ECJ: no unlimited access to communication data for security and intelligence agencies

The ECJ held that the access for security and intelligence agencies to communication data shall be restricted according to the principle of proportionality. That derives from the fact that an unlimited access to communication data by security and intelligence agencies would turn the basic principle of Directive 2002/58, that communication data shall be confidential, into its opposite.

Data access is restricted by the principle of proportionality

In several cases1 the ECJ further clarified its the case law for the access of security and intelligence agencies to communication data in three Member States.

According to Art. 52 EU-Charter the Right to Data Protection allows limitations and requires balancing against the objectives prevention of crime and national security.

However, the “traffic data“ (e.g. who communicated with whom, when, how often, where, with which equipment) is capable to build a specific profile of for the user. This information is not less sensitive than the content of the communication, which doesn’t form part of the data being accessed. According to the court, the data storage is capable to provide its users a “feeling that their private lives are subject of to constant surveillance“.2 All citizens of the Member State are affected, without having any relation to the threat of national security. Such data access is not limited as to be strictly necessary in the perspective of the court. The general and indiscriminate transmission of communication data to the said agencies is deemed to be disproportionate in respect to the underlying criterium of which can be justified within a democratic society.

Applicability of Directive 2002/58

One key aspect, which is essential to understand when it comes to court decisions is the question of applicability of Directive 2002/58.

Moreover, Art. 1 (3) Directive 2002/58 clarifies, that the directive does not apply to activities which fall outside the scope of EU Law. Consequently public security, state security and criminal law would not be covered by the Directive and the measures of security and intelligence agencies would not fall within the scope of the Directive.

Nevertheless, Art. 5 Directive 2002/58 constitutes the principle, that communication data shall only be processed by other persons with the consent of the user – or on basis on the exceptions of Art. 15 Directive 2002/58. Whereas, Art. 15 grants the right to restrict certain measures of Directive 2002/58 to the Member States for the purpose to safeguard – inter alia – national security and the prevention and investigation of criminal offences. However, the precondition of such a limitation is that the restriction by Member State Law is necessary, appropriate and proportionate within a democratic society.

The court held that Art. 15 Directive 2002/58 constitutes firstly, an exception to the Member States to restrict certain guarantees of the Directives. Although secondly, Art. 15 Directive 2002/58 sets a specific framework which shall be met by the Member States when implementing these exceptions into national law. Therefore, the court regards Directive 2002/58 as applicable for security and intelligence agencies while limiting the access to communication data of these agencies by requiring the principle of proportionality.

ECJ: the systematic approch to protect of personal data

According to ECJ, the ratio of applicability of Directive 2002/58 is consistent with the approach of GDPR. Likewise, GDPR grants exceptions to Member States for – inter alia – national security and the prevention and investigation of criminal offences according to Art. 23 GDPR. Similarly, GDPR defines a frame for the Member States that these restrictions shall be limited to the principle of proportionality. Therefore, GDPR is also applicable for the data processing of security and intelligence agencies.

In addition, Directive 2016/680 completes the European Data Protection Law for Police and Criminal Justice Authorities with the effect, that the ECJ will similarly require the principle of proportionality for the data access of these Authorities. That derives of the fact, that the Right to Privacy and the Right to Data Proection of the EU-Charter are binding on Directive 2016/680 in the same way as for GDPR and for Directive 2002/58.

Following this ratio, the court requires a limitation of the access of state agencies according to the principle of proportionality when data is being transferred outside the EU, since the level of protection within third countries has to be essentially equivalent to that within the EU.3

Nevertheless, the ECJ acknowledges that EU law does not apply in any area of law. Sofar, the Member States implement national law derogating from the confidentiality of electronic communication, without imposing obligations on providers, Member States law shall be consistent with national constitutional law. However, national constitutional law can be reviewed by the European Court of Human Rights (ECHR) according to the European Convention of Human Rights. Since Art. 8 of the Convention protects the private life and the correspondence of the citizens, a derogation may be admissable sofar it “is necessary in a democratic society“. While the wording of Art. 8 is corresponding with the wording of the derogations of Art. 15 Directive 2002/58 and Art. 23 GDPR, the case law of the ECHR is not as narrow as the case law of the ECJ. Whereas, the ECHR similarly refers to the principle of proportionality, the court grants a wider margin of discretion than the ECJ to the Member States, in choosing on how to achieve the protection of national security.4

Assessment

The restriction of access to communication data of security and intelligence agencies by the principle of proportionality is a significant contribution of the strategic legal efforts by several NGOs – like for example Privacy International, La Quadrature du Net and the French Data Network and the Fédération des fournisseurs d’accès à Internet associatifs. The NGOs were taking these cases to the ECJ and the ECHR as reaction of the revelations of Edward Snowden.5



1 ECJ C-623/17, Privacy International, and in Joined Cases C-511/18, La Quadrature du Net and Others, C-512/18, French Data Network and Others, and C-520/18, Ordre des barreaux francophones et germanophone and Others

4 ECHR 299 (2018), 13 September 2018, CASE OF BIG BROTHER WATCH AND OTHERS v. THE UNITED KINGDOM, paragraph 314.