The UK’s laws permitting the acquisition and use of bulk communications data by the security and intelligence agencies – MI5, MI6 and GCHQ – have been held by the Court of Justice of the European Union (“CJEU”) to be incompatible with EU law, following the recent judgment of Privacy International (C‑512/17).
Difficult questions were raised as to the extent to which the UK government can justify mass surveillance and use of bulk communications data (the ‘who, what, when, where and why’ of communications) in light of the EU law obligations it must comply with.
This judgment was handed down alongside connected cases of Quadrature du Net and Others (C-511/18 and C-512/18) from France, where Privacy International is also a party, and Ordre des barreaux francophones et germanophone and others (C-520/18) from Belgium.
At the beginning of 2015, the existence of practices for the acquisition and use of bulk communications data by the various security and intelligence agencies (“SIAs”) of the UK, namely MI5, MI6 and GCHQ, was made public, including in a report by the Intelligence and Security Committee of Parliament. On 5 June 2015, Privacy International, a non-governmental organisation, brought an action before the Investigatory Powers Tribunal against the Secretary of State for Foreign and Commonwealth Affairs, the Secretary of State for the Home Department and those SIAs, challenging the lawfulness of those practices .
The case has now been referred to the Court of Justice of the European Union (“CJEU”). It was considered by a Grand Chamber, comprising of 15 judges, and judgment was handed down on 6 October 2020.
Question for CJEU
- Does a domestic legislative measure requiring electronic communications networks to provide bulk communications data to security and intelligence agencies, in the interests of national security, fall within the scope of EU law?
- If so, is such a measure compatible with EU law – specifically, Article 15(1) of Directive 2002/58 (“the E-Privacy Directive”), read in the light of Article 4(2) TEU and Articles 7, 8 and 11 and Article 52(1) of the Charter, and the Tele2/Watson requirements?
In its judgment, the Grand Chamber confirmed that, with regard to the first question, the matter clearly fell within the scope of EU law. This article focuses on the second, arguably more interesting, question.
What does the domestic law say?
The relevant domestic legislation is s.94 of the Telecommunications Act 1984 (“the 1984 Act”) entitled ‘Directions in the interests of national security etc.’. It provides that the Secretary of State may give providers of electronic communications services such general or specific ‘directions’ as appear to him to be necessary in the interests of national security or relations with a foreign government.
In this case, the directions were to providers of electronic communications networks who were required, by virtue of s.94, to provide SIAs with bulk communications data collected in the course of their economic activity, falling within the scope of EU law.
This data is defined in s.21(4) and s.21(6) of the Regulation of Investigatory Powers Act 2000 (“RIPA”) and includes traffic data and service use information (i.e. the ‘who, where, when and how’ of communication), with only the content of communications being excluded. That data includes, inter alia, the name and address of the user, the telephone number of the person making the call and the number called by that person, the IP addresses of the source and addressee of the communication and the addresses of the websites visited .
That data is transmitted to the security and intelligence agencies and retained by them for the purposes of their activities . The databases compiled by the security and intelligence agencies are subject to bulk, unspecific, automated processing, with the aim of discovering unknown threats.
The EU law framework
By its second question, the referring court sought to ascertain whether Article 15(1) of the E-Privacy Directive, read in the light of Article 4(2) TEU and Articles 7, 8 and 11 and Article 52(1) of the Charter, is to be interpreted as precluding national legislation enabling a State authority to require providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security .
The general rule: Article 5 E-Privacy Directive
Article 5(1) of the E-Privacy Directive sets out the general rule as follows:
“1. Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1). This paragraph shall not prevent technical storage which is necessary for the conveyance of a communication without prejudice to the principle of confidentiality.” (Emphases added)
This effectively enshrines the principle of confidentiality of both electronic communications and the related traffic data and requires, in principle, persons other than users be prohibited from storing, without those users’ consent, those communications and that data. That provision would cover any operation enabling third parties to become aware of communications and data relating thereto for purposes other than the conveyance of a communication . The prohibition of intercepting/tapping/processing data would clearly apply to security and intelligence agencies.
Further, this general rule gives expression to the Charter rights enshrined in Article 7 (‘Respect for private and family life’) and Article 8 (‘Protection of personal data’). Users of electronic communications services are entitled to expect that their communications and data will remain anonymous and may not be recorded, unless they have agreed otherwise (as per La Quadrature du Net and Others C-511/18, C-512/18 and C-520/18, at ).
Derogation from the rule: Article 15 E-Privacy Directive
Article 15(1) of the E-Privacy Directive enables a Member State to introduce an exception to the general rule (that electronic communications must not be intercepted/stored) in the following terms:
“Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5 […] when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security […] To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of [EU] law, including those referred to in Article 6(1) and (2) of the Treaty on European Union.” (Emphasis added)
So as long as the measure is necessary, appropriate and proportionate to safeguard national security within a democratic society, and is in keeping with EU case law, then the derogation from the general rule will be permissible. Recital 11 of the Directive specifies that a measure of that nature must be ‘strictly’ proportionate to the intended purpose. In order to satisfy the requirement of proportionality, the legislation must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards, so that the persons whose personal data is affected have sufficient guarantees that data will be effectively protected against the risk of abuse .
