Windrush: Violating data protection law under the guise of protecting it

Matthew White, PhD candidate Sheffield Hallam University.

Introduction

There have been numerous reports of Windrush Generation Commonwealth citizens being denied health care, detained, losing jobs and threats of deportation. Nick Nason describes the Windrush Generation as Commonwealth citizens from the West Indies who were invited to the UK after WWII to address the shortage of workers at the time. There was a time when West Indians enjoyed total freedom of movement. Nason notes that s.2(2)(b) of the Commonwealth Immigrants Act 1962 exempted from immigration controls those who arrived with their parents and were under 16. And this is still true for children who arrived prior to 1 January 1973, as Nason puts it, they are ‘in the UK legally.’   

The issue for the Windrush Generation arises due to successive immigrations laws, the 2014 and 2016 Immigration Acts. Both are designed to create a ‘hostile environment’ to ‘to make life so difficult for individuals without permission to remain that they will not seek to enter the UK to begin with or if already present will leave voluntarily.’ These new Acts required proof of one’s right to be in the UK, and would be denied access to key services (see above) if there was no evidence of this. It is this denial of access to services that has brought this shameful chapter in British history to light to the point where the Prime Minister, Theresa May had to apologise to Caribbean leaders. The sincerity of said apology is open to question given that vital protections for the Windrush Generation were removed from the 2014 Act and were warned about the implications of Act in question.

Destroying personal data on data protection grounds

On 17 April 2018, the Guardian reported that an Home Office ex-employee revealed that it had ‘destroyed thousands of landing card slips recording Windrush immigrants’ arrival dates in the UK, despite staff warnings that the move would make it harder to check the records of older Caribbean-born residents experiencing residency difficulties.’ The decision to do so occurred in 2010 on the grounds that ‘[t]hese slips provided details of an individual’s date of entry but did not provide any reliable evidence relating to ongoing residence in the UK or their immigration status.’

The Home Office then relied upon data protection law to justify deletion by arguing that keeping personal data for longer than necessary was in breach of data protection principles. More specifically, Robert Peston tweeted that the Home Office relied upon the Fourth and Fifth data protection Principles found in Schedule 1 of the Data Protection Act 1998 (DPA 1998).

The actions of the Home Office in relation to the destruction of personal data does not just have implications with regards to the DPA 1998 but also under the European Convention on Human Rights (ECHR), particularly Article 8 which provides that:

1.      Everyone has the right to respect for his private and family life, his home and his correspondence.

2.      There shall be no interference by a public authority with the exercise of this right except such as in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

According to the European Court of Human Rights (ECtHR) Grand Chamber (GC) in S and Marper (ECHR, 4 December 2008) the ‘protection of personal data is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life, as guaranteed by Article 8 of the Convention’ [103]. The mere storage of personal data interferes with Article 8 [67]. The GC continued that ‘domestic law must afford appropriate safeguards to prevent any such use of personal data as may be inconsistent’ with Article 8 [103]. The Home Office’s position on not storing personal data for longer than is necessary is consistent with the ECtHR’s approach [ibid], but this would be classed as subsequent [67, 121] use and thus is still an Article 8 issue.

The first requirement under Article 8 is whether the deletion of personal data was ‘in accordance with the law.’ This requires there to be some basis in domestic law [193]. One could argue the DPA 1998 itself provides the domestic law basis for deletion, but the ECtHR has previously held that it does not have to assess ‘the quality of the applicable data protection framework in the abstract and must rather confine itself as far as possible to examining the particular consequences of application of its provisions in the case before it’ [81]. This is due to the fact that reliance on the DPA 1998 does not guarantee an action to be ‘in accordance with the law’ [207]. The ECtHR has stressed that applicable laws must provide:

[C]lear, detailed rules governing the scope and application of the relevant measures; as well as minimum safeguards concerning, inter alia, duration, storage, usage, access of third parties, procedures for preserving the integrity and confidentiality of data and procedures for their destruction, thus providing sufficient guarantees against the risk of abuse and arbitrariness at each stage of its processing [75].

Therefore, the legal basis for the destruction of personal data in the context to which the Home Office relies becomes severely weakened. The DPA 1998 does not define the scope and application with clear, detailed rules as to when the Home Office is entitled to delete personal data, nor does it provide procedures for said destruction. The arbitrariness of the measure is apparent when it is clear that the Home Office deleted all said personal data en masse.

Moreover, even if one were to consider the DPA 1998 as the correct legal basis that is sufficient in ECHR terms, this does not answer the question as to why the Fourth Principle was used in this manner. The Home Office are essentially arguing that personal data held on Windrush Generation individuals were inaccurate, without actually taking reasonable steps to ensure the accuracy of said data in contravention of Schedule 1, Part II (7)(a) of the DPA 1998. When the domestic authorities do not even observe their own law, this would also violate Article 8 [45-9]

The lawful basis in this context is strongly linked to whether a measure satisfies the ‘quality of the law’ in which a law should be accessible to the person concerned and foreseeable to its effects [50]. This is usually satisfied when a law is published [52-3]. However it has been argued that the vagueness of the DPA 1998 provides an insufficient legal basis for the destruction of personal data in this context. In arguing so, it cannot be said the law is accessible, because there is no law to access, which in and of itself would violate Article 8 [69-70].

Regarding foreseeability, this is described as formulating the law:

[W]ith sufficient precision to enable the individual – if need be with appropriate advice – to regulate his conduct. For domestic law to meet these requirements, it must afford adequate legal protection against arbitrariness and accordingly indicate with sufficient clarity the scope of discretion conferred on the competent authorities and the manner of its exercise [95].

The level of precision ‘depends to a considerable degree on the content of the instrument in question, the field it is designed to cover and the number and status of those to whom it is addressed’ [96]. The DPA 1998 was designed to cover the protection of (sensitive) personal data, but not specifically in the immigration context, thus its Principles are not precise [98]. The DPA 1998 would not indicate to any Windrush Generation individual as to when or under what circumstances their personal data may be deleted by the Home Office, thus not providing sufficient clarify on the scope of their discretion.

Again, the arbitrariness of the Home Office’s actions is apparent when it destroyed thousands of landing card slips in 2010. For example, when would it be necessary to delete landing card slips? Would it be when the Home Office could guarantee that an individual would no longer require it to demonstrate they came as a child before 1973? It would be contrary to the rule of law if the Home Office used its power in an unfettered manner [62]. The exercise of power by the Home Office ‘was arbitrary and was based on legal provisions which allowed an unfettered discretion to the executive and did not meet the required standards of clarity and foreseeability’ thus amounting to a violation [86, 89].

