In a long-anticipated ruling, the Court of Justice of the European Union (CJEU) confirmed on October 6, 2020 (joint-cases C-623/17 and C-511/18 et seq., “Ruling”) that general and indiscriminate transmission or retention of traffic and location data for law enforcement and national security purposes breaches EU law.
Background
The Ruling addressed complaints introduced by “Privacy International,” “La Quadrature du Net (LQDN),” and other civil rights organizations seeking the invalidation of several of their countries’ laws and decrees pertaining to data retention. The Privacy International case was initiated in June 2015 and the LQDN one in March 2016; the national courts stayed their proceedings and requested a preliminary ruling from the CJEU in October 2017 and March 2018, respectively. In its Ruling, the CJEU investigated the lawfulness of the retention and transmission of traffic and location data for combatting crime and terrorism by the national law enforcement and intelligence services of the UK, France, and Belgium. The Ruling reiterates the CJEU’s criticism in Schrems II of potentially broad access by the U.S. surveillance services to EU personal data.
The CJEU had previously addressed similar concerns in its Tele2/Watson decision (joint-cases C-203/15 and C-698/15). In that case, the CJEU ruled that sovereignty over issues of national security did not preclude the application of the ePrivacy Directive and fundamental rights. Furthermore, the CJEU set out the following safeguards that member states must guarantee to justify access to traffic and location data by law enforcement and intelligence services: i) retention must be limited to what is strictly necessary for the purpose of fighting crime; ii) the collected data must be retained within the EU; iii) data subjects must be informed when their data has been accessed as soon as such notification would no longer jeopardize the authorities’ investigations; and iv) all such measures must be subject to effective judicial review. The CJEU’s current judgment further builds on these requirements.
Conditions for Law Enforcement and Intelligence Services to Access Data
First, the CJEU confirmed, once again, that the ePrivacy Directive applies to Electronic Communications Service Providers that are subject to data retention obligations and/or obligations to disclose data to national intelligence services for national security and crime prevention purposes. The CJEU had already reached this conclusion in Tele2/Watson and confirmed it in Ministerio Fiscal (C-207/16).
Further, the CJEU found that general and indiscriminate retention and transmission of traffic and location data by law enforcement and intelligence services does not, in principle, satisfy the Tele2/Watson conditions. The collection and retention of traffic and location data by law enforcement and intelligence services are lawful only in three exceptional scenarios:
- To counter “serious,” “genuine,” and “present or foreseeable” threats to national security. The CJEU does not define these terms; however, retention of and access to the data must be time-limited to what is strictly necessary, and subject to judicial review. Prior approval by a court or an independent administrative body is necessary in terrorism matters, especially for real-time collection.
- To combat “serious crime” and “serious threats to public security.” Again, the CJEU does not define these terms. The retention of data not only needs to be time-limited to what is strictly necessary and subject to judicial review by a court or an independent administrative body, but it also needs to be based on “objective and non-discriminatory factors” so that certain groups of individuals are not disproportionately targeted.
- For the collection of IP addresses and “civil identities.” The bulk retention of IP addresses is allowed if limited in time to what is strictly necessary. Civil identities (names, surnames, etc.) are not subject to any retention limitation.
Implications
The CJEU continues to embrace a restrictive approach in allowing government and law enforcement access to data for national security. In addition, we expect that Supervisory Authorities will require companies to use the aforementioned criteria when assessing national surveillance laws in the context of third country data transfers based on Standard Contractual Clauses (SCCs) (to read more about the Schrems II Decision, see our blog post, ECJ Invalidates EU-U.S. Privacy Shield and Upholds the Standard Contractual Clauses). According to this ruling, data exporters and importers using SCCs should ensure that they can comply with their contractual obligations, particularly in light of the surveillance laws of the country of data import.
This decision may also be an omen in light of the European Commission’s (commission) consideration of an adequacy decision for the UK before the end of the Brexit transition this year. The CJEU sets strict standards regarding data retention, and the commission would need to be convinced that the UK surveillance services can comply with these requirements. Companies that transfer data from the EU to the UK may consider preparing for a non-adequacy scenario, meaning that they would need to execute SCCs, or find an alternative mechanism for international data transfers.