Blogs | Privacy and data protection | Data protection standards | Surveillance and data retention

Data retention: “National security” is not a blank cheque

By EDRi · January 29, 2020

On 15 January, Advocate General (AG) Campos Sánchez-Bordona of the Court of Justice of the European Union (CJEU) delivered his opinions on four cases regarding data retention regimes in France, Belgium and the UK, in the context of these Members States’ surveillance programmes.

The AG endorsed the previous case law on data retention, confirming that a general and indiscriminate retention of personal data is disproportionate, even when such schemes are implemented for national security reasons.

An interesting take from his Opinions is how he challenged EU Member States who tend to consider national security as their get-out-of-jail-free card.

National security cannot be used as escape route from EU law

One of the questions the AG had to answer concerned the applicability of the ePrivacy Directive, which Member States contested. They argued that EU law was not applicable, as the surveillance programmes were a matter of national security, in the context of terrorism threats, and therefore not within the EU’s jurisdiction.

Even though the matter had already been solved in the Tele 2 case, the AG, faced with determined Member States, provided for a clear and hopefully once and for all analysis on the national security argument. In all three opinions, the AG stresses that, in these cases, national security reasons could not prevent the applicability of EU law. For the AG, the notion of “national security” is too vague to be invoked to oppose the application of safeguards regarding the protection of personal data and confidentiality of citizens (C-511/18 and C-512/18, para. 74).

He therefore proceeded to define this notion in light of the ePrivacy Directive. The Directive would not apply when activities related to “national security” are undertaken by the public authorities directly themselves, by their own means and for their own account. But as soon as the States impose obligations on private actors for these same reasons, the Directive applies (C-511/18 and C-512/18, para. 79 to 85).

In these cases, telecom operators are obliged, under the law, to retain the data of their subscribers and to allow public authorities access to it. It does not matter that these obligations are imposed for national security reasons.

…and neither can the fundamental right of security

To add another layer to the “security” argument, the French case mentioned the right to security under Article 6 of the Charter of Fundamental Rights of the European Union as a justification to the data retention scheme. This could be a valid argument, but as the AG points out, the right to security protected in the Charter is the right to personal security against arbitrary arrest or detention and does not cover public security in the sense of terrorism threats and attacks (C-511/18 and C-512/18, para. 98, 99).

Terrorism as an excuse?

As part of the “national security” argument, France also argued that the general and indiscriminate retention of personal data was put in place to fight terrorism, in a context of serious and persistent threats to national security.

The AG, however, rightly points out that in the French legislation, terrorism is only one of the justifications possible for such a data retention regime. Terrorism threats are part of the factual context and the excuse for imposing such a regime, while in reality, the regime applies generally, for the purpose of fighting crime (C-511/18 and C-512/18, para. 119 & 120).

Moreover, the CJEU had already rejected, in the Tele2 case, the possibility of having a general and indiscriminate data retention regime for antiterrorism reasons. The AG underlines that this is not incompatible with the view of the Court that fighting terrorism is a legitimate and vital interest for the State. But the case law of the CJEU is clear that, such an objective of general interest, as vital as it can be, cannot in itself justify the necessity of a general and indiscriminate retention regime.

In response to Member States arguing against anything less than a general and indiscriminate retention for this purpose, the AG explains that the fight against terrorism cannot only be contemplated in regards to its efficiency. Because of the scale and the means put into this issue, it must be part of the Rule of Law and must respect fundamental rights. Relying only on efficiency would mean ignoring other democratic issues and could potentially, in extreme cases, lead to harms done to citizens. (C-511/18 and C-512/18, para. 131).

The AG succeeds in debunking the Member States’ arguments, but stops short of preventing abuse.

The danger of “state of emergency” exceptions

Indeed, at the end of his analysis, the AG very briefly (C-511/18 and C-512/18, para. 104 and C-520/18, para. 105 & 106) explains that regardless of what he argued, Member States could be allowed to impose an obligation to retain data, as wide and general as needs be. This could only be done in really exceptional situations, where there is an imminent threat or an extraordinary risk justifying the enactment of a state of emergency in a Member States.

The only safeguard mentioned is the “limited period” that these kind of schemes could run for. This is not enough as we saw how a “state of emergency” can be abused. In France, after the terrorist attacks of November 2015, l’état d’urgence, state of emergency, was enacted and went on for two years. It has been shown that this scheme was not only used for antiterrorism purposes, but also as a tool of social, security and political control, used to conduct surveillance and arrests of, for example, climate activists who are considered “extremists” .

More globally, this has been demonstrated by the various electronic surveillance programmes implemented by the USA after 9/11 in the name of the “war on terror”.

The AG’s opinions are not binding but usually influence the final judgments of the CJEU, which will be issued in the upcoming months. EDRi will be following the development of these cases.

Indiscriminate data retention considered disproportionate, once again (15.01.2020)

Preliminary Statement: Advocate General’s Opinion Advises that Mass Surveillance Regime is Unlawful (15.01.2020)

AG’s Opinion: Mass retention of data incompatible with EU law (29.01.2020)

CJEU Press Release: Advocate General Campos Sánchez-Bordona: the means and methodsof combating terrorismmust be compatible with the requirements of the rule of law (15.01.2020)

(Contribution by Laureline Lemoine, EDRi)