Charting a New European Approach to Security and Data Protection
A European Defense Union must take a new, balanced approach to privacy and security, requiring flexibility from EU members and institutions.

Published by The Lawfare Institute
“Protecting Europe is Europe’s duty. I believe now is therefore the time to build a true European Defense Union. Yes, I know there are some who are perhaps uncomfortable with the idea. But what we should be uncomfortable about are the threats to our security.”
So spoke Ursula von der Leyen, president of the European Commission—the executive branch of the European Union (EU)—when presenting her Political Guidelines in July 2024. The guidelines inform the priorities for the current, five-year mandate of the European Commission. Echoing von der Leyen’s words, they stated that the Commission “will look at all of our policies through a security lens.”
This is a welcome approach, but as von der Leyen indicated, the EU’s entrance into the domain of national security policy will be met with concern by some member states. EU institutions have historically shown limited understanding for the sensitive issues at play when nation-states protect their national security and public order.
One policy area that pointedly demonstrates this tension is European data protection law. As I will seek to illustrate, in no other policy area has the contrast been more explicit between what EU member states view as necessary to protect their national security and public order and what the EU’s legal framework allows.
But recalibration is possible. And the pressing need for the EU to fill the European security void created by an aggressive Russia—and a U.S. not only pivoting to Asia, but becoming increasingly transactional in its security posture—should animate all stakeholders to seek a new European approach to ensuring both privacy and security.
European Data Protection Law
European data protection law is best known for its centerpiece legislation, the General Data Protection Regulation (GDPR). The GDPR sets out extensive rules on the protection of personal data and the privacy of individuals, and its scope covers the private and public sectors of EU member states at large. Law enforcement agencies are not covered by the GDPR but are subject to a parallel legal act, the Law Enforcement Directive (LED), which contains similar but more lenient rules on privacy and data protection. Formally, neither of these acts—nor EU law in general—applies to the activities of the intelligence agencies of the EU member states or to activities that safeguard national security. However, this has not prevented European data protection law from having a marked, if indirect, impact on public order and national security in the EU.
A key reason for this development is that the right to data protection is protected by the European Charter on Fundamental Rights, which formally became part of the EU Treaty on Dec. 1, 2009, via the Treaty of Lisbon. Article 8 of the charter and Article 16 of the Treaty on the Functioning of the European Union made the protection of personal data a right for individuals secured by the treaties and provided a specific legal basis—Article 16—for the EU to regulate data protection.
However, when adopting the Treaty of Lisbon, EU member states expressly declared that “whenever rules on protection of personal data to be adopted on the basis of Article 16 could have direct implications for national security, due account will have to be taken of the specific characteristics of the matter.” Similarly, it is expressly provided in Article 4(2) of the Treaty on European Union that the EU
shall respect … essential State functions [of Member States], including ensuring the territorial integrity of the State, maintaining law and order and safeguarding national security. In particular, national security remains the sole responsibility of each Member State.
While the member states may have expected that the above provisions and declarations of political intent would be adequate to ensure a clear delineation between member state and EU competences, developments have shown they were mistaken.
Tension Between European Data Protection Law and National Security and Public Order
The best illustration of the tension between the approach of the member states to safeguarding their nations and that of the EU institutions—led by the Court of Justice of the European Union (CJEU)—when balancing security and privacy is within the area of data retention. In European public policy parlance, “data retention” refers to the rules compelling internet service and telecommunication providers to retain information about individual end users concerning the use of devices such as their mobile phones and tablets accessing the networks of such providers. Retained information includes who the end user called, IP addresses, and the geolocation of the end user, captured by logging the physical telecommunication masts used. No communications content—that is, the content of a phone conversation, e-mails, or messaging between mobile phones—is retained. Data retention is thus distinguishable from interception of communications and relates solely to data about communications (metadata).
These rules lead to providers storing very large quantities of data on individuals. As data is retained for up to one year, the data could, in theory, give a detailed profile of a person’s whereabouts, preferences, and associations. However, this data can be legally accessed only by relevant authorities when investigating serious crimes, like homicide or terrorism, or when countering threats to national security. Transfer of retained data must be approved either beforehand or—when exigent circumstances apply—after the fact by an independent authority, which in most member states means a judicial authority.
