Bulk data interception/retention judgments of the CJEU – A victory and a defeat for privacy
Introduction
On 6 October 2020, the Court of Justice of the European Union (CJEU, the Court) delivered its judgments in Case C-623/17, Privacy International, and in Joined Cases C-511/18, La Quadrature du Net and Others, C-512/18, French Data Network and Others, and C-520/18, Ordre des barreaux francophones et germanophone and Others (referred to as La Quadrature du Net and Others). Both judgments continue the long line of case-law on the secondary use of personal data by intelligence services and law enforcement agencies, in particular traffic and location data initially collected by service providers for commercial purposes (see in particular Joined Cases C‑293/12 and C‑594/12 Digital Rights Ireland, Joined Cases C-203/15 and C-698/15 Tele 2, Opinion 1/15 of the Court on the draft EU-Canada PNR Agreement, Case C-207/16 Ministerio Fiscal).
While the Court in both judgments decides on landmark cases, which have a number of commonalities, and were heard in a joint hearing in 2019, their nature and outcome are quite different. On one hand, Privacy International is an easy victory for the right to privacy and data protection. The Court unequivocally confirms that the state authorities are not allowed to intercept personal data, originating from commercial operators, in bulk. La Quadrature du Net and Others on the other hand, is a complex victory for the law enforcement community and a major step back in the Court’s data retention jurisprudence.
The two-decades-long conflict between the law enforcement and the privacy communities is still ongoing[1]. In what follows, I therefore decided to briefly present the facts of the case and then to divide the main outcomes of the two judgments in three victories for one or the other camp, without pretensions to be exhaustive on every single point of the judgments.
Facts
The case of Privacy International is a preliminary reference from the UK Investigatory Powers Tribunal. Privacy International, a London-based NGO, brought an action before that Tribunal back in 2015 against the British security and intelligence agencies and their respective state secretaries. They questioned the legality of the acquisition and use of bulk communication data by agencies like the GCHQ, MI5 or MI6. The referring court had doubts about whether EU law, and in particular the e-Privacy Directive, is applicable to the matter at hand at all, given that national security falls outside of the scope of EU law, as confirmed by Article 4 of the Treaty on European Union (TEU).
The joined cases in La Quadrature du Net and Others are preliminary references from the French Conseil d’Etat (Council of State) and Belgian Cour Constitutionnelle (Constitutional Court, analysed previously on this blog here) in disputes between the French and Belgian Governments respectively and a number of organisations in the two countries. The latter were questioning the legality of the respective data retention regimes, and in France the legality of some of the surveillance techniques introduced in 2015 and 2016, after the Charlie Hebdo and Bataclan terrorist attacks. Both the Conseil d’Etat and the Cour Constitutionnelle therefore asked whether the general and indiscriminate retention of communications data by the telecommunication service providers could be justified as a measure imposed under Article 15(1) of the e-Privacy Directive. As justifications, the high jurisdictions suggest safeguarding national security or fighting against crime and threats to public security. In addition, such data retention might be necessary to meet the positive obligations of the state under Article 6 of the Charter of Fundamental Rights of the European Union (Charter) (right to liberty and security), but also under Articles 4 (prohibition of torture and inhuman or degrading treatment and punishment) and 7 (respect for private and family life) of the Charter. In the context of positive obligations, the Cour Constitutionnelle focused on the preventive role of national law enforcement authorities, and in particular the fight against sexual abuse of minors.
Furthermore, on the one hand, the Conseil d’Etat questioned whether the data retention of identification data (such as IP addresses and subscriber information), and the real-time collection of traffic and location data of specified individuals would be allowed under the e-Privacy Directive, and how important it is to notify individuals who were subject to a certain surveillance measure. On the other hand, the Cour Constitutionnelle wanted to know whether, in case national data retention laws were deemed incompatible with EU law, such retained data could be used as evidence in national criminal proceedings.
