Data Protection Day 2017 – marking a year of dramatic change

Data Protection Day is marked on 28th January every year to raise international awareness of information privacy issues.  In the year since the last Data Protection Day in 2016 there have been several significant developments:

  • The new Data Privacy Shield arrangement between the EU and the United States was launched
  • The wording of the General Data Protection Regulation or GDPR (European Commission 2012) was finalised
  • Britain voted to leave the European Union
  • The EU Court of Justice (ECJ) ruled on the indiscriminate retention of metadata about private communications by service providers (Court of Justice of the European Union 2016)

In the current atmosphere of political upheaval, national security and individual human rights have come into focus.  Solove (2011) argues that security and privacy are not necessarily incompatible.  He counters the commonly-argued case that we have to give up some of our personal privacy in order to be more secure, especially in the face of war or terrorism.  Vigilance is also needed against the creeping encroachment on personal liberties by the state.  The ECJ ruling on 21st December 2016 against the Home Office and the Swedish Post and Telecom Authority has reasserted the importance of protecting information privacy.  The ruling precluded the indiscriminate retention of traffic and location data relating to electronic communication under the provisions of the Investigatory Powers Act 2016, also known as “The Snoopers’ Charter” (UK Parliament 2016).  The ECJ went on to rule that national authorities should only have access to retained telecoms data subject to review by a court or “an independent administrative authority”.  In other words, there has to be due process before retained communications data can be examined.  The ruling is a generic ruling about oversight and due process that applies to any national legislation.  The ruling was originally triggered by the Data Retention and Investigatory Powers Act 2014, which was superseded by the Investigatory Powers Act 2016 which came into force on 1st January 2017.

The ECJ ruling is a significant milestone, because it reasserts the principle that personal data should not be retained and accessed indiscriminately or without review by competent authorities.  The Investigatory Powers Act 2016 specifies the conditions under which public authorities can access data about communications via public services.  This secondary data (metadata) may relate to phone calls, post, and e-mails.  This secondary data or metadata specifically excludes data about the content of the communication, but not data about the recipient, sender, date and duration of communication.  The ECJ ruling cites the Max Schrems case which in October 2015 struck down the Safe Harbor Agreement between the EU and the United States – on the basis that US authorities could require companies to hand over personal data to the National Security Agency (ECJ 2015).  The Safe Harbor Agreement was replaced by the EU-U.S. Privacy Shield, which in many respects is the same as Safe Harbor, being self-regulatory and with very little enforcement by Federal agencies (Haynes 2016).

The ruling will require the UK government to ensure that there is some independent oversight of data retention orders and control over who has access to data about communications.  If the ruling is upheld, it is likely that the changes would be made by means of a statutory instrument to clarify the scope and provisions of the Act and its implementation.  Telecommunication service providers such as telephone companies and ISPs (Internet Service Providers) will have to ensure that any requests for access to retained telecoms data are compliant with EU law. It is unlikely to change their practice on retaining communications data – this is accepted – but it will change their access policy and procedures for allowing access.  The real test will be whether there are any challenges to the government as the Act is rolled out, and whether any precedents are set by the Courts.

The Brexit vote in June may have a long-term impact on privacy legislation, although current thinking is that the UK will adhere to current legislation in order to continue to have access to the European market.  EU legislation including the General Data Protection Regulation (due to come into force in 2017) will apply to the United Kingdom until its departure from the EU in 2018.  After Brexit is completed it is not clear whether the UK will continue to maintain EU regulations by incorporating them into UK law, or whether it will go the way of the United States by trying to set up an arrangement similar to EU-U.S. Privacy Shield.  If it chooses to comply with EU regulations then the GDPR will continue to have a profound effect on companies.  Gone will be the requirement to register personal data collections and their purposes, but they will have a responsibility for reporting breaches and they will be required to have a nominated individual to act as Data Protection Officer.  The ‘right to be forgotten’ will be a part of EU law, so that users can require that their names are not associated with the results of particular searches (Haynes 2014).

The developments over the last year highlight the need for a way of reconciling national security with personal privacy.  Security considerations have tended to dominate the debate in light of recent terrorist attacks in Europe and the Middle East.  It is important to balance this against encroachment on human rights.  After all, if we destroy the freedoms of the society that we are striving to protect, are we not forwarding the terrorists’ agenda?



Court of Justice of the European Union, 2016. Tele2 Sverige AB (C203/15) v Post-och telestyrelsen, and Secretary of State for the Home Department (C698/15) v Tom Watson, Peter Brice, Geoffrey Lewis,

ECJ, 2015. The Court of Justice declares that the Commission’s US Safe Harbour Decision is invalid. Press Release. Available at: [Accessed January 20, 2016].

European Commission, 2012. General Data Protection Regulation, European Union: European Commission. Available at:

Haynes, D., 2014. Forget the Right to be Forgotten, Other Means Exist. The Conversation. Available at: [Accessed June 23, 2016].

Haynes, D., 2016. Privacy Shield Replaces Safe Harbour, but Only the Name has Changed. The Conversation. Available at: [Accessed February 22, 2016].

Solove, D.J., 2011. Nothing to Hide: the false tradeoff between privacy and security, New Haven, CT: Yale University Press.

UK Parliament, 2016. Investigatory Powers Act, United Kingdom. Available at:


About the author

David Haynes

David is a Director of Aspire². His interests lie in metadata, information taxonomies and information governance. He is an experienced PRINCE2 practitioner. David leads courses on his specialist areas and is author of ‘Metadata for Information Management and Retrieval’. Currently he is researching the regulation of information at City University, London.