How Europe’s Intelligence Services Aim to Avoid the EU’s Highest Court—and What It Means for the United States

As a result of last summer’s Schrems II judgment by the Court of Justice of the European Union (CJEU), the United States now finds itself forced to consider changes to its foreign surveillance law and practices in order to reestablish a stable basis for transatlantic transfers of personal data. Taking such steps may be the only way to persuade the EU that U.S. surveillance laws offer “essentially equivalent” protections for data to those prevailing in Europe, as EU data protection law requires.

In the fall of 2020, the court softened that bitter pill when, for the first time, it also imposed limits on EU member states’ intelligence services’ own data collection and retention activities. But now the member state governments have struck back against the Luxembourg-based court, quietly slipping into their version of the EU’s ePrivacy legislative reform proposal a provision that would put these contested national security activities beyond the court’s reach. The U.S. government is already on record as objecting to what it perceives as a laxer data protection standard being applied by European courts to their own national intelligence services. This latest move in Brussels has only accentuated the sense of a disparity in treatment.

This post explores the ongoing struggle within the European Union to delimit the national security exception in its data protection law for the activities of member state intelligence services, and the corresponding impact this Brussels debate could have on the ongoing transatlantic negotiations to restore a secure basis for commercial data transfers from the European Union to the United States.

Changing Data Collection and Retention Rules for European National Security Agencies

In October 2020, the CJEU for the first time tackled the question of whether, and to what extent, EU fundamental rights relating to data protection should limit European intelligence services’ data collection and retention programs. Nine member states, including the United Kingdom (an EU member at the time of argument) and France, intervened in the two linked cases, brought by nongovernmental organizations, most notably Privacy International and La Quadrature du Net (LQDN).

In general, the EU exercises competences—such as data protection—granted by its member states, but only to the extent that member states have effectively transferred these powers to the EU. These member states contended that the cases fell under the general national security exception of Article 4(2) of the Treaty on European Union, according to which “national security remains the sole responsibility of each Member State.” They also invoked Article 1(3) of the 2002 Directive on privacy and electronic communications (ePrivacy directive), the governing EU legislation in the proceedings. The latter provides that “this Directive shall not apply to … activities concerning public security, defence, State security (including the economic well-being of the State when the activities relate to State security matters) and the activities of the State in areas of criminal law.” 

In its Oct. 6 Privacy International and LQDN judgments, the CJEU rejected this jurisdictional argument. It drew a distinction between the situation where an intelligence agency processes data itself for national security purposes and where it imposes obligations on electronic communication services to collect, retain and transfer data on the state’s behalf in the name of national security. In the first case, the national security exemption entirely shields intelligence agencies from the reach of EU data protection law, but in the latter case, the same EU law limitations that the court invoked in relation to the United States in Schrems II should apply. In Schrems II, the CJEU had insisted that surveillance programs be “proportionate”—in other words, limited to what is “strictly necessary”—which in turn led to the imposition of a series of specific requirements.

The court added in Privacy International and LQDN that, where an EU government relies on electronic communication services providers for national security collection and retention, it should be afforded greater latitude than when doing so for law enforcement purposes. Law enforcement activities had been considered in a previous line of cases (the 2014 Become a supporter of IT Security News and help us remove the ads.