CJEU - C-623/17 - Privacy International (BCD case)

From GDPRhub
CJEU - C-623/17 BCD case
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law:
Article 1(3) and Article 3, Directive 2002/58/EC
Article 5 and Article 15(1) – Charter of Fundamental Rights of the European Union
Articles 7, 8 and 11 and Article 52(1), Article 4(2) TEU
Decided: 06.10.2020
Parties: Privacy International
Secretary of State for Foreign and Commonwealth Affairs, Secretary of State for the Home Department, Government Communications Headquarters, Security Service, Secret Intelligence Service
UK Secretary of State for Foreign and Commonwealth Affairs, Secretary of State for the Home Department, Government Communications Headquarters, Security Service, Secret Intelligence Service
Case Number/Name: C-623/17 BCD case
European Case Law Identifier: ECLI:EU:C:2020:790
Reference from:
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: Mariam Tabatadze


The Court of Justice of the European Union (CJEU) ruled to limit general and indiscriminate access to bulk electronic communications by the security and intelligence agencies. The CJEU reiterated that "derogations from and limitations on the protection of personal data must apply only in so far as is strictly necessary".

English Summary

Facts

Privacy international has challenged the lawfulness of the practices of collecting and using the bulk communications data (BCD) by the UK security and intelligence agencies. The Investigatory Powers Tribunal referred to the Court of Justice of the European Union the questions whether the existence of such practices fall within the scope of EU law and of Directive 2002/58 and if yes, does the EU law precludes national legislation enabling State authority to require providers of electronic communications services to carry out the 'general and indiscriminate' transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security.

Dispute

The referring court asked two questions : firstly, having regard to Article 4 TEU (referring to national security)  and Article 1(3) of Directive 2002/58, ("Directive shall not apply to activities ..... which fall to the activities concerning public security, defence, State security") does a requirement in a direction by a Secretary of State to a provider of an electronic communications network that it must provide bulk communications data to the security and intelligence agencies of a Member State fall within the scope of Union law and of Directive.

The second question reffered to the court was seeking to ascertain whether Article 15(1) of Directive 2002/58, read in the light of Article 4(2) TEU and Articles 7, 8 and 11 and Article 52(1) of the Charter, is to be interpreted as precluding national legislation enabling a State authority to require providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security.

Holding

The UK and several EU members states highlighted that the activities of security and intelligence agencies are the sole responsibility of Member States as it guaranteed in the treaty (Article 4(2) TEU), and the Directive should not apply to national legislation as the purpose of that legislation is to safeguard national security. In addition, the governments stated that the Article 1(3) of the directive defines the scope of that directive and excludes from that scope the activities concerning public security, defence, and State security, and the those provisions perfectly reflect the allocation of competences defined in Article 4(2) TEU.

Contrary to the governments arguments, the CJEU ruled out that national legislation to require providers of electronic communications services to forward traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security falls within the scope of that directive, adding the settled case law of the Court: although it is for the Member States to define their essential security interests and to adopt appropriate measures to ensure their internal and external security, the mere fact that a national measure has been taken for the purpose of protecting national security cannot render EU law inapplicable and exempt the Member States from their obligation to comply with that law.”

The EU Court started from the point that, although the Article 1(3) of directive excludes from its scope ‘activities of the State’ in the areas of national security, these activities are unrelated to fields in which individuals are active (judgment of 2 October 2018, Ministerio Fiscal, C‑207/16, EU:C:2018:788, paragraph 32 and the case-law cited).

The Court determined that the directive requires the Members states to ensure the right to privacy and confidentiality, with respect to the processing of personal data in the Electronic communications services, and not only its scope extends to a legislative measure that requires providers of electronic communications services to retain traffic data and location data, but also to a legislative measure requiring them to grant the competent national authorities access to that data, referring to the article 1 and 3 and 15 of that directive.

As regards to the second question, the Court stated that yes, directive precludes the Member states to adopt legislation intended to restrict the scope of its confidentiality obligations and that current legislation where the national security agencies have general and indiscriminate access to the traffic data and location data exceeds the limits of what is strictly necessary and cannot be considered to be justified, within a democratic society, as required by Article 15(1) of Directive 2002/58, read in the light of Article 4(2) TEU and Articles 7, 8 and 11 and Article 52(1) of the Charter.

The CJEU has reiterated again that 'that derogations from and limitations on the protection of personal data must apply only in so far as is strictly necessary' and that the deviation from the directive obligations should be by exceptions based on the famous test: when such restrictions are necessary, appropriate and proportionate for the national security purposes.

The national legislation 'must lay down the substantive and procedural conditions governing that use' and the access should be consistent with the objective pursued by the legislation.



Comment

Share your comments here!

Further Resources

CJEU Restricts Indiscriminate Access to Electronic Communications for National Security Purposes, National Law Review , https://www.natlawreview.com/article/cjeu-restricts-indiscriminate-access-to-electronic-communications-national-security

Bulk Personal Datasets & Bulk Communications Data challenge, Privacy International https://privacyinternational.org/legal-action/bulk-personal-datasets-bulk-communications-data-challenge