Paul Bernal: Privacy, Surveillance and Brexit….

paul-bernalAn Englishman’s home is his castle, so the old saying goes, and it might be thought that the implication is that the English place a special importance on privacy. The reverse, however, seems to be the case, when the law is considered – for much of the law that provides protection for our privacy, particularly in relation to surveillance, does not originate in the UK but in Europe. With the perfect storm of possible ‘Brexit’ and the potential repeal of the Human Rights Act (HRA), that might leave our privacy in an even more precarious state than it currently is. The so-called ‘British Bill of Rights’ has yet to see the light of day: one of the key questions could be what provision it makes for privacy, particularly in relation to the internet and other forms of communications.

How our privacy rights are currently protected

As things currently stand, legal protection for privacy is based on a combination of ‘European’ laws and conventions. The Council of Europe’s European Convention on Human Rights (ECHR) – and in particular Article 8, the right to respect for private and family life – is the starting point. The suggestion that David Cameron’s primary reason to wish to repeal the Human Rights Act, which effectively incorporates the ECHR into domestic law, is based on frustration with Article 8 – albeit more about the use of the ‘family life’ part of the article – should be ringing alarm bells as to the prospects for privacy in the UK.

EU law provides further and more sophisticated and specific protection, from the crucial data protection regime (which itself derives from the ECHR to a certain extent) and the E-Privacy Directive (Directive 2002/58/EC), as well as a reinforcement of the ECHR in the EU Charter of Fundamental Rights, which became legally binding through the Treaty of Lisbon in 2009. The Charter not only reaffirms the rights in the ECHR Article 8 with its own Article 7 (‘[e]veryone has the right to respect for his or her private and family life, home and communications’) but in its Article 8 makes data protection a fundamental right in its own right.

These ‘European’ rights, and the ECHR Article 8 in particular, have been the basis for most of the significant developments in privacy law of all kinds in the UK, from the seminal ‘celebrity’ case of Campbell vs MGN Ltd [2004] UKHL 22 onward. The current challenges to the surveillance activities of GCHQ, as shall be seen, are based on both (or either) of the ECHR and EU Charter of Fundamental Rights – so the combination of potential Brexit, repeal of the HRA and ultimately withdrawal from the ECHR could pull the rug out from under those challenges.

Europe isn’t standing still

At the same time, things are moving in Europe, albeit far from fast. The data protection regime, currently governed by 1995’s Data Protection Directive, has been going through a tortuous reform process, one that seems, finally to be reaching a conclusion with the new General Data Protection Regulation looking as though it might actually be agreed either in 2015 or early 2016. Whether the regulation will provide stronger or weaker protection for privacy is still a matter for debate – but in relation to the UK, there is strong anecdotal evidence to suggest that one of the key reasons that a regulation (directly applicable in member states) rather than a directive (which needs transposing into domestic law) has been chosen primarily as a reaction to the contentious implementation of the directive into UK law via the Data Protection Act 1998. The case of Durant v Financial Services Authority [2003] EWCA Civ 1746 in particular, which narrowed down the definition of personal data, seemed to suggest that the Data Protection Act did not provide the kind of protection that was envisaged in the Data Protection Directive: having a regulation this time around should reduce the chances of such mismatches.

The strength of privacy rights in the EU was emphasised in 2014, when in Digital Rights Ireland (Joined Cases C‑293/12 and C‑594/12) the Court of Justice of the European Union (CJEU) declared the Data Retention Directive – the basis of a significant part of the UK’s communications surveillance strategy – invalid, on the basis that it conflicted with those fundamental rights. It was this declaration that led to the rapid passing of the Data Retention and Investigatory Powers Act (DRIPA) in three days of the summer of 2014, and event that could reasonably be described as either farce or tragedy.

Current challenges

DRIPA is the subject of one of the key current challenges to surveillance law – Liberty, on behalf of Labour MP (and candidate for the deputy leadership) Tom Watson and Tory MP David Davis, have just taken the government to the High Court. From Liberty’s press release of 3rd June:

“Liberty will argue on Mr Davis and Mr Watson’s behalf that the Data Retention and Investigatory Powers Act 2014 (DRIPA) is incompatible with the Human Rights Act – in particular Article 8 of the European Convention on Human Rights, the right to respect for private and family life – as well as with Articles 7 and 8 of the EU Charter of Fundamental Rights, respect for private and family life and protection of personal data.”

All the legal instruments that support that challenge – the Human Rights Act, the European Convention on Human Rights, and the EU Charter of Fundamental Rights – have an uncertain future. It is hard not to conclude that this uncertain future is in part because the current government does not see privacy as a fundamental right, as set out in the Liberty, Watson and Davis challenge, but as something of a threat to other, more important factors such as security.

