The judgments of the Grand Chamber of the EU Court of Justice in Privacy International (C-623/17) and the joined cases of La Quadrature du Net (C-511/18 and C-512/18) and Ordre des barreax francophones et Germanophone (C-520/18) landed with a reverberating thud on the morning of 6 October 2020.
These referrals, from the UK, France and Belgium, posed
questions about the compatibility with EU law of state surveillance legislation
in each country. Although differing from each other in some respects, the cases
all had in common that they concerned retention, processing or transmission to
the authorities not of the content of messages, but contextual ‘communications data’
such as sender, recipient, time of sending, length and type of communication,
kind of device and its location.
Adequacy
From a UK perspective, the main interest is in the potential
effect of these judgments on the expected decision by the European Commission on the
adequacy – or not – of the UK’s regime for protection of personal data. If the UK is to maintain unhindered flows of personal
data from the EU post-Brexit, an adequacy decision will ensure that. Although
the UK has largely replicated the GDPR, the UK’s communications surveillance
regime will still be relevant to an adequacy decision – as the Schrems 2
litigation over the EU-US Privacy Shield has highlighted.
Although none of last week’s CJEU judgments addressed the current
UK communications surveillance framework under the Investigatory Powers Act
2016, the judgments will be closely scrutinised and mapped on to that. The UK
government has described the current surveillance regime at Section H of its Explanatory Framework for Adequacy Discussions, produced for the purposes of negotiation
with the EU.
The CJEU referrals
The three CJEU cases addressed different kinds of activity
that the respective national legislation could authorise and require service
providers to undertake. Although the judgments have generally been reported as
being about mandatory retention of communications data, they are not limited to that. They also address national legislation requiring automated analysis of communications data to
detect terrorism, and real-time feeds to security and intelligence
authorities.
The cases also vary between legislation directly imposing
blanket obligations on all service providers, and legislation conferring
discretionary powers on national authorities enabling them to require
individual service providers to engage in stipulated activities. This is now becoming a critical distinction.
The UK reference concerned Section 94 of the Telecommunications
Act 1984. This enabling legislation conferred a general power on a Secretary of
State to give directions to providers of public electronic communications
networks in the interests of national security or of relations with a foreign
government. In November 2015 the UK government publicly acknowledged for the first time that
this power had been used to require providers to transfer some kinds of
communications data in bulk to the security and intelligence agencies (GCHQ and
MI5). (S.94 has since been repealed and,
for this purpose, is superseded by the bulk communications data acquisition
warrant under the Investigatory Powers Act 2016.)
The Belgian reference concerned mandatory communications
data retention. The Belgian law in
question imposed a blanket obligation on all service providers to retain, for
12 months, various kinds of subscriber, traffic and location data (including
both origin and destination of communications). The law then stipulated
purposes for and conditions under which various kinds of state authority could
issue demands for data to be handed over. Data could be used for a wide variety
of criminal investigations.
The French reference, as it related to communication data
retention, concerned legislation directly imposing a blanket obligation on all
service providers for the purpose of investigating, detecting and prosecuting
criminal offences. The reference also dealt with a series of discretionary statutory
powers enabling the French authorities to instruct providers to carry out a variety
of communications data analysis and reporting activities:
-
For the purpose of preventing terrorism,
real-time transfer of communications data relating to a person previously
identified as potentially having links to a threat, and to associates of such
person believed on substantial grounds to be capable of providing relevant information.
