On October 6, 2020, the Court of Justice of the European Union (the “Court”) ruled that principles of EU law prevent Member States from requiring a provider of electronic communications services to indiscriminately retain traffic and location data or transmit the data to security agencies, even when the purpose of the transmission is to combat crime or safeguard national security. The results of this case are long-awaited and have been widely discussed. In January, Advocate General Campos Sánchez-Bordona, an advisor to the Court, offered his nonbinding opinion taking the view that mass surveillance regimes in the United Kingdom were in breach of the fundamental privacy rights of EU citizens. At least in part, the Court ruled in line with its advisor. This ruling may endanger the UK’s ability to freely transfer data from the EU post-Brexit.
In recent years, the Court has maintained a line of case law on retention of and access to personal data, including the landmark judgment rendered in December of 2016, Tele2 Sverige and Watson and Others, interpreting Directive 2002/58/EC on Privacy and Electronic Communications (the “ePrivacy Directive”). The main proceedings before the Court concern the acquisition by the United Kingdom’s Security and Intelligence Agencies (“SIAs”) of bulk communications data from operators of public electronic communications networks. The data in question identifies who is using the telephone or internet, the location of the device used, and information on users’ financial activities, communications, and travel. Once the data is obtained by the SIAs, it is filtered and aggregated as necessary such that the content of the communications, which may only be obtained under a court order, is not retained.
Privacy International, a non-governmental organization, commenced proceedings on the grounds that use of the data by the SIAs is in breach of the respect for private life included in the European Convention on Human Rights and contrary to EU law generally. In response, the UK argued that acquisition of the contested data is “lawful and essential, in particular, to protect national security.”
Several Member States submitted written observations to the Court, expressing diverging opinions on whether the ePrivacy Directive usurps the power of Member States to employ national legislation to safeguard national security, a responsibility held by, and presumably controlled by, Member States alone. In its opinion, the Court explained that the ePrivacy Directive does apply, “in principle,” when electronic services providers are required by law to retain their subscribers’ data and to allow public authorities access to such data. According to the Court, “[t]his position remains unchanged where the requirements are imposed on providers for reasons of national security.”
In reaching this conclusion, the Court relied in large part on Article 3(1) of the ePrivacy Directive, which defines the scope of the ePrivacy Directive as all “processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the [European] Community.” Requiring providers to transmit or retain traffic and location data falls squarely within the plain language of Article 3(1), the Court reasoned, and national security concerns cannot, as suggested by the referring courts, prevail over this conclusion.
The Court continued its analysis by noting that the exception found in Article 15(1) (i.e., the national security exception) cannot be read so broadly as to exempt legislation requiring transmission and retention of communications data from the scope of EU law guaranteeing the right to privacy. This means, the Court noted, that Member State legislation that attempts to restrict rights of confidentiality and privacy offered by the ePrivacy Directive must also comply with the general principles of EU law, including the principle of proportionality and the rights guaranteed by the Charter of Fundamental Rights of the European Union.
The range of public authority activities that are exempt from the general regime governing the processing of personal data, the Court reasoned, must be interpreted narrowly. Although national security is the sole responsibility of each Member State, the Court reminded Member States that national security cannot be allowed to extend to other sectors of public life.
Brexit provides a contentious backdrop to the Court’s decision. On January 31, 2020, “Brexit Day,” the UK left the EU and entered an eleven-month transition period. Once the transition period ends, the UK will become a “third country” for purposes of the General Data Protection Regulation (the “GDPR”), that is, a state that falls outside of the European Economic Area. Under the GDPR, there are three scenarios in which an entity can legitimately transfer personal data to a so-called “third country”: (1) the receiver is located within an area covered by an adequacy decision; (2) appropriate safeguards have been established to protect individuals’ rights to their personal data; or (3) an exception, such as explicit consent, covers the transfer.
An adequacy determination from the European Commission under the GDPR, if secured by the end of the transition period, would allow for the free flow of personal data to the UK from the EU to continue uninterrupted. The Court’s decision may place the UK’s adequacy determination in jeopardy. The Court’s decision comes less than three months after the Court invalidated the EU-U.S. Privacy Shield in Schrems II on the grounds that surveillance programs within the United States violate principles of international law. In many ways, the Court’s more-recent observations on the activities of the SIAs in the UK mirror concerns raised by the Court around surveillance activities in the United States.
Tuesday’s decision may signal an increased diligence on the part of the Court to uphold privacy principles of EU law (not just the text of the legislation), including the right to respect for private life and to the protection of personal data. The decision also comes at a time when the EU is working to finalize its newly updated ePrivacy regulation, thought by some to be the missing piece needed to round out the EU privacy landscape. Although the contents of the new regulation are still in flux, companies who operate in the EU should use today’s decision as an indicator of the direction of laws in the EU — that is, toward the protection of the privacy rights of EU citizens, rather than away.
As with many other matters surrounding Brexit, companies operating in or transacting business with the UK should monitor this space closely. Companies that anticipated relying on a UK adequacy decision should consider taking preliminary steps to establish alternative methods of legitimatizing data transfer, including, for example, data subject consent or standard contractual clauses with required due diligence.