Published by The Lawfare Institute
in Cooperation With
As a result of last summer’s Schrems II judgment by the Court of Justice of the European Union (CJEU), the United States now finds itself forced to consider changes to its foreign surveillance law and practices in order to reestablish a stable basis for transatlantic transfers of personal data. Taking such steps may be the only way to persuade the EU that U.S. surveillance laws offer “essentially equivalent” protections for data to those prevailing in Europe, as EU data protection law requires.
In the fall of 2020, the court softened that bitter pill when, for the first time, it also imposed limits on EU member states’ intelligence services’ own data collection and retention activities. But now the member state governments have struck back against the Luxembourg-based court, quietly slipping into their version of the EU’s ePrivacy legislative reform proposal a provision that would put these contested national security activities beyond the court’s reach. The U.S. government is already on record as objecting to what it perceives as a laxer data protection standard being applied by European courts to their own national intelligence services. This latest move in Brussels has only accentuated the sense of a disparity in treatment.
This post explores the ongoing struggle within the European Union to delimit the national security exception in its data protection law for the activities of member state intelligence services, and the corresponding impact this Brussels debate could have on the ongoing transatlantic negotiations to restore a secure basis for commercial data transfers from the European Union to the United States.
Changing Data Collection and Retention Rules for European National Security Agencies
In October 2020, the CJEU for the first time tackled the question of whether, and to what extent, EU fundamental rights relating to data protection should limit European intelligence services’ data collection and retention programs. Nine member states, including the United Kingdom (an EU member at the time of argument) and France, intervened in the two linked cases, brought by nongovernmental organizations, most notably Privacy International and La Quadrature du Net (LQDN).
In general, the EU exercises competences—such as data protection—granted by its member states, but only to the extent that member states have effectively transferred these powers to the EU. These member states contended that the cases fell under the general national security exception of Article 4(2) of the Treaty on European Union, according to which “national security remains the sole responsibility of each Member State.” They also invoked Article 1(3) of the 2002 Directive on privacy and electronic communications (ePrivacy directive), the governing EU legislation in the proceedings. The latter provides that “this Directive shall not apply to … activities concerning public security, defence, State security (including the economic well-being of the State when the activities relate to State security matters) and the activities of the State in areas of criminal law.”
In its Oct. 6 Privacy International and LQDN judgments, the CJEU rejected this jurisdictional argument. It drew a distinction between the situation where an intelligence agency processes data itself for national security purposes and where it imposes obligations on electronic communication services to collect, retain and transfer data on the state’s behalf in the name of national security. In the first case, the national security exemption entirely shields intelligence agencies from the reach of EU data protection law, but in the latter case, the same EU law limitations that the court invoked in relation to the United States in Schrems II should apply. In Schrems II, the CJEU had insisted that surveillance programs be “proportionate”—in other words, limited to what is “strictly necessary”—which in turn led to the imposition of a series of specific requirements.
The court added in Privacy International and LQDN that, where an EU government relies on electronic communication services providers for national security collection and retention, it should be afforded greater latitude than when doing so for law enforcement purposes. Law enforcement activities had been considered in a previous line of cases (the 2014 Digital Rights Ireland and 2016 Tele2 Sverige judgments), which had precluded, as a matter of principle, “general and indiscriminate” retention of communications data within the context of criminal investigations. In the national security setting, by contrast, the CJEU expressly conceded that intelligence services could order general and indiscriminate retention of communications data, albeit under conditions including that it be time limited, justified by the existence of a serious threat, “strictly necessary” and “not systematic in nature.”
Despite the CJEU’s evident effort to compromise on applying EU data protection limits to member state national security bulk collection and retention laws, the Oct. 6 judgments appear only to have angered many member states further. France, which had led efforts among member states to preserve data retention for law enforcement purposes after the 2016 Tele2 Sverige judgment, redoubled its objections after the Privacy International and LQDN rulings, seeing a threat to the very core of sovereign functions.
France and its allies finally found an opportunity to undo these unwelcome rulings through the vehicle of ongoing efforts to replace the ePrivacy directive. In January 2017, the European Commission had proposed a successor ePrivacy regulation, seeking to ensure stronger privacy in electronic communications and to adapt the existing ePrivacy rules to the newer ones of the General Data Protection Regulation (GDPR). Although the ePrivacy reform measure advanced quickly in the European Parliament, it was met with resistance from industry and stalled in discussions among EU member states. Finally, in February 2021, after more than four years of internal deadlock, the Council of the European Union adopted its own version of the proposed regulation, paving the way for final three-way (or “trilogue”) compromise negotiations with the commission and parliament to begin soon.
A key step in unblocking the regulation in the council was majority acceptance of a French proposal that seeks to bypass the CJEU case law on data collection and retention conducted under the umbrella of a broad national security exception. In a note to other member states circulated in January 2021, France had made clear that it wouldn’t vote in favor of the ePrivacy regulation unless the council accepted its “red line” related to deference on national security activities. The final text adopted by the council includes Article 2(2a) adopting the French view:
This Regulation does not apply to: activities, which fall outside the scope of Union law, and in any event measures, processing activities and operations concerning national security and defence, regardless of who is carrying out those activities whether it is a public authority or a private operator acting at the request of a public authority. (Emphasis added.)
If the council’s version of the national security exception survives the negotiations with other EU institutions, it would effectively undo the Privacy International and LQDN judgments. Consequently, if a similar case arose in the future, the CJEU would be obliged to conclude that all data collection and retention activities by intelligence agencies for national security purposes—whether done directly or utilizing electronic communications service providers—fell outside the scope of the ePrivacy regulation and, in all likelihood, of EU law as a whole.
