The Court of Justice of the European Union (CJEU), the EU’s top court, has played a key role in protecting privacy in the digital age, in Europe and beyond. In 2014, it ruled that a major piece of EU legislation, the Data Retention Directive, was “invalid” – that is, illegal – and should be taken off the statute books by members of the EU. This is known as the Digital Rights Ireland judgment:
The Court takes the view that, by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.Then, in 2016, the CJEU affirmed that decision by ruling specifically that “EU law precludes national legislation that prescribes general and indiscriminate retention of data,” in what is known as the Tele2 Sverige and Watson judgment.
There is now a third important privacy case going through the CJEU, which touches on not just data retention, but also bulk surveillance, whose astonishing scale was first revealed by Edward Snowden. The case in question combines four references from national courts in EU member states for a preliminary ruling from the top court. In all those cases the core issue is the problem of the application of the Directive on privacy and electronic communications to activities relating to national security and combatting terrorism. Once the CJEU has ruled on the points of law, the national courts will then implement that decision. But before the main judgment is handed down, an opinion is offered by one of the CJEU’s “Advocates General“. This is a senior lawyer who acts as an advisor to the court. The opinion of the Advocate General is not binding on the CJEU, but is often indicative of how the court itself will rule. Campos Sánchez-Bordona, one of the court’s Advocates General, has just released his opinion on the bulk surveillance case.
This is the key part of the legal argument: “The provisions of the directive will not apply to activities which are intended to safeguard national security and are undertaken by the public authorities themselves, without requiring the cooperation of private individuals and, therefore, without imposing on them obligations in the management of business” (UK Case C-623/17, paragraph 34/79).”.
Mr Campos Sánchez-Bordona proposes that the case-law of the Court of Justice laid down in the Tele2 Sverige and Watson judgment should be upheld, stressing that a general and indiscriminate retention of all traffic and location data of all subscribers and registered users is disproportionate.Once again, the previous judgments on data retention are cited and reinforced. The key words here are “general and indiscriminate”. The Advocate General goes on to recommend that “limited and discriminate retention” of specific categories of data should be allowed. He also recommends that limited access to that data by governments should be permitted, subject to some stringent requirements:
a prior review carried out either by a court or by an independent administrative authority; to the data subjects being notified – provided that does not jeopardise ongoing investigations –, and to the adoption of rules to avoid misuse of, and unlawful access to, that data.
He suggests that “in exceptional situations characterised by an imminent threat or an extraordinary risk warranting the official declaration of a state of emergency”, it should still be permissible for national laws to allow, for a limited period, the possibility of imposing an obligation to retain data that is “as extensive and general as is deemed necessary”.
As well as ruling that general and indiscriminate data retention is unacceptable except in these extreme situations, Sánchez-Bordona suggests a new and important clarification of other issues here. It concerns a key element of EU privacy laws that provides a general exception for activities that are aimed at safeguarding national security. He points out that the exemption only applies to activities “carried out by the public authorities on their own account, without requiring the cooperation of private parties and not, therefore, imposing obligations on the latter in relation to the management of their businesses.” By contrast, when the co-operation of companies is required, even if the activity is for the purpose of national security, then the protection of privacy provided by EU law will apply to those businesses. That’s important, because governments are increasingly demanding that Internet companies help carry out surveillance of users. In Sánchez-Bordona’s view, that should be subject to EU privacy safeguards.
Unfortunately for the online advertising industry, the CJEU begs to differ: In today’s judgment, the Court decides that the consent which a website user must give to the storage of and access to cookies on his or her equipment is not validly constituted by way of a pre-checked checkbox which that user must deselect to refuse his or her consent.
As emphasised above, this is only the Advocate General’s opinion, and may not be followed by the main CJEU. However, if the top court does agree, it will have two important effects. One is that “general and indiscriminate” bulk surveillance will not be permitted within the EU, except under exceptional circumstances. Arguably just as important is his view that exemptions for national security do not apply when private companies are involved. Since most surveillance requires the help of businesses at some point, if adopted by the CJEU this would extend the reach of EU legislation greatly. And as we have seen with the GDPR and other EU laws, the knock-on effects around the world are also likely to be important, since many nations look to the EU for guidance on framing new data protection laws. Let’s hope the CJEU does indeed agree with the opinion of its Advocate General, ensuring that national security exceptions are not unlimited, and that laws protecting privacy still apply.
Featured image by Laura Poitras/ACLU.