The Court of Justice of the European Union confirmed in a long-awaited judgment on Tuesday 6 October that a Member State cannot require online communication services to systematically collect metadata from their users. However, it has clarified a number of derogations from this principle, in particular in the event of a serious threat to national security or terrorist activity.
“Today’s judgment is a serious blow to the laws in France, the UK, and Belgium and to other current data retention practices in the Member States”, said Diego Naranjo, Policy Officer at European Digital Rights (EDRi). In the European Parliament, Patrick Breyer (Greens/EFA, Germany) was less enthusiastic about the derogations allowed by the Court, particularly with regard to the authorisation of the general retention of IP data.
The Court’s decision answers the questions referred for a preliminary ruling by the courts of France, Belgium, and the United Kingdom (Cases C-623/17, C-511/18 and C-512/18 and C-520/18). As evidence of the interest in these cases, eleven other Member States and Norway participated as observers.
A significant impact
This judgment is an important milestone in the discussions on online protection, and in particular the draft regulation on the protection of electronic communications and the recent derogation for the purpose of combating child pornography. In addition, the Commission has already indicated that, depending on the judges’ decision, it could propose new legislation on data retention.
But this judgment also and above all raises the question of the transfer of personal data between the EU and the UK after the post-Brexit transition period. The Court considers the United Kingdom’s legislation authorising the acquisition and use of personal data by the security and intelligence services to be unlawful under EU law. It was this same logic that led it, in July, to invalidate the data protection shield between the EU and the US (see EUROPE 12529/2).
“The UK’s rules seem to be only slightly better than those in the US, so I wonder how the European Commission will make an adequacy finding for the UK on that basis”, said Birgit Sippel (S&D, Germany).
The relevance of the Charter and the e-Privacy Directive
In its judgment, the Court considers that all three cases fall within the scope of the so-called e-Privacy Directive (2002/58), even though the Treaty stresses that national security is a competence of the Member States.
Article 5 of this directive, which is currently being revised, establishes the obligation to ensure the confidentiality of communications and traffic data, while Article 15 allows a derogation provided that it constitutes “a necessary, appropriate and proportionate measure to safeguard national security, defence, and public security or the prevention, investigation, detection, and prosecution of criminal offences”.
According to the Court, however, such derogations cannot become the rule.
Well-defined derogations
However, the European court emphasises that European law allows national governments to order service providers such as Gmail to carry out, temporarily and under supervision, generalised and undifferentiated retention in the event of a serious threat - real and present or foreseeable - to their national security. The same derogation exists for IP addresses allocated to the source of a connection and for data relating to the civil identity of users, for the purposes of safeguarding national security, combating serious crime, and safeguarding public security.
The Court also took a position on the use of automated analysis and real-time collection, in particular of traffic and location data. It considers that Union law does not preclude national legislation requiring service providers to collect traffic and location data in real time in the event of a well-founded suspicion that a person is involved in terrorist activity.
With regard to the use of that information as evidence, the Court states that the e-Privacy Directive requires a national criminal court to exclude evidence which has been obtained through the general and indiscriminate retention of traffic and location data incompatible with Union law “if persons suspected of criminal acts are not in a position to take an effective position on that evidence”.
Links to the judgments: https://bit.ly/3lnJ2K9 and https://bit.ly/30BsKoM (in French)
(Original version in French by Sophie Petitjean)