UNIVERSITYOFAMSTERDAM FACULTYOFLAW
INTERNATIONALANDEUROPEANLAW:EUROPEANUNIONLAW 2019 – 2020
“Big Brother”:
Blanket Surveillance and the threats it poses to Fundamental Freedoms in the
European Union
Supervisor: Dr. Thomas Vandamme Name: Maria Kythreotou
Mastertrack: International and European Law: Student number: 12621471
European Union Law Email: mariakythr@hotmail.com
ABSTRACT
One of the main obligations of each Member State of the European Union is to safeguard individuals’ fundamental rights in accordance with the Charter of Fundamental Rights of the European Union. Following European Secondary Legislation, each Member State has implemented laws governing the collection and retention of individuals’ personal data, with the purpose of detecting and preventing serious crime. There is a growing concern that the practices used by Member States in this context are threatening European Union citizens’ fundamental rights, specifically the rights to privacy and protection of data under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.
This study presents how the use of Blanket Surveillance for the purpose of collecting, retaining and processing digitalised personal data is incompatible with European Union law. Directions that the Court of Justice of the European Union has given through relevant case law are analysed in an effort to indicate inconsistencies within Union law and Member State law, and how this consequently constitutes a threat to individuals’ fundamental rights across the Union. The aim is to answer the question of whether the method of Blanket Surveillance should be subjected to further limitations and restrictions than those already in place under Secondary European Union law.
TABLE OF CONTENTS:
INTRODUCTION………1
METHODOLOGY………..………..…...4
1. CHAPTER 1: SURVEILLANCE MECHANISMS……….5
1.1 Relevant Legal Framework………..5
1.2 Targeted Surveillance………...7
1.3 Untargeted – Blanket Surveillance………...8
1.4 The position of the Court of Justice of the European Union………..10
2. CHAPTER II: EU LEGISLATION AND CJEU CASE LAW EVALUATION…...14
2.1 Digital Rights Ireland and the Data Retention Directive………...14
2.2 Tele2 Sverige and the incompatibility of Blanket Surveillance mechanisms with EU law……….20
2.3 Opinion 1/15, Schrems II and their impact on protecting fundamental rights related to personal data………...23
3. CHAPTER III: MEMBER STATE LEGISLATION AND ITS INCONSISTENCIES WITH UNION LAW AND CASE LAW……….27
3.1 Standard requirements set by case law………...27
3.2 The United Kingdom………..28
3.3 The Netherlands……….29
3.4 Sweden………...31
CONCLUSION………...33
1
INTRODUCTION:
In the ever-growing world of technology, the need for effective protection of fundamental rights from the inevitable growth of dangers and threats posed by technological advancements should undoubtedly be one of the main concerns and priorities of the European Union’s (EU) Member States’ (MS) democratic governments. In an effort to combat these threats and dangers posed to European citizens, the intelligence agencies of each MS are obliged by secondary EU legislation to carry out a number of various surveillance mechanisms and operations – such as collecting digital personal data – that ultimately aim in preventing violations of fundamental and human rights.
The eye-opening revelations of former USA National Security Agency employee Edward Snowden brought to light the fact that the USA Government legally had access to citizens’ phone records following a secret court order, as well as immediate “back door”1 access to personal data held by companies such Facebook and Google via a secret intelligence service programme, PRISM,2 with which many EU MS institutions are associated with. These revelations highlighted that when enforcing such ‘blanket’ mechanisms, intelligence agencies pose what can be described as an even greater or equal threat to fundamental rights, specifically the right to privacy. Cybersecurity expert Mikko Hypponen described PRISM as a programme that is not about surveillance on people that governments “have reason to suspect of some wrongdoings”,3 but instead about “surveillance on people they know are innocent”.4
The way intelligence agencies carry out surveillance operations in regards to the way personal digital data is treated once collected, arguably constitutes a form of Blanket Surveillance; it consists of “intercepting communications and metadata”5 as well as “hacking and database mining”.6 It is confirmed that the Federal Bureau of Investigation (FBI) “has a dedicated
1 Mirren Gidda, ‘Edward Snowden and the NSA files – timeline’ (The Guardian, 21 August 2013)
<https://www.theguardian.com/world/2013/jun/23/edward-snowden-nsa-files-timeline> accessed 14 June 2020.
2 Ibid.
3 Mikko Hypponen, ‘How the NSA betrayed the world's trust — time to act’ (October 2013)
<https://www.ted.com/talks/mikko_hypponen_how_the_nsa_betrayed_the_world_s_trust_time_to_act> Accessed 27 June 2020.
4 Ibid.
5 European Union Agency for Fundamental Rights, ‘Surveillance by intelligence services: fundamental rights
safeguards and remedies in the EU Volume II: field perspectives and legal update’ (2017) p. 9
<https://fra.europa.eu/sites/default/files/fra_uploads/fra-2017-surveillance-intelligence-services-vol-2_en.pdf> Accessed 15 June 2020.
2
team that does nothing but hack into the computers of surveillance targets”.7 It is further
confirmed that the FBI can “remotely activate webcams, microphones, steal documents, get web browsing information”.8 Having the aforementioned practice in mind, along with the fact
that intelligence agencies of some MS similarly carry out “mass surveillance”9 activities, it is impossible for individuals to be aware of when they are being monitored; Blanket Surveillance is thus undoubtedly interfering with their rights to privacy and protection of data.
EU legislation has altered dramatically on the matter of surveillance as is analysed later on in this study, following the judgement delivered by the European Court of Justice (CJEU) in
Digital Rights Ireland,10 (DRI) which invalidated the Data Retention Directive11 (DRD); The CJEU highlighted the fact that the invalidated DRD entailed “a wide-ranging and particularly serious interference with the fundamental rights to the respect for private life and to the protection of personal data”12 which was not “limited to what is strictly necessary”13 in a
democratic society, and therefore constituted a violation.
