Summary of the CJEU Decision on Legality of Bulk Surveillance in the Electronic Communications Sector
On October 6, 2020 the Court of Justice of the European Union (Court) decided that national legislation enabling a State authority to require providers of electronic communications services to forward traffic data and location data to the security and intelligence agencies, for the purpose of safeguarding national security, falls within the scope of Directive on privacy and electronic communications 2002/58 (Directive).
The Court has also concluded that the national legislation requiring providers of electronic communications services to disclose traffic and location data to the security and intelligence agencies by means of general and indiscriminate transmission exceeds the limits of what is strictly necessary and cannot be considered to be justified in a democratic society.
Background of the case
At the beginning of 2015, the existence of practices for the acquisition and use of bulk communications data by the various security and intelligence agencies of the United Kingdom was made public, in a report by the Intelligence and Security Committee of Parliament. Privacy International, a non-governmental organisation, brought an action before the Investigatory Powers Tribunal (Tribunal) against the Secretary of State for Foreign and Commonwealth Affairs, the Secretary of State for the Home Department and those security and intelligence agencies, challenging the lawfulness of those practices. The Tribunal found that collection and use of data were consistent with national law and it stated that evidence had been submitted to it concerning the applicable safeguards, in particular in regard to the procedures for accessing and disclosing data outside the security and intelligence agencies, the arrangements for retaining data, and independent oversight arrangements. The Tribunal added that the security and intelligence agencies' databases are used for bulk, unspecific, automated processing, with the aim of discovering unknown threats. To that end, the Tribunal stated that the sets of metadata should be as comprehensive as possible, so as to have a ‘haystack’ in order to find the ‘needle’ hidden therein. The Tribunal also stated that, according to Privacy International, the regime at issue in the main proceedings is unlawful in the light of EU law, while the defendants in the main proceedings consider the obligation to transfer data provided for by that regime, access to the data and its use do not fall within the competences of the European Union, in accordance with the Treaty on European Union, according to which national security remains the sole responsibility of each Member State. The Tribunal decided to refer the following questions to the Court of Justice for a preliminary ruling:
(1) Having regard to Article 4 TEU and Article 1(3) of Directive on privacy and electronic communications 2002/58, does a requirement in a direction by a Secretary of State to a provider of an electronic communications network that it must provide bulk communications data to the [security and intelligence agencies] of a Member State fall within the scope of Union law and of the Directive
(2) If the answer to Question (1) is “yes”, do any of the [requirements applicable to retained communications data, set out in paragraphs 119 to 125 of the judgment of 21 December 2016, Tele2 (C-203/15 and C-698/15, EU:C:2016:970)] or any other requirements in addition to those imposed by the ECHR, apply to such a direction by a Secretary of State? And, if so, how and to what extent do those requirements apply, taking into account the essential necessity of the [security and intelligence agencies] to use bulk acquisition and automated processing techniques to protect national security and the extent to which such capabilities, if otherwise compliant with the ECHR, may be critically impeded by the imposition of such requirements?
Decision of the Court in the first question
Governments of the United Kingdom, Czechia, Estonia, Ireland, France, Cyprus, Hungaria, Poland and Sweden argued that the Directive does not apply to the national legislation whose purpose is to safeguard national security. They argued that the activities of the security and intelligence agencies are the sole responsibility of the Member States, and fall into their jurisdiction. It is worth noting that Article 1(1) of the Directive prescribes the harmonisation of the national provisions required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and confidentiality, with respect to the processing of personal data in the electronic communications sector. Article 1(3) of the Directive excludes from its scope ‘activities of the State’ in specified fields, including activities in areas of criminal law and in the areas of public security, defense and State security including the economic well-being of the State when the activities relate to State security matters. Previous Court's case-law confirms that it is for the Member States to define their essential security interests and to adopt appropriate measures to ensure their internal and external security.
