Privacy, Data Protection and Retention
Data Protection Commissioner v. Facebook (Schrems II)
Closed Expands Expression
The Court of Justice of the European Union (CJEU), in two related Grand Chamber judgments, held that EU law precluded national legislation requiring providers of electronic communications services to carry out general and indiscriminate transmission of traffic data and location data to security and intelligence agencies for the purpose of safeguarding national security. In joined applications by the United Kingdom, France and Belgium, the CJEU sought to determine the lawfulness of national legislation which laid down an obligation for providers of electronic communications services to forward users’ traffic data and location data to a public authority, or to retain such data in a general or indiscriminate way on crime prevention and national security grounds. The Court found that such an obligation not only interfered with the protection of privacy and personal data, but was also incompatible with the freedom of expression principle under Article 11 of the EU Charter. The Court, however, laid down that where such retention is warranted by a serious threat to national or public security, the measure must be ‘strictly’ proportionate to its intended purpose. In addition, the Court also clarified the scope of powers conferred on Member States by the Privacy and Electronic Communications Directive with respect to retention of data for the aforementioned purposes.
Across the EU, retention of and access to personal data in the field of electronic communications for safeguarding national security and combating crime have been a widespread practice among national security agencies. In particular, the CJEU in Tele2 Sverige and Watson and Others (C-203/15 and C-698/15, hereafter ‘Tele2’) held that Member States cannot impose on the providers of electronic communication services an obligation of general and indiscriminate retention of data. This was troublesome for Member States, who were deprived of an instrument to safeguard national security. On this basis, four separate proceedings were brought against national legislation in the United Kingdom, France and Belgium concerning the lawfulness of a general and indiscriminate retention obligation imposed on providers of electronic communication services. Details of these proceedings are given below:
Case C-623/17 (United Kingdom)
On June 5, 2015, an action was brought before the Investigatory Powers Tribunal (UK) by Privacy International, a UK-based advocacy group, concerning the legality of legislation authorising the acquisition and use of bulk communications data by security and intelligence agencies (namely GCHQ, MI5 and MI6). Notably, in a judgment dated October 17, 2016, the defendants had acknowledged the use of bulk personal data (such as biographical, travel, financial, commercial information and communications data) for analysis by means of cross-checking and automated processing, as well as its disclosure to other persons/authorities and foreign partners. This data, acquired from public electronic communications networks, had been used by GCHQ and MI5 since 2001 and 2005 respectively.
While analysing the lawfulness of these practices, the referring court found that the measures for the acquisition and use of data were consistent with national law [p. 6 of Judgment 1]. Notably, the electronic communication networks were required to provide security and intelligence agencies with data collected in the course of their economic activity; however, the same was not the case with respect to the acquisition of other data obtained by those agencies without the use of binding powers. The Court thus deemed it convenient to refer to the CJEU the questions of (a) whether the national legal regime fell within the scope of EU law and (b) whether and in what way the requirements in Tele2 applied to that regime.
Case C-511/18 (France)
By applications dated November 30, 2015 and March 16, 2016, various advocacy groups and non-profit organisations lodged applications before the Conseil d’État for annulment of decrees which required electronic communication operators and technical service providers to ‘implement on their networks automated data processing practices designed … to detect links that might constitute a terrorist threat’ in accordance with French law [p. 25]. The applicants claimed that the decrees infringed the French Constitution, the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) and Directives 2000/31 and 2002/58 (concerning the protection of personal data and privacy).
Even though the referring court concluded that an obligation to retain data and the access of the administrative authorities to that data fell within the scope of EU law, it took the view that this scope did not extend to provisions of national law which relate directly to intelligence gathering techniques applied directly by the State. Nevertheless, the Court deemed fit to stay the proceedings and referred three questions to the CJEU for interpretation.
Case C-512/18 (France)
By an application dated September 15, 2016, the aforementioned advocacy groups brought a separate action against an implied decision rejecting their application to repeal legislative texts that allegedly infringed privacy by imposing an obligation of general and indiscriminate retention of communications data for judicial purposes. The referring court considered that the obligation to retain and hold data, as applied to the present case, did not fall within the ambit of EU law as its scope was limited to the provision of publicly available electronic communications services in public communication networks in the EU. Given that EU law did not establish an express prohibition on retaining such data, it also saw fit to refer the case to the CJEU.
Case C-520/18 (Belgium)
By applications lodged in January 2017, various actions were brought before the Constitutional Court of Belgium for annulment of the Belgian law requiring retention of data. The applicants contended that the law failed to provide for adequate guarantees of protection for the retained data and entailed a risk that personality profiles could be compiled and misused by competent authorities. They claimed that the provisions violated the Belgian constitution, several provisions of the ECHR, the ICCPR (International Covenant on Civil and Political Rights) and the Treaty on European Union (TEU). Drawing similarities between the Belgian national law and the EU law on the retention of data generated in connection with public communication networks, the Constitutional Court of Belgium decided to refer the case to the CJEU for a preliminary ruling.
