This past 6 October, the CJEU ruled on a highly controversial UK case concerning e-privacy and national security, focusing on the interpretation of Directive 2002/58/EC on privacy and electronic communications.
In 2015, a report of the Intelligence and Security Committee of Parliament came to light, revealing that the United Kingdom's security and intelligence agencies, namely GCHQ, MI5, and MI6, had been acquiring and using bulk communications data. As a result, on 5 June 2015, Privacy International, a non-governmental organisation, brought an action before the Investigatory Powers Tribunal against the Secretary of State for Foreign and Commonwealth Affairs, the Secretary of State for the Home Department and those security and intelligence agencies, challenging the lawfulness of those practices.
But what is bulk communications data?
According to MI5: ‘Bulk communications data is the «who», «where», «when», «how» and «with whom» of communications, but not what was written or said. It includes information such as the subscriber to a telephone service or an itemised bill. Public authorities such as MI5 and the police may acquire this data, which is usually obtained via Communications Service Providers (CSPs)’.
In the UK, Section 94 of the Telecommunications Act 1984 states that the Secretary of State may give providers of electronic communications services such general or specific directions (e.g. to provide bulk communications data) as appear to him to be necessary in the interests of national security or relations with a foreign government. In particular, the data concerned includes traffic data and service use information, with only the content of communications being excluded. That data is transmitted to the security and intelligence agencies and retained by them for the purposes of their activities.
Well, it is not the first time that the Investigatory Powers Tribunal must deal with this kind of issue…
In a judgment of 17 October 2016, the national court found —subject to certain reserved issues since 2015, concerning the proportionality of those measures and the transfer of data to third parties— that the safeguards surrounding the use of bulk communications data by the security and intelligence agencies were consistent with the requirements of the ECHR. Apparently, GCHQ and MI5 have been acquiring and using, in their activities, sets of bulk personal data —such as biographical data or travel data, financial or commercial information, communications data liable to include sensitive data covered by professional secrecy, or journalistic material— since 2001 and 2005 respectively. I beg your pardon?
Furthermore, regarding the lawfulness of the acquisition and use measures in light of EU law, in a judgment of 8 September 2017, the national court found that, as regards bulk communications data, the requirement under section 94 of the 1984 Act for providers of electronic communications networks to provide the security and intelligence agencies with data collected in the course of their economic activity fell within the scope of EU law. However, that was not the case for the acquisition of other data obtained by those agencies without the use of such binding powers. In this sense, data falling within the scope of EU law must comply with the requirements specified by the case-law resulting from the judgment of 21 December 2016, Tele2 Sverige and Watson and Others (C‑203/15 and C‑698/15, EU:C:2016:970; ‘Tele2’), in §119-125.
Coming back to the case at issue…
Privacy International claimed that the regime was unlawful under EU law because it failed to provide various safeguards identified as required in the Tele2 case. The UK government argued that the regime was outside the scope of EU law because it related to national security and, in the alternative, that Article 8 of the ECHR provided sufficient safeguards, and that additional safeguards would jeopardise the ability of GCHQ, MI5, and MI6 to operate and so should not apply.
II. Preliminary ruling questions
The Investigatory Powers Tribunal stated that the capabilities of GCHQ, MI5 and MI6 to use the bulk communications data supplied to them are essential to the protection of the national security of the United Kingdom. Their principal utility lies in swift target identification and development, as well as in providing a basis for action in the face of imminent threat. In this sense, the provider of an electronic communications network is not thereafter required to retain the data beyond the period of its ordinary business requirements; the data are retained by the State alone, i.e. by the security and intelligence agencies.
However, the national court considered it necessary to address the following questions:
‘(1) Having regard to Article 4 TEU and Article 1(3) of Directive 2002/58, does a requirement in a direction by a Secretary of State to a provider of an electronic communications network that it must provide bulk communications data to the security and intelligence agencies of a Member State fall within the scope of Union law and of Directive 2002/58?
(2) If the answer to Question (1) is “yes”, do any of the requirements applicable to retained communications data, set out in paragraphs 119 to 125 of the judgment of 21 December 2016, Tele2 (C‑203/15 and C‑698/15, EU:C:2016:970) or any other requirements in addition to those imposed by the ECHR, apply to such a direction by a Secretary of State? And, if so, how and to what extent do those requirements apply, taking into account the essential necessity of the security and intelligence agencies to use bulk acquisition and automated processing techniques to protect national security and the extent to which such capabilities, if otherwise compliant with the ECHR, may be critically impeded by the imposition of such requirements?’