(L.851-2)
-
For the purpose of preventing terrorism,
automated data processing by the service provider designed, within the
parameters laid down in the authorisation, to detect links that might constitute
a terrorist threat; and where data has been detected as likely to point to the
existence of a terrorist threat, a procedure for authorising identification of the
person concerned and collection of the related data. (L.851-3)
-
Real-time transmission to the authorities of
technical data relating to the location of terminal equipment for a wide
variety of, broadly, security-related purposes. (L.851-4)
Principles
The CJEU articulated a number of points of principle. Of especial
relevance are:
- The same issues of compliance with EU law and
the EU Charter of Fundamental Rights that were discussed (for data retention) in Digital
Rights Ireland and Tele2/Watson arise with transmission of data to
third parties and access to data with a view to its use. (C-623/17 [61])
- Information that may be provided by profiling using
traffic data and location data is no less sensitive than the actual content of
communications. (C-623/17 [71]; C-511/18 et al [117], [184])
- Transmission of traffic data and location data
to persons other than users constitutes interference with fundamental rights,
regardless of how that data is subsequently used. (C-623/17 [69] and [70])
- Transmission to public authorities has the
effect of making that data available to them. Legislation which permits general
and indiscriminate transmission of data to public authorities entails general
access. (C-623/17 [79] and [80])
- The ePrivacy Directive requires that exceptions to
confidentiality of communications remain exceptions. Legislation enabling
general and indiscriminate transmission of traffic and location data to the
authorities renders the exception the rule. That is not permissible. (C-623/17
[69], C-511/18 et al [111], [142])
- The Charter requirement that any limitation on
the exercise of fundamental rights be provided for by law implies that the
legal basis which permits the interference with those rights must itself define
the scope of the limitation on the exercise of the right concerned. (C-623/17
[65], C-511/18 [175]) (citing Schrems 2, [175])
- General access to all retained data (including
by general and indiscriminate transmission), regardless of whether there is any
link, at least indirect, with the aim pursued, cannot be regarded as strictly
necessary. (C-623/17 [78], [80], [81])
- The objective of safeguarding national security
is capable of justifying measures entailing more serious interferences with
fundamental rights than might be justified by the other objectives set out in
Article 15(1) of the ePrivacy Directive. (C-623/17 [75], C-511/18 et al [136])
- It is not sufficient for legislation to specify
the purpose for which powers may be exercised. It must, by means of clear and
precise rules, lay down the substantive and procedural conditions governing the
use of the data, thereby ensuring that the interference is limited to what is
strictly necessary. (C-623/17 [68], [77]; C-511/18 et al [132], [133], [155],
[166] to [168], [176])
Applying the principles
How did these and other principles relied upon by the CJEU
translate into EU law compatibility (or otherwise) of the powers under
consideration?
First, a cautionary note. The CJEU style of judgment tends
towards what might be called ‘opaque clarity’: ringing declarations of high principle,
the concrete meaning of which is left for another day. The Court of Appeal has observed: “The CJEU is notorious for making pronouncements resembling those of
the oracle at Delphi…”.
A classic example in the present field is the prohibition on
“general and indiscriminate retention”, contrasted with ‘targeted retention’.
The exact position of the boundary between the two has yet to be discovered.
Not only that, but what might have appeared from previous CJEU judgments to be
a prohibition of general application now turns out to have context-specific exceptions.
This characteristic of CJEU judgments, especially relevant where the EU Charter is concerned, has to be borne in mind when attempting to
extrapolate them to different facts and contexts.
Internal service provider activities versus state access
In these judgments the CJEU drew a high-level distinction between retention
and processing activities internal to service providers, and access to data by
the authorities.
On the service provider side of the boundary, legislation
compelling general and indiscriminate activities is generally precluded.
However, the Court indicated some limited situations and purposes for which legislation
could mandate service providers to engage in general and indiscriminate retention, or limited to some kinds of communications data (source IP addresses and subscriber
identity data), or to undertake automated processing of all communications data
retained by them.
By contrast, in no circumstances – or at least none considered
by the Court – was it permissible for legislation to provide the authorities
with general and indiscriminate access to communications data held by the
service providers, including (as with the UK’s Section 94) by mandatory transmission
to the authorities.
Blanket obligations versus enabling legislation
The CJEU has previously had no hesitation in holding
legislation that directly imposes a blanket data retention obligation on all service
providers to be incompatible with EU law. It did that in Tele2/Watson
for the Swedish legislation in issue in that case. In these latest cases it has
done the same for the French and Belgian blanket data retention legislation.
The position is more nuanced with legislation conferring
discretionary powers. The CJEU in Tele2/Watson set out a series of
principles applicable to data retention legislation, but stopped short of
holding that the then UK data retention legislation (DRIPA) was incompatible
with EU law. That assessment was
returned to the UK court.