By decisions dated September 25, 2018 and July 9, 2020, the Court joined cases C-511/18, C-512/18 and C-520/18. It heard C-623/17 separately. In three separate opinions dated January 15, 2020, Advocate General Campos Sánchez-Bordona held that activities conducted by public authorities of Member States on grounds of national security which require cooperation from private parties are not outside the scope of Directive 2002/58 on privacy and electronic communications. Thus, where electronic communication service providers are required by law to retain data and allow public authorities access to such data, the provisions of the Directive (in particular the principle of confidentiality of communications under Article 5(1)) are applicable. According to the AG, the national regimes must align with CJEU standards set in Tele2 and Digital Rights Ireland and Others, Cases C-293/12 and C-594/12 (“Digital Rights Ireland”), even in cases related to national security.
While Member States are allowed to adopt legislative measures in the interest of national security, the Advocate General also held that the limitations under Article 5(1) must be interpreted ‘strictly’. He recommended limited retention and access to data for the effective prevention of crime and safeguarding national security, but also added that in cases warranting imminent threat or extraordinary risk, national legislation was allowed to impose general and extensive obligations to retain data [p. 16 of Opinion in C 511/18 and C 512/18]. The Advocate General indicated that those obligations which retain data in a general or indiscriminate way in view of serious or persistent threats to national security interfered with fundamental rights enshrined in the EU Charter on Fundamental Rights. Arguing that the fight against terrorism was not a matter of practical effectiveness but legal effectiveness [p. 5 of Opinion in Case C 623/17], he held that a notification to data subjects was a necessary precondition to retention of data, unless doing so jeopardised the action of national authorities.
The Advocate General also declared that real time collection of traffic and location data was not precluded under the Directive, as long as it is carried out with the established procedures and safeguards mentioned above. This obligation was held to be applicable not merely to serious crimes, but also to less serious crimes provided in Article 23(1) of GDPR [p. 9 of Opinion in Case C-520/18]. With respect to whether the national court may maintain the effects of a domestic law in case of incompatibility with EU law, the Advocate General considered that it is possible only if maintaining those effects was justified and only for so long as strictly necessary to correct the incompatibility with EU law.
The Grand Chamber of the Court delivered a preliminary ruling in two judgments dated October 6, 2020. The primary issue before the Court was the problem of the application of the Directive on privacy and electronic communications to activities relating to national security and combating terrorism. CJEU framed five questions for consideration:
Article 5(1) of Directive 2002/58 on privacy and electronic communications enshrines the principle of confidentiality of both electronic communications and the related traffic data and provides that persons other than users be prohibited from storing, without those users’ consent, those communications and that data. However, Article 15(1) of the Directive enables member states to introduce exceptions to the principle under Article 5(1), where such a restriction is necessary to safeguard national security.
With respect to the first question, the Court initially ruled that Directive 2002/58 on privacy and electronic communications is applicable to national legislation requiring the collection and retention of personal data. Rejecting the defendants’ claim that activities of security and intelligence agencies are essential State functions and thus the sole responsibility of Member States, outside the ambit of the Directive, CJEU held that the scope of the Directive extends not only to legislative measures requiring collection and retention of data, but also to legislative measures requiring service providers to grant access to such data. This was because such legislative measures necessarily required processing of data by electronic communication providers and thus cannot be regarded as activities characteristic of States. The Court cited GDPR to note that the disclosure of personal data by transmission (such as storage or otherwise making data available) constituted ‘processing’ (GDPR designates the concept of ‘processing of personal data’ as any operation on personal data which constitutes collection, storage, use, consultation, disclosure by transmission, dissemination or otherwise making data available) [p. 15 of Case C-623/17].
By contrast, CJEU declared that the only circumstance where the protection of data of persons is not covered within the ambit of EU law is where Member States directly implement measures without imposing processing obligations on providers of electronic communication services.
After deciding on the applicability of Directive 2002/58 in the present set of cases, the Court delved into the impact of the right to security enshrined in Article 15(1) of Directive 2002/58 and the Charter of Fundamental Rights of the EU (Article 6 – Right to Liberty and Security). Specifically, the referring courts were uncertain whether the retention of data provided for in the national legislation interfered with Articles 7 (Respect for Private and Family Life) and 8 (Protection of Personal Data) of the Charter. Confirming the judgment in Tele2 and Watson and Others, CJEU held that Directive 2002/58 does not permit the exception to the obligation of principle to ensure the confidentiality of electronic communications and the related data, and to the prohibition on storage of such data (laid down in Article 5(1)), to become the rule. Consequently, the Court concluded that the Directive does not authorize the Member States to adopt legislative measures that restrict the scope of rights for the purposes of national security, unless such a measure complies with the general principles of EU law, such as the principle of proportionality and fundamental rights guaranteed under the Charter [p. 35].
Importantly, the Court agreed that imposing obligations by way of national legislation on electronic communication services providers to retain traffic data not only interfered with the protection of privacy and personal data, but was also incompatible with the freedom of expression principle under Article 11 of the EU Charter. Not only did the Court reiterate the importance of privacy and freedom of expression while interpreting Article 11 of the Directive, it also held that retention of data, in itself, constituted a derogation from the principle of confidentiality under Article 5(1), as that principle barred any person other than the user from storing that data. The Court did not deem it relevant to distinguish between sensitive and non-sensitive data, or to consider whether the retained data had subsequently been used or not.