Three wins for privacy and data protection
Starting with the victories for privacy, its biggest win is the Court’s clear statement in paragraphs 78 to 81 of Privacy International. At the outset, it is merely a reiteration of the Court’s position already expressed in both Tele 2 (analysed previously on this blog here) and EU-Canada PNR Agreement opinion (analysed previously on this blog here), prohibiting bulk interception by state authorities of all individuals’ data. National legislation allowing the authorities’ interception of personal data collected by service providers must develop objective criteria for both the acquisition of a particular dataset from a service provider and its actual use by those authorities. However, the importance of the Court’s confirmation in Privacy International cannot be over-emphasized for two reasons. Firstly, if intelligence agencies, which normally get the biggest margin of appreciation from European courts, cannot acquire and use personal data in bulk, no public authorities can. Secondly, the Chamber of the European Court of Human Rights (ECtHR) concluded in a very similar case, Big Brother Watch and Others vs UK (analysed previously by me here and on this blog here), that bulk interception of communications by intelligence agencies is per se acceptable (paragraph 314). However, the case is now being re-examined by the Grand Chamber, and if the message from Luxembourg reaches Strasbourg, the highest European courts might agree to simply declare the bulk interception of personal data by state authorities illegal as such.
The second victory for privacy may be found in both judgments. They clarify in a transparent manner that any processing of personal data by service providers, be it the mere disclosure or the transmission of personal data to state authorities, falls within the scope of the General Data Protection Regulation (GDPR) and, in the particular case of electronic communications data, the e-Privacy Directive. By extension, the protections afforded to such processing in the Charter fully apply. And generally speaking, EU law applies – to much disappointment of the referring courts, judging from the way they formulated their questions. This conclusion (see in particular paragraph 46 of Privacy International and paragraph 101 of La Quadrature du Net and Others) should help close a long debate about the limits of EU law in the area of national security. Article 4 TEU does exclude national security from the scope of EU law. However, this exemption is narrowly applicable to the activities of intelligence agencies for the purposes of safeguarding national security. Article 4 TEU does not cover the activities of service providers where requested or obliged, by national laws adopted in the implementation of Article 23 GDPR and/or Article 15 e-Privacy Directive, to restrict a number of individuals’ rights for the purposes of safeguarding national security.
The third win for privacy is the Court’s rejection of the alleged need to balance the ‘right to security’ stipulated under Article 6 of the Charter against the rights to privacy and data protection in Articles 7 and 8 of the Charter. Interestingly enough, this debate was launched six years ago by the Court itself, with a rather unfortunate sentence at the end of paragraph 42[2] of the Digital Rights Ireland (analysed previously on this blog here). Now, paragraphs 125-127 of La Quadrature du Net and Others clarify that Article 6 of the Charter protects individuals against arbitrary deprivations of liberty by public authorities, and therefore cannot impose a positive obligation on the State to prevent or punish certain criminal offences. Admittedly, such positive obligations could stem from Articles 4 or 7 of the Charter, but the Court now provides an authoritative rebuttal of a flawed argument on the existence of a collective ‘right to security’ enshrined in the Charter and the necessity to reduce protections provided for by Articles 7 and 8 in order to strike a proper balance with Article 6.
Three wins for the law enforcement community
On its face, it may seem that the principle established in Tele 2, on the prohibition of a general and indiscriminate retention of traffic and location data for the purposes of fighting serious crime and safeguarding against serious threats to public security, is maintained in La Quadrature du Net and Others. The first reading of the judgment, in particular paragraph 141, might lead to the conclusion that data retention is still dead and that the Court still allows only targeted retention (whatever this may mean). However, contrary to the welcomed straight-forwardness and judicial simplicity in Privacy International, La Quadrature du Net and Others is a far more complicated text, composed of a series of rather political compromises than judicial decisions, and face-saving exercises. A deeper reading of the judgment turns the Tele 2 principle into a mirage.
The greatest victory for the law enforcement community, and the most important exception to the Tele 2 principle, may be found in paragraphs 136-139 of La Quadrature du Net and Others. In my view, this is where the Court implicitly overrules its previous case-law. All of a sudden, the general and indiscriminate retention of traffic and location data is allowed, in case there is a ‘serious threat to national security’. Although such retention should be ‘limited in time to strictly necessary’, subject to safeguards and conditions and ‘not systematic in nature’, it may be renewed due to an ‘ongoing nature of the threat’. As a consequence, the Court opened the doors for Member States to reform their national data retention laws, while preserving the essence of what was clearly illegal after Tele 2. For example, Member States might start issuing time-limited, but renewable general and indiscriminate data retention warrants, with the objective of safeguarding national security, under an ongoing specific threat. What is more, the objective justifying the general and indiscriminate data retention should be distinguished from the conditions imposed on the access to such retained data. In fact, the Court remains silent on access, and therefore does not limit it to intelligence agencies for the purposes of safeguarding national security. To my mind, the conditions for access to retained data that national law must meet, laid down in paragraphs 115-123 of Tele 2, remain valid. Hence, by combining the conditions for general and indiscriminate data retention from La Quadrature du Net and Others and the conditions for access from Tele 2, Member States could first demonstrate and specify a threat to national security, then order the general and indiscriminate retention of traffic and location data, and finally allow access to such retained data to law enforcement authorities for the purpose of fighting serious crime.
