When Britain can deport EU citizens – according to the law

File 20171109 13303 1nzjnvi.jpg?ixlib=rb 1.1
via shutterstock.com

Adrienne Yong, City, University of London

The article was originally published on The Conversation.

Despite the fact that EU citizens enjoy the right to move to and live in other member states, the UK government has recently ramped up efforts to deport them.

In the year ending June 2017, 5,301 EU citizens were deported from the UK, a 20% rise compared to the previous year. This is a troubling figure, especially considering that the law supposedly protects EU citizens from deportation. The charity, Bail for Immigration Detainees, has noticed a rise in EU nationals involved in deportations.

As many EU citizens remain anxious about their future in the UK after Brexit, the government has unfortunately sent mixed messages as to whether EU citizens will enjoy the same rights in the UK once it leaves the EU, or if they will simply be deported.

Debate already exists in the UK about whether certain individuals “deserve” to be expelled, from people who are not working but seeking welfare benefits, to people who are convicted of criminal activity. Now more questions are arising about whether just about anyone can be deported.

Adding to the distress is a recent government letter, sent on behalf of the Home Office, to a Romanian national. It advised him to consider leaving the UK to “avoid becoming destitute” after he was refused emergency accommodation.

The UK’s refusal to provide him with emergency accommodation should not on its own amount to him being asked to leave, especially not under EU law which states that citizens are given the right to live and reside freely in any member state. By suggesting he leave, it appears that the Home Office was trying to restrict his freedom to move and reside. The letter added to the already hostile political atmosphere in the UK, and does nothing to allay concerns for worried EU citizens.

EU law on deportation

The law surrounding deportation in the EU comes from Article 28 of Citizens’ Directive 2004/38 which states that EU citizens can only be deported from another member state for reasons of public policy or public security. There are only three situations in which deportation is allowed.

The first requires that alongside the public policy or public security reasons, deportation can only be allowed if adequate consideration of various factors are taken into account. These include how long the person has been living in the country, their age, health, family and financial situation, and how well they’ve integrated into society.

The second situation concerns permanent residents, those who have have lived in a member state for five years or more (you are not required to have documents proving this, though it is necessary for British citizenship applications).

For permanent residents, only serious grounds under public policy or public security will justify expulsion. What a “serious” ground is must be justified by the member states, but there is no guidance in the directive as to what constitutes “serious”. It must relate to a fundamental interest of society. These include preventing unlawful immigration, maintaining public order, preventing tax evasion, countering terrorism and preventing repeat criminal offences.

The third situation is for those who have been in a member state for the last ten years – or minors. In these cases, only imperative grounds of public policy or public security will be accepted. Again, “imperative” grounds are up to the member states to justify and the directive offers no definition. However, it is clear that they are stricter than “serious” grounds. Therefore, the longer you have been in a country, the more difficult it becomes to deport you. Case law has accepted being involved in a drug dealing organisation as an imperative ground of public security, but the general meaning of “imperative” remains unclear.

Despite the fairly high level of protection under these provisions, the UK has been known to interpret the public policy and public security reasons for deportation quite broadly, in some cases arguing that rough sleeping counts. This decision is now being challenged before the High Court. The EU has also not taken kindly to this behaviour. The European Commission is currently investigating whether the UK is actually targeting EU nationals and if so, the UK would be in breach of its obligations as an EU member state.

Human rights and deportation

In its letter to the Romanian national, the Home Office suggested he leave so as to “enjoy access to all your ECHR [European Convention on Human Rights] without interference”. But this seems a strange suggestion, given that the UK is also bound by the ECHR and the government stated earlier this year that are “no plans to withdraw” after Brexit. It should, therefore, also be committed to conferring such rights without interference.

Article 8 of the ECHR protects the right to private and family life and deportation has previously been deemed an interference in this. The Home Office’s suggestion that EU citizens should go elsewhere to seek better protection makes it appears as if the UK wants to wash its hands of anyone burdensome in their territory, and certainly of its obligations under the ECHR.

The ConversationLaws exist to protect EU citizens from being deported. Yet, the Home Office seems to want to downplay the obligations that it is bound to ensure under EU law, but also under the ECHR. Attempting to shirk its responsibilities even before Brexit has occurred does not set a positive precedent for the protection of EU citizens’ rights going forward.

Adrienne Yong, Lecturer at The City Law School, City, University of London

This article was originally published on The Conversation. Read the original article.



CJEU Advocate General opines on the definition of a data controller, applicable national law, and jurisdiction under data protection law

Henry Pearce
Lecturer in Law, University of Hertfordshire, and Doctoral Researcher at the Institute for Law and the Web at the University of Southampton.

This article was originally posted on the Peep Beep!, a blog dedicated to privacy and information law.