Of notable importance to the Court was the risk of profiling: the possibility of using traffic and location data to obtain information on aspects of private life (such as political opinions, sexual orientation, religious beliefs, state of health, social relationships etc.) and to draw precise conclusions on the private lives of persons whose data has been retained was a direct threat to the right to privacy. As a result, first, the retention of data for policing purposes was in itself a violation of the right to respect for communications, and second, the mere retention of data in significant quantities by electronic communication providers entailed a risk of abuse and unlawful access.
In that context, the Court answered the second question in the affirmative, holding that the EU Directive precluded national legislation requiring providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security. Moreover, it also declared that doing so, even as a preventive measure, is precluded under EU law, particularly so for those obligations that retain data in a general or indiscriminate way and where there is no link between the conduct of the persons whose data is affected and the objective pursued by the legislation at issue.
The Court, however, laid down that where such retention is warranted by a serious threat to national or public security, the measure must be ‘strictly’ proportionate to its intended purpose. An objective of general measure may not be pursued unless it is reconciled with fundamental rights (interpreting Article 15(1)). More importantly, the Court specified that a decision imposing such an order must be subject to effective review either by the Court or by an independent administrative body with binding authority. The Court also called for clear and precise national-level rules governing the scope and application of retention of data to safeguard against the risk of abuse.
A point of distinction, however, was made by the Court for retention of data relating to the civil identity of users of electronic communication systems. Since it is not possible to ascertain the date, time, duration and recipients in such cases, it is not possible to profile private lives. For such targeted retention on the basis of objective or non-discriminatory factors (according to categories of persons concerned or a geographic criterion), a legislative measure requiring electronic communication providers to retain such data is permitted even in the absence of a connection between all users of electronic communications systems and the objectives pursued [p. 42]. Similarly, retention of IP addresses assigned to the source of communication is also permissible if it is limited to what is strictly necessary. Finally, where retention of data beyond statutory data retention periods is necessary and offences have already been established or their existence is reasonably suspected, a legislative measure is not precluded by the Directive.
On the third question, the referring court had observed that automated intelligence gathering techniques and real time collection of technical data were legal only with an intent to prevent terrorism and not otherwise. As a preliminary point, CJEU noted that data subjected to automated analysis for terrorist screening purposes constitutes ‘personal data’ under GDPR, as the information can still be linked to a specific person. On this basis, the Court concluded that such automated analysis of traffic and location data was contrary to the principle of confidentiality under Directive 2002/58 as well as fundamental rights under the EU Charter, and was likely to have a deterrent effect on the exercise of freedom of expression.
Even here, the doctrine of ‘strict’ proportionality was applicable if an interference was deemed to be necessary in respect of a serious threat to national security. The caveats to meet the test of proportionality were: (a) the threat to national security must be genuine and present or foreseeable and (b) the duration of that retention is limited to what is strictly necessary. Preestablished models or criteria for purposes of an automated analysis (such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or information about a person’s health or sex life) with an intent to prevent terrorism, thus, cannot be based on sensitive data in isolation [p. 47]. The Court applied similar reasoning to real time collection of personal data. Collection of such data is not precluded by the Directive only if it is limited to persons in respect of whom there is a valid reason to suspect that they are involved in a terrorist activity and is subject to a prior review by a court or binding independent administrative authority.
With respect to the fourth question, the Court interpreted Article 23(1) of GDPR (which provides for restrictions on the processing of personal data) along with the Charter to preclude national legislation requiring providers of access to online communication services and hosting service providers to retain, generally and indiscriminately, personal data relating to those services. The Court applied the findings in the context of aforementioned questions to Article 23 of GDPR as well.
Finally, CJEU decided on the last question, on the issue of maintaining the temporal effects of national legislation held to be incompatible with EU law. It ruled that a national court may not apply a provision in national law empowering it to limit the temporal effects of a declaration of illegality which it is bound to make under that law. This was based on the EU primacy principle, which establishes the pre-eminence of EU law over the law of the Member States. However, CJEU also held that it is for national law to determine the rules relating to admissibility and assessment of information obtained by retention of data in breach of EU law, in criminal proceedings against suspected persons [p. 53]. National criminal courts are, nevertheless, required to disregard information or evidence obtained by means of general or indiscriminate retention of traffic data and location data in breach of EU law where persons suspected of having committed criminal offences are unable to comment effectively on that information (based on the principle of effectiveness). CJEU, thus, answered the final question in the negative as well.
Mass surveillance has a chilling effect on expression. CJEU’s decision in this case is a significant step ahead in the efforts towards protection of fundamental rights to freedom of speech and expression in the European Union. In all four cases, the Court used “strict” scrutiny as a standard for legislative action, which requires Member States to exercise collection and retention of data to serve compelling state interests only, unrelated to the suppression of ideas. The case reaffirms that exchange of ideas and free exercise of expression are positive and important values – not merely to those exercising rights, but to all society.