Advocate General’s Opinion: national security mass retention regimes are incompatible with EU Law

people

Today Advocate General (AG) Campos Sánchez-Bordona of the Court of Justice of the European Union (CJEU), issued his opinions (C-623/17, C-511/18 and C-512/18 and C-520/18) on how he believes the Court should rule on vital questions relating to the conditions under which security and intelligence agencies in the UK, France and Belgium could have access to communications data retained by telecommunications providers.

The AG addressed two major questions:
(1) When states seek to impose obligations on electronic communications services in the name of national security, do such requirements fall within the scope of EU law?
(2) If the answer to the first question is yes, then what does EU law require of the national schemes at issue, which include: a French data retention regime, a Belgian data retention regime, and UK regime for the collection of bulk communications data?

The AG’s short answers to those questions are:
(1) Yes, EU law applies whenever states seek to impose processing requirements on electronic communications services, even if those obligations may be motivated by national security concerns; and
(2) Accordingly, the national regimes at issue must all comply with the CJEU’s previous judgments in Digital Rights Ireland and Others, Cases C-293/12 and C-594/12 (“Digital Rights Ireland”), and Tele2 Sverige and Watson and Others, Cases C-203/15 and C-698/15 (“Tele2/Watson”). None of them do, which leads the AG to advise that none of the regimes are compatible with EU law.

The AG’s opinion is an affirmation of the basic principle at the heart of  Privacy International’s work: national security measures must be subject to the rule of law and respect our fundamental rights.

Privacy International initiated the challenge to the UK bulk communications data regime, and intervened in the challenge to the French data retention law.

Does EU Law apply?

Central to all three opinions is the question of whether EU law applies when member states are acting to protect their national security. The AG concludes that the national security context does not disapply EU law. Instead, one must look to the effect of the proposed requirement - data retention or collection - on electronic communications services. Requiring these service providers to retain and/or transmit data to the security and intelligence agencies (SIAs) falls under EU law because such practices qualify as the “processing of personal data”.

Stating this principle in the negative, the AG says: “The provisions of the directive will not apply to activities which are intended to safeguard national security and are undertaken by the public authorities themselves, without requiring the cooperation of private individuals and, therefore, without imposing on them obligations in the management of business” (UK Case C-623/17, paragraph 34/79) (emphasis in original).

Is the UK Bulk Communications Data Regime compatible with EU law?

In the UK case, Privacy International challenged the bulk acquisition and use of communications data by GCHQ and MI5). That case began in the Investigatory Powers Tribunal (IPT), which referred to the CJEU the questions that the AG is addressing. The IPT asked the CJEU to decide, first, whether requiring an electronic communications network to turn over communications data in bulk to the SIAs falls within the scope of European Union law; and second, if the answer to the first question is yes, what safeguards should apply to that bulk access to data?

As noted above, the AG’s answer to the first question is yes, which brings the second question into play. In short, the AG declares that the UK bulk communications and data retention regime (as implemented under section 94 of the Telecommunications Act 1984) “does not satisfy the conditions established in the Tele2 Sverige and Watson judgment, because it involves general and indiscriminate retention of personal data” (UK Case C-623/17, paragraph 37).

The AG re-emphasises that access to retained data “must be subject to prior review by a court or an independent administrative authority” (UK Case C-623/17, paragraph 139). The value of this authority lies in its commitment “to both safeguarding national security and to defending citizens’ fundamental rights” (Id.).

The AG further endorses the application of the other conditions from the Tele2/Watson judgment, including:

  • the requirement to inform affected parties, unless this would compromise the effectiveness of the measure; and
  • the retention of the data within the European Union.
    (UK Case C-623/17, paragraph 43)

Is the French Data Retention Regime compatible with EU law?

The French case similarly asked whether general and indiscriminate data retention was permissible under EU law for the purposes of combating terrorism.

The AG concluded that the French regime amounts to generalised and indiscriminate data retention and as such it is not compatible with EU law (French Cases C-511/18 and C-12/18, paragraph 111). The French legislation at issue imposes a one-year retention obligation on all electronic communications operators and others with regard to all data of all subscribers for the purpose of the investigation, finding, and prosecution of criminal offenses.

The AG reiterates the conclusion of the Tele2/Watson judgment that the fight against terrorism or similar threats to national security cannot justify generalised and indiscriminate retention of data. He suggests that data retention should be targeted and permissible only if certain criteria are satisfied, e.g. targeting a specific group of people or a particular geographical area (French Cases C-511/18 and C-12/18, paragraph 133). The Belgian opinion elaborates on possible types of targeting criteria. On the question of access to retained data, he advises that access should depend on previous authorisation of a judicial or independent administrative authority following a reasoned request by the competent authorities.

The AG, furthermore, concluded that that real-time collection of traffic and location data of individuals suspected to be connected to a specific terrorist threat would be permissible under EU law so long as it does not impose on the service providers an obligation to retain additional data beyond what it is already required for billing or marketing services. Independent authorisation is also necessary for accessing this data (French Cases C-511/18 and C-12/18, paragraphs 142-3).

Similarly to the UK Opinion above the AG reaffirms the requirement to inform affected parties, unless this would compromise the effectiveness of the measure that was already established in Tele2/Watson case and concludes that the French law is not compatible with the EU requirements (French Cases C-511/18 and C-12/18, paragraph 153).

Are AG’s opinions the judgments of the CJEU?

The AG’s opinions are not binding on the CJEU. The Court will issue its opinion in the coming months.

What comes next?

Following the CJEU judgment, each case will be sent back to each state’s national courts. If the CJEU agrees with the Advocate General, then national courts will have to apply the CJEU judgment and accordingly find domestic regimes incompatible with EU law.

*Photo by Chris Yang on Unsplash