On 6 October 2020, the Court of Justice of the European Union (CJEU) published two decisions that further define the permitted scope of governmental access to personal data.

These decisions are relevant in two key areas:

  1. Complying with the Schrems II judgment: The judgments provide some guidance on how organisations should undertake the “case-by-case assessments” of third countries to which they are transferring personal data using the European Commission approved Standard Contractual Clauses (SCCs); and
  2. Brexit: The judgments also give some clues as to the standard to which the UK will be held as it seeks an EU Commission adequacy finding for its data protection regime when the Brexit transition period ends on 31 December 2020.


The case of Privacy International v Secretary of State for Foreign and Commonwealth Affairs, the Secretary of State for the Home Department and the UK security and intelligence agencies (SIAs) (Case C-623/17) concerns the conditions under which SIAs may process communications metadata (i.e. traffic and location data, not message content) collected by telecommunications providers. The CJEU heard this case jointly with two other related cases: the joined cases C-511/18 and C-512/18 (La Quadrature du Net and Others) from France, and case C-520/18 (Ordre des barreaux francophones et germanophone and others) from Belgium.


What is the background to this case?

Under Directive 2002/58 (the ePrivacy Directive), metadata may be kept by electronic communications service providers for numerous purposes, such as billing, providing value-added services (with the consent of the user) and security.

Once the metadata is no longer necessary for these purposes, electronic communications service providers must delete it or make it anonymous, unless a valid national law derogation applies. These derogations usually concern purposes such as national security and the detection of crime. However, the ePrivacy Directive requires that any such derogations are necessary, appropriate and proportionate. Therefore, in order for SIAs to obtain this information and use it for longer periods, it is necessary for them either: (i) to have the metadata transmitted to them (as a feed) so they can store it; or (ii) to require the electronic communications service providers to retain the metadata on behalf of the SIAs for longer so the SIAs can access it when required.


The UK case

On 5 June 2015, Privacy International brought a case before the Investigatory Powers Tribunal (IPT) against the Secretary of State for Foreign and Commonwealth Affairs, the Secretary of State for the Home Department and the UK SIAs which challenged the lawfulness of the acquisition and use of bulk communications metadata. SIAs were undertaking this practice under UK laws which required electronic communications service providers to transmit the metadata to SIAs.

As part of this case, Privacy International contended that the collection of bulk communications metadata was unlawful under EU law “because it failed to provide various safeguards identified as required in the CJEU judgment Tele2/Watson case[1]” and the rules set out in the ePrivacy Directive.

Conversely, the UK Government argued that the regime was outside the scope of EU law because it relates only to national security which, the Government contended, falls outside of the competencies of the EU. In particular, the UK Government referred to: (1) Article 4(2) of the Treaty on European Union (TEU), which states that “national security remains the sole responsibility of each Member State”; and (2) Article 1(3) of the ePrivacy Directive, which states that the ePrivacy Directive “does not apply to activities that fall outside of the TEU…such as…activities concerning public security, defence, State security”.

The IPT expressed concern that if EU law was applicable it would frustrate the measures taken by the SIAs and put the national security of the UK at risk.

In particular, if the requirements in the Tele2 case were applicable they would: (i) restrict SIAs' access to metadata to a narrow set of purposes; (ii) require only proportionate, targeted, rather than indiscriminate, data acquisition; (iii) require prior independent review; and (iv) require notification to data subjects once such notification would no longer jeopardise the investigation. As a fundamental feature of the measures was to discover previously unknown threats by searching through the bulk metadata sets, compliance with these requirements would undermine the primary purpose of the SIAs' bulk collection programme. Therefore the IPT referred questions on these issues to the CJEU for a preliminary ruling.

In parallel, similar cases were also brought before national courts in France and Belgium by various privacy rights campaign groups. However, whilst the UK case centred on the transmission of data to SIAs, the French and Belgian cases concerned the retention of data by electronic communications service providers and also whether internet service providers should retain look-up data for the purposes of detecting crime. As the issues were so closely linked, the proceedings were joined.


What did the referring courts ask?

The UK case

In essence, the IPT asked:

  • whether Article 1(3) of the ePrivacy Directive, read in light of Article 4(2) TEU, means that national legislation enabling a State authority to require electronic communications services to forward traffic and location data to SIAs falls within the scope of EU law and the ePrivacy Directive; and
  • if yes, whether Article 15(1) of the ePrivacy Directive, read in light of Article 4(2) TEU and Articles 7 (respect for family life), 8 (protection of personal data), 11 (freedom of expression) and Article 52(1) (scope and interpretation) of the Charter of Fundamental Rights, means that national legislation enabling a State authority to require providers of electronic communications services to carry out the general and indiscriminate transmission of traffic and location data to the SIAs for national security purposes is not permissible under EU law.


The French and Belgian cases

In essence, the referring courts asked:

  • whether Article 15(1) of the ePrivacy Directive means that national legislation that imposes obligations on electronic communications services providers to retain traffic and location data on a general and indiscriminate basis is not permissible; and
  • whether Article 15(1) of the ePrivacy Directive, read in light of Article 4(2) TEU and Articles 7, 8, 11 and Article 52(1) of the Charter of Fundamental Rights, means that national legislation that requires electronic communications services providers to implement, on their networks, measures which allow: (i) the automated analysis and real-time collection of traffic and location data; and (ii) real-time collection of technical data about the location of terminal equipment, but which makes no provision for notifying the persons whose data is processed as part of that process, is not permissible under EU law.