DRIPA was structured as enabling legislation, empowering the
Secretary of State to issue notices to service providers for up to 12 months.
DRIPA required the Secretary of State to consider that issuing a data retention
notice was necessary and proportionate for one of the purposes enumerated in
the Act. The current IP Act is in similar terms, although additionally requiring
the Secretary of State to take into account a number of factors set out in the
legislation. A retention notice under the IP Act is also subject to prior
approval of an independent Judicial Commissioner.
The question then arises whether, as a matter of EU law, it
is sufficient for Member State legislation to require the relevant authorities
to exercise a discretionary power in accordance with necessity and
proportionality principles, accompanied by safeguards aimed at ensuring that
this is achieved. Or must the statute itself set out substantive limits on the
exercise of the power?
Two distinct points are in play here: first, could the power
in question be exercised in a way that strays into requiring the service
provider to undertake illegitimate general and indiscriminate activities?
Second, does legislation that relies primarily on obligating observance of
principles and establishing safeguards, in preference to setting hard limits on
the exercise of a power, satisfy the EU law requirement for clear and precise
rules?
Taken to the extreme, could an otherwise insufficiently circumscribed
general discretionary power be saved by a provision requiring it to be
exercised in accordance with the EU Charter on Fundamental Rights? If the answer to that is ‘No’, then how far must the legislation go in setting
substantive limits?
The requirement for clear and precise rules is nominally the
same as the European Convention on Human Rights ‘prescribed by law’ test. However, there are indications that the CJEU may be open to taking a stricter approach
than does the Strasbourg court. The CJEU at paragraph [124] of the La
Quadrature decision refers to taking account of the ECHR as establishing a
‘minimum threshold of protection’.
The IP Act in the English courts
By the time the Watson case returned to the English Court of Appeal, DRIPA had been superseded by the IP Act. Separately, Liberty had
commenced proceedings challenging the data retention and bulk powers provisions
of the IP Act. The question of compatibility
with EU law was therefore left to be determined in the Liberty
proceedings. In April 2018 the
Divisional Court held that the IP Act data retention powers were compatible
with EU law.
As to the second point (hard limits), the court did not read the Watson decision as requiring detailed factors (as it described them) to be listed in domestic legislation. It was sufficient if the legislation permitted decisions to be taken that were (a) sufficiently connected with the objective being pursued (b) strictly necessary and (c) proportionate ([124]), coupled with safeguards so as to achieve effective protection against the risk of misuse of personal data. ([125])
The obligation on the Secretary of State to exercise the
power only if she considered it both necessary and proportionate for one or
more of the purposes listed in the Act “enshrines in the statute the essence of
the tests propounded in Watson”. ([128])
The court found that the limits suggested by the CJEU in Watson
(by reference to categories of persons and geographical areas) were not
exhaustive or prescriptive. The suggested limits were examples of parameters
that could be used according to the facts of a particular situation. ([123]) It would
be impractical and unnecessary to set out in detail in legislation the range of
factors which might fall to be applied according to the circumstances of
different cases ([124]).
As to the first point (general and indiscriminate retention), the court said that it was difficult to conceive how a notice encompassing all communications data in the UK could satisfy the statutory necessity and proportionality tests ([129]); and that it could not possibly be said that the legislation required, or even permitted, a general and indiscriminate retention of communications data ([135]).
Must the Member State make a list?
This approach prompts the question: does the fact that the
criteria suggested by the CJEU were not prescriptive or exhaustive mean that a Member
State does not have to list in its own legislation a set of conditions constraining
the exercise of a discretionary power, so that their compliance with strict
necessity can be gauged? Is it sufficient to lay down factors to be taken into
account when exercising the power? Would the latter enable the scope of the
power to be tested objectively against connection with the objective pursued?
Although the CJEU in Watson observed at [110] that
the conditions might vary according to the nature of the measures taken for the
purposes of prevention, investigation, detection and prosecution of serious
crime, it referred to “substantive conditions which must be satisfied by national
legislation”. It went on that such conditions must be shown to be such as
actually to circumscribe, in practice, the extent of that measure and, thus,
the public affected.
