On October 6, 2020, the Court of Justice of the European Union (“CJEU”) handed down Grand Chamber judgments determining that the ePrivacy Directive (the “Directive”) does not allow for EU Member States to adopt legislation intended to restrict the scope of its confidentiality obligations unless they comply with the general principles of EU law, particularly the principle of proportionality, as well as fundamental rights under the Charter of Fundamental Rights of the European Union (the “Charter”).

The cases stem from challenges to EU Member State national security law brought in the UK, France and Belgium by privacy activists Privacy International (Case C‑623/17), La Quadrature du Net and others (C-511/18), French Data Network and others (Case C-512/18) and Ordre des Barreaux francophones et germanophones and others (Case C-520/18), the latter three of which were joined by the President of the CJEU. The challenges related to laws obliging providers of electronic communications services (“providers”) to forward the traffic and location data (i.e., bulk communications data) of individuals to public authorities, or to retain such data in a general and indiscriminate way.

Privacy International Case

In the case brought by Privacy International, several EU Member States, including the UK, contended that the activities of security and intelligence agencies are essential state functions and the sole responsibility of Member States, and therefore the Directive should not apply to national legislation that safeguards national security. The CJEU disagreed and determined that such laws do fall within the scope of the Directive, commenting that according to settled case law: “although it is for the Member States to define their essential security interests and to adopt appropriate measures to ensure their internal and external security, the mere fact that a national measure has been taken for the purpose of protecting national security cannot render EU law inapplicable and exempt the Member States from their obligation to comply with that law.”

The Directive requires Member States to ensure the confidentiality of communications and traffic data through national legislation, but also allows for Member States to adopt legislation restricting the scope of this obligation when necessary, appropriate and proportionate to safeguard national security. In its judgment, the CJEU made clear that such deviation from the Directive’s confidentiality obligations should be the exception rather than the rule, and that the Directive does not allow for Member States to adopt legislation intended to restrict the scope of the confidentiality obligation unless they comply with the general principles of EU law and are proportionate.

The CJEU set out limitations on Member States’ ability to restrict the Directive’s scope, stating: “it should be borne in mind that the protection of the fundamental right to privacy requires […] that derogations from and limitations on the protection of personal data must apply only in so far as is strictly necessary.” The CJEU determined that the Directive precludes national legislation enabling authorities to require providers to carry out general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security.

The Three Joined Cases

With regards to the second judgment involving the three joined cases, the CJEU assessed four specific points.

First, the CJEU considered that the Directive precludes national provisions that require providers to retain general and indiscriminate traffic and location data as a preventive measure to safeguard national security and combat crime. However, the CJEU also provided several carve outs to this preclusion, where Member States may derogate from the Directive’s general confidentiality requirements for the purposes of safeguarding national security, combatting serious criminality and preventing serious threats against public security, provided that (1) rules outlining these derogations are clear and precise; (2) material and procedural requirements are implemented; and (3) the individuals concerned have effective guarantees against any abuse. In particular, the CJEU authorized orders that require providers to undertake general and indiscriminate retention of traffic and location data where a Member State is facing a serious threat to national security that proves to be genuine and present or foreseeable, so long as the order is subject to effective review by a court or independent administrative body. Such an order may only be imposed for a period of time that is considered strictly necessary. In addition, the CJEU also held as acceptable the targeted retention of traffic and location data, as long as it is limited in time and limited to what is strictly necessary for the purposes of national security or crime prevention, as well as the general and indiscriminate retention of IP addresses for a strictly necessary period of time. Similarly, the CJEU considered the general and indiscriminate retention of the civil identity of users of electronic communications (without time restrictions) acceptable. Lastly the requirement for providers to retain traffic and location data after the end of an initial retention period in order to shed light on serious crimes or acts affecting national security (i.e., expedited retention) is acceptable for purposes of combatting serious crime when authorized by a decision from the competent authority, subject to effective judicial review.

Second, the CJEU ruled that the automated analysis and real-time collection of traffic data, location data, or the real-time collection of data relating to the location of devices is authorized if (1) the automated analysis is limited to cases where a Member State is facing a serious, genuine and present or foreseeable threat to national security; and (2) the real-time collection is limited to persons validly suspected of being involved in terrorist activities. In both cases, the seriousness of the threat and the danger posed by the suspected individual must be subject to a prior review carried out by a court or independent administrative body whose decision is binding.

Third, the CJEU insisted that national law may not require providers of access to online public communication services and hosting services providers to retain data in a general and indiscriminate way.

Finally, the CJEU was asked whether it is possible to temporarily maintain the effects of a national provision that breaches EU Law in order to avoid legal uncertainty and to use data previously been collected and retained. On this issue, the CJEU held that the Directive, read in light of the Charter, does not allow a national court to temporarily apply a provision of national law that is otherwise incompatible with EU Law. In particular, the CJEU prohibited national courts from applying a national provision requiring providers to retain in a generalized and indiscriminate manner traffic and location data, even if the objective of the contested provision is to safeguard national security and prevent serious crimes. With this, the CJEU reaffirmed the principle of EU law primacy over Member State law, which may not undermine the effects of EU law. The CJEU further confirmed the obligation for national courts to apply EU law and set aside any national provisions in breach of EU law without awaiting the prior decision of a legislative or judicial body. The CJEU added that only the CJEU itself is able to suspend in exceptional circumstances the application of an EU provision in favor of national law for overriding considerations of legal certainty. Consequently, the use of information and evidence resulting from general and indiscriminate retention in the context of criminal proceedings was raised and the CJEU re-affirmed that national law currently has the role of determining rules of admissibility regarding evidence gathered in breach of EU law. As such, evidence collected in breach of EU law is potentially admissible, with the CJEU emphasizing that under established case law, evidence must be set aside when it contravenes the right to a fair trial.