The purpose of this research is of extreme importance, as it is evident that it is a pressing issue before the CJEU, as there are multiple pending cases before it on the matter of Blanket Surveillance. There is a request for a preliminary ruling by the Investigatory Powers Tribunal of the UK regarding the Privacy International,14 on the matter of whether collecting and using
bulk communications via “operators of public electronic communications networks for the purpose of protecting national security”15 such as countering terrorism can be deemed
compatible with EU law. Another pending request for preliminary ruling comes from France
7 Christopher Soghoian, ‘Government surveillance — this is just the beginning’ (August 2013)
<https://www.ted.com/talks/christopher_an_government_surveillance_this_is_just_the_beginning> Accessed 27 June 2020.
8 Ibid.
9 FRA (n5)p.17.
10 Joined Cases C‑293/12 and C-594/12, Digital Rights Ireland v Minister for Communications and others
[2014] ECLI:EU:C:2014:238.
11 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of
data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC OJ L 105, 13.4.2006, p.54– 63.
12 Court of Justice of the European Union, ‘PRESS RELEASE 54/14’ (2014)
<https://curia.europa.eu/jcms/upload/docs/application/pdf/2014-04/cp140054en.pdf> Accessed 15 June 2020.
13 Ibid.
14 Case C-623/17, Privacy International v Secretary of State for Foreign and Commonwealth Affairs, Secretary
of State for the Home Department, Government Communications Headquarters, Security Service, Secret Intelligence Service [2020] ECLI:EU:C:2020:5.
15 Thomas Wahl, ‘AG: Data Retention Should Be Strictly Limited’ (2020) EUCRIM
3
regarding the joined cases of La Quadrature du Net,16 on the matter of whether a new French
law on surveillance is compatible with EU law, specifically the collection and retention of “location and traffic data in order to facilitate identification of any person who is civilly and criminally liable”.17 Furthermore, there is another similar request for a preliminary ruling
coming from Belgium, regarding Ordre des barreaux francophones,18 on whether Belgian legislation on retention of data is compatible with EU law.19
Article 2 of the Treaty on European Union (TEU) emphasises the fact that the European Union is established upon respecting values such as human dignity, freedom, equality and human rights. These values are undeniably part of what constitutes fundamental rights; described as universal, non-disposable and distinguishable from patrimonial rights,20 they “constitute the content of substantial democracy”.21 Core fundamental rights such as the right to private and
family life, protection of personal data, freedom of expression, non-discrimination, fair trial and the presumption of innocence, all enshrined within the Charter of Fundamental Rights of the European Union (CFR), are directly affected, perhaps from the greatest threat posed by intelligence agencies operations, that is Blanket Surveillance.
This study presents how the collection and retention of digital personal data through the practice of Blanket Surveillance is occurring in a way that is invasive in relation to EU legislation, mainly Articles 7, 8 CFR, and parallelly Articles 6 and 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR). This will be done in order to answer the question of whether the aforementioned method of Blanket Surveillance should be subjected to further limitations than those already in place following recent case law of the CJEU.
16 Joined Cases C-511/18 and C-512/18 La Quadrature du Net, French Data Network, Fédération des
fournisseurs d’accès à Internet associatifs, Igwan.net v Premier ministre, Garde des Sceaux, Ministre de la Justice, Ministre de l’Intérieur, Ministre des Armées [2020] ECLI:EU:C:2020:6.
17 Thomas Wahl (n15).
18 Case C-520/18 Ordre des barreaux francophones et germanophone, Académie Fiscale ASBL, UA, Liga voor
Mensenrechten ASBL, Ligue des Droits de l’Homme ASBL, VZ, WY, XX v Conseil des ministers[2018].
19 Thomas Wahl (n15).
20 Luigi Ferrajoli, ‘FUNDAMENTAL RIGHTS’ [2001], International Journal for the Semiotics of Law, Volume
14, Issue 1, p.1-33, ISSN: 0952-8059.
4
METHODOLOGY:
This study delves into the analysis and explanation of the terms of targeted and untargeted surveillance which are crucial to differentiate, before proceeding to evaluate relevant landmark and significant case judgements delivered by the CJEU and the European Court of Human Rights (ECtHR) on the matter. These judgements will be analysed in an effort to present the position of the Union, as well as how these core institutions indicate that EU citizens’ rights are being violated. A constitutional analysis of various MS’ legislation will additionally be explored in order to present systemic inconsistencies in relation to protecting the aforementioned fundamental rights, such as that of the Netherlands, Sweden, Germany and the UK. In light of the UK exiting the EU, it is important to underline the importance and relevance of examining UK legislation regarding the topic of surveillance; analysis on UK legislation will be limited to the judgement delivered by the ECtHR, as it relates directly to the UK Investigatory Powers Act, that is majorly similar to legislation of other MS and therefore directly relevant to this topic. Through this constitutional review and case law evaluation, a normative analysis will be conducted, examining the two main positions held regarding Blanket Surveillance, that is either fully approving its existence and deeming it necessary in a democratic society, or believing it should be subjected to stricter limitations, before concluding to the writer’s viewpoint and criticism. The sources and statements included in this study were released up to and prior to the 24th of July 2020.
5
CHAPTER I: Surveillance Mechanisms
Surveillance is an operation that can be described in various manners; Roger Clarke describes surveillance as “the systematic investigation or monitoring of the actions or communications of one or more persons”.22 Surveillance enables governments to “address a fragmented reality and create a new and governable collectivity”,23 constituting a form of governmentality.
Victoria Wang and John V. Tucker describe surveillance as “an integral part of everyday life”24 and an act that monitors “our physical environment, in order to improve the safety and security of people and property”.25 This refers to the “visible”26 type of surveillance, such as cameras
installed in public streets of each country, and is to be differentiated from digital ‘invisible’ surveillance.