Schrems 2 appears
At the time of the Divisional Court’s Liberty
decision the CJEU had not held any enabling legislation to be incompatible with
EU law. That has now changed. First, the Schrems 2 decision, albeit
considering essential equivalence of US laws with EU personal data protection rather
than compatibility of a Member State’s laws, held that certain US enabling provisions
did not provide adequate protection of personal data. The limitations on
personal data protection were not: “circumscribed in a way that satisfies
requirements that are essentially equivalent to those required, under EU law” ([185]).
Schrems 2 emphasised that:
“the requirement that any
limitation on the exercise of fundamental rights must be provided for by law
implies that the legal basis which permits the interference with those
rights must itself define the scope of the limitation on the exercise of
the right concerned…” [175] (emphasis added)
Like previous CJEU judgments it distinguished between the
legislation itself and a measure that it empowered:
“the legislation in question
which entails the interference must lay down clear and precise rules
governing the scope and application of the measure in question and imposing
minimum safeguards … . It must, in particular, indicate in what circumstances
and under which conditions a measure providing for the processing of
such data may be adopted, thereby ensuring that the interference is limited to
what is strictly necessary.” [176] (emphasis added)
These points were repeated in the recent CJEU judgments,
emphasising also that the legislation must be legally binding under domestic
law (La Quadrature [132]).
The emphasis on clear and precise conditions set out in the
legislation itself raises anew the question whether an approach based primarily
on safeguards and oversight of a broad discretionary power is compatible with
EU law.
If it remains possible for the discretion to be exercised in a way that results in impermissible general and indiscriminate retention, then EU law is not complied with.
Further, the more is left to discretion, the less likely it would
seem that the criterion of practical effect resulting from substantive conditions would be satisfied:
“the substantive conditions which
must be satisfied by national legislation … must be shown to be such as
actually to circumscribe, in practice, the extent of that measure and, thus,
the public affected.” Tele2/Watson [110]).
This is illustrated by the holdings in Schrems 2 regarding the two specific US surveillance programmes under consideration. The programmes authorised collection of both communications data and content.
The CJEU held that S702 FISA did not itself define the scope
of the limitation on the exercise of the right concerned and lay down clear and
precise rules governing the scope and application of the measure in question (nor
impose minimum safeguards). S702 authorised surveillance programmes rather than
individual surveillance measures. The supervisory role of the FISC was designed
to verify whether surveillance programmes related to the objective of acquiring
foreign intelligence information, not whether individuals were properly
targeted to acquire foreign intelligence information.
Similarly it held that PPD‑28,
which allowed, in the context of the surveillance programmes based on E.O.
12333, access to data in transit to the United States without that access being
subject to any judicial review, did not, in any event, delimit in a
sufficiently clear and precise manner the scope of such bulk collection of
personal data. It allowed for bulk collection … of a relatively large volume of signals intelligence
information or data under circumstances where the Intelligence Community could not
use an identifier associated with a specific target to focus the collection.
In those circumstances, the CJEU held that limitations on
the protection of personal data arising from the domestic law of the United
States on the access and use by US public authorities of such data were not
circumscribed in a way that satisfied requirements essentially equivalent to
those required under EU law ([185]).
Section 94 - EU law versus ECHR
In the Privacy International case the CJEU's findings appear unavoidably to lead to the conclusion that the UK S.94 enabling legislation was contrary to EU law.
Two points are noteworthy:
First, Section 94(2A) stipulated that “The Secretary of State shall not give a direction … unless he
believes that the conduct required by the direction is proportionate to what is
sought to be achieved by that conduct.” Similar provisions are contained in the IP Act.
