Those following the legal debate since the Schrems-II decision are well aware that one of the main arguments on the U.S. side is that the European Union should look not only at third countries’ surveillance practices, but also at their own. The typical response is that this is not possible, because national security is excluded from the competences of the EU and thus cannot be legislated by the European Commission. A series of new judgments from the Court of Justice of the European Union (CJEU), however, sheds some new light on the matter.
The judgments, released on 6 October 2020, relate to four cases* and criticise legislation allowing the national security agencies in the United Kingdom, Belgium and France to collect communications traffic data on the basis of an exception in the ePrivacy Directive from 2002. Following the terrorist attacks in Madrid and London in 2004 and 2005, the European Union created a general data retention scheme for telecommunications data, which has since been struck down by the CJEU for not complying with the fundamental rights to privacy and data protection. National laws creating a similar scheme, either based on the EU scheme or on the own initiative of an EU Member State, have also been annulled by the CJEU. In the current cases, the questions put to the Court included whether it is possible at all to collect telecommunications traffic data in bulk and, if so, under what conditions.
The judgment of the CJEU
Most importantly, the CJEU has confirmed in both judgments that the transmission of personal data from a communications service provider (i.e. a telecom or internet service provider) to a government authority, including to the national security services, is covered by data protection law. In this specific case, it is the ePrivacy Directive that applies, but read in the light of the GDPR. Since a transmission constitutes a data processing operation, the Court explains, it means that the communications service provider – the data controller – would need to comply with the requirements of the ePrivacy Directive and its national implementations. That includes the general aim of ePrivacy to ensure the confidentiality of communications. It is not relevant in this instance that national security is excluded from the remit of EU legislation, according to the Court, since national security is not the main reason the ePrivacy Directive exists.
National security could, however, be a good reason for limitations to the confidentiality requirement of the ePrivacy Directive. According to the Court, this is possible as long as the essence of the fundamental rights to privacy and data protection, among others, continues to be respected. An unlimited and continuous collection of telecommunications data is not allowed, since that goes beyond what can be seen as strictly necessary in a democratic society, and could also have detrimental effects on the life people want to live. They may stop doing things for fear of being under constant surveillance, thus causing a chilling effect.
What would be allowed is a time-restricted collection of telecommunications data in case of a genuine and present or foreseeable grave threat to national security. In theory, the Court would allow the data collection under these circumstances to be indiscriminate (i.e. covering everyone), but it makes clear that it prefers the government authorities to put in place objective criteria to narrow the scope of data collection, for example to a specific group of people or a specific geographical location. As to the time restrictions, the Court explains that the duration of the collection of data should be foreseeable, and that regular reauthorizations – based on a renewed necessity check – should take place. For such collections of telecommunications data, governments should ensure that there is a possibility for a judicial or administrative review, with binding effect, especially with regard to the existence of the genuine and present or foreseeable grave threat to national security.
As long as the data collection is limited to the registration of the IP address at the source of a communication – but without the link between IP addresses being documented – the Court provides more leeway, but still imposes a time restriction. The documentation of the personal information (name and address) of electronic communications users is even less restricted, and can generally take place, since it would not really contribute to the chilling effect. These two data types could therefore also be processed for other purposes, such as the fight against serious crime.
Why is this relevant?
The judgment of the Court is mainly directed at the governments putting in place legislation on the collection and use of telecommunications data. So why is it relevant for companies?
In the first place, this is the first time since the Schrems-II decision that the Court has assessed laws against its own threshold. Paragraph 65 of the Privacy International judgment states that “the requirement that any limitation on the exercise of fundamental rights must be provided for by law implies that the legal basis which permits the interference with those rights must itself define the scope of the limitation on the exercise of the right concerned”. In other words: if mass data collection is taking place, the same law should also provide for the safeguards for individuals. In the Privacy International case, the Court held this criterion was not met, since there is no limitation to the data collection – not in time, not in location, nor in the group of people whose data are transmitted to the security services.
Secondly, both judgments show that the CJEU does not only criticize the legislation of the United States, but holds the EU Member States to the same standards. Unlimited data collection without access to binding judicial or administrative review is also prohibited in the EU Member States, because this interferes with the fundamental rights to privacy and data protection beyond what can be seen as necessary in a democratic society. In addition, in these cases the Court has provided further clarity on the assessment criteria for government interference. It has made clear that in case of a serious and immediate threat to national security, for example because of a suspected imminent terrorist attack, much more would be allowed when it comes to data processing than for regular law enforcement or other government interests. In short: the data collection should be necessary and proportionate, and be accompanied by safeguards to protect the rights and freedoms of individuals.
* The CJEU released two judgments. One in the case Privacy International v. Secretary of State for Foreign and Commonwealth Affairs and others (C-623/17), and one in the joint cases La Quadrature du Net v. Premier Ministre and others (C-511/18 and C-512/18) and Ordre des barreaux francophones et germanophone v. Conseil des Ministres and others.