1.1: Relevant Legal Framework:
Before proceeding in analysing the two main types of surveillance mechanisms, it is essential to establish the relevant legal framework under which this study is conducted. It is important to underline the fact that CFR is horizontally directly effective following the CJEU’s judgement in Bauer,27 and can therefore be invoked between private parties; this means that individuals whose rights were violated as a result of surveillance can invoke CFR before courts to condemn the actions of intelligence agencies. The CFR is therefore relevant when discussing Blanket Surveillance and the impact it can have on individuals of the MS. As summarised by Eleni Frantziou, the legal status of CFR following Bauer deems it as being “horizontally applicable in principle”,28 as well as the fact that its provisions are now “applicable in all situations
governed by EU law”,29 and thus MS laws must “be interpreted in conformity with those
rights”30 enshrined in CFR.
22 Roger Clarke, ‘Introduction to Dataveillance and Information Privacy, and Definitions of Terms’, (2016)
<http://www.rogerclarke.com/DV/Intro.html> Accessed 15 June 2020.
23 Arne Hintz, Lina Denick, Karin Wahl-Jorgensen, ‘Digital Citizenship and Surveillance Society’ (2017)
International Journal of Communication Vol. 11, 731–739
<https://ijoc.org/index.php/ijoc/article/view/5521/1929> Accessed 15 June 2020.
24 Wang, John V. Tucker, ‘Surveillance and identity: conceptual framework and formal models’ (2017) Journal
of Cybersecurity, Volume 3, Issue 3, 145-158
<https://academic.oup.com/cybersecurity/article/3/3/145/4748787> Accessed 15 June 2020.
25 Ibid. 26 Ibid.
27 Case C-569/16 Stadt Wuppertal v Maria Elizabeth Bauer [2018] ECLI:EU:C:2018:871.
28 Eleni Frantziou, ‘Joined cases C-569/16 and C-570/16 Bauer et al: (Most of) the Charter of Fundamental
Rights is Horizontally Applicable’ (European Law Blog, 19 November 2018)
<https://europeanlawblog.eu/2018/11/19/joined-cases-c-569-16-and-c-570-16-bauer-et-al-most-of-the-charter-of-fundamental-rights-is-horizontally-applicable/> accessed 5 July 2020.
29 Ibid. 30 Ibid.
6
This study additionally derives arguments from judgements of both the CJEU and the ECtHR. It is therefore important to explain the relationship between these two courts and how they correspond to one another. Alexandros-Ioannis Kargopoulos suggests that the relationship between the CJEU and the ECtHR is based on a “presumption of equivalent human rights protection and of an abstract legal commitment on the part of the CJEU to follow the jurisprudence of the ECtHR”.31 Furthermore, Article 52(3) CFR on its scope and interpretation
states that where rights within it correspond to rights protected by the ECHR, “the meaning and scope of those rights shall be the same as those laid down by the said Convention”.32 This conformity33 clause is an important finding as this study refers to relevant articles of the ECHR as well as judgements delivered by the ECtHR; it indicates that the CJEU is obliged “to abide by the ECHR standards and to follow the jurisprudence of the ECtHR in the interpretation of any corresponding Charter rights”.34
Before delving into an extensive analysis of the relevant case law that the CJEU and ECtHR have delivered on the matter and examining their impact on an EU level, it is important to identify the two main existing surveillance mechanisms as well as different types of digital data before presenting the impact their retention has on the right to privacy, drawing from general remarks of the two courts in various cases.
It is crucial to define and understand the main two mechanisms of surveillance intelligence agencies use, Targeted and Untargeted Surveillance, as the distinction between each mechanism’s purpose and scale of ‘invasion’ is what “differentiates democratic regimes from police states”.35 The ECtHR set guidelines in regards to what constitutes an acceptable
31 Alexandros-Ioannis Kargopoulos, ‘The presumption of equivalent protection rebutted: the right to a fair trial
in criminal proceedings in the ECHR and EU law’ in Kanstantsin Dzehtsiarou and others (eds.), Human rights law in Europe: the influence, overlaps and contradictions of the EU and the ECHR, Routledge research in human rights law, 2014, 104.
32 Charter of Fundamental Rights of the European Union [2012] OJ C 326, Article 52(3).
33 Alexandros-Ioannis Kargopoulos, ‘ECHR and the CJEU: Competing, overlapping, or Supplementary
Competences?’ (2015) EUCRIM Issue 3/2015 pp.96-100, <https://eucrim.eu/articles/echr-and-cjeu/#docx-to-html-fnref2> accessed 5 June 2020.
34 Ibid.
35 D. Bigo et al. “Mass Surveillance of Personal Data by EU Member States and its Compatibility with EU Law”
(2013) CEPS Papers in Liberty and Security in Europe, p. 6 <https://dare.uva.nl/search?identifier=4dac2c37-ca46-4e5a-9e72-4f52492638f8> Accessed 18 June 2020.
7
surveillance mechanism through cases such as Klass,36 Weber,37 Kennedy38 and Zakharov,39 as
well as in Article 8 of the European Convention on Human Rights which incorporates the general ‘test’ of acceptable interference, derived from case law; public authorities should not interfere with the right to privacy and family life, except if said interference “is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”.40
1.2: Targeted Surveillance:
The Dutch Review Committee on the Intelligence and Security Services defined Targeted Surveillance as an “interception where the person, organisation or technical characteristic at whom/which the data collection is targeted can be specified in advance”.41 Targeted Surveillance can be deemed as a mechanism that is necessary to a democratic society, fulfilling the criteria enshrined within Article 8(2) ECHR, to which Article 7 CFR corresponds, as well as the general interest criterion under Article 52(1) CFR;42 this is because it “presupposes the existence of prior suspicion of a targeted individual or organisation”.43
In a study conducted by the European Union Agency for Fundamental Rights (FRA), a prior suspicion is described as “concrete targets upon suspicion that an act falling within the remit of the intelligence services’ tasks could be committed before a surveillance measure can be initiated”.44 This alludes to acts that are threatening towards national and international security, to which drastic preventative measures can be deemed to be in accordance with the law, and
36 Klass and Others v Germany App No 5029/71 (ECHR, 6 September 1978) para.46.
37 Gabriele Weber and Cesar Richard Saravia v Germany App No 54934/00 (ECHR, 29 June 2006) para.117. 38 Kennedy v The United Kingdom App No 26839/05 (ECHR, 18 May 2010) para.148.
