LexGo

CJEU clarifies legality of surveillance legislation for national security
20/11/2020

What happened?

Recently, the Court of Justice of the European Union (“CJEU”) ruled on case C-623/171 and the joined cases C-511/18, C-512/182 and C-520/183 (the “Joined Cases”) on the lawfulness of national security laws of the United Kingdom, France and Belgium, respectively, which each require electronic communications services providers (the "Service Providers") to retain and disclose traffic and location data of their respective users to national authorities for the purpose of combating crime or safeguarding national security. The CJEU provided some important clarifications on the circumstances in which traffic and location data can be collected and retained.

What clarification did the CJEU provide?

National security is within the competence of each EU Member State. However, the CJEU clarified that national legislation requiring Service Providers to retain and disclose users’ locations and traffic data to public authority falls within the scope of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 (the “ePrivacy Directive”). Consequently, those legislative measures have to comply with the general principles of European Law and the Charter of Fundamental Rights of the European Union (the “Charter”).

It follows that Member States cannot restrict the scope of the ePrivacy Directive unless such restrictions comply with the general principles of EU law, are proportionate and preserve the fundamental rights guaranteed under the Charter.

Derogation regarding targeted surveillance

However, the Court did formulate certain derogations regarding the scope of the ePrivacy Directive. More precisely, the Court specified that the ePrivacy Directive does not prevent:

  • the recourse of a Member State to an order requiring Service Providers to retain traffic and location data generally and indiscriminately, only if that Member State faces a serious threat to national security that proves to be genuine and present or foreseeable; and
  • the recourse of Member States to the targeted retention of traffic and location data (1) limited in time to what is strictly necessary and (2) limited on the basis of objective and non-discriminatory factors, according to the categories of persons concerned, or by using a geographical criterion.

The CJEU framed how targeted surveillance can comply with the ePrivacy Directive and existing EU Laws.

Derogations regarding real-time collection

EU Member States may adopt legislative measures requiring Service Providers to collect traffic and location data in real time provided that the collection is based

  • on a genuine and present or foreseeable serious threat to national security; or
  • concerns persons suspected of being involved in terrorist activities.

By this recent ruling, the Court clarified a framework under which Member States can adopt laws under which Service Providers are required to retain and disclose traffic and location data to supervisory authorities.

1.Privacy International v. United Kingdom.
2.La Quadrature du Net & Others v. France.
3.Ordre des barreaux francophones and germanophones & Other v. Belgium.

Voir aussi : Elvinger Hoss Prussen

[+ http://www.elvingerhoss.lu]


Tous les articles Droit Européen

Derniers articles Droit Européen

New step towards the adoption of the public country-by- country reporting (CBCR) directive
07/06/2021

On 1st June, the EU Council reached a provisional political agreement with the European Parliament’s negotiating tea...

Read more

Political agreement reached on public country-by-country reporting
03/06/2021

On 1 June 2021, the Council of the European Union (the “Council”) reached a political agreement with the Europ...

Political agreement reached on public country-by-country reporting Read more

Europe’s new Chief Prosecutor has her hands full from the outset
02/06/2021

On 1 June 2021, the first supranational public prosecution authority, the European Public Prosecutor’s Office (&ldqu...

Read more

La CJUE sanctionnée
01/06/2021

Le Contrôleur Européen de la Protection des Données (EDPS) a reçu une plainte d’une perso...

La CJUE sanctionnée Read more

LexGO Network