Putting privacy limits on national security mass surveillance: The European Court of Justice intervenes

In a little-noticed set of opinions issued on January 15, the European Court of Justice (ECJ) put forward a bold and unprecedented proposition—mass surveillance conducted by European Union (EU) member state national security services should operate within the bounds of the Union’s privacy laws.

ECJ Advocate General (AG) Campos Sanchez-Bordona issued the preliminary opinions in response to civil society challenges to mass surveillance regimes operated by the United Kingdom (UK), Belgium, and France. Advocates General are ECJ judicial officials charged with writing opinions that precede—and are intended to guide—a final Court judgment, though the Court may adopt a different result or reasoning.

How did we get here?

Until now, EU member states’ national security surveillance programs have been considered beyond the reach of EU privacy law. Indeed, Article 4(2) of the EU’s founding Treaty on European Union states very clearly that “national security remains the sole responsibility of each member state.” However, in recent years, the ECJ has embarked on a robust judicial expansion of the scope of individual privacy protections contained in the Union’s Charter of Fundamental Rights as well as EU legislation.

The first step in this direction occurred in 2014, when European privacy activists demanded that the ECJ scrutinize a 2006 EU directive. It required communications companies to retain traffic and location data (metadata) on all individuals for member state law enforcement authorities to use in investigating and prosecuting crime. The ECJ’s Digital Rights Ireland judgment struck down the directive as inconsistent with individual privacy rights guaranteed at EU level. It also clearly ruled out the possibility of member state law enforcement agencies relying on EU law as a basis for bulk data collection on persons not already suspected of being linked to criminal activity.

The next year, the ECJ was confronted with a case questioning a foreign country’s mass surveillance practices for national security purposes. The country in question was the United States, whose global surveillance techniques had been publicly revealed by Edward Snowden. Austrian privacy activist Max Schrems contended that a US-EU commercial data transfer arrangement (the Safe Harbor Framework) should be invalidated. He reasoned that it did not prevent the US intelligence community from utilizing Europeans’ personal data that had originally been transferred to the United States for business purposes. In its 2015 Schrems judgment, the ECJ agreed, sending shock waves through transatlantic commerce and leading to a hasty US-EU renegotiation of the Safe Harbor—now rechristened the Privacy Shield Framework.

In 2017, the ECJ returned to the subject of bulk data retention, extending the reach of EU privacy protections from EU-level law to member state laws that enabled mass surveillance for law enforcement purposes. In its Tele2 Sverige and Watson judgments, the Court ruled that member states could not engage in general and indiscriminate retention of metadata for lengthy periods of time. The judgment showed a willingness on the Court’s part to set limits to member state policing activities, historically considered an area where the Union’s authorities were very limited.

Privacy advocates take on the national security establishment

Following this series of rulings, European privacy activists saw an opportunity to challenge broad-scale data collection by member state national security agencies. In the aftermath of Tele2 Sverige and Watson, these activists brought a series of cases challenging laws in the United Kingdom, Belgium, and France.

Member state national security agencies quickly realized the potential threat from these challenges and mobilized their governments to oppose them en masse at the ECJ. Sixteen member states intervened at the September 19 oral hearing—an unusually high number—and took the rare step of coordinating their arguments in advance in order to present a common front before the Court’s judges. At the oral hearing, however, the ECJ’s lead judge in the case did not appear particularly impressed by the show of member state unity.

In the case challenging UK law (titled Privacy International), the government’s lawyers insisted that mass data retention was a uniquely valuable tool in preventing terrorism, because national security data analysts could identify individuals who posed previously unknown threats. They pointed out that law enforcement, by contrast, utilized mass metadata analysis to investigate and prosecute already identified individual criminal suspects. 

Advocate General Sanchez-Bordona was unpersuaded. He insisted that EU legislation protecting privacy of electronic communications should apply equally to national security and to law enforcement. Accordingly, he suggested that the national security measures in question violated the ban on general and indiscriminate data collection on individuals established in the Digital Rights Ireland case. The AG went on to summarily dismiss the UK’s argument about the unique “practical effectiveness” of such national security measures, instead giving priority to “legal effectiveness within the framework of the rule of law.”

