Europe: CJEU rules mass surveillance must be brought in line with EU law

The Court of Justice of the European Union (“CJEU”) has handed down its judgments in two landmark decisions (Case C-623/17, Privacy International, and joined Cases C-511/18, La Quadrature du Net and others, C-512/18, French Data Network and others, and C-520/18, Ordre des barreaux francophones et germanophone and others), concerning the lawfulness of legislation in certain Member States requiring providers of electronic communications services to forward users’ traffic data and location data to a public authority or to retain such data.

The 6 October 2020 judgments saw the CJEU confirm that the directive on privacy and electronic communications (“the ePrivacy Directive”) applies to national legislation which requires providers of electronic communications services (e.g. telecommunications companies and internet service providers; “Providers”) to retain or transmit personal data to intelligence authorities. The Court also held that Member States cannot restrict the scope of the ePrivacy Directive unless such restrictions comply with the general principles of EU law, are proportionate, and preserve the fundamental rights guaranteed under the Charter of Fundamental Rights of the European Union (“Charter”).

The Court held that the ePrivacy Directive, read in line with the Charter, prohibits national legislation from requiring that Providers carry out the “general and indiscriminate” transmission of traffic and location data to national security agencies for the purpose of national security (C-623/17). Similarly, in the joined cases of C-511/18 and C-520/18, the CJEU decided that EU law precludes national legislation requiring Providers to carry out the “general and indiscriminate retention of traffic data and location data as a preventative measure”. These transmission and retention activities were held by the CJEU to be “particularly serious interferences with the fundamental rights guaranteed by the Charter” in circumstances where there is no link between the individuals whose data is affected and the objective pursued by the national legislation in question.

Notwithstanding the above, the Court did clarify a number of points concerning the scope of the ePrivacy Directive. The CJEU held that the ePrivacy Directive does not prevent:

  1. an order requiring Providers to retain, generally and indiscriminately, traffic and location data in circumstances where the Member State is facing “a serious threat to national security that proves to be genuine and present or foreseeable”, provided that the order in question is limited to what is “strictly necessary” and is subject to “effective review” by a court or independent body;
  2. legislative measures allowing the targeted retention of traffic and location data which is limited both (i) “on the basis of objective and non-discriminatory factors according to the categories of persons concerned or using a geographical criterion” and (ii) to what is “strictly necessary”;
  3. legislative measures allowing the expedited retention of data where it is necessary to retain such data to shed light on established or reasonably suspected “serious criminal offences or attacks on national security”;
  4. legislative measures which require real-time collection of traffic and location data which is limited to persons against whom there is, following a review having been carried out by a court or independent body, a “valid reason to suspect” they are involved in terrorist activities; and
  5. on the issue of maintaining the temporal effects of national law incompatible with EU law, national courts may not rely on such national legislation to “limit the temporal effects of a declaration of illegality which [they are] bound to make” in respect of national legislation requiring Providers to generally and indiscriminately retain traffic and location data.

The Court concluded by clarifying that, in the context of criminal law proceedings, it is for national courts to determine the admissibility and assessment of evidential data collected “against persons suspected of having committed serious criminal offences” which was obtained by way of a retention of such data contrary to EU law. The same, however, cannot be said for evidential data which is obtained by means of a “general and indiscriminate retention of traffic and location data in breach of EU law”.

The CJEU press release is available here, the judgment in Case C-623/17 here, and the judgment in joined Cases C-511/18, C-512/18, and C-520/18, only available in French, here.

By Tom Fitzpatrick (London). For further information, please contact us at data.privacy@dlapiper.com.