This discussion on the unlawfulness of the Home Office’s reliance could have stopped at the end of the last paragraph, but it is important to consider the case of Kurić and others v Slovenia (ECHR, 13 July 2010) as it shares similarities with the Windrush Generation scandal. The applicants in this case complained before the ECtHR that the erasure of their names from the Register of Permanent Residents made them aliens overnight which denied them ‘civil, political, social and economic rights’ [319].

The applicants had been living in Slovenia for years, and most of them decades, some were even born there [356]. The applicants did not enter Slovenia as immigrants but as settled citizens [357]. Moreover, the applicants had a stronger residence status than long-term migrants and those seeking to enter or remain [357]. Although not identical, the erasure of landing cards made it more difficult for Windrush Generation individuals to prove they had a right to live in the UK, and due to this lack of proof they could be denied healthcare, jobs, bank accounts etc.

In that case, the ECtHR reiterated previous case law in that Article 8 is interfered with when the ‘persons concerned possess strong personal or family ties in the host country which are liable to be seriously affected by application of the measure in question’ [351]. They continued that the right to establish and develop relationships, embracing social identity, having social ties with the community all fall within the meaning of Article 8 [352]. Moreover, Article 8 is interfered with when one faces expulsion and having their citizenship arbitrarily denied [352-3]. Finally, the UK Government has positive obligations to respect Article 8 [354].

Due to the cumulative failings of Slovenia, the ECtHR concluded there was a violation of Article 8 [376]. The ECtHR did not decide whether the Article 8 violation was due to the measures not being ‘in accordance with the law’ pursued a legitimate aim or was ‘necessary in a democratic society,’ so the same approach will be taken to argue that in the cumulative, Article 8 has been violated. When one considers that landing cards had been destroyed arbitrarily in 2010, the Home Office claimed these had no impact on the rights of the Windrush Generation. This claim is contested by two Home Office whistle blowers arguing that the landing cards had been a useful resource. The whistle blower’s account is supported by the Border Force where its notes state that ‘Information from a landing card may be used by an entry clearance officer in making a decision on a visa application.’ Destroying landing cards allowed Home Office staff to tell those concerned that they had no record of arrival dates which would lead to the denial of services and at worst, deportation.

Moreover, citing data protection law as a reason for the destruction of personal data appears cynical due to the amount of personal data that is kept anyway and the fact that the same Government is seeking to create an immigration exemption in the new Data Protection Bill (Schedule 2, Part 1, (4). The Home Office also explained that it considers alternative evidence such as tax records, utility bills and tenancy agreements as evidence of ongoing residency. However, if one can be denied work, have bank accounts frozen and be denied tenancy, then this evidence could also be difficult to provide. The cumulative effect of denial of services to the threat of (or actual) deportation, the deletion of flying cards and the spurious reasoning behind it would amount to a violation of Article 8.

The racist elephant in the room

Nason asked whether the overt racism from the 1960s-80s has simply been replaced ‘by a more insidious, state-endorsed hostility in the name of immigration control.’ A group of NGOs published a report on the ‘hostile environment’ noting that its very nature is discriminatory and thus encourages discriminatory or even racist behaviour. Former Home Office employees detail how the ‘hostile environment’ changed the attitude of staff to the point where they enjoyed catching out Windrush individuals without evidence. James Moore argues that this is what happens when you let dog-whistle racism go mainstream.

Article 14 of the ECHR details how the enjoyment of rights contained in the ECHR must be protected in a non-discriminatory manner. The grounds for discrimination are non-exhaustive but include race, colour, national or social origin and birth. Any one of these can be relevant to the Windrush Generation. Article 14 only works in combination with another substantive Convention Right, in this instance Article 8 [84]. Article 14 requires a difference in treatment to those in an analogous or similar situation [66]. The ECtHR have maintained that:

[A] difference in treatment may take the form of disproportionately prejudicial effects of a general policy or measure which, though couched in neutral terms, discriminates against a group…may amount to “indirect discrimination”, which does not necessarily require a discriminatory intent [184].

The Windrush Generation have as much right to be here as any other UK citizen, yet they are the ones that a targeted under the ‘hostile environment.’ Given that the Home Office destroyed landing cards, removed key protections that could have avoided this. One could argue the actions of the UK Government are more than just indirect discrimination because the discriminatory intent arises for the poor reasoning for destruction of flying cards to the lack of reasoning for removing key protections. The Government has no objective reasonable justification for this difference in treatment and thus amounts to discrimination [196]. Moreover, the Windrush Generation are being treated as though they are immigrants. This engages a different type of discrimination issue under Article 14, a Thlimennos discrimination which notes that:

The right not to be discriminated against in the enjoyment of the rights guaranteed under the Convention is also violated when States without an objective and reasonable justification fail to treat differently persons whose situations are significantly different [44].

There is no objective reasonable justification on any of the discriminatory grounds and thus amounts to a violation of Article 14 in conjunction with Article 8 [208-210]. Thus, under the ECHR, the racist and discriminatory elephant in the room is glared upon with distain.

Conclusions

This post has highlighted that the dubious reasoning as to why the Home Office destroyed crucial information that could have helped prevent some of the tragedies of the Windrush Generation is flawed, logically and legally. Not only is it flawed, reliance on data protection grounds in ECHR terms would amount to using Article 8 as a shield, and for the UK Government to do so would raise serious questions regarding Article 17 (the abuse of rights). Not only is the Home Office’s actions and reasoning in violation of Article 8, it violates Article 8 on the ground of defending it. There is a bigger issue which highlights the resurfacing of racism and discrimination in a new form which violates Article 8 in conjunction with Article 14. The ‘hostile environment’ has provided a platform and has legalised discrimination and racism, the destruction of landing cards in 2010 can be seen as the first steps towards this, and the removal of key protections for the Windrush Generation in the 2014 Act  is no accident either. The ‘hostile environment’ is the problem and the recent outrages shows that there are ‘resources of hope, but time is running out – we are at five minutes to midnight.’

Photo credit: www.sas.ac.uk

Data protection and smart meters: the GDPR and the ‘winter package’ of EU clean energy law

Alessandra Fratini and Giulia Pizza, FratiniVergano, European Lawyers - a Brussels-based law firm specialising in European and international law

Introduction

On 30 November 2016, the Commission launched the “Clean Energy for All Europeans” legislative package, aimed at modernizing the European electricity market and facilitating the transition to more decentralized, clean energy solutions. “Decentralization” is seen as a driver for innovation and the key factor for rebalancing energy actions in favour of a demand-driven policy, where consumers are equipped with the right tools to actively participate in this paradigm shift. Smart metering systems are one of the “right tools” for consumer empowerment, as they allow users to make decisions about their energy consumption by reacting to real-time tariffs.

The proper functioning of smart meters requires that a significant amount of sensing data be collected and processed by eligible parties and made available to entitled stakeholders. That generates data protection challenges and creates new risks for the data subjects with a potential impact in areas (e.g. price discrimination, profiling, household security) previously absent in the energy sector. While the General Data Protection Regulation (GDPR) provides the general legal framework for ensuring privacy and data protection of final consumers in the context of the smart meters’ roll-out, the Commission’s proposal for a recast of the Electricity Directive (which is part of the “Clean Energy for All Europeans” package and specifically regulates smart meters’ deployment) includes detailed provisions to ensure that data protection issues are properly tackled. It is understood that, once adopted, the latter would act as lex specialis with reference to the generally applicable GDPR provisions.

After an overview of the evolution of smart meters in EU law, this article reviews the challenges that smart metering systems pose to the protection of personal data and how these can be addressed under the GDPR provisions, read in conjunction with the specific requirements on data protection foreseen in the recast Electricity Directive.

Smart Metering Systems in EU law

Smart meters are electronic devices that record real-time production and consumption of electricity and communicate that information to the utility operator for monitoring and billing. Smart meters allow consumers to adapt their consumption – in time and volume - to real-time energy prices, thereby helping them to manage their usage more effectively and, conceivably, save money.

The deployment of smart meters is expected to improve customer service, with more accurate billing, easier and quicker switching between payment methods. It will also increase the opportunities for consumers who produce their own energy to respond to prices and sell excess to the grid.

The idea of equipping consumers with intelligent systems allowing them to manage their energy consumption was developed in the 2006 Energy Service Directive (ESD) and later taken up in the (still in force) 2009 Third Energy Package, which marked a turning point in the energy market integration process within the EU. With the third package, in fact, the focus shifted to the development of an effective retail market, with specific measures being designed to grant energy consumers a number of rights, such as the right to switch energy providers and receive clear energy bills. It is exactly from the perspective of consumer empowerment that the 2009 Electricity Directive strongly promotes the use of intelligent metering systems for the long-term benefit of consumers.

In line with the same spirit, the 2012 Energy Efficiency Directive (EED) includes a comprehensive set of measures on metering and billing with a view to extending the scope and further clarifying the provisions foreseen in the Third Package and in the ESD. In addition, for the first time, the EED touches upon data privacy and security in the installation of smart meters and foresees, among the obligations imposed on Member States, compliance with relevant Union data protection and privacy legislation.

Finally, the 2016 Clean Energy Package, also known as the “Winter Package”, further fits into this picture. The Commission acknowledged that it was time to update the existing framework to make it compatible with the higher levels of flexibility and decentralisation of today’s energy sector, and to create the enabling environment to facilitate the “paradigm shift” to a more competitive and consumer-centred market structure.

In particular, the proposal for a recast of the Electricity Directive introduces new rights to empower and better protect end users, such as the right to clearer billing information and certified comparisons tools, the entitlement to a dynamic price contract, the possibility to engage in demand-response and in self-generation of electricity. Smart meters are the essential tools to allow for an effective exercise of these rights. In this context, the recast Directive provides specific definitions for smart metering systems and interoperability and devotes a specific section (Articles 19-24) to smart meters’ functionalities, deployment, and data management issues.

Article 20 of the proposal sets out seven principles to be applied when rolling out smart meters. Out of those seven principles, four relate to the protection of personal data, including consumers-data subjects’ rights. In particular, points b) and c) state that security of data communication and data protection of final consumers shall be ensured in compliance with relevant Union security and data protection legislation. On data subjects’ rights, point e) stipulates that energy consumers are entitled to access metering data on their electricity input and off-take in an easily understandable format, while point f) requires Member States to ensure that consumers are duly informed at the time of installation of smart meters of the collection and processing of their personal data. 

Besides the abovementioned principles, a more specific set of provisions (Articles 23 -24 and Annex III) focuses on energy data access and management and reiterates the need to ensure the highest level of cyber-security and data protection by applying the best available techniques in the field.

Key data protection issues in smart metering systems under the GDPR and the Winter Package

A smart meter is supported by a communications network that collects and processes an increasingly high quantity of personal data and makes it available to entitled stakeholders and systems. These data are collected everywhere in the smart electricity system, including consumers’ homes and, possibly, electric vehicles. In this respect, final consumers’ trust and confidence are crucial: without proper guarantees on data protection, consumers are likely to be reluctant to take risks and might possibly dismiss innovation in favour of conventional meters.

Being the development of standards for data protection and security key to realising the full potential of smart metering in the EU, an express reference to the recently adopted GDPR is included in the section on smart meters (Article 23) of the recast Electricity Directive. Investments in smart metering technology also depend on consumer’s trust in the utilities and network operators. The draft Directive aims at stimulating consumer involvement with attractive incentives, while at the same time creating an indissoluble bond between smart meters’ technical implementation and compliance with EU data privacy and security standards.

The specificities of smart meters raise some key specific issues in relation to the application of the GDPR and the (future) recast Electricity Directive, such as the qualification of “energy data”, the allocation of responsibilities in energy data management and the rights of the data subjects.

 Qualification of “Energy data”

Smart metering systems process huge amounts of data as part of their routine technical operations. The first issue that arises is thus whether all of those data shall be regarded as personal data.

Nulla questio for registration data provided by the data subject when entering a contract for the roll-out of a smart meter, i.e. name, address and information on consumer’s billing data and payment methods, which are unquestionably “personal data”. The conclusion is less undisputable when it comes to consumer’s “energy data”, which are identified by the recast Electricity Directive as metering and consumption data, and data required for consumer switching. While these data, at first sight, might be considered as technical data and, as such, deemed to fall outside the scope of the GDPR, they are actually – and inextricably - linked with the natural person who is responsible for the metering account via a unique identifier, such as a meter identification number. These data are therefore to be regarded as personal data because they are associated with an identified or identifiable user and disclose information on his/her energy usage, thereby providing insights on the daily life of the data subject. When the data subject is a “prosumer”, i.e. a small or medium-sized agent which both consumes and produces electricity, the “energy data” refer to the amount of energy and power injected into the grid, which in turn provide information on the amount of available energy resources of the data subject.

The above reading of “energy data” as personal data would be in accordance with the GDPR, whose definition of personal data includes information revealing the economic situation of the data subject. That is all the more true, if one considers that energy data may be more or less detailed based on the consumer’s needs, as they can be designed and tailored accordingly. “Energy data” represent therefore an increasingly valuable asset not only for final consumers, who can adjust their behaviour to variable tariffs to reduce their energy expenditure, but also and especially for policy makers who have a precious instrument (consumers’ real-time feedback) at their disposal to effectively target, monitor and evaluate measures and actions in the field.