The Advocate General did, however, suggest that some member state national security mass data collection practices should be permitted. The UK, Belgian, and French measures had to be subjected to EU-level privacy discipline because they enlisted private electronic communications companies to engage in broad-scale metadata collection. But the AG argued that when member states exercise their national security competence “directly, using their own resources,” that should fall outside the scope of EU law. In addition, Sanchez-Bordona quietly proposed a second partial escape hatch: in cases of urgency, a national security agency could apply to a court or other independent authority for advance permission to collect more broadly.

There is reason to believe that the ECJ panel responsible for deciding these national security cases will largely follow the AG’s opinion. Doing so would further establish the Court’s legacy in strengthening privacy rights for Europeans. Moreover, the EU’s highest court is not the only European court seeking to profile itself on privacy issues. The Council of Europe’s European Court of Human Rights (ECtHR) has also steadily been deciding cases involving competing security and privacy interests. In addition, a number of prominent member state courts—notably the German Federal Constitutional Court—have done likewise in recent years. Observers of the confluence of case-law in this area detect an element of competitive rivalry among the three tribunals.

Even if the ECJ acts in these cases as the Advocate General has urged, however, its judgments may not be the final word on the subject. A large number of EU member states would be left wondering about the clear stipulation in the Union’s founding treaties that national security is their “sole responsibility.” They could react by calling for EU legislation or a treaty change clarifying that regulating national security data collection is definitively out of the Union’s scope.

International implications

By imposing privacy limits on member states’ national security data collection practices, the ECJ would also have an impact on countries outside the Union, including the post-Brexit United Kingdom and the United States. Escaping the jurisdiction of the European Court of Justice may have been one of the Brexiteers’ principal aims, but, in practice, the UK may not enjoy unbridled freedom to escape ECJ jurisprudence on national security data collection. Rather, in return for granting the UK unrestricted commercial data transfers to and from the continent, the European Commission may well demand that the UK trim its national security data practices to the same extent as continental jurisdictions. The EU has leverage in this discussion, which will occur later this year and in parallel to the broader negotiation on the future UK-EU relationship.

US government officials will closely watch how the United Kingdom grapples with an EU demand to conform its robust national security data collection activities to EU privacy law. The US government is expected to launch its own free trade agreement negotiations with the UK soon and the subject of privacy constraints on digital trade is sure to be on the table. Both parties need and want data to flow freely across the Atlantic. If the UK finds itself unable to escape ECJ jurisprudence in negotiations with the Union on national security data collection, it cannot simply turn around and ignore those rulings when European-origin data is conveyed onwards to the United States for commercial purposes. The US government, however, would likely resist importing EU privacy strictures affecting US national security practices through the separate vehicle of a US-UK trade agreement.

Nevertheless, a potential ECJ decision to impose some privacy discipline on EU member state national security data practices could contribute to an eventual rapprochement between the Union and the United States. Ever since the Schrems I ruling, the US government has seethed over its national security law and practices being the subject of ECJ privacy scrutiny, while EU member states’ comparable behavior received a free pass from the Court. If Privacy International serves to align, to some degree, the ECJ’s view of third states’ and member states’ surveillance laws, a calmer basis for a transatlantic privacy/security dialogue could be established. The United Kingdom, now joining the United States as an EU outsider, thus could conceivably help lay the basis for a productive conversation between Washington and Brussels, by itself coming to terms with the EU’s developing national security data protection jurisprudence. Resolving the long-running US-EU dispute over how to balance security and privacy imperatives remains a work in progress, but it may not be a hopeless task.

Kenneth Propp is a nonresident senior fellow in the Atlantic Council’s Future Europe Initiative.

Image: The entrance of the European Court of Justice is pictured in Luxembourg, January 26, 2017. Picture taken January 26, 2017. REUTERS/Francois Lenoir