Skip to content
tingey-injury-law-firm-veNb0DDegzE-unsplash
18 November 2020| doi: 10.5281/zenodo.4275662

Privacy International: a triumph or loss for privacy?

Privacy International shows that a general and indiscriminate law may not demand the transfer of communications data to public agencies. This is a win for the right to privacy. However, could it be the beginning of picking this right apart? Such transfers may still be possible, if the law establishes objective criteria.


Privacy International: what was it about?

On 6 October 2020, the Court of Justice (Court) ruled on the Privacy International case. The dispute involved national law ordering electronic communications service providers (ECS providers) to transfer communications data to British national agencies. The Court had to explain whether national legislation, safeguarding national security, falls under Article 15(1) ePrivacy Directive. This Article allows the restriction of citizens’ right to data protection for the purpose of national security.

National security laws fall under the ePrivacy Directive

The Court’s reasoning to include the national law within the Directive’s remit was twofold. Firstly, the Court agreed that Article 1(3) ePrivacy Directive removes laws on national security activities from the Directive’s scope. Such national legislation may only concern State actions and not those of individuals. In this case, the law also deals with ECS providers. This argumentation is in line with Article 3 Directive, which explains that the Directive applies to transfers of personal data by ECS providers. The Court further stated that national laws based on Article 15(1) ePrivacy Directive restrict the right to data protection. This is only allowed, provided the law complies with certain requirements. Secondly, the Court held that giving communications data to State authorities is processing personal data, as mentioned in Article 3 Directive. Excluding national security laws would strip Article 15(1) ePrivacy Directive of its function, which only allows restrictions of data subjects’ rights under strict conditions.

National security: no ground for blanket provisions

The Court looked whether the national law based on Article 15(1) Directive was necessary, suitable and proportionate to the objective of safeguarding national security. This objective may justify more restrictive rules. However, the national law interfered with the right to respect for private and family life and the right to protection of personal data in a manner that was not strictly necessary. Unsurprisingly, the general and indiscriminate phrasing of the national law allows national authorities to obtain unrestricted access to everyone’s communications data held by ECS providers. This also includes people who may not potentially be a threat to national security. The Court called for safeguards by demanding objective criteria to determine when national agencies may access communications data.

The Court shows its teeth for the sake of privacy

As demonstrated – yet again – by this ruling, the Court does not shy away to ensure a high level of protection of the right to privacy. Especially the last years, the Court has shown the lengths it is willing to go. In Digital Rights Ireland, the Court invalidated EU legislation demanding to store communications data and giving national authorities access. Further, in the Tele2 case, the Court prohibited national law demanding the storage of communications data in a general and indiscriminate manner, in other words without objective criteria. In Schrems I and Schrems II, the Court also invalidated two Adequacy Decisions, which allowed the free flow of personal data between businesses from the EU to those in the U.S. The Court held that U.S. authorities could get a hold of EU citizens’ personal data. Protecting the right to privacy has run like a thread through all these cases, including this one. It comes as no surprise that the Court did not allow the adoption of generic national laws providing national agencies access to communications data. Looking at Digital Rights Ireland, the Court held that EU law asking to keep communications data and giving national authorities access is a serious interference with the right to privacy. In the Tele2 case, the Court clearly expanded its far-reaching level of protection of the right to privacy to national law calling for the storage of communications data. In Privacy International, the Court now also extended these high standards to national laws allowing national agencies access to such data.

A win for privacy or a threat in disguise?

Despite the expected outcome, this judgment should be applauded since the Court – once more – firmly showed its stance on the right to privacy. The Court did away with catch-all provisions allowing the collection of communications data by national agencies. Further, the Court managed to carefully strike a balance between two interests, namely the right to privacy and national security. However, the Court explicitly left the door open for national security laws, provided they establish objective criteria. In other words, ECS providers may need to hand over such data if the national law sets objective requirements. Undoubtedly, Member States will now bring their laws in line with the Court’s ruling. Unfortunately, the Court does not explain what these objective criteria may include. A call for further guidelines and clarifications is likely to emerge.


tl;dr

In its Privacy International ruling, the Court of Justice did away with national laws demanding in a general and indiscriminate manner the transfer of communications data to national authorities. The Court reached this conclusion seeing that the right to privacy was at stake. However, the Court allowed a leeway for such national laws, as long as they provide objective criteria permitting such transfers.


Sarah de Heer is a lecturer at the Faculty of Law at Maastricht University, the Netherlands. She has an interest in IP and ICT law. Sarah has been involved in teaching courses on international and European law at Maastricht University and UHasselt, Belgium. Before becoming a lecturer, she was a Blue Book trainee at DG CONNECT and worked at a law and policy consultancy based in Brussels.

Sign up for HIIG's Monthly Digest

HIIG-Newsletter-Header

You will receive our latest blog articles once a month in a newsletter.

Explore Research issue in focus

Du siehst eine Tastatur auf der eine Taste rot gefärbt ist und auf der „Control“ steht. Eine bildliche Metapher für die Regulierung von digitalen Plattformen im Internet und Data Governance. You see a keyboard on which one key is coloured red and says "Control". A figurative metaphor for the regulation of digital platforms on the internet and data governance.

Data governance

We develop robust data governance frameworks and models to provide practical solutions for good data governance policies.

Further articles

Modern subway station escalators leading to platforms, symbolizing the structured pathways of access rights. In the context of online platforms, such rights enable research but impose narrow constraints, raising questions about academic freedom.

Why access rights to platform data for researchers restrict, not promote, academic freedom

New German and EU digital laws grant researchers access rights to platform data, but narrow definitions of research risk undermining academic freedom.

Three groups of icons representing people have shapes travelling between them and a page in the middle of the image. The page is a simple rectangle with straight lines representing data used for people analytics. The shapes traveling towards the page are irregular and in squiggly bands.

Empowering workers with data

As workplaces become data-driven, can workers use people analytics to advocate for their rights? This article explores how data empowers workers and unions.

A stylised illustration featuring a large "X" in a minimalist font, with a dry branch and faded leaves on one side, and a vibrant blue bird in flight on the other. The image symbolises transition, with the bird representing the former Twitter logo and the "X" symbolising the platform's rebranding and policy changes under Elon Musk.

Two years after the takeover: Four key policy changes of X under Musk

This article outlines four key policy changes of X since Musk’s 2022 takeover, highlighting how the platform's approach to content moderation has evolved.