One Set of Rules for Europe, Another for the United States?
The Council of the European Union’s quick strike to block member state national security data collection and retention activities from judicial scrutiny under EU law starkly contrasts with the plight of the United States National Security Agency (NSA). Twice in the past six years, the NSA has seen the CJEU harshly judge the agency’s similar surveillance activities. This development may well exacerbate the perception in Washington of a double standard—one set of judicial surveillance rules for Europe and another for the United States.
However, U.S. national security lawyers may not fully appreciate that European law in this area has been developed not only by the European Union but also through the European Convention on Human Rights (ECHR). The ECHR, a treaty concluded within the framework of the separate Council of Europe, binds all EU member states as well as many other European states, and imposes important limitations on the national security activities of their intelligence agencies. The European Court of Human Rights (ECtHR) interprets this convention, and it has issued many surveillance-related judgments.
Even if EU member states are successful in importing a broad national security exception into the ePrivacy regulation, their intelligence agencies’ activities would still remain bound by the law of the ECHR. In his opinion in Schrems II, the advocate general, a CJEU official whose preliminary analysis often guides the court’s final judgments, went to great lengths to stress that even when EU law does not apply to a member state, an adequacy assessment of a third state’s surveillance laws and practices should be based on the ECHR standards otherwise binding upon EU member states.
Nevertheless, the CJEU’s surveillance jurisprudence is much more restrictive and demanding of governments than the ECtHR’s. Indeed, during the Schrems II proceedings, the U.S. government encouraged the CJEU to apply the more generous standards of ECtHR case law, but the CJEU resolutely refused to do so, or even to mention the ECtHR. The European Data Protection Board has pointed to the relevance of ECtHR case law in its Nov. 10, 2020, Recommendations on the European Essential Guarantees for surveillance measures, but it places much greater weight on CJEU cases as providing a “higher level of protection” than ECtHR law.
It is revealing that EU member states such as France—which are intent on entirely excluding the national security activities of their intelligence agencies from the scope of EU law—are less concerned by the fact that these activities will remain subject to ECHR law. This reflects the fact that ECtHR surveillance jurisprudence is far from comprehensive. For example, there is not a single ECtHR judgment concerning international surveillance such as interceptions taking place outside the territory of a member state. And when a surveillance law is challenged, it often takes several years for the ECtHR to issue a judgment, allowing the intelligence agency in question to function without obstacle during this period. For instance, challenges to the French Intelligence Act of 24 July 2015 are still pending before the ECtHR six years later. Finally, when the ECtHR does publish its judgments in such cases, it often allows governments, particularly democratic ones, a “margin of appreciation” (a measure of discretion) in implementation in the national security area that is much broader than the one recognized by the CJEU.
It remains to be seen whether EU member states will succeed in broadening the national security exception in the ePrivacy regulation. The consequence would be to undo the effect of the Privacy International and LQDN judgments and exclude all data retention activities of member states’ intelligence services from the scope of EU legislation on the privacy of communications. The European Parliament seems particularly unhappy with this development, however. Its lead member on the legislation, Birgit Sippel, has been quoted as saying that she “rejects” these council amendments.
The Council of the European Union’s action in the ePrivacy saga has revealed that many EU member states were so deeply uncomfortable with the evolution of CJEU jurisprudence on surveillance that they decided to do something radical about it. They acted to interpose a broad national security exception in the ePrivacy regulation because they saw it as the only way to preserve freedom of action in the areas of data collection and retention for their intelligence agencies.
France has also recently taken an additional unilateral action to escape the data retention case law of the CJEU: It asked the country’s highest administrative court—the Council of State—to ignore the CJEU ruling in the LQDN case. French government lawyers contend that the CJEU acted outside its scope (ultra vires) by usurping for the EU an important “sovereign” competence—national security and protection of public order—that member states had never transferred to it. In effect, the French government’s concern about the CJEU’s intrusion into its intelligence and law enforcement activities is so great that it has asked its highest court to choose between an EU member state’s duty to respect, as a matter of principle, the jurisprudence of the CJEU and its own interpretation of its core constitutional prerogatives.
The United States, by contrast, can make no comparable Houdini-like escape from the Schrems II judgment. EU law provides no national security exemption that may be invoked on behalf of third-state intelligence services. The United States, as well as other third countries, will remain under the close scrutiny of the CJEU in Schrems-like cases addressing their “adequacy” and “essential equivalence.” Similarly, while national data protection authorities in Europe have no basis in EU law to sanction a company responding to an EU member state request for data on national security grounds, they will be able to heavily fine companies transferring data to the United States, on the basis that U.S. national security laws do not meet the Schrems II and the European Data Protection Board’s restrictive surveillance standards.
There can be little doubt that the NSA’s counterparts in European capitals sympathize with its uncomfortable position. After all, these European agencies richly benefit from U.S. intelligence in combating terrorism and other national security threats, and would be loath to lose such a valuable source. One also can presume that Washington is encouraging EU member state governments to bring the same level of appreciation of surveillance interests to the international negotiations for a successor to the Privacy Shield that they brought to their own Brussels deliberations on the ePrivacy regulation.
In both contexts, governments are weighing traditional national security surveillance prerogatives against an increasing and insistent “judicialization” of the fundamental right to data protection in all settings. The situation is in flux both within the European Union and in transatlantic relations. If there is an eventual balance that excludes from the scrutiny of the CJEU the data retention laws and practices of European national security services, but not those of their U.S. counterpart, it might well be unstable. Whether and how U.S. and European diplomats can deliver their governments from this unsustainable situation remains to be seen.