On 6 October 2020, the European Court of Justice (“CJEU”) issued a ruling confirming that the bulk communications data regimes operated by the UK, France and Belgium were incompatible with European law. The CJEU applied the decision to several cases, including case C-623/17, brought by Privacy International (“PI”) against the UK Government and various organisations within the UK intelligence community, and joint cases under the collective name La Quadrature du Net and Others. The ruling affirmed that the practice of collecting the data of individual citizens from service providers, including location and traffic data, and then bundling this together into larger packages for the ostensible purpose of protecting national security interests, runs counter to Articles 7, 8 and 11 of the EU Charter of Fundamental Rights.
The practice of collecting bulk sets of personal data was first disclosed in 2015. GCHG, MI5 and MI6 were all revealed to be receiving and then retaining this data, pursuant to the 1984 Telecommunications Act, allowing them to ascertain the ‘who, where, when and how’ of a specific communication. A case was brought by PI before the Investigatory Powers Tribunal (“IPT”) in 2015, with PI suggesting that the current regime was unlawful as it failed to provide various safeguards as established in a previous CJEU ruling – Tele2/Watson. The UK Government countered by stressing that the issue fell within national security grounds and was therefore outside the remit of the EU. The IPT subsequently referred the case to the CJEU. Combining the cases from the UK, France and Belgium into one ruling, the CJEU decided on 6 October 2020 that EU law applies every time a national Government forces telecommunications companies to hand over data to intelligence agencies, even when the expressed purpose of the transfer is for national security considerations. As such, the CJEU affirmed that countries must follow the privacy safeguards laid out in EU law and that any legislation issued by a national legislature must not limit the freedoms laid out in Articles 7 (Respect for privacy and family life), 8 (Protection of personal data) and 11 (Freedom of thought and expression).
The CJEU’s ruling has a number of profound ramifications for the UK and Europe. Firstly, if intelligence agencies are prohibited from using bulk data processed by service providers, then all public agencies are too, given that the intelligence community is afforded the maximum discretion by the courts on issues of this magnitude. Secondly, EU law is applicable to issues of national security, broadening the scope of the EU’s powers over national governments. Lastly, while it is still unclear what the ramifications of this ruling will be for the UK as 31 December looms ever closer, particularly as this decision will be challenged, it suggests that the issues of privacy, data collection and internet/communications regulation will continue to challenge lawmakers in both Westminster and Brussels.
The information in this blog is for general information purposes only and does not purport to be comprehensive or to provide legal advice. Whilst every effort is made to ensure the information and law is current as of the date of publication it should be stressed that, due to the passage of time, this does not necessarily reflect the present legal position. Gherson accepts no responsibility for loss which may arise from accessing or reliance on information contained in this blog. For formal advice on the current law please don’t hesitate to contact Gherson. Legal advice is only provided pursuant to a written agreement, identified as such, and signed by the client and by or on behalf of Gherson.