‘Cruise control for the social media age, or stuck in second gear?’ The issue of defining data controllership is “particularly thorny” says AG, and looking to become thornier as complete control is becoming less and less common in practice

Last month, Advocate General (AG) Bot of the Court of Justice of the EU (CJEU) delivered an opinion which, although non-binding in nature, could potentially have far-reaching consequences for the development of data protection law in the EU. The non-binding opinion concerns a number of questions brought before the CJEU in relation to case C-210/16, which concerns a dispute between a regional German data protection authority (DPA) and a private education company, Wirtschaftsakademie Schleswig-Holstein GmbH (an education company). The main issue for the AG to consider was whether the German DPA was entitled to utilise its powers of intervention under the Data Protection Directive (DPD) against the education company, despite the fact that the latter was considered by the German courts not be a ‘data controller’ for the purposes of the definition of this concept under Article 2(d) DPD (“the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data”).

The request for a preliminary ruling concerned the legality of an order made by the DPA against the education company, which required the latter to deactivate a fan page hosted by Facebook Ireland, the entity that Facebook Inc has designated the controller of personal data processing by it in the EU. (A Facebook fan page is a special Facebook user account that individuals and businesses to set up in order to promote themselves, usually for the purposes for commercial purposes).

The DPA had alleged that, by failing to inform end users visiting the fan page that their data would be automatically collected by Facebook via cookies installed on their computing equipment, the fan page infringed a variety of provisions of German data protection law implementing the DPD. These data were collected via Facebook for the purposes of compiling anonymous statistical information, which would benefit the education company, and for the purposes of refining Facebook’s targeted behavioural advertising endeavours. By contrast, the education company argued that it was not responsible for the activities carried out by Facebook, including the automatic installation of cookies on end users’ computing equipment, and therefore it was not a data controller in respect of such personal data processing, and so it should not be subject to the exercise of the powers of the German DPA.

After being contested in the German Administrative Court and the Higher Administrative Court, the German Federal Administrative Court agreed that the education company was not a controller because, it concluded, the organisation had no power to influence the collection of personal data or the purpose of any subsequent processing in this context. However, in its request for a preliminary ruling to the CJEU, the Court asked for clarification on six questions, which can be summarised as follows:

  1. Are data controllers the only parties capable of incurring liability and responsibility for data protection violations? Alternatively, do DPAs have jurisdiction to exercise their powers of intervention under Art.28 DPD in relation to undertakings that are not data controllers per the DPD’s definition?
  2. Under Art.17(2) DPD, is it possible to infer a possible duty for making the same careful choice in respect of other multi-tiered information provider relationships, other than those between controllers and processors? (This provision specifies that in sub-contractual relationships, where a data controllers delegates data processing activities to a dedicated data processor, the controller is under a duty to choose a processor which provides sufficient guarantees in respect of technical security and organisational measures in respect of the processing to be carried out).
  3. Where an undertaking is primarily based outside the EU (e.g. Facebook), but has subsidiaries established within the territories of the EU (e.g. Facebook Germany and Facebook Ireland), is the DPA of one EU Member State entitled to use its powers of intervention against a subsidiary based in its territory but not responsible for making determinations in respect of the purposes of the collection and processing of personal data throughout the EU, whilst another subsidiary of the same undertaking based in another Member State has this responsibility?
  4. Where a controller has an establishment in one Member State responsible for determining the purposes of acts of personal data collections and processing (e.g. Facebook Ireland), and another legally independent establishment in another Member State whose responsibilities are restricted to marketing activities targeted at the inhabitants of that Member State (e.g. Facebook Germany), is the DPA of the latter Member State entitled to exercise its powers of intervention against the establishment in its territory, or are such powers exercisable only by the DPA of the Member State where the determinations regarding the collection and processing of personal data are undertaken?
  5. In cases where the DPA based in one Member State exercises its powers of intervention against a person/entity in its territory (on the grounds of failing to exercise due care in choosing a third party located in another Member State to be involved in personal data processing activities due to that third party being an infringer of the DPD), is the DPA bound by the appraisal of a DPA from the Member State where the third party is based, or can the DPA of the first Member State come to its own independent conclusion?
  6. Where the DPA of a Member State is in a position to conduct an independent investigation, does Art.28 DPD permit it to exercise its powers of intervention against a person/entity established in its territory on the grounds of an alleged data protection violation for which they are jointly responsible with a third party established in another Member State, or must it first request that a DPA of the Member State where the third party is based exercise its own powers before it is permitted to act?

In response to the first two questions, the AG argued that both were premised on the mistaken belief that a Facebook fan page could not be a controller for the purposes of the DPD. This, he suggested, was fundamentally wrong. Whilst acknowledging that, first and foremost, the administrator of a Facebook fan page is an individual end user of Facebook, the AG said that this in itself is not enough to preclude it being responsible for the collection of user data by Facebook itself. Drawing on the definition of controller contained in Art.2(d), the AG argued that so long as the administrator of a fan page has influence over, or can “determine”, the purpose and means of any data collection and processing linked to end users visiting the page, they will be a controller for the purposes of the DPD.

So why exactly, on the facts of this case, did the AG conclude that the administrator of this particular fan page was definitely a controller? In short, this conclusion was primarily based on two main factors.