39 Roman Zakharov v Russia App no 47143/06 (ECHR, 4 December 2015) para.232. 40 ECHR (n32) Article 8(2).
41 The Dutch Review Committee on the Intelligence and Security Services, ‘ANNUAL REPORT 2013 - 2014
OF THE REVIEW COMMITTEE FOR THE INTELLIGENCE AND SECURITY SERVICES’ (2014) p. 45 <https://english.ctivd.nl/documents/annual-reports/2013/03/31/index> Accessed 18 June 2020.
42 European Union Agency for Fundamental Rights, ‘EU Charter of Fundamental Rights - Article 7 - Respect
for private and family life’ (2020) <https://fra.europa.eu/en/eu-charter/article/7-respect-private-and-family-life> Accessed 18 June 2020.
43 European Union Agency for Fundamental Rights, ‘Surveillance by intelligence services: fundamental rights
safeguards and remedies in the EU Volume I: Member States’ legal frameworks’ (2015) p.17
<https://fra.europa.eu/sites/default/files/fra_uploads/fra-2015-surveillance-intelligence-services-voi-1_en.pdf> Accessed 18 June 2020.
8
necessary in a democratic society as mentioned in Article 8(2) ECHR, and as decided in
Zakharov.
Targeted Surveillance therefore exists when authorities reasonably suspect an individual “has been involved in the commission of criminal offences”.45 As indicated by the ECtHR in paragraph 89 of Szabó and Vissy,46 MS legislation on targeted surveillance has to provide “safeguards sufficiently precise, effective and comprehensive”,47 as will be derived later on
through the analysis of Zakharov and Weber. It is therefore evident that even when conducting an operation using a surveillance mechanism that is deemed necessary in a democratic society, MS ought to set out and follow strict guidelines that would ensure the protection of the suspects’ data.
1.3: Untargeted – Blanket Surveillance:
Contrarily, in the same paper by the Dutch Review Committee, Untargeted Surveillance was defined as an “interception where the person, organisation or technical characteristic at whom/which the data collection is targeted cannot be specified in advance”48. Mass Surveillance and therefore Blanket Surveillance also fall under this definition, as they are both indiscriminate in nature, affecting the privacy of every individual. The perfect way to describe what constitutes Blanket Surveillance is through the theory of the Panopticon, as introduced by British philosopher Jeremy Bentham and later developed by Michel Foucault; Described as a system of “internalised coercion”,49 the theory describes a circularly built prison with cells on
top of each other, and a single control tower located in the centre, in which guards can observe the prisoners at any time without them being aware of it. This constant form of surveillance, according to Foucault, revolves around the concept of power and knowledge in social control, and its result is “acceptance of regulations and docility”.50 As Foucault believed, desired behaviour – in this case prevention of serious crime – is not achieved “through total
45 Mr. Justice John L. Murray, ‘Review of the Law on the Retention of and Access to Communications Data’
(2017) p.13
<http://www.justice.ie/en/JELR/Review_of_the_Law_on_Retention_of_and_Access_to_Communications_Data .pdf/Files/Review_of_the_Law_on_Retention_of_and_Access_to_Communications_Data.pdf> Accessed 28 June 2020.
46 Szabó and Vissy v. Hungary App no 37138/14 (ECHR, 12 January 2016). 47 ibid, para.89.
48 Dutch Review Committee (n41) p.46.
49 Moya K. Mason, ‘Foucault and His Panopticon’ (2020)
<http://www.moyak.com/papers/michel-foucault-power.html> Accessed 20 July 2020.
9
surveillance, but by panoptic discipline and inducing a population to conform by the internalisation of this reality”.51 Today, the theory of the Panopticon has turned into reality in
digital form. Each individual from MS is “surrounded by many guards”.52
It is evident how the latter can be problematic; intelligence agencies now engage in mass operations of Blanket Surveillance without having specific targets to investigate, therefore subjecting every individual under the same ‘fate’ as that of a person reasonably and objectively suspected of having committed a criminal offence. The action of mass surveillance is operated under the intelligence agencies’ Bulk Powers; the power of indiscriminately collecting and having access to vast amounts of data and metadata through interception of communications and interference with equipment which allows intelligence agencies to “investigate the communications of individuals already known to pose a threat, or to generate new intelligence leads”53 regardless of whether that is “associated with current targets”.54
Arguably, as seen through Tele2,55 one of the most personal and private forms of digitalised data is metadata; information consisting of traffic, location and subscriber data.56 Most would think that a surveillance operation would constitute something along the lines of ‘eavesdropping’ a telephone conversation as it is occurring, or an exchange of messages online. However, despite the condemning indications of the CJEU through recent case law, various MS’ legislation such as the Irish Communications (Retention of Data) Act of 2011,57 obliges
communications service providers to collect and retain the metadata of their clients in lack of their knowledge, which includes data “relating to everyone’s telephone calls, text messages, e-mails and communications of the internet”.58 In Tele2, the CJEU described this act as causing
individuals affected to “feel that their private lives are the subject of constant surveillance”.59
This is a prime example of Blanket Surveillance. A sufficient collection of metadata of a
51 Ibid.
52 C. Dianne Martin, ‘The Internet as a Reverse Panopticon’ (2013) ACM Inroads 2013 March, Vol. 4, No.1
<https://doi.org/10.1145/2432596.2432599> Accessed 18 July 2020.
53 FRA (n43).
54 David Anderson Q.C. ‘REPORT OF THE BULK POWERS REVIEW’ (August 2016) p.3
<https://terrorismlegislationreviewer.independent.gov.uk/wp-content/uploads/2016/08/Bulk-Powers-Review-final-report.pdf> Accessed 21 June 2020.
55 Joined Cases C‑203/15 and C‑698/15, Tele2 Sverige AB and Watson [2016] ECLI:EU:C:2016:970.
56 Judith Rauhofer, ‘Privacy and surveillance: legal and socioeconomic aspects of state intrusion into electronic
communications’, p.545-575 in Lilian Edwards and Charlotte Waelde, Law and the Internet (2009), Oxford : Portland, Or.: Hart. 2009.