What did the CJEU say?

The UK case:

  • EU law does apply in relation to government bulk data collection regimes

The CJEU clarified that whilst it is the responsibility of Member States to determine their own national security measures, those measures must still be in accordance with EU law.

  • National legislation that requires electronic communications services to transmit data to SIAs on a general and indiscriminate basis exceeds what is strictly necessary and cannot be considered to be justified in a democratic society.

In other words, the UK’s cited practices of transmitting traffic and location data to SIAs in bulk for further automated processing contravene EU law. The court said that the interference with the right to family life was “particularly serious” given the sensitive nature of the data and “the possibility of establishing a profile of the persons concerned on the basis of that data”. The CJEU also expressed concern that this type of practice “is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance” and that the mere retention of so much data entails a risk of abuse and unlawful access.

The court recognised that Member States have the option to derogate from the rights and obligations in the ePrivacy Directive by way of legislation. But this is only permitted if it is done “in accordance with the general principles of EU law, including the principle of proportionality, and with the fundamental rights guaranteed in the Charter”.

The CJEU stated that the objective of safeguarding national security was the objective most capable of justifying a derogation. However, it appears that even this objective can never justify collecting the traffic or location data of all users of a network. A more targeted, independently reviewed process would be required. But how this should be achieved in practice is not discussed in the judgment. In addition, the CJEU suggested that the limits must be ascertainable from the law in advance. And, reading across from the French and Belgian cases, once notifying individuals is no longer likely to jeopardise an investigation, there is even an expectation that the authorities notify data subjects individually if they have been profiled.


The French and Belgian cases:

In relation to question one, the CJEU said yes. National legislative measures which require the general and indiscriminate retention of traffic and location data are not permissible under EU law unless the legislative measures have the following minimum features:

  1. The objective is the purpose of safeguarding national security. This appears to be the only objective which would allow retention of the communications metadata of all users of a network. Other objectives such as combating serious crime or protecting public security would need to be limited to the communications of the key suspects, if using traffic data, or to those in a narrow geographical area, if using location data.
  2. The threat to national security must be serious and “shown to be genuine and present or foreseeable…and subject to effective review…”, i.e. there must be an objective and non-discriminatory basis for considering the threat as “serious”.
  3. The retention must be limited in time to what is strictly necessary, i.e. the retention cannot be authorised on an ongoing systematic basis but only temporarily in response to serious specific threats.
  4. The exercise must be subject to effective judicial review, although the judgment stops short of requiring prior review.
  5. The rules must contain procedural conditions so that the persons concerned have effective safeguards against the risks of abuse.


The court also found that requiring electronic communications service providers to retain, for an unlimited period, the IP addresses assigned to the source of a connection and the related identity of the user of that connection, so that authorities can identify publishers and users in order to combat serious crime (such as child pornography), is permitted provided there are appropriate safeguards as to when such information is accessed.

In relation to question two, the CJEU said no. National rules that require providers of electronic communications services to implement measures for automated analysis and real-time collection of all traffic, location and technical data are permissible where:

  1. recourse to automated analysis is limited to situations where there is a “serious threat to national security that is shown to be genuine and present or foreseeable…and subject to effective review…”; and
  2. recourse to the real-time collection is limited to persons where there is a valid reason to suspect they are involved in terrorist activities and is subject to a prior review by a court or similar body.

In a press statement[2], La Quadrature described the decision as a “defeat” in the sense that “these exceptions reduce the effectiveness of the right to privacy and will inevitably lead to abuses”.


What will happen next?

The cases will now be referred back to the national courts of the UK, France and Belgium for a final decision. The courts will be guided by the CJEU’s findings and will hand down their judgments accordingly. There may also be amendments to the related national legislation.

Our take

These decisions will have impact in two very current areas: the application of Schrems II and Brexit.

Schrems II

As explained above, the judgments help to clarify the outer limits of governmental access to personal communications metadata as it is processed by electronic communications services providers. They provide a little more granular guidance on the standards that must be met when companies using the SCCs make their “case-by-case assessments” of a third country’s national security and surveillance laws.

Brexit

The judgments may be crucial in the European Commission’s assessment of whether the UK is granted ‘adequacy’ for data protection purposes, i.e. whether it will be possible for EU/EEA member states to continue transferring personal data to the UK after the transition period without the need for additional safeguards. This is because, as part of its adequacy assessment, the European Commission is required to take into account the national security and surveillance laws of the third country it is assessing. These laws must offer guarantees ensuring an adequate level of protection for personal data that are “essentially equivalent” to EU law. In the UK judgment, the court found that the UK practices complained of, and the then enabling legislation, were invalid.

The UK government will likely argue that the laws that were assessed as part of this judgment have now been repealed and that the current law, the Investigatory Powers Act (IPA), does not provide for general and indiscriminate collection in the ways described in the decision. The current rules provide for the Secretary of State to issue retention and bulk acquisition notices that are subject to prior oversight by a Judicial Commissioner. However, the IPA, dubbed the “snoopers’ charter” in the media, has faced significant criticism that it does not go far enough in protecting privacy rights and, in particular, that the scope of retention and bulk acquisition notices can still potentially be very broad. It will be interesting to see if the European Commission agrees.


[1] http://curia.europa.eu/juris/document/document_print.jsf?docid=186492&text=&dir=&doclang=EN&part=1&occ=first&mode=lst&pageIndex=0&cid=7109519

[2] https://www.laquadrature.net/en/2020/10/06/surveillance-victory-in-defeat/