Privacy International: a triumph or loss for privacy?

Privacy International shows that a general and indiscriminate law may not demand the transfer of communications data to public agencies. This is a win for the right to privacy. However, could it be the beginning of picking this right apart? Such transfers may still be possible, if the law establishes objective criteria.

Privacy International: what was it about?

On 6 October 2020, the Court of Justice (Court) ruled on the Privacy International case. The dispute involved national law ordering electronic communications service providers (ECS providers) to transfer communications data to British national agencies. The Court had to explain whether national legislation, safeguarding national security, falls under Article 15(1) ePrivacy Directive. This Article allows the restriction of citizens’ right to data protection for the purpose of national security.

National security laws fall under the ePrivacy Directive

The Court’s reasoning to include the national law within the Directive’s remit was twofold. Firstly, the Court agreed that Article 1(3) ePrivacy Directive removes laws on national security activities from the Directive’s scope. Such national legislation may only concern State actions and not those of individuals. In this case, the law also deals with ECS providers. This argumentation is in line with Article 3 Directive, which explains that the Directive applies to transfers of personal data by ECS providers. The Court further stated that national laws based on Article 15(1) ePrivacy Directive restrict the right to data protection. This is only allowed, provided the law complies with certain requirements. Secondly, the Court held that giving communications data to State authorities is processing personal data, as mentioned in Article 3 Directive. Excluding national security laws would strip Article 15(1) ePrivacy Directive of its function, which only allows restrictions of data subjects’ rights under strict conditions.

National security: no ground for blanket provisions

The Court looked whether the national law based on Article 15(1) Directive was necessary, suitable and proportionate to the objective of safeguarding national security. This objective may justify more restrictive rules. However, the national law interfered with the right to respect for private and family life and the right to protection of personal data in a manner that was not strictly necessary. Unsurprisingly, the general and indiscriminate phrasing of the national law allows national authorities to obtain unrestricted access to everyone’s communications data held by ECS providers. This also includes people who may not potentially be a threat to national security. The Court called for safeguards by demanding objective criteria to determine when national agencies may access communications data.

The Court shows its teeth for the sake of privacy

As demonstrated – yet again – by this ruling, the Court does not shy away to ensure a high level of protection of the right to privacy. Especially the last years, the Court has shown the lengths it is willing to go. In Digital Rights Ireland, the Court invalidated EU legislation demanding to store communications data and giving national authorities access. Further, in the Tele2 case, the Court prohibited national law demanding the storage of communications data in a general and indiscriminate manner, in other words without objective criteria. In Schrems I and Schrems II, the Court also invalidated two Adequacy Decisions, which allowed the free flow of personal data between businesses from the EU to those in the U.S. The Court held that U.S. authorities could get a hold of EU citizens’ personal data. Protecting the right to privacy has run like a thread through all these cases, including this one. It comes as no surprise that the Court did not allow the adoption of generic national laws providing national agencies access to communications data. Looking at Digital Rights Ireland, the Court held that EU law asking to keep communications data and giving national authorities access is a serious interference with the right to privacy. In the Tele2 case, the Court clearly expanded its far-reaching level of protection of the right to privacy to national law calling for the storage of communications data. In Privacy International, the Court now also extended these high standards to national laws allowing national agencies access to such data.

A win for privacy or a threat in disguise?

Despite the expected outcome, this judgment should be applauded since the Court – once more – firmly showed its stance on the right to privacy. The Court did away with catch-all provisions allowing the collection of communications data by national agencies. Further, the Court managed to carefully strike a balance between two interests, namely the right to privacy and national security. However, the Court explicitly left the door open for national security laws, provided they establish objective criteria. In other words, ECS providers may need to hand over such data if the national law sets objective requirements. Undoubtedly, Member States will now bring their laws in line with the Court’s ruling. Unfortunately, the Court does not explain what these objective criteria may include. A call for further guidelines and clarifications is likely to emerge.

tl;dr

In its Privacy International ruling, the Court of Justice did away with national laws demanding in a general and indiscriminate manner the transfer of communications data to national authorities. The Court reached this conclusion seeing that the right to privacy was at stake. However, the Court allowed a leeway for such national laws, as long as they provide objective criteria permitting such transfers.

Sarah de Heer is a lecturer at the Faculty of Law at Maastricht University, the Netherlands. She has an interest in IP and ICT law. Sarah has been involved in teaching courses on international and European law at Maastricht University and UHasselt, Belgium. Before becoming a lecturer, she was a Blue Book trainee at DG CONNECT and worked at a law and policy consultancy based in Brussels.