Law enforcement and intelligence services have consistently maintained that data retention is an important tool for identifying suspects, victims, and witnesses in these types of cases. Often, data retention is the only tool available when identifying suspects and mapping the planning and execution of a crime. Thus, despite judicial skepticism and intense criticism from civil liberty advocates, many EU member states have maintained data retention rules.
Given the privacy-related implications of these rules, data retention has been challenged in national courts in EU member states, in cases that were then referred to the CJEU for adjudication. These cases have focused on the EU data protection rules applicable to the providers retaining the data, even though member states have argued that rules compelling private companies to retain data solely for the purpose of protecting public order and national security fall outside the scope of EU law. Thus, when providers retain and transfer data on behalf of national authorities, general data protection principles adopted by the EU are applied in a manner that limits or even prohibits data from being retained and shared with law enforcement and intelligence services.
So indirectly, principles like “necessity” and “proportionality” set out in EU rules intended for the private sector have set the standards for how national security and law enforcement authorities are allowed to access and use retained data. On this basis, the highest court within the EU system, the CJEU, has ruled several times on the legality of data retention.
In its jurisprudence, the CJEU has generally been restrictive. But it has also expressed what seems almost like skepticism toward the authorities using retained data. For example, in its landmark ruling in the Digital Rights Ireland case, the court struck down the EU-wide rules on data retention (meaning only member states that actively choose to keep such rules still have them in effect), stating as part of its motivation that
the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance.
In other words, the court—in applying data protection standards made for the private sector—held that the mere fact that individuals know that the data may be used by authorities may lead them to “feel” they are subject to “constant surveillance.” But is this a reasonable standard to apply in democracies governed by the rule of law? In most Western democracies, almost any data held by private or public entities is legally accessible by intelligence and law enforcement agencies, assuming the relevant rules for obtaining warrants and other forms of judicial approval are met in accordance with national law. Why should a different standard apply to this data?
In another central ruling in the case of La Quadrature du Net, the court reaffirmed its view that data retention must be “targeted.” This means providers may be compelled to retain data for national security purposes only if the member state concerned can prove “a serious threat to national security that is shown to be genuine and present or foreseeable.” Even if a member state can meet this standard, the general data retention may take place only for a “period that is limited in time to what is strictly necessary.” Additionally, retention and use of data for the purpose of combatting serious crime is allowed only when targeted at “categories of persons concerned or using a geographical criterion, for a period that is limited in time to what is strictly necessary.”
Essentially, the court ruled that law enforcement authorities are required to know beforehand either which mobile phones will be used by perpetrators of serious crime or in which geographical areas serious crimes will be committed. Most law enforcement officers would likely respond to this demand by observing that if they knew by whom, and where, a serious crime was going to be committed, they would seek to prevent that crime. Of course, law enforcement does not have this knowledge, let alone knowledge of which devices or phone numbers prospective criminals will use when planning or committing crimes. Similarly, national security authorities would note that national security threats are not limited to a particular period of time, which is why these authorities cannot “turn on or off” providers’ obligation to retain data. Espionage, terrorism, disinformation campaigns, manipulation of elections, infrastructure sabotage, and other serious threats to national security are pervasive across Europe and likely to remain so for the foreseeable future.
These CJEU rulings on data retention have unveiled a fundamental tension between the court’s application of data protection law and the operational needs of national law enforcement and intelligence services. At times, the backlash has been substantial. The Danish minister for justice remarked on Jan. 27, 2022, that the CJEU was “political,” “activist,” and “on the side of criminals” when ruling on data retention. During the pleadings of the La Quadrature du Net case, a total of 17 EU member states and the European Commission intervened to argue that “targeted” data retention—as devised by the CJEU—is fundamentally unworkable and leads to crime that could have been prevented and victims that could have been protected, while allowing criminals to evade the law. The court chose to disregard these arguments.
The Way Forward: A New European Approach of “Trust-but-Verify”
As indicated by von der Leyen, many EU member state governments are likely to feel uneasy with the EU and the CJEU playing a substantive role in national security unless there is a greater willingness to accommodate member state concerns.
