Related People: Alistair Ho, Trainee Solicitor

On 6 October 2020, the Court of Justice of the European Union ("CJEU") handed down a judgment outlining that EU law restricts European Union ("EU") Member States from requiring providers of electronic communications services to generally and indiscriminately retain traffic and location data for the purposes of combatting crime or safeguarding national security.

The CJEU's judgment arises out of background proceedings brought in the UK, France and Belgium with respect to the lawfulness of certain national legislation in those jurisdictions which requires providers of electronic communications services to forward user traffic data and location data to certain public authorities, or otherwise to retain such data in a general or indiscriminate way. Despite the traffic and location data in question not comprising the actual content of underlying communications, the CJEU noted that the transmission of such data nonetheless presented a serious risk to individuals. In particular, the CJEU acknowledged that the transmission of traffic and location data made it possible to identify the "who, where, when and how" behind a certain communication, therefore eroding sensitivities and making such information "no less sensitive than the actual content of the communications".

Some key findings from the CJEU:

  • EU Directive 2002/58/EC on Privacy and Electronic Communications ("the ePrivacy Directive") precludes any Member State national legislation from permitting national authorities to require electronic communications service providers to retain or send traffic data and location data to that Member State's security and intelligence agencies for the general purpose of safeguarding national security;
  • any legislative measures adopted under Member State national legislation which seek to restrict the scope of Articles 5, 6 and 9 of the ePrivacy Directive (relating to confidentiality of communications, traffic data and location data respectively) must be adopted in accordance with EU laws, including the EU's proportionality principle, and must guarantee an individual's fundamental rights under the Charter of Fundamental Rights of the European Union (the "Charter"); and
  • Member State national legislation which obliges electronic communications services providers to forward or retain traffic and location data in a general and indiscriminate way constitutes "particularly serious interferences with the fundamental rights guaranteed by the Charter, where there is no link between the conduct of the persons whose data is affected and the objective pursued by the legislation at issue".

Notwithstanding the above, the CJEU did note that there were instances in which the ePrivacy Directive, read in light of the Charter, did not prevent Member States from requiring electronic communications services providers to retain, generally and indiscriminately, traffic and location data to public authorities. Such instances include where the Member State concerned is facing a serious threat to national security that proves to be "genuine and present or foreseeable". A decision imposing an order to retain the data must only be for a period that is limited in time to what is strictly necessary and must be subject to effective review either by a court or by an independent administrative body whose decision is binding.

Implications for a UK data protection adequacy decision

Once the Brexit transition period ends on the 31 December 2020, the UK will become a "third country" for the purposes of the EU General Data Protection Regulation ("GDPR"). Therefore, in the absence of the European Commission ("EC") delivering an adequacy decision with respect to UK data protection laws, personal data flows from the European Economic Area to the UK would have to be subject to certain transfer mechanisms contained in the GDPR.

The UK government is confident that adequacy decisions can be concluded with the EC by the end of the Brexit transition period. However, given that the background proceedings concerned UK national security laws, the CJEU's latest judgment may damage the UK's chances of receiving any adequacy decision in the short term. EEA organisations seeking to transfer personal data to the UK after the 31 December 2020 should be on alert to the possibility of the UK not receiving an adequacy decision. In such a circumstance, organisations should be ready to consider alternative appropriate safeguards contained in the GDPR as the legal mechanism for effecting future transfers.