However, data gathered from smart meters can also be used for other purposes. Energy data allow for a better understanding of customer segmentation, customer behaviour and how pricing influences usage. As such, those data might be used for specific profiling exercises, e.g. to gather sensitive information on the end-user’s energy-based footprint in his/her private environment, his/her behavioural habits and preferences by analysing the information collected through the meters. Smart meters will likely have an impact on the competitive pressure within energy supply markets, as the provision of accurate and reliable data flows by the smart metering infrastructure will enable easier and quicker switching between suppliers. Accessing consumers’ data on energy preferences will therefore constitute a significant advantage for energy utilities. That is why adequate levels of protection shall be ensured during both the transmission and the processing phase, to avoid unauthorised consumer profiling based on the detailed meter readings and other possible “further” uses of those data.

In addition, the potential risks associated with the collection of detailed consumption data are likely to increase in the context of the so called “internet of things”, where energy data can be combined with data from other sources, such as geo-location data, data available through tracking and profiling on the internet, video surveillance systems and radio frequency identification (RFID) systems. The critical issue is in fact that smart meters could constitute the entrance gate to get a privileged access to the digital domain of a household.

Data management and allocation of responsibilities

As clearly established by Article 23 of the recast Electricity Directive on data exchange and management in the context of smart meters’ roll-out, any issues relating to energy data handling are to be tackled at national level. It follows that Member States, or the competent authorities, “shall organise the management of data in order to ensure efficient data access and exchange” including specifying the eligible parties which may have access to data of the final customer, provided that explicit consent is given in accordance with GDPR provisions. Eligible parties shall include at least customers, suppliers, Transmission system operators (TSOs) and Distribution system operators (DSOs), aggregators, energy service companies, and other parties which provide energy or other services to customers. This list is understood to be purely indicative and non-exhaustive, considering the highly dynamic environment of the energy sector.

The GDPR identifies characteristics and responsibilities of data controllers, processors and third parties authorised by controllers and processors to collect and process personal data. The controller is the sole responsible, alone or jointly with others, for determining the purposes and means of the processing of personal data while the processor performs the processing of personal data on behalf of the controller. The third party processes personal data under the direct authority of the controller or processor and solely if authorised to do so by those. Finally, recipient is the party to which the personal data are disclosed, whether a third party or not.

As the implementation of smart meters involves a number of actors in the processing of personal data, it is crucial to identify who, in that context, should be regarded as data controller, processor or simply an authorised third party. The allocation of roles and responsibilities might not be straightforward, since the arrangements for smart metering deployment - and consequently the data management model - are a matter to be addressed at Member States’ level and no clear guidance exists at EU level. Given the number and complexity of relationships, it is likely that there will be difficulties in applying the relevant definitions.

Nevertheless, based on the GDPR, the following set of roles and responsibilities can be identified. The controller could be defined as the “metered data responsible”, who handles metered, contractual and network data. Its responsibilities are collecting, validating, analysing and archiving historical data as well as ensuring that customers have at their disposal their consumption data and giving, by explicit agreement and free of charge, any registered supply undertaking access to its metering data. The role of the processor can be associated with that of the “metered data collector” or of the “metered data aggregator”, who are respectively responsible for meter reading and quality control of the reading and for the establishment and qualification of metered data from the metered data responsible or controller. The recast Electricity Directive proposes that the parties which are managing data be authorised and certified by the national competent authorities in order to ensure compliance with the data protection requirements. This is in line with the GDPR, which encourages Member States to establish certification mechanisms and codes of conduct to demonstrate the existence of appropriate safeguards provided by controllers or processor.

In most Member States, the DSO is the metering operator and, as such, it is the data controller in the first phase of the metering data process. The DSO´s process ends with creating a bill for network usage; in a second step, the metering data are passed on to the electricity supplier, who is responsible for billing and serving consumers, thus acting as the data controller in this final phase of the processing operation. As a matter of fact, DSOs are already involved in the processing of personal data because they have detailed information on the status of network components, generators connected to the network and energy flows throughout the network. In some cases, the DSO outsources parts of its metering business to a metering operator (MO), an entity which offers services to install, maintain and operate metering equipment related to supply. This role might be further split into two entities, one responsible for managing the meter and another responsible for managing the metering data. In this case, the MO performs the role of the processor based on a contractual arrangement with the DSO. However, in the majority of Member States the metering sector is considered part of the distribution business, with the DSO being both the owner and the responsible party for smart meters’ roll-out and granting accessing to metering data.

Notwithstanding the leading role of DSOs in smart meters’ data management, some Member States have opted for a separate entity (central communication hub), which shall provide third parties access to metering data, decoupling the processing of data from the physical meter. In such a system, consumers’ data are stored on the smart meter installed at their premises and the central hub entity is responsible for routing (but does not store) data, gathering those from the equipment in the consumer’s premises and delivering the same to energy suppliers, DSOs and other third parties. Such a transmission can occur, pursuant to the GDPR, further to consent appropriately expressed by the data subject.

A similar allocation could apply in those Member States, who have instead adopted a communication structure based on a middleware (the “data concentrator”, or “data aggregator”), located at medium voltage/low voltage substations, which works as a communication gateway between the data management system and the smart meters. The data concentrator collects information and data, often from multiple meters, in a particular geographical area before communicating the data to a central database for billing, troubleshooting and analysing. Concentrators are heavily used in densely-populated areas.

Rights of the Data Subject

The GDPR includes a wide range of rights for data subjects, some brand new, some existing already under the Data Protection Directive but enhanced by the reform.

Amongst the existing rights, the right to be informed when personal data are being collected and processed, the right of access as well as the right to object to certain processing activities (including profiling) and to automated individual decision-making are relevant in the smart metering systems’ context. Amongst the new rights, the right to data portability is also likely to be of relevance when smart meters are fully operational.

Article 20 (1) f) of the recast Electricity Directive reflects Article 14 of the GDPR listing the information to be provided by the data controller where personal data are collected from the data subject. In particular, appropriate information on the energy consumption and on the collection and processing of personal data shall be given at the time of installation of the smart meter. As regards the minimum details of the information notice, the provision explicitly refers to applicable Union data protection legislation.

Article 20 (1) e) of the Directive establishes the right for the customer to access his/her metering data on electricity input and off-take, while Article 23 (4) specifies that such access should be free of charge for final customers. Article 20 describes the minimum principles to be observed when smart metering systems are designed and implemented. Data protection measures enabling provision of information and availability of metering data constitute therefore a set of minimum functionalities to be integrated in all smart metering systems. That is a clear reference to the “data protection by design” principle under the GDPR.

