In July 2020 the CJEU Schrems II judgment invalidated the EU-US Privacy Shield under the provisions of EU data protection law governing transfers of data to third countries. The CJEU decided that, in the light of US state communications surveillance powers, the Privacy Shield arrangements did not adequately protect EU personal data. Now, hard on the heels of Schrems II, have come the 6 October 2020 CJEU judgments in C-623/17 Privacy International and C-511-512/18 La Quadrature du Net (the latter joined with C-520/18 Ordre des barreax francophones et Germanophone). These new judgments address compliance with EU law of various UK, French and Belgian communications data retention and surveillance powers.

The twin streams of third country data protection adequacy and Member State compliance with EU law meet and merge in this trio of judgments. Their origins are found in the 2014 Digital Rights Ireland judgment (C-293/12) striking down the EU Data Retention Directive, and the 2016 Tele2/Watson judgment (C-203/15 and C-698/15), which held the blanket Swedish data retention legislation to be contrary to EU law. They are joined by a tributary, the 2017 CJEU Opinion on the proposed EU-Canada Passenger Names Record Data Agreement (Opinion 1/15).

The October judgments address a variety of bulk communications surveillance activities that one or other of the referring countries (UK, France and Belgium) had imposed on service providers: data retention, computerised analysis of retained data, and transmission to the authorities. The outcomes are more nuanced than the previous judgments, but reiterate that for most kinds of data, in most situations, general and indiscriminate data retention cannot be required. A requirement for general and indiscriminate data transmission to the authorities is never permissible.

The October judgments all concerned communications data: contextual ‘who, when, where, how’ data surrounding communications, as opposed to their content. Whilst in the past content may have been regarded as more sensitive than communications data, the CJEU in these cases stated emphatically that information that may be provided by profiling using traffic and location data is no less sensitive than the content of communications.

The CJEU held that requirements imposed on service providers for national security purposes were within the scope of EU law. That contrasted with the activities of member state national security agencies themselves, which fall outside the scope of EU law so long as they do not impose processing obligations on service providers.

However that distinction, although critical for the scope of EU law applicable to Member States, has no relevance to a European Commission determination of a third country’s data protection adequacy, such as the EU-US Privacy shield that was invalidated in Schrems II. For an adequacy determination there is no national security exclusion.

Although third country adequacy does not require protection of personal data identical to EU law, the protection has to be “essentially equivalent”.

In summary, the CJEU’s main specific conclusions in the October judgments regarding different kinds of processing imposed on service providers were:

Obligations requiring general and indiscriminate data retention remain impermissible as a rule, but now with some exceptions.

Source IP addresses. Legislation requiring general and indiscriminate retention of source IP addresses is permissible for the purposes of safeguarding national security, combating serious crime and preventing serious threats to public security. Retention must be limited to a strictly necessary period, although extensible.

Civil identity of users. Legislation requiring general and indiscriminate retention of civil identity data is permissible for the purposes of safeguarding national security, combating crime and safeguarding public security.

Situation presenting a genuine and present or foreseeable serious threat to national security. An instruction to retain traffic and location data generally and indiscriminately is permissible if such a situation exists. It must be limited to a strictly necessary period, although extensible if the threat persists. The decision imposing the instruction must be subject to effective review, either by a court or binding decision of an independent administrative body. The aim of the review is to verify that a situation justifying such a measure exists and that the necessary conditions and safeguards are observed.

The French and Belgian mandatory retention regimes were similar to the Swedish regime considered in Tele2/Watson, in that the legislation directly imposed a mandatory retention obligation on all service providers, covering a wide range of communications data. The CJEU had no difficulty in holding all of those regimes contrary to EU law, as mandating illegitimate general and indiscriminate retention.

Obligations requiring general and indiscriminate automated analysis of traffic data and location data retained by a service provider are permissible where a situation exists presenting a genuine and present or foreseeable serious threat to national security; and on condition that recourse to automated analysis may be subject to effective review, either by a court or binding decision of an independent administrative body. Again, the aim of the review is to verify that a situation justifying such a measure exists and that the necessary conditions and safeguards are observed.