57 Communications (Retention of Data) Act 2011. 58 Justice John (n45).
10
specific individual can give off a full image in regards to their morals and their life overall.60
This “allows the identification of behavioural patterns for the purpose of profiling individuals”.61 It is a mechanism that undoubtedly breaches the right to privacy under Article
7 and 8 CFR, and Article 8 ECHR.
In his opinion delivered regarding Tele2, Advocate General Saugmandsgaard Øe suggested that the risks arising through Governments accessing metadata through the means of untargeted surveillance – therefore Blanket Surveillance – may be “even greater than those arising from access to the content of communications”.62 He further highlighted that metadata facilitates
“the almost instantaneous cataloguing of entire populations”,63 and indicated how that differs
from collecting pure communications content.64 Additionally, he underlined how the difference between targeted and untargeted, indiscriminate surveillance is that the latter facilitates “mass interference, that is to say interference affecting a substantial portion, or even all of the relevant population”.65
1.4: The position of the Court of Justice of the European Union:
In Schrems,66 the CJEU clearly stated that the limitless and objectiveless bulk collection and
storage of personal data – therefore Untargeted, Blanket Surveillance – goes beyond what is necessary in a democratic society:67
“Legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data (…) without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which
60 Judith Rauhofer (n56), p.576. 61 Ibid.
62 Joined Cases C‑203/15 and C‑698/15, Tele2 Sverige AB and Watson [2016] ECLI:EU:C:2016:970, opinion of
AG Saugmandsgaard Øe, para.259.
63 Ibid. 64 Ibid.
65 Ibid, para.256.
66 Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015] ECLI:EU:C:2015:650. 67 Gert Vermeulen & Eva Lievens (Eds), ‘Data Protection and Privacy under Pressure: Transatlantic tensions,
EU surveillance and big data’ (2017) <https://edps.europa.eu/sites/edp/files/publication/17-12-18_wiewiorowski_data_protection_and_privacy_under_pressure_en.pdf> Accessed 21 June 2020.
11
are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail”.68
The difference between targeted and untargeted surveillance and how it can impact human rights was further highlighted in a report by the European Commission For Democracy Through Law, emphasising the importance of the distinction;
“Strategic surveillance thus differs in a number of ways from surveillance in law enforcement or more traditional internal security operations. It does not necessarily start with a suspicion against a particular person or persons. It can instead be proactive: finding a danger rather than investigating a known danger. Herein lay both the value it can have for security operations, and the risk it can pose for individual rights. Prosecution is not the main purpose of gathering intelligence. The intelligence is, however, stored and used in a number of ways which can affect human rights.”69
Another threat to individuals’ data is the existence of Data Brokers; entities that collect users’ personal data with the purpose of selling it to other institutions or entities, including the government.70 The aforementioned undoubtedly interferes with Articles 7, 8, 21, and 47 CFR,
as well as Article 48 which corresponds to Article 6(2) and (3) of the ECHR, and upholds the presumption of innocence; mass surveillance ‘jeopardises’ the notion of the presumption of innocence by treating innocent individuals in the same manner as suspects of serious crimes, regardless of the fact that data collection is general and indiscriminate. The right to protection of personal data is further protected under Article 16 of the Treaty on the Functioning of the European Union (TFEU) and Article 39 TEU. In Tele2, the CJEU condemned the general and indiscriminate retention of data from electronic communications.71 This judgement is of extreme importance and will be analysed in the chapter to follow.
68 Schrems (n66) par.93.
69 European Commission For Democracy Through Law (Venice Commission), ‘REPORT ON THE
DEMOCRATIC OVERSIGHT OF SIGNALS INTELLIGENCE AGENCIES’ (2015) p.10
<https://www.venice.coe.int/webforms/documents/default.aspx?pdffile=CDL-AD(2015)011-e> Accessed 21 June 2020.
70 Robert Sicilliano, ‘Data Brokers: What Are They; How to Get Control of Your Name’, (2014)
<http://www.huffingtonpost.com/robert-siciliano/data-brokers-what-are-the_b_5185127.html> Accessed 21 June 2020.
12
In Zakharov72 and Kennedy,73 the ECtHR had made it clear that “the mere existence of a law
permitting surveillance in itself constitutes interference”74 with rights conferred to individuals
by the ECHR, specifically Article 8. The CJEU followed and agreed with this analysis, as indicated previously by the statement in Schrems, as well as in the landmark judgements of
DRI75 and Tele276 which will all be analysed in the chapter to follow. This finding was further acknowledged and upheld by the CJEU in the opinion delivered regarding the PNR agreement between the EU and Canada,77 despite claims by the UK and Irish governments that interference would only be present when collected data was analysed by intelligence agencies.78
In Zakharov, the ECtHR further established minimum legal quality requirements for each MS to follow when adapting measures in relation to surveillance; relevant legislation has to be clear and offer an “adequate indication as to the circumstances (…) and the conditions on which public authorities are empowered to resort to any such measures”,79 as well as be in line with the rule of law.80 Legislation should further outline:
“(…) the nature of offences which may give rise to an interception order; a definition of the categories of people liable to have their telephones tapped; a limit on the duration of telephone tapping; the procedure to be followed for examining, using and storing the data obtained; the precautions to be taken when communicating the data to other parties; and the circumstances in which recordings may or must be erased or destroyed”.81
The ECtHR additionally highlighted the fact that “foreseeability”82 cannot be identical to that of other fields when it comes to the context of surveillance, and underlined the “risks of
72 Zakharov (n39) para.229-231. 73 Kennedy (n38) paras.118-129. 74 FRA (n5) p.33,35. 75 DRI (n10) para.34,37. 76 Tele2 (n55) para.100. 77 Opinion 1/15 [2017] ECLI:EU:C:2017:592.
78 Opinion 1/15 [2017] ECLI:EU:C:2017:592, Opinion of AG Mengozzi, paras.171-172. 79 ibid, para.229.
80 ibid, para.228. 81 ibid, para.231. 82 ibid, para.229.
