‘General and indiscriminate’ data transmission and retention for national security purposes is not justified
National security concerns do not exempt Member States from EU law designed to protect the fundamental rights and freedoms of users of publicly available electronic communications services.
In its 06/10/2020 judgment in Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others (Case C-623/17), the Court of Justice of the European Union held that national legislation enabling a state to require providers of electronic communications services to carry out the general and indiscriminate transmission of users’ communication traffic and location data to its security and intelligence agencies is precluded under the Directive on Privacy and Electronic Communications (2002/58/EC). Given that UK law potentially enables such transmission, the ruling may affect the UK’s ability to obtain an adequacy decision from the EU for the free flow of personal data between the two when the Brexit transition period ends.
The 2002/58/EC Directive aims to protect the fundamental rights and freedoms of users of publicly available electronic communications services and in particular their right to privacy and confidentiality. Article 5 provides that Member States shall prohibit the listening to, tapping, storage or other kinds of interception or surveillance of users’ communications and related traffic data without the consent of the users concerned, except in accordance with Article 15(1). Article 15(1) provides that Member States may adopt legislative measures to restrict the scope of the rights and obligations provided, where the restriction is necessary, appropriate and proportionate within a democratic society to safeguard national security, defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system.
In this reference for a preliminary ruling, several Member State governments, as well as the UK, contended that the rights and obligations enshrined in Directive 2002/58/EC did not apply to national legislation which had as its purpose the safeguarding of national security. In the UK, such legislation included section 94 of the Telecommunications Act 1984, which was at issue at the time in the main proceedings. This allowed a Secretary of State to direct providers of public electronic communications networks to provide bulk communications data relating to their users to the UK’s security and intelligence agencies. It also arguably includes the UK’s Investigatory Powers Act 2016, which gives these and other bodies powers to intercept and retain digital communications data. As the Court’s judgment notes, the existence of practices for the acquisition and use of bulk communications data by GCHQ, MI5 and MI6 has been public knowledge since 2015.
While the Court observed in its judgment that it is for Member States to define their essential security interests and to adopt appropriate measures to ensure their internal and external security, it stated that the mere fact that a measure has been taken for the purpose of protecting national security cannot render EU law inapplicable and exempt a Member State from its obligation to comply with that law. In the Court’s assessment, national legislation that enables a state authority to require providers of electronic communications services to forward traffic data and location data to the security and intelligence agencies for national security purposes falls within the scope of the Directive.
The Court noted that the option to derogate from the rights and obligations laid down in the Directive must be the exception and not the rule, given the importance of the principle of confidentiality enshrined in Article 5 and that the storage of communications and related traffic data is prohibited by that Article. It also held that legislative measures which restrict the scope of the rights and obligations provided cannot be adopted unless they accord with the general principles of EU law, including the principle of proportionality, and the fundamental rights guaranteed in the Charter, although derogations from the principle that communications and related traffic data are to be confidential are permissible where strictly ‘necessary, appropriate and proportionate … within a democratic society’. When enacting measures for the retention of communications data to combat crime or to safeguard national security, states must therefore take into account the importance of the right to privacy guaranteed in Article 7 of the Charter, the right to the protection of personal data guaranteed in Article 8, and the right to freedom of expression guaranteed in Article 11.
The Court noted that, to satisfy the requirement of proportionality, national legislation must also lay down clear and precise rules governing the scope and application of the measure in question. In addition, it must impose minimum safeguards so that users whose personal data is affected have sufficient guarantees that their data will be effectively protected against the risk of abuse.
The UK legislation at issue in the main proceedings enabled the general and indiscriminate transmission or retention of traffic and location data for processing by the UK’s security and intelligence agencies. It applied even to persons for whom there was no evidence to suggest their conduct might have a link with the objective of safeguarding national security. The Court held that such legislation exceeds the limits of what is strictly necessary and cannot be considered justified within a democratic society as required under Article 15(1) of the Directive. While the relevant section of the UK’s Telecommunications Act 1984 has been repealed, similar concerns have been raised by privacy groups in respect of the replacement powers set out in the Investigatory Powers Act 2016.
When the Brexit transition period ends, the UK will be considered a third country by the EU. Measures will then be needed to allow for the continued free flow of personal data between the two, such as under the General Data Protection Regulation. To this end, the UK set out its case for an adequacy decision in March this year.
If an adequacy decision is adopted by the European Commission for the UK, personal data may flow between the UK and EU without further safeguards. However, judgments such as that delivered by the CJEU in the instant matter, which raise questions about the laws that govern the processing of personal communications data in the UK, may yet present obstacles to the UK securing one.