Barring a change to the EU Treaty—which would be cumbersome and politically difficult—the next best solution is that both the EU institutions and the member states pursue legislation to reconcile the principles of European data protection law with the demands of national security. And as the EU pivots to address the acute threat to Europe’s security from an aggressive Russia, ensuring that a rigid approach to data protection does not undermine Europe’s security is more important than ever. The European Commission’s recent announcement that it will propose to “update … rules on data retention, while safeguarding fundamental rights” is a perfect occasion to show member states that they are not alone in assuming responsibility for effectively protecting the people of Europe from the gravest security threats faced in a generation.
Once such rules are adopted, the CJEU should recognize that the sensitive balancing of national security interests requires that a wide margin of discretion be left to member states, as they alone have a full understanding of the threats confronting Europe. Only then will the EU’s ambitions for a European Defense Union be welcomed by member states.
Luckily, a court of law striking this balance while maintaining meaningful safeguards is not without precedent in a European context. The European Court of Human Rights (ECHR)—a court established under the purview of the Council of Europe—has succeeded in effectively enforcing privacy and data protection rights while recognizing and accommodating member states’ need to have investigative and intelligence-collecting capabilities to protect their citizens. Most notably, the ECHR has held in two cases that the “bulk collection” of telecommunication data when collecting signals intelligence (SIGINT)—which in practice means collecting all internet communication passing through a member state—can take place under the European Convention on Human Rights. However, the court also held that such collection must be subject to “sufficient ‘end-to-end’ safeguards to provide adequate and effective guarantees against arbitrariness and the risk of abuse.” Such safeguards include requiring judicial approval before bulk collection can be initiated, ensuring independent oversight of how collected data is used, and providing meaningful redress mechanisms to individuals by establishing independent redress authorities to hear and adjudicate complaints.
The key difference between the two judicial approaches is that the ECHR fundamentally recognizes that authorities—charged with uncovering the most advanced and well-resourced third-state actors seeking to undermine the security of Europe—cannot know beforehand where and how such threats may present themselves. Unlike the CJEU—which bans or severely limits the very collection and retention of data, and thereby most of its value, for fear of possible misuse—the ECHR allows collection but imposes requirements aimed at addressing the substantial risks tied to the actual use of data.
The ECHR’s approach could be adopted by the CJEU and in EU law, recognizing the scope and character of the security threat facing the EU without compromising the right to data protection and privacy. The rules and the practice of the CJEU, especially, should reflect the fact that ensuring national security and public order requires trusting authorities to collect and use large quantities of personal data—including data about individuals who are suspected of no crime or other illicit activity.
Holding the opposite view—that authorities in Western democracies cannot be entrusted with collecting and using personal data about citizens for the purpose of protecting those same citizens, even when subject to strict rules and oversight—is a risky path. Both intelligence services and law enforcement authorities fundamentally strive to uncover that which is unknown: Who was at the crime scene? Who corresponded with an agent of a hostile foreign power? And just as important: Who was not there and thus is immaterial to the investigation? Who—or what—are hostile foreign powers directing their collection of intelligence toward, and how do we counter that threat? They must be entrusted with wide mandates to collect and use the intelligence necessary to answer these questions, especially as authorities operate under tailored rules and strict oversight far more stringent than that of other government agencies, including rules on documentation, judicial approvals, warrants, and political oversight (even if transparency must sometimes be limited to protect sources and methods, the safety of individuals, and relationships with foreign partners).
Trust must also be placed in oversight bodies and courts of law charged with verifying compliance with these rules. These institutions provide effective redress to any individual reasonably found to have been subjected to unwarranted surveillance. Indeed, accepting that authorities will make mistakes and overstep their mandates, and providing meaningful redress and accountability when it happens, is a hallmark of democracies governed by law.
The security challenges faced by the West are mounting and complex. They demand not just a shift of resources toward the scaling of military production capacity across Europe but also a shift in policy. EU policymakers, legislators, courts, and others who oversee the activities of national security authorities and law enforcement must adopt a new European approach of “trust-but-verify”: trust in authorities to protect Europe and in oversight bodies to verify that authorities act within their mandates.