On October 6, 2020, the Court of Justice of the European Union (“CJEU”) handed down Grand Chamber judgments determining that the ePrivacy Directive (the “Directive”) does not allow for EU Member States to adopt legislation intended to restrict the scope of its confidentiality obligations unless they comply with the general principles of EU law, particularly the principle of proportionality, as well as fundamental rights under the Charter of Fundamental Rights of the European Union (the “Charter”).
The cases stem from challenges to EU Member State national security law brought in the UK, France and Belgium by privacy activists Privacy International (Case C‑623/17), La Quadrature du Net and others (C-511/18), French Data Network and others (Case C-512/18) and Ordre des Barreaux francophones et germanophones and others (Case C-520/18), the latter three of which were joined by the President of the CJEU. The challenges related to laws obliging providers of electronic communications services (“providers”) to forward the traffic and location data (i.e., bulk communications data) of individuals to public authorities, or to retain such data in a general and indiscriminate way.
Privacy International Case
In the case brought by Privacy International, several EU Member States, including the UK, contended that the activities of security and intelligence agencies are essential state functions and the sole responsibility of Member States, and therefore the Directive should not apply to national legislation that safeguards national security. The CJEU disagreed and determined that such laws do fall within the scope of the Directive, commenting that according to settled case law: “although it is for the Member States to define their essential security interests and to adopt appropriate measures to ensure their internal and external security, the mere fact that a national measure has been taken for the purpose of protecting national security cannot render EU law inapplicable and exempt the Member States from their obligation to comply with that law.”
The Directive requires Member States to ensure the confidentiality of communications and traffic data through national legislation, but also allows for Member States to adopt legislation restricting the scope of this obligation when necessary, appropriate and proportionate to safeguard national security. In its judgment, the CJEU made clear that such deviation from the Directive’s confidentiality obligations should be the exception rather than the rule, and that the Directive does not allow for Member States to adopt legislation intended to restrict the scope of the confidentiality obligation unless they comply with the general principles of EU law and are proportionate.
The CJEU set out limitations on Member States’ ability to restrict the Directive’s scope, stating: “it should be borne in mind that the protection of the fundamental right to privacy requires […] that derogations from and limitations on the protection of personal data must apply only in so far as is strictly necessary.” The CJEU determined that the Directive precludes national legislation enabling authorities to require providers to carry out general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security.
The Three Joined Cases
With regards to the second judgment involving the three joined cases, the CJEU assessed four specific points.
First, the CJEU considered that the Directive precludes national provisions that require providers to retain general and indiscriminate traffic and location data as a preventive measure to safeguard national security and combat crime. However, the CJEU also provided several carve outs to this preclusion, where Member States may derogate from the Directive’s general confidentiality requirements for the purposes of safeguarding national security, combatting serious criminality and preventing serious threats against public security, provided that (1) rules outlining these derogations are clear and precise; (2) material and procedural requirements are implemented; and (3) the individuals concerned have effective guarantees against any abuse. In particular, the CJEU authorized orders that require providers to undertake general and indiscriminate retention of traffic and location data where a Member State is facing a serious threat to national security that proves to be genuine and present or foreseeable, so long as the order is subject to effective review by a court or independent administrative body. Such an order may only be imposed for a period of time that is considered strictly necessary. In addition, the CJEU also held as acceptable the targeted retention of traffic and location data, as long as it is limited in time and limited to what is strictly necessary for the purposes of national security or crime prevention, as well as the general and indiscriminate retention of IP addresses for a strictly necessary period of time. Similarly, the CJEU considered the general and indiscriminate retention of the civil identity of users of electronic communications (without time restrictions) acceptable. Lastly the requirement for providers to retain traffic and location data after the end of an initial retention period in order to shed light on serious crimes or acts affecting national security (i.e., expedited retention) is acceptable for purposes of combatting serious crime when authorized by a decision from the competent authority, subject to effective judicial review.
Second, the CJEU ruled that the automated analysis and real-time collection of traffic data, location data, or the real-time collection of data relating to the location of devices is authorized if (1) the automated analysis is limited to cases where a Member State is facing a serious, genuine and present or foreseeable threat to national security; and (2) the real-time collection is limited to persons validly suspected of being involved in terrorist activities. In both cases, the seriousness of the threat and the danger posed by the suspected individual must be subject to a prior review carried out by a court or independent administrative body whose decision is binding.
Third, the CJEU insisted that national law may not require providers of access to online public communication services and hosting services providers to retain data in a general and indiscriminate way.
Finally, the CJEU was asked whether it is possible to temporarily maintain the effects of a national provision that breaches EU Law in order to avoid legal uncertainty and to use data previously been collected and retained. On this issue, the CJEU held that the Directive, read in light of the Charter, does not allow a national court to temporarily apply a provision of national law that is otherwise incompatible with EU Law. In particular, the CJEU prohibited national courts from applying a national provision requiring providers to retain in a generalized and indiscriminate manner traffic and location data, even if the objective of the contested provision is to safeguard national security and prevent serious crimes. With this, the CJEU reaffirmed the principle of EU law primacy over Member State law, which may not undermine the effects of EU law. The CJEU further confirmed the obligation for national courts to apply EU law and set aside any national provisions in breach of EU law without awaiting the prior decision of a legislative or judicial body. The CJEU added that only the CJEU itself is able to suspend in exceptional circumstances the application of an EU provision in favor of national law for overriding considerations of legal certainty. Consequently, the use of information and evidence resulting from general and indiscriminate retention in the context of criminal proceedings was raised and the CJEU re-affirmed that national law currently has the role of determining rules of admissibility regarding evidence gathered in breach of EU law. As such, evidence collected in breach of EU law is potentially admissible, with the CJEU emphasizing that under established case law, evidence must be set aside when it contravenes the right to a fair trial.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code