CJEU Puts Limits On Electronic Communications Surveillance

The EU’s highest court rules against three nations that tried to require that communications providers  hand over location data and traffic data in bulk.

The Court of Justice of the European Union (CJEU) handed down a pair of rulings (here and here) on the extent to which European Union (EU) nations may engage in bulk, indiscriminate collection of two types of data related to electronic communications. The CJEU found that while EU member nations may conduct these activities to combat crime or national security threats during periods limited by necessity and subject to oversight, nations may not generally require the providers of electronic communications to store and provide indiscriminate location data and traffic data in response to an actual national security danger or a prospective one. The CJEU combined three cases into two rulings that came from the United Kingdom (UK), France, and Belgium to elucidate the reach of the Privacy and Electronic Communications Directive in relation to foundational EU laws.

First and foremost, the CJEU found that the “Directive on privacy and electronic communications” (Directive 2002/58/EC) does indeed apply to situations where EU nations are directing telecommunications companies and similar providers to hold and turn over bulk data. Some EU nations had tried to argue that such practices fell outside the scope of the Directive, and the CJEU found the opposite. The CJEU went on to state the Directive does not generally allow for an exception to the general principle that the confidentiality of communications must be safeguarded and that any permitted abridgement of this and associated rights are subject to related EU law principles of proportionality (more on this below).  Consequently, the CJEU found that EU member nations may not require endless bulk transmission of location data and traffic data for national security reasons. Likewise, the court is also barring legislation requiring a communications provider to hold these data in case they are needed in the future by law enforcement or intelligence authorities. The CJEU went further and explicated a provision in the General Data Protection Regulation (GDPR) as barring EU nations from requiring that entities providing “online public communications services” and “hosting services” must retain and hand over data on people using those services.

The other side of the CJEU’s ruling is that EU nations may order just such bulk collection and retention of location data and traffic data if there is an imminent or foreseeable national security threat. This strikes me as the exception that will devour the rule. In any event, a court or an administrative body must be able to review whether such a national security threat exists and whether the collection is limited in both time and necessity. The reviewing entity must be able to render a binding decision that can shut down unlawful or unnecessary orders to providers to hand over such information.

The CJEU also found that targeted, limited orders for traffic and location data derived from objective and non-discriminatory bases targeting certain classes of people or a geographic location may be used. Real-time location data and traffic data may be collected as well if a court or administrative body has authorized the surveillance according to EU law. The CJEU spells out a few other exceptions EU nations may use regarding location data and traffic data. The CJEU, however, ruled that EU nations may not have provisions in laws allowing for the temporary suspension of the bar on providers being required to collect and turn over traffic data and location data to an EU government. Finally, the CJEU added that evidence of crimes gained through the bulk collection of the two types of data are inadmissible in the courts of EU nations.

The CJEU summarized the beginning of the case out of the UK:

  • At the beginning of 2015, the existence of practices for the acquisition and use of bulk communications data by the various security and intelligence agencies of the United Kingdom, namely GCHQ, MI5 and MI6, was made public, including in a report by the Intelligence and Security Committee of Parliament (United Kingdom). On 5 June 2015, Privacy International, a non-governmental organisation, brought an action before the Investigatory Powers Tribunal (United Kingdom) against the Secretary of State for Foreign and Commonwealth Affairs, the Secretary of State for the Home Department and those security and intelligence agencies, challenging the lawfulness of those practices.

The CJEU also summarized the two other cases combined into one:

  • By application lodged on 1 September 2015, French Data Network, La Quadrature du Net and the Fédération des fournisseurs d’accès à Internet associatifs brought an action before the Conseil d’État (Council of State, France) for the annulment of the implied rejection decision arising from the Prime Minister’s failure to reply to their application for the repeal of Article R. 10-13 of the CPCE and Decree No 2011-219, on the ground, inter alia, that those legislative texts infringe Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 of the Charter. Privacy International and the Center for Democracy and Technology were granted leave to intervene in the main proceedings.
  • By applications lodged on 10, 16, 17 and 18 January 2017, joined in the main proceedings, the Ordre des barreaux francophones et germanophone, the Académie Fiscale ASBL and UA, the Liga voor Mensenrechten ASBL, the Ligue des Droits de l’Homme ASBL, and VZ, WY and XX brought actions before the Cour constitutionnelle (Constitutional Court, Belgium) for the annulment of the Law of 29 May 2016, on the ground that it infringes Articles 10 and 11 of the Belgian Constitution, read in conjunction with Articles 5, 6 to 11, 14, 15, 17 and 18 of the ECHR, Articles 7, 8, 11 and 47 and Article 52(1) of the Charter, Article 17 of the International Covenant on Civil and Political Rights, which was adopted by the United Nations General Assembly on 16 December 1966 and entered into force on 23 March 1976, the general principles of legal certainty, proportionality and self-determination in relation to information and Article 5(4) TEU.

Given the state of Brexit negotiations, it may have given the CJEU some pleasure to administer this swift kick to the UK and its surveillance apparatus at its security and intelligence services before it leaves the bloc at year’s end. But, more substantially, this decision may well have repercussions on the adequacy decision the UK would need so companies could transfer personal data from the EU to the UK. Moreover, privacy and civil liberties advocates will be sure to point to his ruling as evidence the EU is against bulk collection of metadata and other facets of electronic communications unlike some other nations, like the United States (U.S.), which have historically collected vast troves of data on electronic communications.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Arek Socha from Pixabay

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s