13
arbitrariness”83 arising “where a power vested in the executive is exercised in secret”.84 This
refers to the fact that victims affected by the exercise of Blanket Surveillance cannot be reasonably expected to have foreseen the incident, as it is done in a secret manner, in lack of their knowledge. The general conclusion stemming from Weber85 and Zakharov is that as the act of surveillance is in itself constituting an interference to the right to privacy, regardless of whether its nature is targeted or untargeted, and that Targeted Surveillance can only be justifiable under strict conditions that are in line with the principle of being necessary in a democratic society, and only when MS legislation is such as to “indicate the scope of any such discretion conferred on the competent authorities and the manner of its exercise with sufficient clarity to give the individual adequate protection against arbitrary interference”.86 This leads to
the general requirement that each MS is obliged to establish detailed and clear surveillance measures and procedures within statutes.87
The CJEU follows and endorses this view as it was clearly indicated Tele2; In paragraph 109 of the judgement, the Court highlights the importance of MS incorporating legislation that is clear and precise in regards to the scope of surveillance and retention of data:
“(…) national legislation must, first, lay down clear and precise rules governing the scope and application of such a data retention measure and imposing minimum safeguards, so that the persons whose data has been retained have sufficient guarantees of the effective protection of their personal data against the risk of misuse. That legislation must, in particular, indicate in what circumstances and under which conditions a data retention measure may, as a preventive measure, be adopted, thereby ensuring that such a measure is limited to what is strictly necessary”.88
It is evident that both the CJEU and the ECtHR agree on the fact that the mere existence of “secret measures or of legislation”89 allowing surveillance, be it targeted or untargeted,
constitutes an interference to the private life of individuals, as indicated previously in Zakharov and Schrems.
83 Ibid. 84 Ibid.
85 Weber (n37) para.93. 86 Zakharov (n39) para.230.
87 Heglas v. Czech Republic App.no.5935/02, (ECHR 1 March 2007) para.74. 88 Tele2 (n55), para.109.
14
CHAPTER II: EU legislation and CJEU case law evaluation:
This chapter will present and analyse the timeline of EU legislation and CJEU case law that is relevant to Blanket Surveillance up until the date of this study, in an effort to draw and understand the position of the Union on the matter. It is important to highlight that cases revolving data collection and retention are relevant in the topic of Blanket Surveillance, as it presupposes such actions. Multiple scholars and commentators argue that despite the multiple landmark judgements delivered by the CJEU, the Union’s position is unclear and can be interpreted in various manners, leaving “a significant range of arguable implications for national legislative measures”90. This argument is reasonable and justifiable, bearing in mind
the fact that relevant cases such as La Quadrature91 are pending for judgement before the CJEU.
2.1: Digital Rights Ireland and the Data Retention Directive:
The CJEU delivered its first landmark judgement in relation to surveillance, collection and retention of data according to the DRD in DRI. The no longer in force Directive, which went ‘hand in hand’ with the Data Protection Directive92 and the E-Privacy Directive (EPD),93 was
initially established aiming to regulate and harmonise legislation on the retention of metadata across MS.94 Under Article 3 of DRD, communication service providers were obliged to collect and retain data of their clients, for the purpose of “the investigation, detection and prosecution of serious crime”,95 as defined by each MS. It therefore obliged all MS, even those not having
established laws on surveillance, to implement legislation overseeing the collection and retention of individuals’ data for the purpose of DRD. This mechanism is directly related to Blanket Surveillance, as individuals cannot be aware of when their communications and personal data is being collected by communication providers.
The data the DRD deemed necessary to collect and retain was that which would enable authorities to indicate the source, destination, date, type, location and equipment used in a
90 Justice John (n45). 91 La Quadrature (n16).
92 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of
individuals with regard to the processing of personal data and on the free movement of such data,OJ L 281,23.11.1995,p.31–50.
93 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the
processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications),OJ L 201,31.7.2002,p.37–47.
94 Directive 2006/24/EC (n11) Article 1(1). 95 Ibid.
15
communication.96 As mentioned previously in chapter 1, this is undoubtedly a form of metadata
that can reveal multitudes regarding an individual’s private life, as well as enable authorities to form assumptions and hypothesis, drawing from their interactions with other individuals whose data was also to be collected. Initially, the validity of DRD was contested before the CJEU through an action for annulment under Article 263 TFEU in Ireland,97 where the applicants argued that it “was not adopted on an appropriate legal basis”,98 and that the core objective of the DRD should have been the “investigation, detection and prosecution of crime”.99 After indicating that Ireland had only brought the action for annulment exclusively relying on a potentially wrongful “choice of legal basis and not to any possible infringement of fundamental rights arising from interference with the exercise of the right to privacy”,100 the CJEU
concluded that the action had to be dismissed.101
Several years later, Digital Rights Ireland, an Irish organisation fighting for human rights,102 brought a case before the Irish High Court, asking it to declare that DRD is invalid.103 The MS’ High Court in turn referred numerous questions to the CJEU for a preliminary ruling; Firstly, the domestic court questioned whether restricting the rights of individuals under Articles 3, 4 and 6 of the DRD for the purpose of investigating crime and safeguarding the proper operation of the internal market can be deemed compatible with the principle of proportionality under Article 5(4) TEU.104 The most important questions the Court raised relating to Blanket
Surveillance enabled by the DRD which interfered with fundamental rights, were those of whether it was in line with the right to privacy under Article 7 CFR and parallelly Article 8 ECHR, the right to data protection under Article 8 CFR, and the right to freedom of expression under Article 11 CFR and parallelly Article 10 ECHR.105
This case was joined with another case of questions raised for a preliminary ruling before the CJEU by the Austrian Constitutional Court Verfassungsgerichtshof, which specifically
96 ibid, Article 5.