Second, the incompatibility ruling applies to S.94 after
avowal, publication of Handling Arrangements and commencement of independent
oversight in November 2015. For the period following that, the IPT had held that s.94 complied
with the ECHR 'provided by law' requirement:
“The ICC concluded … that the
relevant agencies had introduced comprehensive procedures, in accordance with
the Handling Arrangements, to ensure that they only acquired and retained bulk
communications data, and then accessed and undertook analysis of that data, in
order to pursue their functions under SSA 1989 or ISA 1994. The essential
protection against a potential abuse of power under s.94, namely a requirement
that the BCD may only be obtained and used for proper purposes, is thus
provided by law, and subject to effective oversight.” [91]
This approach (echoed in the Divisional Court judgment in Liberty
discussed above) stands in apparent contrast to the CJEU’s stipulation that:
“legislation cannot confine
itself to requiring that authorities’ access to the data be consistent with the
objective pursued by that legislation, but must also lay down the substantive
and procedural conditions governing that use”. (Privacy International
[77], also see La Quadrature [176])
This suggests that legislation should specify the
criteria that the authorities must satisfy, and the authorities must decide
whether, in a particular situation, the criteria are met – if necessary, backed
up by verification and approval by an independent authority.
The CJEU appears to regard the criteria to be met as
gateways to be passed through, rather than as factors to be taken into account
by the authorities when exercising their discretion. At the least, the
judgments appear to lean in the direction of requiring concrete limits to be
spelled out in the legislation, rather than left to surrounding safeguards.
It is an open question how far the CJEU’s approach might encompass instruments such as statutory Codes of Practice within ‘legislation’. The answer may depend both on whether they lay down sufficiently clear and precise rules and on whether they pass the ‘legally binding under domestic law’ test. If so, then it would be a question of whether the constraints imposed were sufficient to bring the powers within the relevant substantive limits identified by the CJEU .
The Investigatory Powers Act
How does this approach map on to the Investigatory Powers
Act? Looking beyond the end of the Brexit transition period, the significant question
will not be compliance with EU law as such, but whether the UK regime provides
“essentially equivalent” protection for personal data. However, the two are
closely related. Furthermore, the IP Act’s compliance with EU law is one aspect
of the pending domestic judicial review by Liberty, which (as regards general and indiscriminate data
retention at least) may in due course be considered by the Court of Appeal.
Two aspects of the IP Act that overlap with the CJEU
judgments are data retention (Part 4) and the bulk communications data
acquisition warrant (Part 6 Chapter 2). The latter is for these purposes
the IP Act replacement for Section 94 TA.
However, bulk communications data (known as secondary data)
is also collected by means of bulk interception warrants under Part 6 Chapter
1). Even the targeted warrantry regime could be relevant, given the possibility
of obtaining ‘thematic’ warrants.
For the sake of simplicity I will focus on two powers: data
retention and the bulk communications data acquisition warrant. Both of these are enabling provisions, rather than blanket requirements.
Hard versus soft limits
Although hedged around with more safeguards than either
DRIPA (for data retention) or Section 94 (for bulk communications data acquisition) -
including prior approval by a Judicial Commissioner of a notice or warrant
respectively - both powers adopt the model of a broad power exercisable for
broadly defined purposes.
The data retention power enables the Secretary of
State (subject to Judicial Commissioner approval), if she considers the
requirement necessary and proportionate for one or more of the purposes set out
in the Act, to require a telecommunications operator by notice to retain
certain categories of communications data. The notice must not require
retention for longer than 12 months. It can specify either a single operator or
description of operators, the data to be retained and the retention period.
The power cannot be exercised solely on the basis that the
data relates to the activities in the British Islands of a trade union.
The Secretary of State is required to take into account a
number of factors before giving a retention notice, including the likely
benefits of the notice and the likely number of users (if known) of any telecommunications
service to which the notice relates.
The bulk communications data acquisition power is one
of several bulk powers grouped under Part 6 of the IP Act. The Secretary of
State may (subject to Judicial Commissioner approval), if she considers it
necessary on various national security grounds, issue an intelligence service
with a warrant authorising bulk acquisition of communications data. She must
consider that the conduct authorised by the warrant is proportionate to what is
sought to be achieved by the conduct.
She must also consider that examination of acquitted
communications data is or may be necessary for each operational purpose specified
in the warrant, in addition to the grounds on which she considered the warrant
to be necessary.