However, the right of access to consumer’s data shall be also guaranteed to all eligible third parties under the Directive, in a non-discriminatory manner and simultaneously, so as to ensure that the system works properly. Eligible parties’ access finds its legal basis in Article 23 (2), which stipulates that, independently of the data management model chosen by the Member State, the party or parties responsible for data management shall provide any eligible party access to the data of the final customer, subject to the latter’s explicit consent. Access to consumers’ data by eligible parties may not be free of charge according to paragraph 4. Nevertheless, the Directive places an obligation on Member States to set the relevant access costs in order to ensure that regulated entities that provide data services do not profit from that activity.

Finally, Article 20 (1) GDPR defines the right of data portability as “the right to receive the personal data, which the data subject has provided to a controller, in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from the controller to which the data have been provided”. Accordingly, data portability is the right of the data subject to receive a subset of the personal data processed by a data controller concerning him/her, and to store those data for further personal use. In addition, that right allows data subjects to transmit personal data from one data controller to another “without hindrance”. As regards the type of personal data concerned, the first condition for the exercise of this right is that the data pertain to the data subject, while the second condition is that the data have been provided by the data subject to the data controller.

The Article 29 Data Protection Working Party (WP29) has clarified in its Guidelines that data that fall within the definition of data “provided by” the data subject are not only the “data actively and knowingly provided by the data subject” but include also those personal data that are observed from the activities of users such as raw data processed by smart meters. In the smart meters’ context, the data subject is therefore entitled to exercise his/her right to data portability only with respect to his/her usage data regularly generated by the metering system and simply collected by the data controller, without being processed or manipulated by the latter. As a result, data that are created by the data controller using the data observed or directly provided as input, such as a user profile designed by analysis of the raw smart metering data collected, do not appear to fall within the definition of data “provided by” the data subject.

The GDPR places some requirements on data controllers for the format to be used in data transfers to other data controllers when the data subject exercises his/her right of portability. More specifically, personal data must be provided “in a structured, commonly used and machine-readable format”. The terms “structured”, “commonly used” and “machine-readable” are a set of minimal requirements that should facilitate the interoperability of the data format provided by the data controller. Given the wide range of data types that might be processed and the specificities of each sector, the GDPR does not provide specific recommendations as to the data format, thus leaving it to each industry to develop the common set of interoperable standards and patterns to deliver the minimum requirements of the right to data portability.

Welcoming the industry-focus approach, the recast Electricity Directive outlines the minimum features the format for metering data transmission should have. Article 20 (1) e) stipulates that “metering data on electricity input and off-take shall be made available via a local standardised interface and/or remote access in an easily understandable format, allowing customers to compare deals on a like-for-like basis”. Here the primary aim of data portability seems to be price comparability, to facilitate service switching and enhance competition between services. This provision closely mirrors Article 24 of that Directive, which requires Member States to develop a common data format and a transparent procedure for eligible parties to have access to the consumers’ data. Here too, competition is the driver since the data format is conceived to ensure that energy utilities active on the retail market get simultaneous and non-discriminatory access to final costumers’ data. However, the Directive does not establish a minimum set of specifications for eligible parties’ access data format. That shall be defined by the Member States and then by the Commission, who is explicitly called on to determine a common European Data format that will replace the ones adopted at national level.

DPIA in Smart Meters’ roll-out

The Data Protection Impact Assessment (DPIA) is a tool designed to describe the envisaged processing operations carried out by an organisation during its activities in order to evaluate the origin, nature, particularity and severity of risks of these operations to the rights and freedoms of the data subjects. The outcome of the assessment helps to determine the appropriate measures to be taken to mitigate the risks and demonstrate that the processing of personal data complies with data protection requirements.

In its first Recommendation on the roll-out of smart metering systems issued in 2012, the Commission called on Member States to adopt and apply a template for DPIA that should be developed by the Commission and submitted to the WP29 for its opinion. In 2013, the Commission submitted to the WP29 the first version of the DPIA template prepared by a dedicated expert group under the Smart Grid Task Force. In its opinion, the WP29 welcomed the objectives identified by the template but expressed concerns on various parts and invited the Commission to revise it. A new version of the template was subsequently submitted to the WP29. The WP29’s final opinion issued in December 2013 recognized the improvements with respect to the previous version and recommended to organise a test case with some real cases. After having taken into account these final comments of the WP29, the Commission issued a Recommendation to promote the adoption of the template.

While having been issued before the formal adoption of the GDPR, both the Commission Recommendation and the Opinion of the WP29 are fully in line with it. However, no obligation to ensure that a DPIA is carried out is imposed on the Member States, given that the Data Protection Directive established the discretional nature of performing a smart meter’s DPIA. On the contrary, the GDPR renders the DPIA mandatory under certain conditions and calls on competent supervisory authorities to impose fines in case of failure to carry out a DPIA when required. According to the GDPR, a DPIA is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons”. In order to ensure a consistent interpretation of the circumstances in which a DPIA is mandatory, the WP29 Guidelines, adopted in April 2017 and further revised in October 2017, clarify this notion and provide criteria for the development of a common EU list of processing operations for which a DPIA is obligatory.

The more criteria the processing meet, the more likely it is to present a high risk to data subjects and therefore to require a DPIA. Of the nine criteria identified by the 2017 Guidelines in this respect, at least three seem applicable to the operation of smart meters. In particular, the evaluation or scoring criterion, including profiling and predicting, is fully applicable to smart meters insofar metering data help utility companies building behavioural or marketing profiles based on consumers’ energy usage. Data processed on a large-scale criterion is also likely to be relevant in the smart meters’ context. Smart meters register consumption data at short, regular intervals and ensure their timely transmission to the data controllers or concentrators which, in turn, organise the huge volume of data received from users in a specific geographical area in aggregated forms for the efficient maintenance of the grid and for allowing energy utilities to adjust their energy production accordingly. Finally, the innovative use/application of new technological or organisational solutions criterion is undoubtedly of relevance in the deployment of smart metering systems, to the extent that this can involve novel forms of data collection and usage that have unknown, significant impacts on individuals’ daily lives, depending on the data management model adopted at national level.   

In addition, still in the context of the new technology product criterion, another privacy concern that might trigger the need to carry out a DPIA may be the case of a piece of hardware or software, where this is likely to be used by different data controllers to carry out various processing operations. The data controller remains certainly obliged to carry out its own DPIA with regard to the specific implementation of the new product, but this can be informed by a DPIA prepared by the product provider. In smart meters, the above applies to the relationship between manufacturers of smart meters and DSOs or utility companies. Each product provider or processor should share useful information with neither compromising secrets nor leading to security risks by disclosing vulnerabilities.

Once the assessment of the criteria has been completed and the existence of an obligation to carry out a DPIA has been ascertained, the process can be initiated, possibly according to the procedure identified in the DPIA template developed by the Smart Grid Task Force. The generic iterative process consists of several procedural steps going from the identification of necessary resources and constitution of the DPIA team, to the description of the smart grid/metering systems and the identification and assessment of relevant and residual risks to be concluded with the drafting of the DPIA report and the development of measures for reviewing and maintenance.

Conclusions

Smart metering systems are becoming one of the primary tools to promote participatory processes and decentralization which are at the heart of the energy transition and the development of new energy services. A massive deployment of smart meters is expected in the near future, after the Third Energy Package made the roll-out compulsory, should the economic assessment be positive, and the Winter Package put it at the centre of its reform as a key instrument to empower energy consumers. The potential privacy risks posed by their implementation need to be tackled with highest priority. It is in fact essential that consumers have access to trusted mechanisms to manage their energy data and create value with it, while being in complete control of their private environment and behavioural habits.

For years, there was no specific binding legislation devoted to data protection in smart metering systems, while a number of soft-law instruments were adopted to balance energy policy goals with data protection concerns. In recent years, the EU legislator has started paying special attention to personal data protection in smart meters’ deployment, and some important progress has been made as a result, starting with the development of the DPIA template.

Today, the development of standards and safeguards for data protection and security in smart meters’ roll-out is a major objective in the EU. Against the background of the recently adopted GDPR, a specific data protection and security framework for smart meters has been proposed in the recast Electricity Directive. The aim is to embed relevant GDPR provisions in the new text and tailor those to the needs and specificities of smart meters’ implementation and functioning. It follows that a new, comprehensive legal framework to ensure high level of personal data protection in smart metering systems is being shaped, which is expected to lead to greater trust and confidence of energy consumers and, in turn, to their increased participation in the decentralisation process.

Photo credit: Utility Week

Privacy and data protection in universities: recent ECJ and ECtHR rulings

Professor Steve Peers, University of Essex

Privacy and data protection are different legal concepts, derived from different legal instruments, applied by different courts at European level. But the two concepts often overlap, and the relevant courts (the ECJ, interpreting the EU data protection Directive and other relevant EU laws, and the European Court of Human Rights, interpreting the right to privacy in the ECHR) sometimes make reference to the other’s case law and legal texts.

In the last month, each court has given a ruling on the respective rights in the context of universities or other academic institutions. This is a good opportunity to contrast the two courts’ different approaches in comparable cases, and to draw broader conclusions about the importance of these rights in the context of education.

Students and exam scripts: the Nowak case

In today’s judgment in Nowak, the ECJ ruled on the application of the EU’s current data protection Directive to exam scripts. The Directive will be replaced by the General Data Protection Regulation – the ‘GDPR’ – from next May, but the outcome of this judgment would likely be the same under the Regulation, especially since (as noted below) the Court makes some mention of the GDPR already in this judgment. 

Mr Nowak is a trainee accountant in Ireland who failed a crucial exam four times. He applied for all personal data held on him by the Institute of Chartered Accountants of Ireland, but it refused to send him a copy of the exam script. He complained to the Irish data protection supervisory authority, but it ruled that exam scripts were not personal data; moreover his complaint was vexatious. He challenged the authority through four levels of Irish courts, losing at every stage until the Supreme Court ruled that his complaint was inadmissible. But since that Court was uncertain as to whether exam scripts were personal data, it decided to ask the Court of Justice to interpret the relevant EU law.

The ECJ began its ruling by applying the Directive’s definition that ‘personal data’ is ‘any information’ relating to an identified or identifiable person. A student is either identified by name or necessarily identifiable via an examination number. (It’s fortunate that the Court confirmed the latter point, since I’ve used it in classes for years as an example of when an individual is ‘identifiable’).

According to the Court, it’s not relevant whether the examiner can identify the person at the time of marking, and it’s possible for the means of identification to be split up between different people, because the administrative staff will match the exam marks to each student later. This confirms the practice of anonymous marking – as well as many other aspects of life where registration numbers are used when processing data to preserve confidentiality.

But is the exam script (and the examiner’s comments on it) information relating to such a person? The Court reiterates that the Directive has a wide scope in general, and then confirms that the notion of ‘any information’ has a wide scope in particular: ‘not restricted to information that is sensitive or private, but potentially encompasses all kinds of information, not only objective but also subjective, in the form of opinions or assessments, providing that it ‘relates’ to the data subject’.

Applying that definition, exam candidates’ answers are linked to them personally, since they show (among other things) each candidate’s intellect, knowledge and judgment. The purpose of collecting the answers is to assess the candidate’s abilities and suitability, and the use of the answers can affect the candidate’s rights or interests, for instance to access a profession. All this is equally true if (as in this case) the exam is open book.

More significantly for academics, comments on the exam are also personal data. They constitute an opinion relating to the candidate, in particular an evaluation of the candidate’s abilities, and have an effect upon that candidate. It doesn’t matter that these comments are also personal data relating to the examiner, since information can constitute personal data relating to more than one person.

Nor does it matter that the rules on access and rectification of the data apply, once information is defined as ‘personal data’. The Court anxiously points out that rectification can’t mean that an exam candidate can alter incorrect exam answers, since the right to rectify is linked to the purpose why the data was collected – in this case, to assess the candidate’s abilities. What could be rectified is errors like a missing cover sheet, or one candidate’s exam script being confused with another candidate’s script. Moreover, exam sheets might have to be destroyed once they are no longer relevant, as a consequence of data protection law.

Furthermore the Court usefully points out that the candidate does not have a right to the exam questions (!) – presumably meaning access in advance of the exam – since those questions as such are not personal data in respect of the candidate.

The Court’s final – and very vague – point is that restrictions can be placed upon access to data, both under the Directive and (under more circumstances) the GDPR. Frankly, it’s not clear what point the judges are trying to make here, since this observation is not then applied to the facts of the case.

Comments

The practical outcome of the judgment is that markers of scripts will have to be careful what they write on them. Peevishly sniping “I’m sick of this student already” would be a bad idea; so would angrily scribbling “f*@! the Vice Chancellor!”. Rather the comments should relate to a fair assessment of the content of the script.

While some academics will be understandably concerned about their workload, there’s no reason why data protection law should impact on how detailed such comments should be – or indeed if there are any comments at all. That’s an issue for universities and other educational institutions to determine.  Having worked in a legal environment where exam scripts and comments are available to students for many years, in my experience at least there are no particular problems.

Data protection law judgments are often criticised for a lack of common sense, but there’s some sign of that uncommon commodity here: the Court rules out the obvious absurdities of students correcting an exam paper after it has been handed back, or having a right to advance knowledge of the exam questions. It does not mention some of the broader educational policy arguments for its judgment though: the accountability of markers to students, and the potential usefulness of comments on exam scripts as feedback for students, which is perhaps what the frustrated Mr Nowak was seeking here. Of course, the latter point is dependent on how detailed the comments are: the judgment does not rule out markers simply writing the infamous phrase "Good as far as it goes".

Privacy in lecture theatres: the Antovic and Mirkovic v Montenegro case

So professors must be accountable to students in the context of exam marking; but to what extent can their privacy be affected by attempts to make them accountable to university management? In this case, the Dean of the mathematics school in a university decided to start taping university lectures, for the twin reasons of protecting university property and ‘surveillance of teaching’.

It’s not known if professors responded by writing “f*@! the Dean!” on exam scripts. Rather more pragmatically, some of them complained to the data protection supervisory authority, which ruled, after initial hesitation, that the university had breached data protection law. (Comparing this to the Nowak case, it’s striking that the watchdog based outside the EU barked louder than the watchdog based inside it).

The professors then challenged the university in court for breaching their right to privacy as regards the period when the video surveillance was applied. They lost in the national court, so challenged the state before the European Court of Human Rights (ECtHR) instead.

The ECtHR ruled in the professors’ favour by a 4-3 margin, although on the crucial issue – whether a right to privacy even existed, and if so, why – they split three ways, with no one view commanding a majority. In light of this close result, it remains to be seen whether Montenegro might ask the ECtHR Grand Chamber to review this ruling.

All judges agreed that the key question was whether there was a ‘reasonable expectation of privacy’. In this case, the majority ruled that in light of previous ECtHR judgments (most notably the recent Barbulescu ruling on employer monitoring of employee Internet use, discussed here), such an expectation usually applied to workplace spaces.

That meant there was an interference with privacy rights, which could be justified under Article 8(2) ECHR if the interference was in accordance with the law and had a specified legitimate aim. Here the interference was not in accordance with the law, since the law did not lay down the possibility for surveillance of teaching and set a condition (which was not met here) that surveillance could be used for surveillance of property only if no other means was possible. So there was no need to assess whether a legitimate aim existed.

For two concurring judges, the conclusion that there was an interference with the right to privacy was correct, but should have been reached on other grounds. Rather than focus on the surveillance taking place in the workplace, the key issue should have been the activities being carried out. Lectures are an occasion to discuss ideas and interact with students, and formed part of the expression of academic freedom. (Note that the applicants did not argue a breach of Article 10 ECHR, setting out the freedom of expression).

For the dissenting judges, there was no interference with the right to privacy at all. The case law, in their view, only protected a reasonable expectation of privacy in some circumstances, which did not apply here in light of certain safeguards: there was no audiotape; the professors were not identifiable due to blurring of faces; and there was limited further use of the tapes.

Comments

The ECtHR did not discuss EU data protection law, but EU rules would likely have led to a comparable result (adapted to dats protection law), for yet another different set of reasons. In its judgment in Rynes (discussed here), the ECJ ruled that the data protection Directive applies to CCTV recordings unless they only record activities inside a home (the ‘household exception’ in the Directive). That would suggest that recordings of lecture theatres are covered by the Directive. The dissenting judges’ analysis of whether the professors were ‘identifiable’ seems, with respect, superficial in light of the Nowak judgment: was there really no way to deduce, in light of time stamps for instance, who would have been lecturing at that time?

Of the two lines of reasoning in the judgment supporting the application of the right to privacy, the concurring judges’ analysis is more convincing. ‘Surveillance of teaching’ is a notion that excites authoritarians in general, and hard Brexiteers in particular. Given that the exceptions to Article 8 ECHR can apply only if necessary in a ‘democratic society’, it makes sense to take account specifically of the importance of academic freedom when assessing whether the right to privacy has been interfered with – and more broadly of a worrying shift toward illiberal democracy in too many countries across Europe. It would also have been useful to state that ‘surveillance of teaching’ is not a legitimate ground for interference with the right to privacy.

Regardless of the safeguards in place, the announcement of an intention to place teaching under surveillance has a chilling effect on professors and students alike. While university management has a legitimate interest in ensuring that professors turn up to teach, and do so competently, there are many other routes to this end – student complaint or feedback procedures, for instance. Indeed, judgments like Nowak, as I noted already, help to ensure academics’ accountability to students. It’s unfortunate that this judgment missed the opportunity to directly confirm the importance of academic freedom as one of the pillars of democracy – rejecting the ever-louder screeching of those denouncing those with different opinions as ‘enemies of the people’.

Barnard & Peers: chapter 9

JHA4: chapter II:7

Photo credit: ZDnet

Privacy at work: the Strasbourg Grand Chamber clarifies the law

Lorna Woods, Professor of Internet Law, University of Essex

Background

The case of Bărbulescu concerned the extent to which employers could track employee communications, including Internet use, when those communications might include private correspondence rather than business communications. Here, an employer dismissed an employee for failing to respect a prohibition on the use by employees of work equipment for private reasons. The employee sued his employer in the Romanian courts but lost, so brought a claim under Article 8 ECHR, which protects the right to private and family life, home and correspondence. In particular, Bărbulescu objected to the fact that, to find that he had violated the policy, his employer monitored his communications. This he claimed was contrary to the jurisprudence of the European Court of Human Rights in Copland v UK.  The Fourth Section of the Strasbourg court held, at the beginning of 2016, that the legal situation in Romania did not give rise to a violation of Article 8. While the media tended to summarise the position as the court permitting entirely unrestricted monitoring, this was not entirely the position as noted by Steve Peers here. The matter was in any event referred to the Grand Chamber and it is with this judgment that this note is concerned. The Grand Chamber came, albeit not unanimously, to the opposite conclusion from the Fourth Section, finding that there had been a violation of Article 8 ECHR.  So, why has it come to this conclusion?

Judgment

The Grand Chamber first considered the applicability of Article 8 to the situation in issue.  Re-iterating a long list of previous cases, it emphasised that Article 8 should not be understood narrowly and includes both the right to develop relationships with others and professional activities or activities taking place in a public context. The Court noted two further separate points. First it commented that:

[r]estrictions on an individual’s professional life may fall within Article 8 where they have repercussions on the manner in which he or she constructs his or her social identity by developing relationships with others [para 71].