97 Case C-301/06, Ireland v Parliament and Council [2009] ECLI:EU:C:2009:68. 98 ibid, para.24.
99 Lydia F de la Torre, ‘Ireland v. Parliament and Council: the EU data retention directive’, (2019)
<https://medium.com/golden-data/ireland-v-parliament-and-council-895d9d3ac993> accessed 1 July 2020.
100 Ireland (n97), para.57. 101 ibid, para.94.
102 Digital Rights Ireland, ‘ABOUT DIGITAL RIGHTS IRELAND’ (2020)
<https://www.digitalrights.ie/about/> accessed 1 July 2020.
103 DRI (n10) para.17. 104 ibid, para.18. 105 Ibid.
16
questioned whether the DRD could be found to be compatible with CFR and with the principle of proportionality, while allowing “the storing of many types of data in relation to an unlimited number of persons for a long time”,106 and while said retention “affects almost exclusively persons whose conduct in no way justifies the retention of data relating to them”.107 The CJEU was therefore called to assess the validity of the DRD in relation to fundamental rights under CFR and ECHR, and examine to what extent the Union can establish legislation limiting the “exercise of fundamental rights guaranteed”108 by CFR.
In his opinion regarding the joined cases, Advocate General Cruz Villalón highlighted that the “vague feeling of surveillance”109 caused by DRD coming to force should not be neglected, as
it can have a “decisive influence”110 on citizens exercising their rights under CFR and ECHR, specifically the right to freedom of expression. He moved on to note that as the CJEU cannot sufficiently give a ruling on that matter relating to freedom of expression as it is purely hypothetical and lacks material,111 it should focus on examining the DRD’s compatibility112 with Articles 7 and 8 CFR, and the corresponding Article 8 ECHR.
The Advocate General suggested that “utmost vigilance”113 is required in collecting and
retaining personal data, and not solely in processing it. This statement was justified in his view that even in case where the DRD would be found to be in line with Article 8 CFR, it may still be found incompatible with Article 7 CFR114. He further argues that enabling the mere
collection of data relating to “the confidentiality of private life, including intimacy”115 is what
would constitute a breach of the rights safeguarded under Articles 7 and 8 CFR.116 Referring to judgements by the ECtHR, the Advocate General mentioned that storing personal data undoubtedly interferes with Article 8 ECHR,117 and moved on to classify that the degree of the 106 ibid, para.22.
107 Ibid.
108 Orla Lynskey, ‘Plenty to retain? Opinion of the Advocate General in Joined Cases C-293/12 and 594/12,
Digital Rights Ireland ltd and Seitlinger and others’ (2013) <https://europeanlawblog.eu/2013/12/17/plenty-to- retain-opinion-of-the-advocate-general-in-joined-cases-c-29312-and-59412-digital-rights-ireland-ltd-and-seitlinger-and-others/> accessed 1 July 2020.
109 Joined Cases C‑293/12 and C-594/12, Digital Rights Ireland v Minister for Communications and others
[2014] ECLI:EU:C:2014:238, Opinion of AG Cruz Villalón para.52.
110 Ibid. 111 Ibid. 112 ibid, para.54. 113 ibid, para.59. 114 ibid, para.60. 115 ibid, para.65. 116 ibid, para.66. 117 ibid, para.69.
17
interference applied by the DRD is “particularly serious”118. Referring to the form of data
collected as “’special’ personal data”119 as its analysis may “create a both faithful and
exhaustive map of a large portion of a person’s conduct strictly forming part of his private life, or even a complete and accurate picture of his private identity”120 reaffirms the fact that data stored in accordance with DRD constituted metadata, as defined previously in the study.
In a manner similar to that followed in judgements delivered by the ECtHR, the Advocate General proceeded to examine whether the aforementioned interference with individuals’ rights could be deemed as being in accordance with the law, and proportionate under Article 5(4) TEU.121 Arguably, one of the most important statements made by the Advocate General in his opinion, is the fact that when implementing an act that can potentially “constitute serious interference with the fundamental rights of citizens of the Union”,122 the Union should not
allow each MS the full competence to interpret and establish its own means of imposing those obligations governed by the relevant act.123 He argues instead that the Union should more properly define “at the very least the principles which must govern the definition, establishment, application and review of observance of those guarantees”124 that are “capable of justifying that interference”.125 The Advocate General concluded his opinion stating that the
DRD was incompatible with Article 52(1) CFR, as well as with the principle of proportionality under Article 5(4) TEU for the reason that Article 6 DRD disproportionately stated that data collected would be retained for a “period of up to two years in the absence of exceptional circumstances”.126
The long awaited ruling of the CJEU is a landmark judgement that had a major impact in the ‘world’ of protecting fundamental rights from threats like Blanket Surveillance. The Court acknowledged the sensitivity of the data collected and retained from individuals of the MS in a similar manner to that of Advocate General Villalón, stating that it “may allow very precise conclusions to be drawn (…) such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of 118 ibid, para.70.
119 ibid, para.74. 120 Ibid.
121 Orla Lynskey (n108).
122 AG Cruz Villalón (n109), para.120. 123 Ibid.
124 Ibid. 125 Ibid.
18
those persons and the social environments frequented by them”.127 While recognising the
“potential impact”128 the DRD could have on the right to freedom of expression under Article
11 CFR just as Advocate General Villalón pointed out in his opinion,129 the CJEU deemed it was appropriate to examine the joined cases solely under the light of Articles 7 and 8 CFR,130 as they were directly related to the issue in hand.131
The CJEU proceeded to examine whether DRD was indeed interfering with the right to privacy and protection of personal data enshrined under Articles 7 and 8 CFR. Refraining to examine whether the mere collection of personal data constituted an interference to fundamental rights, the CJEU stated that interference is present in the fact that DRD allowed the processing and retention of personal data for a vast period of time, not only by communication providers but also by “competent national authorities”.132 The CJEU agreed with Advocate General
Villalón’s comments on individuals feeling like subjects of “constant surveillance”,133 and that the established interference is “wide-ranging”134 and “particularly serious”.135 On examining whether the identified interference was justifiable under Article 52(1) CFR, the CJEU stated that the essence of the rights under CFR is not “adversely affected”,136 and that DRD satisfied “an objective of general interest”137 indicating that each MS is responsible of ensuring that
adequate measures are “adopted against accidental or unlawful destruction, accidental loss or alteration of the data”.138
Finally, the CJEU conducted a proportionality test to distinguish whether the DRD measures could be deemed as “appropriate for attaining the legitimate objectives pursued (…) and do not exceed the limits of what is appropriate and necessary in order to achieve those objectives”.139
The Court found that DRD was suitable in achieving its purpose as it offered “additional opportunities to shed light on serious crime”.140 However, the CJEU went on to state that it