The interpretation of Article 15(1) of the E-Privacy Directive must take account Articles 7 and 8, as above, but also the right to freedom of expression as enshrined in Article 11 of the Charter (following Digital Rights Ireland and Others (C-293/12 and C-594/12, EU:C:2014:238) ). These Charter rights are not absolute and are subject to their own derogations – specifically, by Article 52 of the Charter “Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.” – in a similar way to the relationship between Article 5(1) and Article 15(1) of the E-Privacy Directive.
The ‘strictly necessary’ requirement, in terms of the persons affected, the sorts of data retained and the length of retention, was confirmed in Tele2 Sverige and Watson and Others (C-203/15 and C-698/15, at -). In that case the court unequivocally stated that legislation providing for “general and indiscriminate retention” of data is incompatible with the E-Privacy Directive, as read in light of the relevant EU Charter rights ( of Tele2). The court also found in Tele2 that Article 15(1) cannot permit the exception to the Directive’s confidentiality obligation to become the rule, as this would render the confidentiality obligation meaningless ( of Tele2).
Did the domestic law go beyond what is ‘strictly necessary’?
The short answer is yes. The Grand Chamber took issue with the transmission of traffic data and location data to SIAs – in a general and indiscriminate way – as effectively being the blanket rule required by domestic law. Rather, as established by the Directive, the exception must remain the exception .
The effect of the domestic legislation was to make the derogation – i.e. permitting to intercept/store data – the general rule. As a result, the Grand Chamber held that the domestic law went further than was strictly necessary. It would infringe disproportionately on Articles 7 and 8 of the Charter, and possibly on Article 11. In particular, the court noted that:
“The interference with the right enshrined in Article 7 of the Charter entailed by the transmission of traffic data and location data to the security and intelligence agencies must be regarded as being particularly serious, bearing in mind inter alia the sensitive nature of the information which that data may provide and, in particular, the possibility of establishing a profile of the persons concerned on the basis of that data, such information being no less sensitive than the actual content of communications. In addition, it is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance.” 
The court added that “given the significant amount of traffic data and location data that can be retained continuously by a general retention measure and the sensitive nature of the information which that data may provide, the mere retention of that data by the providers of electronic communications services entails a risk of abuse and unlawful access.” .
With regard to the objective – in this case protection of national security – whilst this is particularly serious in nature (and thus possibly justifying measures entailing more serious interference with fundamental rights ), it must still lay down substantive and procedural conditions governing that use in accordance with EU law. In its concluding remarks, the Grand Chamber considered that the domestic law went beyond what was strictly necessary:
“national legislation requiring providers of electronic communications services to disclose traffic data and location data to the security and intelligence agencies by means of general and indiscriminate transmission exceeds the limits of what is strictly necessary and cannot be considered to be justified, within a democratic society…” 
This judgement comes at an interesting time in the UK, when there is significant public anxiety surrounding government measures to tackle COVID-19, such as the Test and Trace App, which may be perceived as invasions of privacy. It also follows the recent Court of Appeal decision R (Bridges) v Chief Constable of South Wales Police (Respondent) and others  EWCA Civ 1058, which held that automated facial recognition technology being used by South Wales Police Force was unlawful.
The Privacy International judgment confirms that a derogation in EU law cannot become a general rule in domestic law, and vice versa. If it does, domestic law will be in breach of its EU law obligations. Whilst this dynamic is likely to change after 31 December 2020 (the end of the transition period as it currently stands), the decision underlines the importance of legislature infringing on fundamental rights only to the extent that is strictly necessary and proportionate to the objective of the measure. Following this judgment, legislation and governmental measures that seek to impose blanket restrictions on rights are likely to be subject to greater scrutiny and challenge from individuals and/or organisations.
Whilst s.94 of the 1984 Act was repealed by Sch. 10 para. 99 of the IPA 2016, the IPA 2016 has a similar provision – s.252 entitled ‘National security notices’ – which states that the Secretary of State may give any telecommunications operator in the UK a national security ‘notice’ if (1) the notice is necessary in the interests of national security (2) the conduct required by the notice is proportionate to what is sought to be achieved by that conduct, and (3) the decision to give the notice has been approved by a Judicial Commissioner.
Although there is a clear difference in form between the Secretary of State giving ‘directions’ to network providers to disclose data to SIAs, and giving a ‘national security notice’, it could be argued that this difference is merely cosmetic.
If current domestic legislation still permits the “general and indiscriminate” collection of data, then there could be serious concerns when the UK exits the EU in terms of ‘adequacy’. By the end of the transition period, the European Commission must have assessed whether the UK is granted adequacy for data protection purposes, i.e. whether it will possible for EU/EEA member states to continue transferring personal data to the UK after the transition period without the need for additional safeguards. The European Commission must be satisfied that UK laws concerning national security and surveillance ensure an adequate level of protection for personal data, such that they are “essentially equivalent” to EU law (from the 2014 case of Schrems  IEHC 310 ).
Whether the IPA 2016 and its changes – cosmetic or otherwise – offer a sufficient level of adequacy will ultimately be a decision for the European Commission to make. However, if answered in the negative, lack of adequacy could have serious consequences for data sharing between the UK and EU.