- A recent CJEU judgment has found bulk data retention laws in the UK, France and Belgium to be incompatible with EU law.
- The judgment could have a negative impact on the UK’s efforts to obtain an adequacy decision from the EU Commission before the end of the year to enable the free flow of personal data between the EU and the UK post-Brexit.
- In light of the recent Schrems II judgment which criticised US authority access to data, even if the UK obtains its adequacy decision, a change to its surveillance laws must surely be required in order to avoid a Schrems-style challenge in the future.
The Court of Justice of the European Union (“CJEU”) recently issued a judgment in favour of various rights advocacy organisations, including Privacy International and La Quadrature du Net, in relation to a number of cases that the organisations had brought against bulk data retention schemes run by British, French and Belgian security and intelligence agencies.
In these cases, the rights advocacy organisations raised objections to the intrusiveness of bulk data retention schemes, seeking to rein in the extensive powers exercised by security and intelligence agencies to either:
- retain users’ traffic and location data (“Metadata”) received from providers of electronic communication services; or
- require providers of electronic communication services to retain Metadata on their behalf,
for the purposes of conducting mass surveillance in the interests of protecting national security.
Finding in favour of the rights advocacy organisations, the CJEU made it clear in its judgment that:
- national legislation requiring providers of electronic communications services to retain Metadata or to forward that data to security and intelligence agencies falls within the scope of EU law, including when this is done for the purposes of protecting national security;
- Member States are prohibited from adopting legislation, for national security purposes or otherwise, intended to restrict the scope of rights and obligations provided for in EU law, specifically the obligation to ensure confidentiality of communications and traffic data, unless the legislation is in accordance with the general principles of EU law;
- the general principles of EU law, in particular the principle of proportionality and the fundamental rights guaranteed by the Charter, apply to bulk data collection and preclude Metadata transmission or retention in a “general and indiscriminate manner”, restricting it to what is “strictly necessary” (i.e. requiring Member States to authorise retention or transmission on a case-by-case basis rather than giving blanket authorisations); and
- Member States may only authorise indiscriminate and bulk retention of data where they are faced with a serious threat to national security that proves to be genuine and present or foreseeable, subject to review by a court or independent body.
It is important to note that this judgment runs counter to certain elements of the UK’s Investigatory Powers Act as well as the French Decree on specialised intelligence services from 2015, and the Belgian Law on collection and retention of communication data from 2016, all of which may require reform in order to comply with various aspects of the CJEU ruling.
Impact on Brexit
One of the UK Government’s many objectives ahead of 1 January 2021 (i.e. the end of the transition period following the UK’s departure from the EU) is to obtain an adequacy decision from the European Commission to allow the free flow of data between the UK and EU to continue – any failure to achieve adequacy will lead to logistical challenges and increased costs for organisations engaged in EU-UK data transfers. However, the UK Government will only be granted this adequacy decision if it is able to demonstrate that its domestic laws will provide “essentially equivalent” protection to EU data subjects as they are afforded under EU law when their data is transferred to the UK.
This latest judgment potentially represents a major setback for the UK in relation to obtaining an adequacy decision given the CJEU’s finding that UK security and intelligence agencies’ broad powers to intercept and retain digital communications under the UK’s Investigatory Powers Act, together with the UK’s practices regarding access to and bulk retention of data in general, are essentially incompatible with EU law. The UK Government will need to factor the task of reaching a deal in relation to accessing and retaining Metadata for national security purposes into its Brexit timetable.
Impact on Schrems II
The CJEU’s judgment in the Privacy International case follows its Schrems II judgment, which was handed down earlier this year and served to invalidate the EU-US Privacy Shield, a transatlantic data sharing agreement which allowed organisations to transfer personal data between the EU and the US. Part of the reason for the invalidation of this mechanism was that US national security laws were too intrusive and that EU individuals did not have sufficient access to legal redress in the US. In light of this, even if the UK obtains an adequacy decision from the European Commission, a change to UK surveillance laws will surely be needed to avoid a Schrems-style challenge in the future.
Schrems II also placed significant emphasis on the due diligence which exporting controllers and supervisory authorities are expected to undertake in relation to the legal environment of third countries to which personal data is to be transferred in reliance on Standard Contractual Clauses, although there has been scant guidance to supplement this aspect of the judgment to date. By clarifying what it deems to amount to acceptable access and retention of Metadata by security and intelligence agencies in Member States, the CJEU’s latest judgment does at least provide an indication of the standard that it expects the national security and surveillance laws of third countries to meet for the purposes of this due diligence.