Skip to main content
Trending Topics
Featured Insights
View All Services
View All Industries
About Us Overview
    • Insights
    • Court of Justice of the European Union rules that EU law precludes Member State laws on mass surveillance for electronic communications services providers. A threat to a UK adequacy decision?

      Court of Justice of the European Union rules that EU law precludes Member State laws on mass surveillance for electronic communications services providers. A threat to a UK adequacy decision?

      Authors:
      Generate PDF
      Share

      Related People:   Alistair Ho, Trainee Solicitor

      On 6 October 2020, the Court of Justice of the European Union ("CJEU") handed down a judgment outlining that EU law restricts European Union ("EU") Member States from requiring providers of electronic communications services to generally and indiscriminately retain traffic and location data for the purposes of combatting crime or safeguarding national security.

      The CJEU's judgment arises out of background proceedings brought in the UK, France and Belgium with respect to the lawfulness of certain national legislation in those jurisdictions which requires providers of electronic communications services to forward user traffic data and location data to certain public authorities, or otherwise to retain such data in a general or indiscriminate way. Despite the traffic and location data in question not comprising the actual content of underlying communications, the CJEU noted that the transmission of such data nonetheless presented a serious risk to individuals. In particular, the CJEU acknowledged that the transmission of traffic and location data made it possible to identify the "who, where, when and how" behind a certain communication, therefore eroding sensitivities and making such information "no less sensitive that the actual content of the communications".

      Some key findings from the CJEU:

      • EU Directive 2002/58/EC on Privacy and Electronic Communications ("the ePrivacy Directive") precludes any Member State national legislation from permitting national authorities to require electronic communications service providers to retain or send traffic data and location data to that Member State's security and intelligence agencies for the general purpose of safeguarding national security;
      • any legislative measures adopted by Member State national legislation which seek to restrict the scope of Articles 5, 6 and 9 of the ePrivacy Directive (relating to confidentiality of communications, traffic data and location data respectively) must be done so in accordance with EU laws, including the EU's proportionality principle, and must guarantee an individual's fundamental rights under the Charter of Fundamental Rights of the European Union (the "Charter"); and
      • Member State national legislation which obliges electronic communications services providers to forward or retain traffic and location data in a general and indiscriminate way constitutes "particularly serious interferences with the fundamental rights guaranteed by the Charter, where there is no link between the conduct of the persons whose data is affected and the objective pursued by the legislation at issue".

      Notwithstanding the above, the CJEU did note that there were instances in which the ePrivacy Directive, read in light of the Charter, did not prevent Member States from requiring electronic communications services providers to retain, generally and indiscriminately, traffic and location data to public authorities. Such instances include where the Member State concerned is facing a serious threat to national security that proves to be "genuine and present or foreseeable". A decision imposing an order to retain the data must only be for a period that is limited in time to what is strictly necessary and must be subject to effective review either by a court or by an independent administrative body whose decision is binding.

      Implications on a UK data protection adequacy decision

      Once the Brexit transition period ends on the 31 December 2020, the UK will become a "third country" for the purposes of the EU General Data Protection Regulation ("GDPR"). Therefore, in the absence of the European Commission ("EC") delivering an adequacy decision with respect to UK data protection laws, personal data flows from the European Economic Area to the UK would have to be subject to certain transfer mechanisms contained in the GDPR.

      The UK government is confident that adequacy decisions can be concluded with the EC by the end of the Brexit transition period. However, given that the background proceedings concerned UK national security laws, the CJEU's latest judgment may damage the UK's chances of receiving any adequacy decision in the short term. EEA organisations seeking to transfer personal data to the UK after the 31 December 2020 should be on alert to the possibility of the UK not receiving an adequacy decision. In such a circumstance, organisations should be ready to consider alternative appropriate safeguards contained in the GDPR as the legal mechanism for effecting future transfers.

      Authors

      Related Services & Industries

      Stay Up To Date With Our Insights

      See how we use a multidisciplinary, integrated approach to meet our clients' needs.
      Subscribe

      Follow us

      © 2024 Mayer Brown

       

       

      Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the “Mayer Brown Practices”). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC (“PKWN”) is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website.

      “Mayer Brown” and the Mayer Brown logo are trademarks of Mayer Brown.

      Attorney Advertising. Prior results do not guarantee a similar outcome.