The UK Government attitude to privacy

A whole range of government actions in relation to privacy supports that conclusion. Theresa May has been attempting to push for greater surveillance powers for a considerable time – the Communications Data Bill, dubbed by many the ‘Snoopers’ Charter’ in 2012 was perhaps the pinnacle, and its re-emergence in the yet-to-be detailed Investigatory Powers Bill is no surprise. Privacy advocates have often been accused of having blood on their hands. Malcolm Rifkind, former chair of the Intelligence and Security Committee showed the way many politicians frame the debate when he introduced the ISC’s inquiry into surveillance by saying that “[t]here is a balance to be found between our individual right to privacy and our collective right to security.” This framing oversimplifies the debate – not just by setting up a false dichotomy but by hinting that privacy is essentially selfish and should acquiesce gracefully to the altruistic societal need for security.

It is not just in the field of surveillance that this dismissal of privacy has been evidenced. Sajid Javid, then the culture minister, suggested that the so-called ‘right to be forgotten’ was being used by terrorists, despite there being no evidence to suggest it could be, let alone was. In his denigration of the right to be forgotten (as determined in the Google Spain ruling) he was following in a long line of British attempts to undermine data protection and that right in particular – Kenneth Clarke in 2011 was part of what looked like a concerted effort to stave off the strengthening of privacy rights.

Privacy rights after Brexit?

All this makes it hard to be optimistic about what kind of privacy rights might be included in a British Bill of Rights. Some kind of separate and new British Data Protection Law would almost certainly be required. Whether Brexit happened before or after the new European Data Protection regime came in might determine its precise form, but it is hard to imagine it would provide anything more than the minimum necessary to convince the EU to continue to let data flow relatively freely between the UK and the EU. One of the eight principles of European data protection law is that

“[p]ersonal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

Whether the UK could remain in the EEA (European Economic Area) whilst leaving the EU is another can of worms, but if it did not, there would have to be an agreement to allow it to happen. The US gets past this barrier with its ‘Safe Harbor’ agreement, by which businesses agree to abide by certain rules about protecting data – but the US Safe Harbor agreement is subject to significant debate as a result of the actions of the NSA. This might mean that the EU would find a UK Safe Harbour agreement similarly unenticing as a result of GCHQ’s surveillance, particularly if Theresa May’s plans for extending GCHQ’s surveillance go ahead.

As for treating privacy as a fundamental right, it appears likely that the words of any provision in a British Bill of Rights would be similar to those in the ECHR and the EU Charter of Fundamental Rights (and indeed in the Universal Declaration of Human Rights before them) but that the interpretation and the balances maintained by our Supreme Court might be somewhat different to those found by the European Court of Human Rights (for the ECHR) or the CJEU (for the EU Charter of Fundamental Rights). The CJEU in particular seems to have been increasingly emboldened to intervene on behalf of privacy in the aftermath of the Snowden revelations – from the aforementioned declaration of invalidity of the Data Retention Directive to the Google Spain ruling on the right to be forgotten.

That in itself should provide pause for thought – in practice, those two courts have provided key protection for privacy, and though the words may be similar in a British Bill of Rights, the effect could be quite different given the nature of the British and European courts.

In the end, though, there is a question as to whether it really matters at all. The security services in the UK, unlike those in the US, seem highly unlikely to change their behaviour. Even when they have been found to behave unlawfully – as the Investigatory Powers Tribunal found in February 2015 in relation to the Prism and Upstream programmes – that finding has related to their past activities, while their present actions were found to be lawful. It would be naïve to think that much will change for the better, and the prime function of any proposed laws, as and when we see them, may well be to legitimise existing practice rather than instigate new forms of surveillance.

The prospects for privacy

That may, however, be a little too cynical. Either way, should Brexit, the repeal of the Human Rights Act and withdrawal from the ECHR happen, the British commitment to privacy will be seriously tested. Privacy advocates and privacy lawyers should be watching very carefully for what is and what is not included in any proposed British Bill of Rights. Weakened laws and tentative or even unwilling courts would not make for the best of protection. A further weakening of our already beleaguered privacy rights may well be one of the less foreseen consequences of Brexit.

Paul Bernal is a Lecturer in Information Technology, Intellectual Property and Media Law in the UEA School of Law and a member of media@UEA. He blogs at: and tweets as @paulbernalUK.

(Suggested citation: P. Bernal, ‘Privacy, surveillance and Brexit….’ UK Const. L. Blog (18th Jun 2015) (available at