Necessity on national security-related grounds cannot be
established solely on the basis that the data relates to the activities in the
British Islands of a trade union.
A bulk acquisition warrant can be issued for up 6 months,
subject to renewal.
A telecommunications operator served with a copy of the
warrant is under a duty to take steps to implement the warrant, subject to
reasonable practicability.
Various safeguards regarding use of acquired data are
stipulated.
The policy of the IP Act
The structure of these powers reflects an underlying policy to draw the
powers widely, then apply safeguards. David
Anderson QC (now Lord Anderson) observed in his August 2016 Bulk Powers Review:
“I have reflected on whether
there might be scope for recommending the “trimming” of some of the bulk
powers, for example by describing types of conduct that should never be
authorised, or by seeking to limit the downstream use that may be made of
collected material. But particularly at this late stage of the parliamentary
process, I have not thought it appropriate to start down that path. Technology
and terminology will inevitably change faster than the ability of legislators
to keep up. The scheme of the Bill, which it is not my business to disrupt, is
of broad future-proofed powers, detailed codes of practice and strong and
vigorous safeguards.”
If the effect of the CJEU decisions is, as already discussed,
that a safeguards-heavy and limitations-light approach is not permissible, so that
legislation must spell out concrete conditions for the exercise of the power rather
than obligations to observe necessity and proportionality and factors to be
taken into account, then the scheme of the IP Act bulk communications data
retention and acquisition powers, and the arguments that succeeded in the
Divisional Court in Liberty, appear to be at risk. For what it may be worth, in 2016 I
suggested some limitations that could be applied to the then Bill’s bulk
powers.
Beyond that, it should not be forgotten that the UK bulk powers extend to bulk interception of the content of communications. The CJEU
in Digital Rights Ireland suggested that a data retention obligation
relating to content might adversely affect the essence of the right of privacy
under Article 7 of the Charter. The Schrems 2 decision, on the other
hand, drew no distinction between content and communications data.
General and indiscriminate?
Do the IP Act data
retention and bulk communications data acquisition powers amount to general and
indiscriminate data retention and transmission? A blanket requirement directly
imposed by legislation on all providers clearly amounts to that. In the context
of a power exercisable case by case, what amounts to ‘general and
indiscriminate’?
It is evident from the La Quadrature judgment ([172]) that an instruction to a single service provider is capable of being general and indiscriminate if it involves, at the request of the competent national authorities, screening all the traffic and location data retained by a provider. The same is true of the Privacy International judgment, as regards transmission. Equally, the Court endorses the principle of a power that can be exercised only in a sufficiently targeted manner.
What amounts to indiscriminate? At least, lack of objective
criteria establishing a connection between the data to be retained, analysed or
transmitted and the objective pursued. (La Quadrature [133])
The CJEU suggests that a geographic criterion is capable of amounting
to targeted retention, if there is an objectively justifiable reason for
selecting the area:
“The limits on a measure
providing for the retention of traffic and location data may also be set using
a geographical criterion where the competent national authorities consider, on
the basis of objective and non-discriminatory factors, that there exists, in
one or more geographical areas, a situation characterised by a high risk of
preparation for or commission of serious criminal offences … .
Those areas may include places
with a high incidence of serious crime, places that are particularly vulnerable
to the commission of serious criminal offences, such as places or
infrastructure which regularly receive a very high volume of visitors, or
strategic locations, such as airports, stations or tollbooth areas.” La
Quadrature [150]
If selecting such an area is objectively justified, then presumably
it could in principle be legitimate to require all the communications of a purely
local provider within that area to be retained. That would not be true if there
were no objectively justifiable reason to select that area, in which case the
same retention would presumably be indiscriminate.
Whatever the legitimacy of the overall legislative approach
adopted, if a Member State (or the UK) wishes to avail itself of the different
kinds of power that the CJEU has now held are permissible in certain situations,
for certain purposes, in certain factual situations (see further, below), or for certain kinds of
data (such as source IP addresses or user identity data), then it seems unavoidable that the state should legislate separately for
each variety of power, setting out the conditions that apply to each one.
