On January 15, the Court of Justice of the European Union’s (CJEU) Advocate General (AG) Manuel Campos Sánchez-Bordona delivered his Opinion on four references for preliminary rulings on the topic of retention of and access to communications data.
Of the four references, two originated from France, one from Belgium, and one from the Investigatory Powers Tribunal (IPT) in the United Kingdom. The latter arose from a challenge by Privacy International to the UK Security and Intelligence Agencies’ (SIAs) powers under the Telecommunications Act 2014 and the Data Retention and Investigatory Powers Act 2014. SIAs have the power to compel providers of electronic communications services, such as internet service providers, to retain and hand over bulk communications data. Communications data does not include the content of communications but does reveal traffic and location data, as well as information on users’ social, business and financial activities, communications, and travel.
The IPT found as a matter of fact, and specified in its reference for a preliminary ruling, that these powers are “essential to the protection of the national security of the United Kingdom.” The questions referred to the CJEU concerned:
- the applicability of the ePrivacy Directive (ePD) in the context of the use of these powers; and
- whether the requirements specified in the previous CJEU decision Tele2 Sverige/Watson also applied.
The IPT went so far as to specify that the imposition of such requirements would “critically impede” the SIAs’ bulk acquisition and automated processing techniques.
The Advocate General found that the ePD did apply to the retention of data by electronic communications providers and its subsequent transmission to the SIAs. The processing was carried out in connection with the provision of publicly available electronic communications services in public communications networks in the EU, which precisely corresponds to the ePD’s scope of application. While the ePD does not apply to activities undertaken by public authorities themselves in order to safeguard national security, the AG was of the view that such activities should be narrowly defined so as to avoid depriving EU privacy law of its effectiveness in protecting fundamental rights. As a result, he concluded that the legislation providing for the SIAs’ powers in relation to bulk communications data was not compatible with the ePD.
Although this finding meant that it was not necessary to consider whether the Tele2 Sverige/Watson requirements applied to the legislation, the AG set out the features that would be required in the new legislation for it to be compliant with the ePD and the CJEU’s case law on the subject. Legislation should determine, precisely and on the basis of objective criteria, the categories of data that are deemed essential to retain and the circle of persons who are affected, and should establish substantive and procedural requirements governing access by the competent authorities to the retained data. Other than in “duly substantiated cases of urgency,” access to the data must be subject to prior review by a court or an independent administrative authority, whose decision should be made in response to a reasoned request by the competent authorities.
The Data Retention and Investigatory Powers Act 2014 has now been replaced by the Investigatory Powers Act 2016, though the latter has similar provisions on bulk communications data which, according to the AG, must be considered incompatible with EU law. As a result, if the CJEU agrees with the AG, there could be implications relating to the UK’s exit from the European Union.
In the coming months, the European Commission will be assessing the UK’s level of protection of personal data with the goal of concluding an adequacy agreement, which will ensure that personal data can continue to be transferred freely between the EU and the UK following the Brexit transition period. This assessment will cover the legal controls on SIAs’ surveillance capabilities, and the Commission will need to consider any findings by the CJEU in this respect. Ensuring and demonstrating the right balance between safeguarding national security and respecting citizens’ privacy and data protection rights will be essential to achieve the desired outcome.