The second law enforcement victory may be found after the Court moves beyond its previous data retention case-law and opens a discussion about additional types of personal data other than traffic and location data (paras 152-159). We thus learn about the less sensitive types of data, necessitating only a lower threshold of protection. The Court, therefore, allows the general and indiscriminate retention of IP addresses of the sources of a communication in relation to email and internet telephony, for the objective of fighting serious crime and preventing serious threats to public security. And, somewhat in line with Ministerio Fiscal, the general and indiscriminate retention of subscriber information (in the Court’s words, data about ‘civil identity’) may be justifiable even for the objective of fighting any crime and the prevention of any threats to public security. Hence, the Court accepts the request of the law enforcement community to utilise more efficient tools in a crucial phase of any investigation: identifying an unknown suspect or a perpetrator of a criminal offence.
Finally, the law enforcement community can rest assured that, even if national data retention laws were violating the EU law, national courts would not have many difficulties in accepting such retained data as evidence in criminal proceedings. From paragraphs 223-228, it transpires that the admissibility of evidence will largely depend on the national procedural rules. In some Member States, a number of convictions were already re-examined, and prisoners were released after the reliability of location data was seriously brought into question. But this remains a national matter and, according to the Court, there is nothing in EU law that would trigger a violation of the right to a fair trial in criminal proceedings as a direct and automatic consequence of the violation of the right of privacy and data protection.
Conclusion
While both judgments, and in particular La Quadrature du Net and Others, contain many more important points[3] that would merit further academic and societal debate, the presented wins for both camps are landmark conclusions of the Court, with major repercussions beyond the underlying ‘security v. privacy’ clash.
Privacy International not only puts pressure on the ECtHR and on any national surveillance laws providing for ‘data hoovering’ by intelligence agencies. Read together with the Court’s judgment in Schrems II (analysed previously on this blog here, here and here) the judgment sets the scene for the upcoming decision of the European Commission on the UK’s (in)adequacy as a third country regarding personal data transfers from the EU under the GDPR. It also solidifies the requirements that must be met by any future successor of the annulled Privacy Shield.
At the same time, the compromise judgment in La Quadrature du Net and Others not only reanimates the ‘walking dead’ (general and indiscriminate data retention), it also puts online anonymity to a zombie-like coma. What is more, the judgment reduces the hopes of organisations fighting another system where personal data are collected initially for commercial purposes and subsequently processed for law enforcement purposes – Passenger Name Records[4]. And finally, it will certainly strengthen the law enforcement community arguments in the ongoing reform of the Budapest Convention on Cybercrime and in the discussions on the European Commission’s e-evidence package (analysed previously on this blog here, here and here).
[1] For the overview of the origins of this clash, see more in Privacy surrenders to patriotism: The PATRIOT act (2001). (2018). In Grey House Publishing (Ed.), Opinions throughout history: National security vs. civil & privacy rights. Grey House Publishing. Available from: Grey House [Accessed 20 October 2020].
[2] ‘It is apparent from the case-law of the Court that the fight against international terrorism in order to maintain international peace and security constitutes an objective of general interest (see, to that effect, Cases C‑402/05 P and C‑415/05 P Kadi and Al Barakaat International Foundation v Council and Commission EU:C:2008:461, paragraph 363, and Cases C‑539/10 P and C‑550/10 P Al-Aqsa v Council EU:C:2012:711, paragraph 130). The same is true of the fight against serious crime in order to ensure public security (see, to that effect, Case C‑145/09 Tsakouridis EU:C:2010:708, paragraphs 46 and 47). Furthermore, it should be noted, in this respect, that Article 6 of the Charter lays down the right of any person not only to liberty, but also to security.’ (Emphasis added.)
[3] For example, on targeted retention, expedited retention, real-time data collection and automated data analysis, and types of services covered by the e-Privacy Directive.
