respect to personal data transferred from the EU comes under the scrutiny of the European Commission in its quest for an adequacy decision for that country. Indeed, the GDPR requires the European Commission to consider a wide array of issues such as the rule of law, respect for fundamental rights, and legislation on national security, public security, and criminal law in that country (Article 45(2) of the GDPR). So, the UK Government’s assumption that the implementation of the GDPR will suffice for a positive adequacy finding for the UK is false because UK laws on data processing by intelligence agencies’ for national security purposes will come under the scrutiny of the European Commission.

Regretfully, the surveillance practices of UK intelligence services may imperil a positive adequacy decision. The discussions surrounding the Investigatory Powers Act (IPA), and its predecessor the Data Retention and Investigatory Act 2014 (DRIPA) is illustrative in this matter. The latter Act provided for the storage of telecommunications’ data for later to be used by police and security agencies. Following the CJEU’s Digital Rights Ireland decision (discussed here) finding practices of indiscriminate data retention in the context of fight against terrorism and transnational crime incompatible with EU fundamental rights of privacy and data protection, the DRIPA was challenged in the joined cases of Tele2 and Watson before the CJEU on the ground that it provided for such practices, and thus violated the mentioned rights. Consequently, the CJEU found the DRIPA unlawful as the data retention scheme established under it exceeded the limits of what is strictly necessary and was not justified. (See here for Prof Lorna Woods’s take on the Tele2 and Watson decision).

The IPA, which took the place of DRIPA, retains the contested provisions of the DRIPA, and in some situations provides for more controversial data processing. For example, the IPA provides for the retention of telecommunications data for preventing or detecting crime or preventing disorder (Article 87(1) of the IPA), which does not comply with the CJEU’s finding in Tele2 and Watson that ‘only the objective of fighting serious crime is capable of justifying such access to the retained data [para. 172]’. Therefore, the IPA sits at odds with the CJEU’s finding in Tele2 and Watson.

In fact, a legal challenge to the IPA in this matter has already been brought before the UK High Court by the UK based civil liberties organisation Liberty. Equally relevant is that Investigatory Powers Tribunal referred the question on the compatibility of the acquisition and use of bulk communications data under s.94 of the Telecommunications Act 1984 with EU law to the CJEU. (See here for Matthew White’s review on the matter).

Here, the status of the EU Charter of Fundamental Rights (Charter) and the jurisdiction of the CJEU after Brexit requires further attention. The EU (Withdrawal) Bill provides that pre-Brexit case-law of the CJEU stays binding after Brexit with certain exceptions (Clause 6. When departing from pre-Brexit case-law of the CJEU, the Supreme Court must apply the same test it applies when deciding whether to depart from its own case law, and Parliament or the executive can override that prior CJEU case law). However, the EU (Withdrawal) Bill in its current form excludes the Charter (Clause 5(4)), and puts an end to the jurisdiction of the CJEU (Clause 6) after Brexit. Still, this does not mean that the UK can ignore the decisions of CJEU given after Brexit because the EU data protection framework, which the European Commission will refer to when considering the adequacy question, will be interpreted in light of those decisions. The UK Government, on the other hand, seems to sweep these issues under the carpet in its post-Brexit paper because neither the discussions surrounding the IPA nor the case-law of the Charter after Brexit were mentioned in its position paper on the exchange and protection of personal data. Only when dealing with the UK-EU model of data exchange, it referred that such model should ‘respect UK sovereignty, including the UK’s ability to protect the security of its citizens and its ability to maintain and develop its position as a leader in data protection [note 22.] This statement might be read as a reference to the IPA, or any future law on surveillance practices and the end of the direct jurisdiction of the CJEU.

Alternatives to the adequacy finding under Article 45 of the GDPR include subjecting the data transfers to safeguards under Article 46, which include Binding Corporate Rules under Article 47. The Government already noted that these alternatives are not its primary target due to their limited scope [Annex A]. Still, as the ongoing challenge against the standard contractual clause scheme for data transfers under the Data Protection Directive of 1995 shows, neither alternative is immune from a legal challenge before the CJEU.

