National Security Certificates: Broad exemptions from the data protection regime will have consequences for our data protection rights and for adequacy
This piece was written by PI Legal Office Millie Graham Wood.
“The UK is leading the way on modern data protection laws and we have worked closely with our EU partners to develop world leading data protection standards”[1] according to, Matt Hancock MP, Minister of State for Digital. However, the proposals in the UK Data Protection Bill continue and expand a highly secretive system which allows processing of personal data to be exempt from key safeguards and fundamental protections on unspecified grounds of national security and defence. A Minister can sign a certificate, in general terms and with future effect, exempting processing with no transparency or oversight.
In the context of big promises from Matt Hancock MP, to make our data protection laws fit for the digital age in which an ever-increasing amount of data is being processed and to empower people to take control of their data, the replication of section 28 of the Data Protection Act 1998[2] is deeply troubling. This clause, which established the National Security Certificate regime, is just one of the concerning provisions that makes a mockery of Hancock’s aspirations. The government has failed to address the opaque and undemocratic regime of National Security Certificates, which in Part 2 of the Bill can be relied upon by entities who are not law enforcement or intelligence agencies.
Privacy International has proposed amendments[3] to National Security Certificate provisions. These fall in the section of the Data Protection Bill due to be debated on Monday in the House of Lords. The Bill present an opportune moment to shine light on this regime and implement key reforms. We hope it is seized upon.
How does it work?
There is little evidence of anything in the way of a procedure or format for certificates. According to clause 25 of the Bill, a certificate signed by a Minister of the Crown is “conclusive evidence of [the] fact” that exemption is required for the purpose of safeguarding national security. No equivalent certification process is provided for in respect of exemptions on defence-related grounds.
The certificate can exempt what is noted by the House of Lords Select Committee on the Constitution[4] as ‘An extensive range of measure [which] may be dis-applied’ in reliance upon the national security or defence purposes exemption[5].
Who can benefit?
Despite the name, the provisions for National Security Certificates in Part 2 Clauses 24, 25, and 26 of the draft Bill do not relate to law enforcement (Part 3) or intelligence agency (Part 4) processing of data. This begs the obvious question, who will these provision apply? The powers lie in the so-called ‘applied GDPR’ (Part 2, Chapter 3) being processing which falls ‘outside the scope of EU law’. Until Brexit, processing that falls within the scope of EU law will be covered by the General Data Protection Regulations (“GDPR”). However, once we leave the European Union, the ‘applied GDPR’ will become the source of our data protection rights, and thus include for all general processing the ability to rely upon national security certificates and exempt data protection safeguards.
We do not know what types of data controllers/ processors may benefit from these exemptions, whether private security firms to telecommunications companies, or what certificates currently exist. This makes it impossible to evaluate the necessity, proportionality and risk posed by these provisions. In turn, as Parliamentarians consider the Bill, it undermines their ability to effectively debate whether organisations, which are not law enforcement or intelligence agencies should, as a matter of principle, be able to exempt fundamental data protection safeguards.
In addition, the clauses introduce a new defence purposes exemption which is an expansion on the Data Protection Act 1998. It is not explained, defined or elaborated as to what the purpose of this addition is and what it covers and the Department of Culture, Media and Sport who are responsible for the Bill have been unable to provide us with anything other than a vague definition that it relates to ‘defence activities’.
Opaque, timeless and open to abuse
There has been a marked absence of public Parliamentary or independent scrutiny of national security certificates since the Data Protection Act 1998 came into force. Certificates are timeless in nature and there is a near total lack of awareness as to what certificates currently exist, how broad are the exemptions from data protection principles and who benefits. Whether Ministers are aware of certificates signed by their predecessors is yet to be seen.
The timeless nature of the Certificates is illustrated Privacy International’s ongoing litigation in relation to bulk personal datasets and bulk communications data[6] where certificates signed in 2001 covered bulk surveillance activities that commenced five years later. The only other certificates we understand are publicly available relate to Transport For London[7].
