CJEU rules that the UK’s “mass surveillance” regime is out of line with EU law

Do national security concerns exclude EU member states from strict data protection law?

The key takeaway

Domestic national security legislation, including the UK’s Investigatory Powers Act 2016 (IPA), must not require telecommunication service providers to indiscriminately retain traffic and location data for the purposes of national security. Any such provision would be out of line with the Privacy & Electronic Communications Regulations (PECR).

The background

In October this year, the Court of Justice of the European Union (CJEU) ruled in two separate cases that mass surveillance by national security agencies (in this case, French, Belgian and UK agencies) does not align with EU law, which allows for only specific data retention schemes with adequate safeguards.

The CJEU’s decision relates to the case brought by Privacy International, a UK charity that claims to defend and promote the global right to privacy, which argued that the surveillance regimes in the UK, France and Belgium, contravened the PECR through their mass retention and collection of telecommunications data.

The cases were referred to the CJEU by the domestic courts to obtain a formal opinion on when EU law should be applied. The UK case concerned bulk data collection by the security agencies, while the French and Belgian cases concerned data retention schemes, whereby telecommunications providers are required to retain metadata on their customers’ activities (eg who is calling who and when) in case it is required by government agencies.

The development

The CJEU confirmed that EU law precludes any national legislation which requires providers of electronic communications to retain traffic or location data for the purpose of preventing crime or for safeguarding national security.

Under EU law, member states are required to adhere to privacy safeguards in relation to the collection and retention of data by national governments. The courts have indicated that derogations – such as temporary bulk data collection and retention – may be permitted in the face of a “serious threat to national security”, in which case the state may make an order for telecommunications providers to retain data. However, such emergency provisions must be limited in time, capped to what is “strictly necessary” and subject to review by an independent body. The CJEU found that, in the case before it, the three surveillance schemes complained of “constitute serious interferences with the fundamental rights guaranteed by the Charter”.

The CJEU has made it clear that a Member State’s national security concerns will not exempt it from compliance with the EU legal requirements such as freedom of expression, right to privacy and proportionality. The cases will now return to each individual country’s courts for implementation of the judgment.

The UK’s IPA is incompatible with EU law as it gives government agencies the power to intercept and retain digital communications. This issue may therefore be a sticking point in the data protection sphere, as the UK and EU seek to negotiate their new relationship following the end of the Brexit transition period on 31 December 2020.

The CJEU’s judgments highlight the EU’s legal principles in relation to the collection and retention of personal data by national governments, but also serve as a timely reminder more generally about the EU’s strict approach to the collection and retention of data. Either way, these decisions coupled with the wider fallout from Schrems II have left the UK Government with a right proverbial data headache as we screech towards the end of the transition period without a UK adequacy decision yet in sight.