One might ask whether all these will be relevant for the data transfer during the transitional period should there be a transitional period after Brexit. The short answer is: yes, they will be. Despite the UK Government’s discontent, if the transitional period is based on the UK’s joining of the European Economic Area (EEA) and the European Free Trade Association (EFTA)– the so-called Norway option-, the data will continue to flow from the EU without an adequacy decision by way of retaining the GDPR as parts of UK law after Brexit since the GDPR has EEA relevance (ie, non-EU EEA states will apply the GDPR as such).

Other than that, the UK may seek to conclude a transitional agreement as part of the Article 50 negotiations, as indicated in the Prime Minister’s recent Florence speech (discussed here). That agreement will not be immune from the adequacy requirements discussed above because it will have to match the EU standards, and particularly the EU data protection framework and its rules on data transfers.

Data Protection in the field of police and justice sectors

As mentioned above, the UK aims to transpose the Law Enforcement Directive in to UK law with the Data Protection Bill. Yet, as in the case of GDPR, maintaining the data exchange between law enforcement authorities in the UK and in the EU will not be undisputed upon Brexit.

Any obstacle to this data exchange after Brexit has been considered as a gift for criminals and as a threat for public safety. So, it should not come as a surprise that the UK Government highlighted the importance of facilitating this data exchange for cross-border law enforcement cooperation in its position paper on security, law enforcement, and criminal justice [note 21]. Just like the GDPR, the Data Protection Directive on law enforcement requires an adequate level of data protection standards for data transfers to a third country (Article 36 of the Law Enforcement Directive). So, any future agreement between the EU and the UK on law enforcement information exchange would have to comply with these standards. The UK Government voiced its intention to ‘build on’ the adequacy scheme for the future of data exchange for law enforcement. Still, it was of the opinion that the implementation of the Law Enforcement Directive through the introduction of the Data Protection Bill is enough for the UK to secure a positive adequacy decision. I discussed earlier the scope of the adequacy assessment and the matters that may affect the likelihood of securing such decision. Besides, in the recent judgment by the CJEU on the compatibility of the EU-Canada Agreement on transferring passenger information in the fight against terrorism with the EU Treaties and Charter, the Court set a list of procedural requirements for the transfer of information in that context. In this regard, these requirements must be met for law enforcement data transfers to be compatible with the Charter. (See here Prof Lorna Wood’s review of Opinion 1/15.)

What is the EU’s position on data protection?

While all these developments and discussions are unravelling in the UK, the EU’s position on the matter focuses on the use and protection of personal data obtained or processed before Brexit for good reason – the need to determine what happens to data processed before Brexit Day. Accordingly, the EU Commission published a position paper as part of its approach to Article 50 negotiations in relation to such use and protection, updated on 21 September 2017. On the whole, the paper provides for the continuity of the application of the general principles of the EU data protection framework in force on Brexit day to personal data in the UK processed before that day. It also notes the continuity of the principal data subject rights’ such as right to be informed, right of access, and right to rectification. Moreover, it seeks the confirmation that the personal data with specific retention periods under sectorial laws must be erased upon the exhaustion of those periods, and that the ongoing investigations in relation to compliance with data protection principles on the Brexit day should be completed. It does not go unnoticed that the paper mentions to the CJEU as the legal authority to interpret the general principles that it refers to. As a whole, the position paper indicates that amidst the ambiguousness and the complexity that the future partnership with the UK on data protection holds, the EU Commission seeks to secure that this uncharted water will not be detrimental to data subjects whose data were transferred to the UK before Brexit.


The UK Government introduced the Data Protection Bill, which seeks to adjust its national laws on data protection with the GDPR and the Law Enforcement Directive. This development may mean that at least some EU data protection requirements will be implemented in UK law on the day the UK leaves the EU. Still, it should not be read as a solution for the issue of maintaining the UK-EU data transfer after Brexit because the GDPR’s and the Directive’s provisions on third country data transfer will be relevant for such transfer. After the CJEU’s Schrems decision, an adequacy finding and other legal mechanisms to enable that movement could trigger the extent of national security derogations and their interferences with fundamental rights of the persons whose data are transferred from the EU to the UK. Certain provisions of the IPA and the CJEU’s findings in Tele2 and Watson cannot be reconciled, and this may hinder a positive adequacy finding for the UK. The same conclusion can be drawn for any future EU-UK data transfer deal for law enforcement purposes.

Barnard and Peers: chapter 27
Photo credit: Cyberadvice

[*] Many thanks to Prof Steve Peers for his valuable comments.