  • Firstly, the collection and subsequent processing of user personal data by Facebook would not have been possible if the administrator had not created the fan page. Accordingly, the creation of the fan page by the administrator represented an agreement to Facebook’s means and purposes of processing personal data, and therefore signified that the administrator had participated in the “determination” of those ways and means.
  • Secondly, due to technological insight tools offered by Facebook, fan page administrators are able to influence the specific way in which Facebook itself uses its data collection tools in relation to visitors to their fan page. This can allow the administrator to effectively define a personalised audience, and designate categories of users whose personal data will be collected. This, according to the AG, must also be considered as participating in the “determination” of the means and purposes of an act of data processing.

In circumstances similar to the immediate case, therefore, Facebook fan page administrators, as well as administrators of fan pages on similar platforms, must be considered joint data controllers along with Facebook. In reaching this conclusion the AG drew an analogy to help support his conclusion: if an undertaking were to make its own website and utilised similar tools to those made available through Facebook for the purposes of managing fan pages, it would undoubtedly be considered a controller. Accordingly, he argued, as there was no “fundamental difference” between the two scenarios, it would be wrong for the law to treat them differently!

In response to the third and fourth questions, the AG drew attention to the fact that, as mentioned, Facebook Ireland was Facebook’s designated data controller in the EU, whereas Facebook Germany was only responsible marketing endeavours aimed at German users. He then suggested that in order to answer the question of whether a DPA based in one Member State is entitled to exercise its powers of intervention in relation to processing activities for which a party in another Member State is responsible, it is necessary to first determine whether the DPA in the first Member State has the right to apply its own national law to the data processing in question.

Turning to the facts of this case, the AG opined that the German DPA was indeed entitled to exercise its powers of intervention against Facebook Ireland, despite the latter being based in another Member State. Specifically, he alluded to Art.4(1)(a) DPD specifying that acts of personal data processing will be governed by the law of the Member State in which said processing is carried out in “the context of the activities of an establishment” of a controller on the territory of that Member State. In other words, the applicability of the national law of any Member State to an act of personal data processing requires the controller 1) to have an “establishment” in that Member State, and 2) the processing must be carried out “in the context of the activities of that establishment”. With both these points in mind, the AG argued that as Facebook Germany has a registered office in Hamburg through which it carries out its business, it undoubtedly should be considered an establishment for the purposes of Art.4(1)(a).

In reaching this conclusion, the AG also drew on previous decisions of the CJEU in the Google Spain and Weltimmo cases (to reminder readers, posts about the latter decisions on this blog can be found here and here). The AG laid emphasis on the fact that – as Facebook Germany was responsible for marketing to German Facebook users – the personal data processed by it in relation to this must be considered as being “in the context” of Facebook Germany’s engagement with its users.

So, what does this mean for DPAs who find themselves in this context? The AG concluded that that the German supervisory authority indeed had the power to apply its own national law to the proceedings and could exercise all its powers of intervention to ensure that German law was applied by Facebook on German territory. In other words, neither the place where the processing is carried out nor where the controller is established are decisive in determining which national law applies to data processing activities.

Moreover, he argues that the suggestion that Art.4(1)(a) should be interpreted as requiring data controllers to have regard for the legislation of one Member State only was contrary to the wording of the DPD (specifically Recital 19, which mentions the possibility of the application of multiple national legislations to data processing activities), but also:

  • an inability for DPAs to target data controllers in other Member States would neuter their competency under Art.28 to uphold data protection law (as it is only through targeting the controller in a particular data processing operation through which any alleged infringements could be effectively combatted), and
  • allowing DPAs to impose measures on controllers that are not established in their own Member State would not represent the DPA overstepping its power, as the purpose of all DPAs is to ensure compliance with data protection law in all Member States.

Regarding the fifth and sixth questions, the AG concluded that a DPA must be able to use its powers of intervention in an autonomous way unfettered by any obligations to first correspond with, or defer to, another DPA.

The AG’s opinion is noteworthy for a number of reasons. Most strikingly, it perhaps represents a notable broadening of the notion of a data controller, a concept that already enjoys wide definition. If the AG’s approach were to be followed in the final CJEU judgement due imminently and adopted by the CJEU in future case law, this would seemingly open the door further to the possibility of individual users of social networking sites like Facebook to be categorised as controllers (a door the possibility of which has become to be wedged open under EU law in recent years), and therefore be made subject to the substantive tenets and provisions of the European data protection framework.

More generally, the AG’s expansive approach to the powers and abilities of DPAs regarding cross-border effects of personal data activities in the EU, as well as the applicability of national data protection law, may also raise interesting questions in relation to conflicts of laws and jurisdiction. What must also be kept in mind, however, is that after the GDPR replaces the DPD next May, the ‘One-Stop-Shop mechanism’ (discussed here by the influential Article 29 Working Party) will ensure that any regulatory action in relation to an alleged infringement of data protection law will be driven and overseen by the DPA located in an undertaking’s main EU establishment.

Meaning – after all that – if adopted, AG Bot’s approach on jurisdiction may be short-lived!