In two decisions on October 6, 2020, the Court of Justice of the European Union (CJEU) has once again provided a strict framework for national surveillance laws applicable to electronic communications and online service providers, and the investigative and intelligence measures related thereto. This is the second time since July (C-311/18, “Schrems II” which has invalidated the “Privacy Shield” due to the inadequacies of the US law) that the CJEU has ruled on these issues.
In this instance, it is the UK, Belgian and French laws, as they now stand, that the CJEU has declared to be incompatible with the high level of protection of the rights enshrined in the European Union law.
In continuity with the case law gradually built up since 2014 in its Digital Rights and Tele2 decisions, the October 6, 2020 judgments handed down by the CJEU’s Grand Chamber confirm that the ePrivacy Directive (2002/58/EC), read in the light of the Charter of Fundamental Rights, precludes legislative measures providing, as a preventive measure and for combating crime or safeguarding public or national security, for the general and indiscriminate retention of traffic and location data.
As an innovation, the CJEU has also applied similar conclusions to online hosting service providers subject to the French Law for Confidence in the Digital Economy (“LCEN”), but in application of the GDPR (rather than the ePrivacy Directive).
In these two decisions, the CJEU now confirms and clarifies the strong limitations and safeguards intended to preserve the principles of confidentiality of communications and personal data protection (1°), which is not without consequences for the Member States of the European Union (2°), and for data transfers outside the European Union and the assessment of the legislation of third countries of destination. (3°).
1° Strong limitations and safeguards required by the CJEU, which vary according to the types of public purposes pursued and the degree of interference with the rights and freedoms of the relevant surveillance measures.
As with the July decision invalidating the “Privacy Shield”, the CJEU ruled that the surveillance, investigation and intelligence measures cannot, under any circumstances, be exempted from complying with the European Union’s rule of law merely because they are justified by national security imperatives. Measures imposing obligations on providers subject to the European Union’s secondary law are also subject to review by the CJEU.
In the British, French and Belgian requests for preliminary rulings, the CJEU therefore achieved a particularly rigorous and narrow conciliation between the public interests of security and intelligence, on the one hand, and the protection of rights and freedoms, on the other.
The CJEU sets out – in detail – the conditions, limitations and safeguards of the lawfulness of the regimes for retention, either targeted or restricted, of connection data. The CJEU even goes so far as to determine the rules and criteria for an unprecedented exception regime, authorizing generalized but not “systematic” retention and only in case of a “serious, actual and current or foreseeable threat” for national security. This situation will have to be demonstrated and the court or an independent administrative authority will have to verify its existence.
2° Immediate consequences related to the inadequacy of the relevant national laws of the Member States with regard to these requirements
Faced with the discrepancy between the requirements of the European Union law, as interpreted by the CJEU, and the national laws of the Member States, national legislatures must now modify these laws.
While discussions at the European level on the modification of Directive 2006/24 or on the adoption of a new ePrivacy regulation are having difficulty in leading to a new European framework for the retention and access to electronic communications data, it is perhaps at the national level that reforms will be expected more quickly.
In France, compliance with the Court’s requirements should lead to reforms of the criminal procedure, but above all the 2015 Act on Intelligence and the 2001 Act for Everyday Security.
Among the safeguards these reforms should provide, there should be an overhaul of the procedure applicable to intelligence techniques and the CNCTR (National Commission for the Supervision of Intelligence Techniques). Indeed, its inadequate supervision, and the non-binding nature of its opinions issued to the Prime Minister, as demonstrated in court hearings, are part of the claims courts accept.
In the UK, the ruling is expected to impact the negotiations with the European Commission in the post-Brexit context and the potential adequacy decision which would authorize transfers of personal data from the European Union.
In Belgium, it is the law on the retention of traffic and location data which would in principle be subject to reforms.
3° Incidence on transfers
Lastly, these two decisions provide an indication of the level of data protection in the European Union and, consequently, the substantially equivalent level of protection data exporters subject to the GDPR will have to attain to ensure the lawfulness of transfers outside the European Union.
These two decisions once again demonstrate that this is far from being straightforward. The requirements laid out by the CJEU on the necessary limitations and safeguards within which a legislation is not considered as going beyond “what is strictly necessary in a democratic society” will be useful to guide companies using Standard Contractual Clauses.
CJEU, Grande Chamber, decisions of October 6, 2020, in cases C-623/17 (Privacy International), on the one hand, and, joined, C-511/18, C-512/18 and C-520/18, on the other (La Quadrature du Net, French Data Network and Ordre des barreaux francophones et germanophones and Others).