The validity of EU Member State legislation to collect and analyse bulk communications (meta)data about us by the security agencies continues to be vexed by questions over the application of EU privacy law requirements

The UK Investigatory Powers Tribunal (IPT) has this month referred questions to the EU Court of Justice (CJEU) in a decision related to the case, Privacy International v Secretary Of State For Foreign And Commonwealth Affairs & others [2017] UKIPTrib IPT_15_110_CH, 8 September 2017. The case, and the questions, refer to issues around the automated acquisition and use of bulk communications data by the UK security and intelligence agencies.

The background to this case can be found in a series of posts on this blog (e.g. here, here, and here). From this, the key point to understand in appreciating the importance of this decision is the fact the Investigatory Powers Act 2016 (‘IPA’) is particularly controversial in light of the CJEU’s December 2016 judgement in the case of Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and others (Joined Cases C-203/15 and C-698/15) regarding the validity of its predecessor legislation (the Data Retention and Investigatory Powers Act 2014, otherwise known as ‘DRIPA’).

In that previous judgement – known as the ‘Watson case’ – the CJEU confirmed that EU law precludes national (EU Member State) legislation that prescribes general and indiscriminate retention of data. This is because such retention practices are incompatible with requirements set out in the E-Privacy Directive ensuring the confidentiality of communications, as read in the light of the EU Charter of Fundamental Rights and its right to respect for private life (Article 7), the right to protection of personal data (Article 8), and the right to an effective remedy and fair trial (Article 47). Whereas, it is generally accepted that Member States retain competence to adopt their own national data retention laws under Article 15(1) of the E-Privacy Directive but only provided that those laws comply with the fundamental rights principles that form part of EU law. A derogation is only permitted in very limited circumstances “when such restriction constitutes a necessary, appropriate and proportionate measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system“. The Watson case set out four data retention requirements to ensure necessity and proportionality (mirroring similar requirements in the earlier Digital Rights Ireland judgement and Schrems judgement by the CJEU, discussed by Sophie here):

• A restriction on non-targeted access to bulk data.
• Prior review and authorisation by a court (or an independent administrative body) before any access to retained data, other than in cases validly established as urgent.
• Provision for subsequent notification of those affected.
• All data must be retained within the EU and irreversibly destroyed at the end of the retention period.

The broad thrust of the questions referred by the IPT involves a parallel ‘gateway’ issue. In particular, the IPT has asked whether security and intelligences agencies’ activities in relation to the collecting and analysing bulk communications data are actually subject to EU law in the first place. If not, it would fall outside its scope and be exempt from complying with the requirements set out in the Watson case.

(To note, not under referral is the question of whether the European Convention of Human Rights – ‘ECHR’ – applies, as this is accepted by both parties to the case as a given. It is also accepted by the IPT which ruled last year that the collection and use of bulk communications data by the UK security and intelligence agencies did not comply with Article 8 ECHR prior to 2015, as described in Sophie’s post here. As a reminder, Article 8 – protecting the right to respect private and family life from interference by a public authority – is a qualified right, which means that any state intervention must be justified, have a legal basis, be necessary in a democratic society and in the interests of the legitimate objectives set out in Article 8(2)).

So, what does the IPT’s decision say?

First, it outlines the arguments put forward by the UK government agencies acting as respondents in defending the use of bulk data capabilities by security and intelligence agencies. They argue that existing safeguards – set out in the IPA – are sufficient to prevent abuses and, indeed, applying the Watson case requirements would preclude the ability to achieve critical value in using bulk data capabilities to secure national security. Most importantly, they argue that Article 4 of the Treaty on the European Union provides that “national security remains the sole responsibility of each Member State“, taking domestic legislation on this topic outside the jurisdictional remit of EU law, yet this issue was not addressed in the Watson case.

Second, in deciding to refer questions to the CJEU, the IPT refers to the issue of concern as the collection and analysis of bulk communications data, “in respect of which a commercial operator, engaged in an activity within the scope of EU law is compelled, by a direction enforceable by law, to provide to the [security and intelligence agencies] data obtained in the course of ordinary business purposes.” In particular, to paraphrase, the IPT asks the CJEU: (1) to what extent is this type of activity governed by EU law; (2) are subject to the requirements of Article 15(1) of the E-Privacy Directive in accordance with the decision in Watson case; and, (3) are subject to the four requirements set out in Watson and if so to what extent taking into account the fact that such capabilities may be critically impeded by these requirements?

(To note, the scope of the reference does not apply to the use of bulk personal datasets in national security investigations, more about which I have written here, as they are collected voluntarily. But – as mentioned – let’s not forget that the IPT has already addressed the privacy issues arising with their use last year under the ECHR).

Intervention by the CJEU seems a good idea, as agreed by all involved in the case. There is clear tension between the Watson requirements and carrying out bulk data capabilities effectively. More to the point is the question whether build data capabilities can ever be justified as necessary and proportionate as they encompass massive metadata trawls about individuals not under suspicion of any offence against the state. And of course, against this on-going political and legal public dialogue, EU review of international data agreements against high and newly clarified privacy standards continue to attract attention (see my post here on the recent dismissal of the EU-Canada PNR agreement as incompatible with the rights to privacy and data protection in the Charter).

In any event, we should not expect any quick resolutions on these matters. The reference was not expedited to the CJEU and will probably take a number of years, as Brexit negotiations also trundle on – something which ultimately could lead to UK data protection law being subject to an assessment of adequacy at some point in the event of a ‘hard’ brexit.

‘DRIPA is dead, long live IPA’? … I, for one, won’t be placing any bets on the subject quite yet.

Alison Knight