[4] Currently pending before the CJEU are cases in which the PNR regimes of Belgium and Germany, introduced by way of transposing the EU PNR Directive 2016/681, have been challenged. See https://eucrim.eu/news/german-court-asks-cjeu-about-compatibility-pnr-legislation/ and https://www.statewatch.org/media/documents/news/2019/nov/belgium-constitutional-court-PNR.pdf
5 comments
Thank you for this interesting analysis. However, I’d like to voice my disagreement with two key aspects of your analysis of the rulings, which, to my mind, misrepresent what the Court has decided.
1) I do not share your view that the Court has implicitly overruled its previous case-law, namely the Tele2 judgment. Tele2 did not deal with questions of national security and was only ever concerned with data retention to combat serious crimes. So far, it had only held that indiscriminate data retention was disproportionate in the fight against serious crime and that is still true – the Court did not overrule this at all, but rather reiterated this position. Also, the Court left in place a ban on general (i.e. not tailored to a specific occasion) indiscriminate data retention.
It held now that indiscriminate data retention can in certain situations and under certain conditions be proportionate to combat certain threats to national security. And there are two central aspects to the way the Court framed the conditions.
First, the Court gave quite a narrow definition of what constitutes national security in pt. 135 (“the primary interest in protecting the essential functions of the State and the fundamental interests of society and encompasses the prevention and punishment of activities capable of seriously destabilising the fundamental constitutional, political, economic or social structures of a country and, in particular, of directly threatening society, the population or the State itself, such as terrorist activities.“).
Second, the Court does not allow to indiscriminately retain data for the general goal of combatting threats to this narrowly defined national security, but allows indiscriminate data retention only in situations in which a genuine, present or foreseeable threat to national security exists, subject to judicial review. Thus, it must be proven in a specific situation that this kind of threat exists and persists. Your article even mentions that the Court does not allow systematic retention, which is an additional clarification that the Court does not allow through the backdoor what it banned in Tele 2 (i.e., systematic retention, no matter the security situation).
Not only did the Court not change Tele2, instead upholding it in its entirety. Rather, it allowed indiscriminate retention measures only for specific threats to (narrowly defined) national security, subject to judicial review, the extension of which also would need to withstand judicial scrutiny, verifying that the threat persist. These measures need to cease once the specific threat no longer exists. Member states cannot just slap “national security” on data retention laws and continue business as usual – indiscriminate data retention is tied to the judicially reviewable persisting existence of a real threat to narrowly defined national security. And only with these limiting principles did the Court find that national security could justify indiscriminate data retention. A finding that does not contradict Tele2 at all and is quite narrowly tailored.
2) The judgment explicitly contradicts your fear that the data collected to combat threats to national security could be used to combat serious crime. In pt. 166 of the Quadrature du Net judgment, the Court says that: “access to traffic and location data retained by providers in accordance with a measure taken under Article 15(1) of Directive 2002/58 may, in principle, be justified only by the public interest objective for which those providers were ordered to retain that data.” The “in principle” refers to situations in which data collected to combat serious crime is accessed to combat threats to national security, which the Court allows for reasons of proportionality. But it is not allowed to access data retained to combat national security threats to combat serious crimes. National rules to access retained data must be subject to the safeguards the Court develops (pt. 167). In any event: the rules for access in Tele2 were (again) only ever concerned with data retention in order to combat serious crime and cannot as easily be transposed to questions of national security, because (again) the balancing exercise of proportionality the Court engages in is a different one.
Dear M.K.,
thank you for your comment. Let’s agree to disagree 🙂
Kind regards,
Juraj
Regarding admissibility, one of the judgements acknowledges that the evidence in principle is up to national rules. But further goes on that introduction of such evidence is now allowed as it would cause the accused to face an unfair trial in light of ‘effectiveness’ such that the accused or other parties may not be in a position to comment on them due to the jurisprudence in the area. However you have taken this to mean that evidence can be introduced. Can you elaborate
Dear Morialis,
thank you for your comment. My point is that the Court does not enter into a discussion on the (in)admissibility of evidence obtained through data retention, and rather leaves that to the national criminal law system. The Court does require that the accused should be able to challenge such evidence, but these are procedural requirements. The Court does not enter into the substantive discussion on the quality/admissibility of evidence.
Juraj