On 6 October 2020, the Court of Justice of the European Union (CJEU) made an important ruling that may affect the many of the cases arising out of the EncroChat ‘hack’ this year.

The CJEU gave a preliminary ruling concerning the interpretations of Article 1(3)1 and Article 15(1)2 of Directive 2002/58/EC of the European Parliament and the Council of 12 July 2002. This concerns the processing of personal data and the protection of privacy in the electronic communications sector.

The request for this preliminary ruling was made in proceedings between Privacy International and the Secretary of State for Foreign and Commonwealth Affairs (UK), Secretary of State for the Home Department (UK), Government Communications Headquarters (GCHQ) (UK), Security Service (MI5) (UK), and Secret Intelligence Service (MIG) (UK). These proceedings concern the legality of legislation authorising the acquisition and use of bulk communications data by the security and intelligence agencies.

The CJEU determined that Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 must be interpreted as meaning that national legislation enabling a State authority to require providers of electronic communications services to forward traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security falls within the scope of that Directive.

Also, Article 15(1) of that Directive must be interpreted as precluding national legislation enabling a State authority to require providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security.

This case is important because it sets out that EU law applies to mass surveillance in the UK. It applies when the UK government compels providers of electronic communications services to process data (forwarding traffic and location data), even when it is done for the purposes of national security. 

The first question determined by the court was as follows:

Question 1: Having regard to Article 4 TEU and Article 1(3) of [Directive 2002/58], does a requirement in a direction by a Secretary of State to a provider of an electronic communications network that it must provide bulk communications data to the [security and intelligence agencies] of a Member State fall within the scope of Union law and of [Directive 2002/58]?

This asks whether Article 1(3) of Directive 2002/58 (read in light of Article 4(2) TEU33) means that national legislation enabling a State authority to require providers of electronic communications services to forward traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security falls within the scope of EU law and Directive 2002/58.

Privacy International argued:

  • Having regard to the guidance derived from the case-law, both the acquisition of data by the security and intelligence agencies from those providers under section 94 of the 1984 Act and the use of that data by those agencies fall within the scope of that directive, whether that data is acquired by means of a transmission carried out in real-time or subsequently.
  • The fact that the objective of protecting national security is explicitly listed in Article 15(1) of that directive does not mean that the directive does not apply to such situations, and that assessment is not affected by Article 4(2) TEU. 

United Kingdom, Czech and Estonian Governments, Ireland, and the French, Cypriot, Hungarian, Polish and Swedish Governments argued:

  • Directive 2002/58 does not apply to the national legislation at issue in the main proceedings, as the purpose of that legislation is to safeguard national security.
  • The activities of the security and intelligence agencies are essential State functions relating to the maintenance of law and order and the safeguarding of national security and territorial integrity, and, accordingly, are the sole responsibility of the Member States, as attested to by, in particular, the third sentence of Article 4(2) TEU.
  • Directive 2002/58 cannot therefore be interpreted as meaning that national measures concerning the safeguarding of national security fall within its scope.
  • Article 1(3) of that directive defines the scope of that directive and excludes from that scope, as was previously provided in the first indent of Article 3(2) of Directive 95/46, activities concerning public security, defence, and State security. 
  • Those provisions reflect the allocation of competences laid down in Article 4(2) TEU and would be deprived of any practical effect if it were necessary for measures in the field of national security to meet the requirements of Directive 2002/58.
  • The case-law of the Court derived from the judgment of 30 May 2006, Parliament v Council and Commission (C-317/04 and C-318/04, EU:C:2006:346), concerning the first indent of Article 3(2) of Directive 95/46 can be transposed to Article 1(3) of Directive 2002/58.

The CJEU’s answer to the question: Article 1(3), Article 3 and Article 15(1) of Directive 2002/58, read in the light of Article 4(2) TEU, must be interpreted as meaning that national legislation enabling a State authority to require providers of electronic communications services to forward traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security falls within the scope of that directive.

The second question determined by the court was:

Question 2: If the answer to Question (1) is “yes”, do any of the [requirements applicable to retained communications data, set out in paragraphs 119 to 125 of the judgment of 21 December 2016, Tele2 (C-203/15 and C-698/15, EU:C:2016:970)] or any other requirements in addition to those imposed by the ECHR, apply to such a direction by a Secretary of State? And, if so, how and to what extent do those requirements apply, taking into account the essential necessity of the [security and intelligence agencies] to use bulk acquisition and automated processing techniques to protect national security and the extent to which such capabilities, if otherwise compliant with the ECHR, may be critically impeded by the imposition of such requirements?

This asks whether Article 15(1) of Directive 2002/58, read in the light of Article 4(2) TEU and Articles 7, 8 and 11 and Article 52(1) of the Charter, precludes national legislation enabling a State authority to require providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security.

The CJEU’s answer to the question: Article 15(1) of Directive 2002/58, read in the light of Article 4(2) TEU and Articles 7, 8 and 11 and Article 52(1) of the Charter, must be interpreted as precluding national legislation enabling a State authority to require providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security.

On those grounds, the Court (Grand Chamber) hereby rules:

“Article 1(3), Article 3 and Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, read in the light of Article 4(2) TEU, must be interpreted as meaning that national legislation enabling a State authority to require providers of electronic communications services to forward traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security falls within the scope of that directive.

Article 15(1) of Directive 2002/58, as amended by Directive 2009/136, read in the light of Article 4(2) TEU and Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union, must be interpreted as precluding national legislation enabling a State authority to require providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security.”

We now await the implementation of this case in the UK.

References:

1 “This Directive shall not apply to activities which fall outside the scope of the Treaty establishing the European Community, such as those covered by Titles V and VI of the Treaty on European Union, and in any case to activities concerning public security, defence, State security (including the economic well-being of the State when the activities relate to State security matters) and the activities of the State in areas of criminal law.”

2 “Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of [Directive 95/46]. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of [EU] law, including those referred to in Article 6(1) and (2) of the Treaty on European Union.”

3 The Union shall respect the equality of Member States before the Treaties as well as their national identities, inherent in their fundamental structures, political and constitutional, inclusive of regional and local self-government. It shall respect their essential State functions, including ensuring the territorial integrity of the State, maintaining law and order and safeguarding national security. In particular, national security remains the sole responsibility of each Member State.

Alexandra Wilson is a barrister specialising in criminal and family law. In her criminal law practice, she represents a variety of clients charged with serious matters and specialises in young and vulnerable clients. Her family law practice includes private children, public children, domestic abuse and finance cases.