For instance, as described below the CJEU has set out
different conditions applicable to real-time and non-real-time access to data
held by service providers. The UK’s Section 94 (and now the bulk communications data
acquisition warrant) appear capable of covering real-time, near-real-time and
non-real-time transmission, but do not differentiate between them. The CJEU
commented on that in the Privacy International judgment:
“Such a disclosure of data by
transmission concerns all users of means of electronic communication, without
its being specified whether that transmission must take place in real-time or
subsequently.” ([52])
Following the Privacy International and La Quadrature CJEU judgments it appears less likely that such
lack of differentiation would pass muster.
As to the different kinds of power under consideration, the CJEU findings in the French and Belgian references (The UK's Section 94 is discussed above) were as follows.
Mandatory data retention
Permissible general and indiscriminate retention For mandatory
data retention, the Court reaffirmed the general rule that legislation
providing, as a preventive measure, for general and indiscriminate retention of
traffic and location data is impermissible.
However, the Court identified certain exceptions. In each
case these measures must ensure, by means of clear and precise rules, that the
retention of data at issue is subject to compliance with the applicable
substantive and procedural conditions and that the persons concerned have
effective safeguards against the risks of abuse.
1. Serious threat instruction for the purposes of safeguarding national security. An instruction for this purpose to retain traffic data and location data generally and indiscriminately is permissible, provided that a situation exists in which the Member State concerned is confronted with a serious threat to national security that is shown to be genuine and either present or foreseeable. The instruction may be given only for a period limited to what is strictly necessary, but which may be extended if that threat persists. The decision imposing such an instruction must be subject to effective review, either by a court or by an independent administrative body whose decision is binding.
2. Source IP addresses for the purposes of safeguarding national security, combating serious crime and preventing serious threats to public security. Legislation for these purposes providing for the general and indiscriminate retention of IP addresses assigned to the source of an internet connection is permissible, if the retention is limited to a period limited to what is strictly necessary.
3.
Identity data for the purposes of
safeguarding national security, combating crime and safeguarding public
security. Legislation for these purposes providing for the general and
indiscriminate retention of data relating to the civil identity of users is
permissible.
Targeted retention The Court also elaborated on its
observations in Tele2/Watson regarding permissible mandatory retention,
for the purposes of combating serious crime and preventing serious threats to public
security, targeted according to categories of persons and geographic criteria.
Targeted preservation It also addressed expedited
targeted preservation. For the purposes of combating serious crime and, a
fortiori, safeguarding national security it is permissible to allow recourse to
an instruction requiring service providers, by means of a decision of the
competent authority that is subject to effective judicial review, to undertake,
for a specified period of time, the expedited retention of traffic and location
data in their possession.
As with the permissible categories of general and
indiscriminate retention, these targeted measures are subject to the
requirement for clear and precise rules and effective safeguards against the
risks of abuse.
Automated analysis of traffic and location data
This part of the Court’s judgment relates to French L.851-3,
mandating automated processing of traffic data and location data by the service
provider for the purpose of detecting links that might constitute a terrorist
threat. The Court held that such automated analysis, although general and
indiscriminate (see para [172]), is permissible provided that a situation
exists in which the Member State concerned is facing a serious threat to
national security that is shown to be genuine and either present or foreseeable;
and that recourse to automated analysis may be the subject of an effective
review, either by a court or by an independent administrative body whose
decision is binding.
In the course of its judgment the Court expanded, in the
context of the French legislation, on steps that should be taken to ensure that
pre-established models, criteria and databases are:
- specific and reliable, making it possible to achieve
results identifying individuals who might be under a reasonable suspicion of
participation in terrorist offences;
- non-discriminatory;
- not based on sensitive personal data in isolation; and
- subject to regular re-examination to ensure they are
reliable and up to date.
Further, any positive result should be subject to individual
manual re-examination before being acted upon.
Real-time access
The French measures L.851-2 and L.851-4 both enabled
real-time access to traffic and location data: a variety of data in the case of
L.851-2 for prevention of terrorism purposes, and technical device location
data in the case of L.851-4 for a wide range of, broadly, security purposes.