Article 3 of the Directive states that the directive is to apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the European Union, including public communications networks supporting data collection and identification devices. It the light of those provisions, the Court has held that Article 15(1) read in the light of Article 3 of the Directive must be interpreted twofold: that the scope of that directive extends not only to a legislative measure that requires providers of electronic communications services to retain traffic data and location data, but also to a legislative measure requiring them to grant the competent national authorities access to that data. Such legislative measures necessarily involve the processing by those providers, of the data and cannot, to the extent that they regulate the activities of those providers, be regarded as activities of Member States, referred to in Article 1(3) of the Directive. Transmitting, storing or otherwise making available of data, constitutes processing for the purposes of Article 3 of the Directive and falls within the scope of the Directive.
The mere fact that a national measure has been taken for the purpose of protecting national security cannot render the EU law inapplicable and exempt the Member States from their obligation to comply with that law. Where member States directly implement measures derogating the rule that electronic communications are to be confidential, without imposing processing obligations on providers of electronic communications services, the protection of the data of the persons concerned is not covered by the Directive, but by national law only, subject to the application of Directive on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, with the result that the measures in question must comply with national constitutional law and the requirements of the ECHR. As an example, the Court held that the transfer of personal data by airlines to the public authorities of a third country for the purpose of preventing and combating terrorism and other serious crimes did not, pursuant to Article 3(2) of Directive 95/46, fall within the scope of that directive, because such transfers fell within a framework established by the public authorities relating to public security.
The Court has concluded that Article 1(3), Article 3 and Article 15(1) of the Directive, read in the light of Article 4(2) of the Treaty of European Union, must be interpreted as national legislation enabling a State authority to require providers of electronic communications services to forward traffic data and location data to the security and intelligence agencies, for the purpose of safeguarding national security, falls within the scope of that directive.
Decision of the Court in the second question
Section 94 of the UK Telecommunications Act 1984 permits the Secretary of State to require providers of electronic communications services to forward bulk communications data to the security and intelligence agencies if he finds it in the interest of the national security. Data includes the name and address of the user, the telephone number of the person making the call and the number called by that person, the IP addresses of the source and addressee of the communication and the addresses of the websites visited. The data is retained by the security and intelligence agencies and remains available for further processing, in particular it may be cross-checked with other databases containing different categories of bulk personal data or be disclosed outside those agencies and to third countries. It is worth noting that those operations do not require prior authorisation from a court or independent administrative authority and do not involve notifying the persons concerned in any way.
The Directive provides that ‘Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation’. The objective of general interest must be balanced against the individual’s rights. The Directive prescribes that the Member States may adopt a measure derogating the principle that communications and the related traffic data are to be confidential where such a measure is ‘necessary, appropriate and proportionate … within a democratic society’. In addition, the Directive specifies that a measure of that nature must be ‘strictly’ proportionate to the intended purpose. In order to satisfy the requirement of proportionality, the legislation must lay down clear and precise rules governing the scope and application of measures and impose minimum safeguards, so that the persons whose personal data is affected have sufficient guarantees data will be effectively protected against the risk of abuse. The Court has already concluded in its earlier decision that transmission of traffic data and location data to a third party constitutes interference with the Respect for private and family life and Protection of personal data, regardless of how that data is subsequently used. The interference with the right to Respect for private and family life caused by the transmission of traffic data and location data to the security and intelligence agencies must be regarded being particularly serious, due to the possibility of establishing a profile of the persons concerned on the basis of that data. Retention of that data by the providers of electronic communications services may pose a risk to individuals in case such data is abused and unlawfully accessed.
The Court has confirmed that national security remains the sole responsibility of each Member State. However, national legislation governing access to traffic data and location data must rely on objective criteria in order to define the circumstances and conditions under which the competent national authorities are to be granted access to the traffic data and location data, in particular by means of general and indiscriminate transmission. The Court has reiterated that transmission of traffic and location data carried out in a general and indiscriminate way affects persons for whom there is no evidence to support any link with the objective of safeguarding national security, in particular with a threat to national security.
Article 15(1) of Directive 2002/58, as amended by Directive 2009/136, read in the light of Article 4(2) TEU and Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union, must be interpreted as precluding national legislation enabling a State authority to require providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security.
The decision is available here.
The text represents the author's interpretation of the said decision and should not be construed as legal advice.