On 6 October 2020, the CJEU issued its judgment[1] in Case C-623/17, Privacy International, and in Joined Cases C-511/18, La Quadrature du Net and Others, C-512/18, French Data Network and Others, and C-520/18, Ordre des barreaux francophones et germanophone and Others, regarding the EU's privacy and electronic communications directive[2] (the "E-privacy Directive").

In its ruling, the CJEU has confirmed that EU law prevents Member States from imposing national legislation that requires electronic communications service providers, such as internet service providers ("ISPs"), to carry out the general and indiscriminate transmission or retention of traffic and location data, for the purpose of combating crime in general, or of safeguarding national security.

In the UK, the Investigatory Powers Act 2016 (the "IP Act") - dubbed the 'snoopers charter' - requires ISPs and mobile phone operators to store internet connection records ("ICR") for up to 12 months. ICR is the metadata associated with an internet connection, such as IP addresses used and internet activity timestamps. The IP Act permits ISPs and mobile phone operators to forward ICR to the security and intelligence agencies for the purposes of safeguarding national security.

In recent years, the CJEU has ruled, in several judgments, on the retention of and access to personal data in the field of electronic communications. The resulting case-law has held that EU Member States could not require electronic communications service providers to retain traffic and location data in a general and indiscriminate way. These rulings inevitably caused concerns and prompted challenges from certain EU Member States, including the UK, France and Belgium, who considered that their domestic legislation was necessary to safeguard national security and combat crime. It was against that backdrop that proceedings were brought before the CJEU by, inter alia, Privacy International, concerning the lawfulness of domestic legislation adopted by EU Member States in this field.

The CJEU Decision

The CJEU ruled that:

  1. the E-privacy Directive must be interpreted as meaning that national legislation requiring electronic communications service providers to forward traffic and location data to the security and intelligence agencies for the purpose of safeguarding national security, falls within the scope of that directive. The CJEU also noted that while Article 2(2)(d) of the General Data Protection Regulation ("GDPR") does not apply to processing operations carried out ‘by competent authorities’ for the purposes of, inter alia, the prevention and detection of criminal offences, including the safeguarding against and the prevention of threats to public security, it is apparent from Article 23(1)(d) and (h) of the GDPR that the processing of personal data carried out by individuals for those same purposes falls within the scope of GDPR. The CJEU held that its interpretation of the E-Privacy Directive was consistent with the definition and scope of the GDPR.
  2. the E-privacy Directive does not authorise EU Member States to adopt legislative measures intended to restrict the scope of rights and obligations provided for in those directives, unless such measures comply with the general principles of EU law, including the principle of proportionality and the fundamental rights guaranteed by the Human Rights charter; and
  3. in that context, EU law precludes domestic legislation requiring an electronic communications services provider to carry out the general and indiscriminate transmission or retention of traffic and location data, for the purpose of combating crime in general, or of safeguarding national security.

However, the CJEU held that in situations where an EU Member State is facing a serious threat to national security that proves to be genuine and present or foreseeable, the E-privacy Directive does not preclude recourse to an order requiring electronic communications service providers to retain, generally and indiscriminately, traffic data and location data.[3]

The CJEU clarified that the E-privacy Directive does not prevent EU Member States from adopting legislative measures that allow recourse to the targeted retention, limited in time to what is strictly necessary, of traffic and location data, which is limited, on the basis of objective and non-discriminatory factors, according to the categories of persons concerned or using a geographical criterion. The judgment also provided that the E-privacy Directive does not preclude legislative measures that allow recourse to the expedited retention of data available to service providers, where situations arise in which it becomes necessary to retain that data beyond statutory data retention periods in order to shed light on serious criminal offences or attacks on national security.

In addition, the CJEU held that the E-privacy Directive does not preclude national legislation which requires electronic communication service providers to have recourse to the real-time collection of traffic and location data, among other things, where that collection is limited to persons in respect of whom there is a valid reason to suspect that they are involved in (one way or another) terrorist activities and is subject to a prior review carried out either by a court or by an independent administrative body whose decision is binding, to ensure that such real-time collection is authorised only within the limits of what is strictly necessary.


The effect of the CJEU's ruling is that it will be much more difficult for the security services to use bulk surveillance technology for the purposes of crime prevention and national security. While data retention is permitted in some circumstances, the CJEU's ruling makes it clear that the UK domestic legislation needs adjustment to align with EU data protection laws.

This decision is also likely to raise questions as to whether the UK will be able to secure an adequacy decision, pursuant to the GDPR, once the UK leaves the EU on 31 December 2020. An adequacy decision is a decision by the European Commission that a given country can ensure an adequate level of protection for personal data and thus permits cross-border data flows outside the EU, without any further safeguards being necessary. If the UK is not able to obtain adequacy status, this will inevitably have wider implications for UK business – and especially sectors that process a lot of personal data such as the UK financial services sector - as personal data transferred between the UK and EU would cease to be automatically compliant with the GDPR's rules on data transfers.

Data flows from the EU to the UK would then need to rely on another mechanism to render them legal. The most common method used for flows of personal data is the use of the so-called standard contractual clauses or model clauses in a data sharing contract. However, this decision, when taken together with the recent decision of the CJEU in Schrems II, casts doubt on the efficacy of this method.

In Schrems II, in relation to the use of standard contractual clauses, the CJEU ruled that data can be transferred to a third country using this method but only if the personal data is subject to safeguards under domestic law that guarantee a level of protection equivalent to GDPR. The view from many commentators in Brussels appears to be that UK domestic law does not guarantee such safeguards, including as a result of the powers of the UK Government to intercept and store bulk communications. If the specific issue of the legality of standard contractual clauses relating to the flow of data from the EU to the UK is raised before the CJEU (or the national courts of member states), irrespective of whether a deal is reached with the EU on Brexit, a negative finding could mean the SCCs cannot be used to facilitate the transfer of data from the EU to the UK, which will have huge implications for commerce and industry. If this occurs, businesses operating in the EU after 1 January 2021 may not have an easily available mechanism to transfer personal data to the UK.


[1] The full text of the judgment can be found here: ( The CJEU press release can be found here: (

[2] Directive on Privacy and Electronic Communications (2002/58/EC)

[3] In this regard, the court clarified that the decision in imposing such an order, for a period that is limited in time to what is strictly necessary, must be subject to effective review, either by a court or by an independent administrative body, in order to verify that one of those situations exists and that the conditions and safeguards laid down are observed.


© 2020 Brown Rudnick LLP