The data that could be collected under L.851-2 would enable
the authorities to monitor “continuously and in real time, the persons with
whom those persons are communicating, the means that they use, the duration of
their communications and their places of residence and movements. It may also
reveal the type of information consulted online.” [184].
As regards L.851-4, the technical data would appear to allow
“the department responsible, at any moment throughout the duration of that
authorisation, to locate, continuously and in real time, the terminal equipment
used, such as mobile telephones.”
The Court emphasised the seriousness of the interference
with privacy involved in real-time collection of traffic and location data:
“It must be emphasised that the
interference constituted by the real-time collection of data that allows
terminal equipment to be located appears particularly serious, since that data
provides the competent national authorities with a means of accurately and permanently
tracking the movements of users of mobile telephones. To the extent that that
data must therefore be considered to be particularly sensitive, real-time
access by the competent authorities to such data must be distinguished from
non-real-time access to that data, the first being more intrusive in that it
allows for monitoring of those users that is virtually total … . The
seriousness of that interference is further aggravated where the real-time
collection also extends to the traffic data of the persons concerned.” [187]
The Court therefore distinguished between the limits and
safeguards applicable to real-time and non-real time access to data. Real-time
collection is not precluded for persons in respect of whom there is a valid
reason to suspect that they are involved in one way or another in terrorist
activities.
That must be subject to a prior review carried out either by
a court or by an independent administrative body whose decision is binding in
order to ensure that such real-time collection is authorised only within the
limits of what is strictly necessary. In cases of duly justified urgency, the
review must take place within a short time.
In this case the Court used the specific language of ‘prior’
review, as opposed to ‘effective’ review.
The Court also emphasised, in the body of its judgment, that
a decision authorising the real-time collection of traffic and location data
must be based on objective and non-discriminatory criteria provided for in the
national legislation and requiring the court or other independent
administrative body carrying out the prior review to satisfy itself, inter
alia, that such real-time collection is authorised only within the limits of
what is strictly necessary.
Non-real-time access
Although not forming part of the operative part of the
judgment, the Court commented on the conditions that should apply to non-real
time collection. As described in Tele2/Watson: “access can, as a general
rule, be granted, in relation to the objective of fighting crime, only to the
data of individuals suspected of planning, committing or having committed a
serious crime or of being implicated in one way or another in such a crime”.
However: “in particular situations, where for example vital
national security, defence or public security interests are threatened by
terrorist activities, access to the data of other persons might also be granted
where there is objective evidence from which it can be deduced that that data
might, in a specific case, make an effective contribution to combating such
activities.”
Thus, the Court in this case observed that non-real-time
collection would be permissible for persons not suspected of involvement in one
way or another in terrorist activities, but only where there is objective
evidence from which it can be deduced that that data might, in a specific case,
make an effective contribution to combating terrorism.
Conclusion
Back in 2017 (updated in January 2020) I wrote a piece entitled ‘Visions of Adequacy’,
in which I suggested that:
“Although concerned with bulk
data retention rather than interception or interference, Watson/Tele2
provides pointers to the possible future direction of CJEU decisions. As did Schrems,
Watson/Tele2 emphasises the need for differentiation, limitation and exceptions
in the light of the objective pursued. This suggests that while appropriately
focused and granular bulk powers may be acceptable, blanket bulk powers may not
be.
If that is to be the future
direction of CJEU caselaw then the IP Act’s bulk powers, which are longer on
safeguards than they are on limitations, may be in trouble. …
Statutory bulk powers could be
differentiated and limited. Distinctions could be made between, for instance,
seeded and unseeded data mining. If pattern recognition and anomaly detection
is valuable for detecting computerised cyber attacks, legislation could focus
its use on that purpose. Such limitations could prevent it being used for
attempts to detect and predict suspicious behaviour in the general population,
precrime-style.
Under the Act these distinctions
are left to assessments of necessity and proportionality by Ministers and
Judicial Commissioners when issuing and approving warrants, buttressed by after
the event oversight. These are soft limits, rather than the hard limits that
may in future be required for bulk powers to pass muster.”