Skip to content

Menu

LexBlog, Inc. logo
CommunitySub-MenuPublishersChannelsProductsSub-MenuBlog ProBlog PlusBlog PremierMicrositeSyndication PortalsAboutContactResourcesSubscribeSupport
Join
Search
Close

AG Says ePrivacy Applies to Government Access to Communications Data

By Eduardo Ustaran on January 20, 2020
Email this postTweet this postLike this postShare this post on LinkedIn

On January 15, the Court of Justice of the European Union’s (CJEU) Advocate General (AG) Manuel Campos Sánchez-Bordona delivered his Opinion on four references for preliminary rulings on the topic of retention of and access to communications data.

Of the four references, two originated from France, one from Belgium, and one from the Investigatory Powers Tribunal (IPT) in the United Kingdom. The latter arose from a challenge by Privacy International to the UK Security and Intelligence Agencies’ (SIAs) powers under the Telecommunications Act 2014 and the Data Retention and Investigatory Powers Act 2014. SIAs have the power to compel providers of electronic communications services, such as internet service providers, to retain and hand over bulk communications data. Communications data does not include the content of communications but does reveal traffic and location data, as well as information on users’ social, business and financial activities, communications, and travel.

The IPT found as a matter of fact, and specified in its reference for a preliminary ruling, that these powers are “essential to the protection of the national security of the United Kingdom.” The questions referred to the CJEU concerned:

  1. the applicability of the ePrivacy Directive (ePD) in the context of the use of these powers; and
  2. whether the requirements specified in the previous CJEU decision Tele2 Sverige/Watson also applied.

The IPT went so far as to specify that the imposition of such requirements would “critically impede” the SIAs’ bulk acquisition and automated processing techniques.

Opinion

The Advocate General found that the ePD did apply to the retention of data by electronic communications providers and its subsequent transmission to the SIAs. The processing was carried out in connection with the provision of publicly available electronic communications services in public communications networks in the EU, which precisely corresponds to the ePD’s scope of application. While the ePD does not apply to activities undertaken by public authorities themselves in order to safeguard national security, the AG was of the view that such activities should be narrowly defined so as to avoid depriving EU privacy law of its effectiveness in protecting fundamental rights. As a result, he concluded that the legislation providing for the SIAs’ powers in relation to bulk communications data was not compatible with the ePD.

Although this finding meant that it was not necessary to consider whether the Tele2 Sverige/Watson requirements applied to the legislation, the AG set out the features that would be required in the new legislation for it to be compliant with the ePD and the CJEU’s case law on the subject. Legislation should determine, precisely and on the basis of objective criteria, the categories of data that are deemed essential to retain and the circle of persons who are affected, and should establish substantive and procedural requirements governing access by the competent authorities to the retained data. Other than in “duly substantiated cases of urgency,” access to the data must be subject to prior review by a court or an independent administrative authority, whose decision should be made in response to a reasoned request by the competent authorities.

Brexit implications

The Data Retention and Investigatory Powers Act 2014 has now been replaced by the Investigatory Powers Act 2016, though the latter has similar provisions on bulk communications data which, according to the AG, must be considered incompatible with EU law. As a result, if the CJEU agrees with the AG, there could be implications relating to the UK’s exit from the European Union.

In the coming months, the European Commission will be assessing the UK’s level of protection of personal data with the goal of concluding an adequacy agreement, which will ensure that personal data can continue to be transferred freely between the EU and the UK following the Brexit transition period. This assessment will cover the legal controls on SIAs’ surveillance capabilities, and the Commission will need to consider any findings by the CJEU in this respect. Ensuring and demonstrating the right balance between safeguarding national security and respecting citizens’ privacy and data protection rights will be essential to achieve the desired outcome.

 

Elizabeth Campion, a paralegal in our London office, contributed to this entry.

Photo of Eduardo Ustaran Eduardo Ustaran
Read more about Eduardo UstaranEmail
  • Posted in:
    Privacy & Data Security
  • Blog:
    HL Chronicle of Data Protection
  • Organization:
    Hogan Lovells
  • Article: View Original Source
LexBlog, Inc. logo
Facebook LinkedIn Twitter RSS
Real Lawyers
99 Park Row
  • About LexBlog
  • Careers
  • Press
  • Contact LexBlog
  • Privacy Policy
  • Editorial Policy
  • Disclaimer
  • Terms of Service
  • RSS Terms of Service
  • Products
  • Blog Pro
  • Blog Plus
  • Blog Premier
  • Microsite
  • Syndication Portals
  • LexBlog Community
  • 1-800-913-0988
  • Submit a Request
  • Support Center
  • System Status
  • Resource Center

New to the Network

  • Boston ERISA & Insurance Litigation Blog
  • Stridon News and Insights
  • Taft Class Action & Consumer Insights
  • Labor and Employment Law Insights
  • Age of Disruption
Copyright © 2022, LexBlog, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo