The Court of Justice of the European Union (‘CJEU’) has recently delivered a number of rulings that examine the legality of the mass surveillance of electronic communications. This article summarises the case Privacy International v Secretary of State for Foreign and Commonwealth Affairs C-623/17. The joined cases of La Quadrature du Net and Others C-511/18 and C512/18also involved questions relating to the same subject matter and was delivered on the same day.
Privacy International v Secretary of State for Foreign and Commonwealth Affairs
On 12 March 2015, the United Kingdom’s Intelligence and Security Committee of Parliament published a report that revealed the practices of the intelligence community in relation to bulk communications data. Privacy International brought proceedings against the Secretary of State for Foreign and Commonwealth Affairs, the Secretary of State for the Home Department and the security agencies before the Investigatory Powers Tribunal (‘the IPT’), challenging the lawfulness of the practices. For the IPT’s ruling click here.
The IPT examined the acquisition and use of bulk personal data such as biographical data, travel data, financial or commercial information, and communications data. These were divided into ‘bulk personal datasets’ and ‘bulk communications data’. Bulk communications data is provided by telecommunications providers to the intelligence agencies under section 94 of the Telecommunications Act 1984 (‘section 94’). It does not include the content of the communications data, but the information surrounding the transmission of data.
For example, the source and destination of the communications, the date, length and type, the hardware used, and the location of the terminal equipment. It also includes the name and the address of the user, the telephone numbers of the persons making and receiving the calls, IP addresses and the addresses of websites visited. This data is then accessed by the intelligence agencies either to look for something specific, or to electronically ‘trawl’ through the data to search for a potential threat to national security.
The Respondents argued that the collection of such data does not fall within the scope of European Union (EU) law because it concerns matters of national security. They pointed to the case of The European Parliament v Council of the European Union  3 CMLR 9 which concerned the supply of passenger name record data by air carriers to the US authorities for the purposes of investigating and preventing terrorism. The Grand Chamber found that such processing fell outside of the scope of Directive 95/46 (‘the Data Protection Directive’) pursuant to Article 3(2).
However the later judgment of the CJEU in the joined cases of Tele2 Sverige AB v Post-och telestyrelsen and Secretary of State for the Home Department v Watson and Others C-203/15 and C-698/15, which involved an assessment of the Data Retention Investigatory Powers Act 2014 and Directive 2002/58/EC (‘the e-Privacy Directive’), came to a different conclusion.Tele2/Watson concerned the legal obligation on commercial telecommunications operators to retain data so that it could be made available not only to intelligence agencies, but also to other public bodies. The ruling established the following:
- Non-targeted access to bulk data is restricted.
- There must be prior authorisation before any data is accessed.
- There must be provision for subsequent notification of those affected.
- All data must be retained within the EU.
The Respondents distinguished the current challenge from Tele2/Watson on the basis that the use of the bulk communications data acquired under section 94 is for national security, and not for the investigation of ordinary crime. However, for the IPT, the question remained on whether it fell within EU law, because even though the data was used for the purposes of national security, it was initially collected in the course of commercial activity. Accordingly, the IPT requested a preliminary ruling on the interpretation of Article 1(3) and Article 15(1) of the e-Privacy Directive.
The e-Privacy Directive governs the confidentiality of electronic communications and covers the processing of personal data by providers of electronic communications services. Article 1(3) states that the Directive does not apply to activities that fall outside the scope of the Treaty on the Functioning of the European Union (‘TFEU’), and to activities concerning State security. Article 15(1) permits Member States to adopt legislation that restricts the scope of certain rights and obligations of the e-Privacy Directive where it is a ‘necessary, appropriate and proportionate’ measure to safeguard national security.
The CJEU’s Ruling
Does the processing fall within EU law?
The CJEU, noting its judgment in Ministerio Fiscal C-207/16, concluded that Article 1(3) of the e-Privacy Directive excludes activities related to State security matters only where those activities are ‘unrelated to fields in which individuals are active’. It highlighted Article 3, which states that the directive applies to the processing of personal data in electronic communications services and thus regulates the activities of the providers of such services. On Article 15(1), the court made the following conclusions:
- It necessarily presupposes that the national legislative measures adopted fall within the scope of the directive.
- Read in conjunction with Article 3, it must be interpreted as meaning that the scope of the directive extends not only to legislative measures that require electronic communications services providers to retain the data, but also to those legislative measures that require them to grant the national authorities access to the data.
The CJEU considered the case of The European Parliament v Council and noted that it had been found by the court that the transfer of personal data in that case did not fall within the scope of the Data Protection Directive. However, the CJEU was of the view that the finding did not extend to the case at hand, and the interpretation of Article 3(2) of the Data Protection Directive could not be transposed to the interpretation of Article 1(3) of the e-Privacy Directive. This was because Article 3(2) excluded, in a general way, the data processing operations for public security and defence ‘without drawing any distinction according to who was carrying out the data processing operation concerned’.
Furthermore, the Data Protection Directive (and accordingly Article 3(2)) has been repealed by Regulation 2016/670 (‘the GDPR’). The equivalent provision in the GDPR – found in Article 23(1)(d) and (h) – falls within the scope of the GDPR, such that there is no exclusion, and is consistent with the above interpretation of the e-Privacy Directive. The CJEU concluded that the processing falls within the scope of the e-Privacy Directive and therefore must be considered in the light of Articles 7, 8, 11 and 52(1) of the Charter.
Interpretation in the context of the Charter rights.
The CJEU highlighted recitals 6 and 7 of the e-Privacy Directive that states that its purpose is ‘to protect users of electronic communications services from risks for their personal data and privacy resulting from new technologies and, in particular, from the increasing capacity for automated storage and processing of data’ and affords the protection required by Articles 7 and 8 of the Charter. According to Article 5(1) of the e-Privacy Directive, Member States will ensure the confidentiality of such communications and prohibit tapping, or other kinds of interception or surveillance, except where legally authorised in accordance with Article 15(1).
Whilst Article 15(1) permits Member States to introduce legislation that derogates from the principle of confidentiality and make provisions for the retention of communications data for a limited period of time, the exception cannot be applied in such a way that it becomes the rule.
Article 52(1) of the Charter allows Member States to place limits on Articles 7, 8 and 11, so long as they are provided for by law, respect the essence of those rights, comply with the principle of proportionality, are necessary and genuinely meet the objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.
As was concluded in Facebook Ireland and Schrems C-311/18 (see my blog article here), any limitation on a right must be provided for by law, which must define the scope of the limitation on the exercise of the right. Any legislation introduced must be strictly proportionate to the intended purpose, include minimum safeguards, indicate the circumstances and conditions in which it applies, and ensure that the interference with fundamental rights is limited to what is strictly necessary.
The court concluded that s94 operates in a general and indiscriminate way and ‘has the effect of making the exception to the obligation of principle to ensure the confidentiality of data the rule’ in contradiction to the provisions of the e-Privacy Directive. The transmission of electronics communications data to a third party, regardless of how the data is subsequently used, represents an interference with Article 7 of the Charter.
The view of the CJEU was that this interference is particularly serious in this context, because it is possible to establish a profile of a person based on the data that could reveal sensitive information and ‘is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance’. Further, it has consequences for the exercise of the freedom of expression and in particular may deter whistle blowers and those obligated to professional secrecy. The fact that the amount of traffic and location data is vast also means that ‘the mere retention of that data by the providers of electronic communications services entails a risk of abuse and unlawful access’.
The CJEU found that general access to all retained data, regardless of whether there is any link to the pursued objective of protecting national security, ‘cannot be regarded as being limited to what is strictly necessary’. There must be an objective criteria to define the circumstances and conditions under which access to the data may be granted. The indiscriminate way in which section 94 operates ‘exceeds the limits if what is strictly necessary and cannot be considered justified, within a democratic society’ as required by Article 15(1) of the e-Privacy Directive, taken with Article 4(2) TEU and Articles 7, 8, 11 and 52(1) of the Charter.
In the joined cases of La Quadrature du Net and Others the same issue arose. La Quadrature du Net, the French Data Network, and Fédération des fournisseurs d’accès à Internet associatifs challenged France’s intelligence and surveillance laws. The laws required electronic communications services providers to implement automated processing on their networks to detect links that might constitute a terrorist threat, to permit ‘real-time’ access to location and traffic data, and for the indiscriminate retention of that data for judicial authorities to review.
The court reiterated its conclusions in Privacy International , Tele2/Watson, and Ministerio Fiscal. Namely, that the preventative retention of data, on an indiscriminate basis, must be limited to what is strictly necessary, cannot be indefinite, cannot be systematic in nature, and must be subject to limitations and safeguards. The targeted retention of traffic and location data to prevent serious crimes or serious threats to public safety is permitted where there are limits applied on the basis of objective and non-discriminatory factors. Real-time access and automated analysis are limited to situations where a Member State is facing a serious threat to national security that must be genuinely present and foreseeable. A decision authorising such methods must be based on objective criteria provided for by national legislation and it must be subject to review by a court or administrative body.
The conclusions of the CJEU are not entirely surprising given the direction of travel of the court’s recent rulings. However, the court’s distinction between ordinary crime, serious crime, and serious threats to public safety is not entirely clear. Further cases are pending. In H.K. v Prokuratuur C-746/18 the referring court has posed questions relating to the admissibility of electronic communications data in criminal proceedings, and the independence of the administrative authority providing oversight. The Opinion of Advocate General Pitruzezlla is available here.
There is also Federal Republic of Germany v Telekom Deutschland GmbH C-794/19 which asks the CJEU about the scope of retention of IP addresses, and G.D. v The Commissioner of the Garda Síochána, Minister for Communications, Energy and Natural Resources, Attorney General C-140/20, which asks further questions about general data retention schemes and for clarification on declarations of inconsistency in this context.
If you would like any further information or advice, I can be contacted at: email@example.com
 6 October 2020, CJEU ECLI:EU:C:2020:790.
 French Data Network, Fédération des fournisseurs d’accès à Internet associatifs, Igwan.net v Premier minister, Garde des Sceaux, ministre de la Justice, Ministre de Ministre de l’Intérieur, Ministre des Armées (interveners: Privacy International, Center for Democracy and Technology), 6 October 2020, CJEU ECLI:EU:C:2020:791.
 National security is excluded from the scope of European Union Law under Article 4(2) TEU.
 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
 2 October 2018, ECLI:EU:C:2018:788.
 Paragraph 35 of the Privacy International judgment, my emphasis.
 Ibid., paragraph 36.
 Ibid., paragraph 38.
 Ibid., paragraph 39.
 Ibid., paragraph 46.
 Ibid., paragraph 53.
 Ibid., paragraph 59, referring to paragraph 111 of the La Quadrature du Net judgment.
 Ibid., paragraphs 66 and 68.
 Ibid., paragraph 69.
 Ibid., paragraph 71.
 Ibid., paragraph 72.
 Ibid., paragraph 73.
 Ibid., paragraph 78.
 Ibid., paragraph 81.
 La Quadrature du Net judgment, paragraphs 137 to 139.
 Ibid., paragraph 150.
 Ibid., paragraphs 176 to 179 and 188 to 189.