Adequacy
The inadequacies of this regime are relevant not only for those concerned about these broad unchecked exemptions, but also for those worried about the impact upon data flows between the UK and Europe post Brexit — if the UK is judged not to offer an adequate level of protection for data to the European Union[8]. As the House of Lords have stated,
“once the UK is no longer a member of the EU, national security concerns “could be used as a reason for arguing the UK ought not to be adequate””.[9]
The national security exemption has the potential to undermine a decision on granting adequacy to the UK (see GDPR Article 45, 2(a)) in its current form.
What changes are needed
Basic safeguards are required such as an oversight mechanism and restriction on the provisions of the Bill which can be exempted by clauses 24 and 25. However, Parliament must first consider whether such an exemption has a place at all in the applied GDPR.
A fundamental and basic safeguard is to introduce a procedure for a Minister of the Crown to apply to a Judicial Commissioner for a certificate who must review the Minister’s conclusions as to necessity and proportionality. To ensure oversight and safeguards are effective, sufficient detail is required in the certificate application. We note that an oversight role may be performed by the Investigatory Powers Commissioner’s Office.
Finally, Parliament must seek disclosure of all Certificates currently in existence and extant in order to effectively scrutinise this secretive regime and take advantage of the opportunity presented by the draft Bill. Going forward, the Bill should make provision to address the current opaque nature of national security certificate by publishing all certificates.
Conclusion
Broad and unchecked exemptions to the data protection principles; the rights of data subjects; responsibilities of data controllers and processors; and to safeguards for transfers of personal data to third countries and international organisations undermines public trust in effective data protection.
Whilst recognising that “our digital economy is creating mind-boggling quantities of personal data” and that “with the increasing volumes of personal data there is an increasing need to protect it”[10], the Government has failed to introduce anything to remedy this opaque national security regime and instead expanded it to undefined ‘defence’ exemption in the applied GDPR section of the Bill.
If the scope of certain principles needs to be limited for national security purposes, then this must be debated by Parliament and justified by the Government which seeks them. It is not acceptable in a democratic country to permit such broad unchecked exemptions from data protection, and it is unlikely to will be acceptable to the EU based on the unpredictability of using the Brexit card these days.
[1] https://www.gov.uk/government/news/uk-outlines-proposals-for-shared-approach-on-data-protection
[2] The Data Protection Act 1998 (“DPA”) provided an extremely wide exemption from the DPA where a national security certificate has been made under section 28 of the DPA. This is replicated in the draft Data Protection Bill. The provision for ‘national security certificates’ exists in Part 2 Chapter 3 (‘applied GDPR’ §24–25), Part 3 Law Enforcement Processing (§77) and Part 4 Intelligence Services Processing (§108–109).
[3]https://privacyinternational.org/sites/default/files/Privacy%20International%20briefing%20on%20DPB%20General%20Processing%20Cttee%20stage%20%20%5BHL%5D%2027%20Oct%2017.pdf
[4] House of Lords, Select Committee on the Constitution, 6th Report of Session 2017–2019, Data Protection Bill
[5] See Privacy International’s submission Annex B https://privacyinternational.org/node/1543
[6] In 2016 the Investigatory Powers Tribunal found that UK’s intelligence agencies were secretly and unlawfully collecting bulk data on people in the UK without adequate safeguards or supervision for over a decade https://www.privacyinternational.org/node/938
The Agencies relied upon certificates signed by David Blunkett and Jack Straw thirteen years previously (in 2001) to show for bulk data (Bulk Personal Datasets and Bulk Communications Data), key obligations in the Data Protecting Act were exempt.
The Security Service relied on these Certificates from 2001 to exempt their collection of bulk communications data, which commenced in July 2005; The Security Service and Secret Intelligence Service relied on Certificates from 2001 to exempt their collection of bulk personal datasets which commenced around 2006/2007.
[7] http://amberhawk.typepad.com/files/blog-s.28-smith-tfl-certificate-2007.pdf | http://amberhawk.typepad.com/files/blog-s.28-may-tfl-certificate-2011.pdf
[8] Article 45 of the General Data Protection Regulations states:
“2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:
(a) Rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data.”
[9]https://publications.parliament.uk/pa/ld201719/ldselect/ldeucom/7/7.pdf
[10] Statement of Intent, 7 August 2017, ‘A New Data Protection Bill: Our Planned Reforms’