In this context work is important in providing the possibility for individuals to develop relationships with others. Secondly, while ‘life’ in the list of interests protected by Article 8 is qualified by the adjective ‘private’, the term ‘correspondence’ is not so limited [para 72]. The Court noted that while the test of a reasonable expectation of privacy has been used to determine the scope of Article 8, it here re-iterated that is a significant though not necessarily conclusive factor [para 73]. The Court concluded that while the employee was aware of the ban, he was not aware of the monitoring; that some of the content was intimate in nature; that he alone had the password to the account. The Court left open the question of whether Bărbulescu had a reasonable expectation of privacy in the light of the employer’s policy (of which Bărbulescu was aware), but then held that ‘an employer’s instructions cannot reduce private social life in the workplace to zero. Respect for private life and for the privacy of correspondence continues to exist …’ [para 80]. Both the right to private life and the right in relation to correspondence were therefore engaged.

The Court then considered whether there had been a violation. In this the Court was faced with the question of whether there was a positive obligation, given that the employer was not a public body. The Court noted that the monitoring of the communications could not be regarded as “interference” with Bărbulescu’s right by a State authority [para 109]. Nonetheless, the measure taken by the employer was accepted by the national courts, thus engaging the State’s positive obligations [paras 110-111]. It re-stated that the test was that of whether a fair balance had been struck between the competing interests. The Court noted that labour law has specific characteristics which allows for a wide margin of appreciation. This is not, however, unlimited; States must ensure that there are safeguards in respect of the monitoring of communications. It identified a number of issues:

-          Clear advance notification of the possibility of monitoring;

-          The extent of the monitoring and the degree of intrusion, taking into account the difference between monitoring ‘flow’ of communications and their content;

-          The justification for the monitoring;

-          Whether less intrusive mechanisms for monitoring exist;

-          The consequences for the employee;

-          Whether adequate safeguards were in place.

Further, there should be the possibility of a domestic remedy. The Grand Chamber took the view that the domestic courts did not consider or did not give appropriate weight to all the issues identified [para 140]. Notably, it did not appear the employer had given Bărbulescu sufficient advance notice of "the extent and nature of [its] monitoring activities, or of the possibility that [it] might have access to the actual content of his messages". The Court was also sceptical of the national courts acceptance of the justification for the intrusion. There was therefore a violation of Article 8.  There was dissent, however, on the assessment of the national courts’ approach to the matter.

Comment

The headline news from this is that the Grand Chamber came to a different determination on the issue of breach from the Fourth Section. It should be noted, however, that even that chamber did not suggest that unlimited monitoring would be permissible (see e.g. Steve Peers’ analysis). Nonetheless in purely practical terms, the Grand Chamber judgment provides a clear statement that workplace privacy cannot be reduced to zero, as well as a list of considerations that will be useful not just for national courts but also employers in considering policies regarding personal communications in the workplace. Note that this case concerned a private employer not – as in Halford and Copland – a public body as employer so the considerations highlighted will be of relevance to all employment relationships. In this, the Grand Chamber seemed to respond to some of the concerns expressed by Judge Pinto de Albuquerque in his dissent from the Fourth Section judgment regarding the factual specificity of the case. The judgment also seems to recognise the importance of work as part of daily life, an important point given the blurring of boundaries in the ‘always on’ culture of smart devices in which work-related information and communications co-habit with those of life outside work.

There are some further points to consider. The first is the scope of Article 8 and in particular the ‘reasonable expectation of privacy’.  Article 8 lists a number of aspects protected: ‘private and family life’ – usually seen as two separate elements ‘private life’ and ‘family life’ – ‘home’ and ‘correspondence’. As written, it seems that these are distinct elements yet the reasoning of the Court does not always treat them as separate; arguably the Court’s previous approach in making the matter one of a ‘reasonable expectation of privacy’ blurs any boundaries between these elements and in so doing, limits the scope of protection as far as ‘correspondence’ is concerned. The Grand Chamber seemed alive at least in some regards to this point: it specified that there is no requirement that correspondence be private. If that is the case, however, why is the issue of reasonable expectation of privacy relevant? Indeed, the Grand Chamber noted that the test of reasonable expectation of privacy is not the be all and end all of Article 8 (see para 78). Despite this recognition, the Grand Chamber still turned the question into one of a reasonable expectation of privacy:

It is open to question whether – and if so, to what extent – the employer’s restrictive regulations left the applicant with a reasonable expectation of privacy [para 80].

Is the Court here suggesting that correspondence is protected by Article 8 only when there is a reasonable expectation of privacy? Seemingly so, yet the Grand Chamber continued to state:

…. an employer’s instructions cannot reduce private social life in the workplace to zero. Respect for private life and for the privacy of correspondence continues to exist, even if these may be restricted in so far as necessary [para 80].

The position is consequently somewhat unclear. It would be more straightforward were the Court to recognise that correspondence constitutes a separate class aside from private life however broadly understood, and to deal with scope of Article 8 as a separate issue from that of interference and justification.  The current position unfortunately seems to be embedded in a long line of case law.

Bărbulescu is distinct from previous case law on employee monitoring in that it involved the State’s positive obligations. The Court has tended to adopt a different approach in regard to positive obligations than negative obligations. Rather than look at Article 8(2) and the tests of legitimate objective, lawfulness and necessity (in a democratic society), it adopts a fair balance test within which the State has a broad margin of appreciation. On this basis, the side-lining of the Copland ruling – which fell at the lawfulness stage in a standard Article 8(2) analysis – is understandable.  The Court seems to suggest, however, that there are parallels between positive and negative obligations:

[i]n both contexts regard must be had in particular to the fair balance that has to be struck between the competing interests of the individual and of the community as a whole, subject in any event to the margin of appreciation enjoyed by the State [para 112].

It is questionable whether the derogation from an individual’s rights by state actors really should be seen as being about a fair balance, a stance which arguably nudges the focus of protection away from human rights as paramount. Nonetheless, here the Court brings in factors from the standard Article 8(2) state surveillance case law aimed at preventing abuse of secret surveillance capabilities to provide guidance in finding the fair balance. It is noticeable that Copland is not considered but instead the State surveillance cases of Klass and Zakharov. 

It might be that the Grand Chamber accepted the referral because it wished to deal with failure of the Fourth Section to consider the EU Data Protection Directive, which protects against the collection of personal data without the explicit consent of an individual (or justified grounds for such collection).  This point was highlighted by Judge Pinto de Albuquerque. If so, the judgment fails to engage with EU data protection law in any meaningful way. The Grand Chamber noted that the national courts had considered the directive, but did not consider those rules themselves. Insofar as the Court does refer to international and European standards, it specifies the ILO standards and Council of Europe Recommendation CM/Rec(2015)5, rather than the Directive. It seems then that there has not been any direct engagement with the substantive EU data protection rules.

Photo credit: Aird and Berlis LLP