The CJEU also emphasised the care that should be taken to ensure that pre-established models, criteria and databases are specific, reliable, non-discriminatory, not based on sensitive personal data in isolation, and subject to regular re-examination; and that any positive result should be subject to individual manual re-examination before being acted upon.

Obligations requiring general and indiscriminate transmission of traffic and location data to the security and intelligence agencies for the purpose of safeguarding national security are impermissible. (It follows that the same would apply to such transmission for less weighty purposes.)

Targeted real-time access to retained traffic and location data (which would enable real-time tracking of online activity and physical movements) is not precluded for persons in respect of whom there is a valid reason to suspect that they involved in one way or another in terrorist activities. Such access must be subject to prior review either by a court or binding decision of an independent administrative body, or within a short time afterwards in the case of duly justified urgency. The aim of the review is to ensure that real-time collection is authorised only within the limits of what is strictly necessary.

The CJEU drew a distinction between a threat to national security (activities capable of seriously destabilising the fundamental constitutional, political, economic or social structures of a country and, in particular, of directly threatening society, the population or the State itself, such as terrorist activities) and a threat to public security (the general risk that tensions or disturbances, even of a serious nature, affecting public security will arise).

Throughout the judgments the CJEU emphasised the need for clear and precise rules laying down the substantive and procedural conditions governing the use of the data, thereby ensuring that the interference is limited to what is strictly necessary. It repeated its statement in Schrems II that the legal basis which permits the interference with fundamental EU Charter rights must itself define the scope of the limitation on the exercise of the right concerned.

From a UK perspective, the judgments have implications for any contemplated adequacy determination by the European Commission once the UK becomes a third country. The UK legislation considered by the CJEU (Section 94 Telecommunications Act 1984) has now been superseded, as far as bulk transmission of communications data to intelligence agencies is concerned, by the bulk communications data acquisition warrant under the Investigatory Powers Act 2016. The 2016 Act also contains the UK’s mandatory communications data retention regime, superseding the DRIPA powers that were the subject of the CJEU reference in Tele2/Watson. Under the 2016 Act the Secretary of State can issue retention notices to individual service providers or categories of service providers.

Both these provisions, and similarly other bulk powers in the 2016 Act such as interception and equipment interference (which cover both content and communications data), are hedged around with more safeguards than was Section 94. Most notably, they are all subject to the ‘double-lock’ of prior approval by an independent Judicial Commissioner. The UK can be expected to rely heavily on that as a sufficient safeguard; and on the fact that the Secretary of State issuing the warrant is required to consider that the notice or warrant is necessary and proportionate.

However, the question now is whether safeguards around broadly drawn discretionary powers are enough. The CJEU repeatedly referred to substantive conditions and limitations as well as safeguards. It has also now drawn lines demarcating when, and for what purposes, different kinds of communications surveillance technique may be utilised. These judgments may be leaning towards an expectation that hard limits will be set out in legislative instruments, rather than being left to soft limits such as factors to be taken into account and case by case assessments of necessity and proportionality by the authorities, combined with the safeguards of independent approval and oversight mechanisms.

The distinction between hard and soft limits is well illustrated by the April 2018 decision of the English High Court, in the case brought by Liberty challenging (among other things) the 2016 Act mandatory retention powers. On the court’s reading of the Tele2/Watson decision it was sufficient if the legislation permitted decisions to be taken that were (a) sufficiently connected with the objective being pursued (b) strictly necessary and (c) proportionate, coupled with safeguards so as to achieve effective protection against the risk of misuse of personal data.

The court commented that the obligation on the Secretary of State to exercise the power only if she considered it both necessary and proportionate for one or more of the purposes listed in the Act “enshrines in the statute the essence of the tests propounded in Watson”.

That decision may end up being considered by the Court of Appeal. The question of how far legislation must contain substantive limits is likely to come under scrutiny not only in that context, but also – as it did in Schrems II for the USA – in the context of a European Commission decision on the adequacy of UK protection of personal data.