The Grand Chamber of the Court of Justice of the European Union has handed down two highly significant judgments on the compatibility of powers of intelligence agencies of Member States to gather bulk communications data from communications service providers (CSPs) with the Charter of Fundamental Rights and the e-Privacy Directive (Directive 2002/58/EC).
In Case C-623/17 Privacy International (EU:C:2020:790), on a reference from the Investigatory Powers Tribunal, the CJEU rejected the IPT’s view that the provision of such data to the Security and Intelligence Agencies (SIAs) under section 94 of the Telecommunications Act 1984 fell outside the scope of EU law altogether. Although communications data does not include the content of such data, the CJEU held that it was no less sensitive than content data. Despite the clear findings of the IPT that the bulk regime was necessary to secure the UK’s national security, the CJEU nonetheless held that “the transmission of traffic data and location data is carried out in a general and indiscriminate way, it is comprehensive in that it affects all persons using electronic communications services. It therefore applies even to persons for whom there is no evidence to suggest that their conduct might have a link, even an indirect or remote one, with the objective of safeguarding national security and, in particular, without any relationship being established between the data which is to be transmitted and a threat to national security” (paragraph 80) and therefore went beyond what was strictly necessary and could be justified under the Charter.
In three linked references from France and Belgium, Cases C-511, 512, 520/18 La Quadrature du Net & ors (EU:C:2020:791), the CJEU handed down a lengthier judgment finding the Directive precludes national legislation requiring the general and indiscriminate retention by CSPs of communications data as a preventative measure. A link was required between the conduct of the subject and the objective of the legislation; in other words bulk retention and use is impermissible, regardless of its value to the protection of national security and the prevention of serious crime. The CJEU did allow for the possibility that bulk retention might be proportionate for national security reasons if it was for a strictly time limited period and was the subject of effective independent review.
The CJEU confirmed that targeted retention and access was permissible, including on a real-time access basis, but that the full gamut of the safeguards set out in its well-known judgment in Tele2 and Watson were required.
Christopher Knight acted for the UK Government in both proceedings. The judgment in Privacy International is available here