III. CJEU preliminary ruling
A. Question 1
First of all, the CJEU recalls that, under Article 1(1) thereof, Directive 2002/58 provides, inter alia, for the harmonisation of the national provisions in the EU required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and confidentiality, concerning the processing of personal data in the electronic communications sector.
The Court stresses that Article 1(3) of that Directive excludes from its scope ‘activities of the State’ in specified fields, including activities in areas of criminal law and in the areas of public security, defence, and State security. However, Article 3 states that the Directive is to apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the European Union, including public communications networks supporting data collection and identification devices.
In that context, Article 15(1) states that Member States may adopt, subject to conditions, ‘legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of the Directive’. In this sense, Article 15(1) necessarily presupposes that the national legislative measures referred to therein fall within the scope of that Directive.
It is in the light of those considerations that the Court concludes that Article 15(1) of Directive 2002/58, read in conjunction with Article 3 thereof, must be interpreted as meaning that the scope of that Directive extends to a legislative measure such as Section 94 of the Telecommunications Act 1984.
Article 4(2) TEU cannot invalidate that conclusion. According to the settled case-law of the Court, although it is for the Member States to define their essential security interests and to adopt appropriate measures to ensure their internal and external security, the mere fact that a national measure has been taken to protect national security cannot render EU law inapplicable and exempt the Member States from their obligation to comply with that law.
B. Question 2
The second question specifically addressed the Tele2 case-law (C‑203/15 and C‑698/15, EU:C:2016:970). That judgment found that EU law precludes national laws that allow for the indiscriminate retention of all electronic communications data of all subscribers and users. It also found that national laws must put parameters around the circumstances in which authorities can access the retained data, and established that access to this kind of data in the EU must be:
- restricted solely to fighting serious crime;
- subject to prior review by a court or an independent administrative authority; and
- subject to a requirement that the data so accessed should be retained within the European Union.
Regarding the provision at issue, Section 94 of the Telecommunications Act 1984 covers, inter alia, the data necessary to (i) identify the source and destination of a communication, (ii) determine the date, time, length and type of communication, (iii) identify the hardware used, and (iv) locate the terminal equipment and the communications.
The CJEU highlights that the referring court indicated that ‘such disclosure of data by transmission concerns all users of means of electronic communication, without its being specified whether that transmission must take place in real-time or subsequently. Once transmitted, that data is retained by the security and intelligence agencies and remains available to those agencies for their activities, as with the other databases maintained by those agencies. In particular, the data thus acquired, which is subject to bulk automated processing and analysis, may be crosschecked with other databases containing different categories of bulk personal data or be disclosed outside those agencies and to third countries. Lastly, those operations do not require prior authorisation from a court or independent administrative authority and do not involve notifying the persons concerned in any way’.
Given that the transmission of traffic data and location data is carried out in a general and indiscriminate way, it applies even to persons for whom there is no evidence to suggest that their conduct might have a link, even an indirect or remote one, to the safeguarding of national security and, in particular, without any relationship being established between the data which is to be transmitted and a threat to national security.
As a result, the CJEU considers that national legislation requiring providers of electronic communications services to disclose traffic data and location data to the security and intelligence agencies, through general and indiscriminate transmission, exceeds the limits of what is strictly necessary and cannot be considered to be justified, within a democratic society, as required by Article 15(1) of Directive 2002/58, read in the light of Article 4(2) TEU and Articles 7, 8 and 11 and Article 52(1) of the ECHR. Such legislation must therefore comply with the requirements applicable to retained communications data in the EU, in addition to those imposed by the ECHR.
This preliminary ruling confirms once more that EU law does not allow the indiscriminate collection of electronic communications data and requires controls on access to retained data, since even national security and intelligence bodies need specific reasons and targets in order to perform their activities. This preliminary ruling is a victory for the e-privacy of UK citizens.
However, with Brexit in mind, should we consider this preliminary ruling a bittersweet victory? Will this judgment become a dead letter in the future?
Let’s not lose sight of this issue!
Last but not least! On the very same day, the CJEU issued another judgment addressing the same matter (the scope of Directive 2002/58 and legislative measures to safeguard national security) in joined cases C-511/18, C-512/18 and C-520/18. This time, the preliminary ruling was requested by the Conseil d’État (Council of State, France) and the Cour Constitutionnelle (Constitutional Court, Belgium). The conclusion was the same: EU law precludes national regulations requiring providers of electronic communications services to retain, in a general and undifferentiated manner, traffic data and subscriber location data.