127 DRI (n10) para.27. 128 Orla Lynskey (n108).
129 AG Cruz Villalón (n109) para.52. 130 Orla Lynskey (n108). 131 DRI (n10) para.29. 132 Ibid, para.35. 133 Ibid, para.37. 134 Ibid. 135 Ibid. 136 Ibid, para.40. 137 Ibid, para.44. 138 Ibid, para.40. 139 Ibid, para.46. 140 Ibid, para.49.
19
affected every individual within the EU, even those who were not “in a situation which is liable to give rise to criminal prosecutions”.141 The DRD further failed to place objective criteria that
would indicate “the limits of the access of the competent national authorities”142 to the data
collected, as well as “clear and precise rules governing the extent of the interference”.143 Additionally, the CJEU stated that DRD did not specify whether the data collected would be retained within the EU,144 concluding to the fact that the legislature acted in ultra vires in relation to the principle of proportionality, and that the DRD is invalid.145
What is essential to point out for the purpose of this study, is the fact that both the CJEU and Advocate General Villalón fail to question and examine whether the sole act of collecting data indiscriminately in a ‘blanketed’ manner – not that of accessing and processing it – constitutes an interference to fundamental rights, and whether that should be deemed as necessary, suitable and proportionate for the purpose of combating serious crime.146 The Advocate General’s opinion and the judgement of the CJEU instead concentrate on whether the criteria regulating the accessing and processing of the personal data retained are adequate, completely overlooking the fact that the invalidated DRD obligated institutions to collect this data in a blanketed, bulk, indiscriminate and untargeted manner, and thus failing to challenge the legality of it in regards to the aforementioned mechanisms. As Maja Brkan suggests, the CJEU “fails to explain why the acquisition of knowledge of content could equally not be qualified as a particularly serious interference”.147
Despite the fact that the judgement was deemed as crucial in relation to ensuring data protection, as mentioned in the beginning of the present chapter, it undoubtedly “left open, or undecided, several issues fundamental to the operation of a compulsory communications data retention regime under the national laws of MS”.148 It generally created a confusion amongst
MS on whether EU secondary legislation, specifically the EPD that was ‘paired’ with the invalidated DRD, continued to apply in circumstances where MS institutions “were entitled to
141 Ibid, para.58. 142 Ibid, para.60. 143 Ibid, para.65. 144 Ibid, para.68. 145 Ibid, para.69-72. 146 Orla Lynskey (n108).
147 Maja Brkan, ‘The Essence of the Fundamental Rights to Privacy and Data Protection: Finding the Way
Through the Maze of the CJEU’s Constitutional Reasoning’ [2019] German Law Journal, 20, pp. 864–883, doi:10.1017/glj.2019.66.
20
access retained communications data”.149 This confusion was apparent in the fact that more
requests for preliminary ruling followed after this judgement, most notably Tele2, which is analysed below.
2.2: Tele2 Sverige and the incompatibility of Blanket Surveillance mechanisms with EU law:
Following the complications the Court’s judgement in DRI brought, another request for preliminary ruling ensued by Sweden and the UK, regarding the joined cases of Tele2 and
Watson.150 The Swedish Court sought answers on whether “a general and indiscriminate obligation to retain”151 data following DRI is to be considered compatible with Article 15(1)
of the EPD that was still in force, as well as Articles 7, 8 and 52(1) CFR, following a
claim from Tele2 Sverige, a Swedish communications provider. The English Court of Appeal referred the question of whether there is an EU law governing the access to data that is retained following MS legislation, “in order to comply with Articles 7 and 8”152 CFR,
following a claim from Mr. Watson, an individual that challenged the legality of the Investigatory Powers Act of the UK.
The Court delivered this judgement solely referring to the EPD, however it reasonably is applicable towards “other EU secondary legislation or programmes interpreted in light of”153
CFR. The CJEU initially discovered that there was a conflict between Articles 1(3) and 15(1) of EPD, and proceeded to state that its scope indeed was applicable in national legislation of the MS “relating (…) to the access of the national authorities to the data retained by the providers”.154 The CJEU further underlined that EPD itself obliges providers “to establish
internal procedures”155 regarding access to users’ personal data, as well as the fact that MS are
responsible of ensuring “the confidentiality of communications”156 through their national
legislation.
149 ibid, para.10. 150 Tele2 (n55). 151 Ibid, para.50. 152 Ibid, para.59.
153 Orla Lynskey, ‘Tele2 Sverige AB and Watson et al: Continuity and Radical Change’ (2017)
<https://europeanlawblog.eu/2017/01/12/tele2-sverige-ab-and-watson-et-al-continuity-and-radical-change/> accessed 4 July 2020.
154 Tele2 (n55) para.76. 155 Ibid, para.80. 156 Ibid, para.84.
21
Examining the core of the referred questions, the CJEU noted that despite the fact that Article 15(1) EPD enshrined derogations from the confidentiality principle under Article 5(1) EPD,157
it should be strictly interpreted,158 and therefore cannot permit such derogation to the principle of confidentiality under Article 5(1) to “become the rule”;159 this would constitute the confidentiality principle as “meaningless”.160 Article 15(1) EPD also states that the data
collected should “be retained ‘for a limited period’”,161 but nonetheless does not specify how
long that period should be. The CJEU highlighted the importance of practices involving data retention being compatible with the rights to privacy and data protection under Articles 7 and 8 CFR, but also mentioned Article 11 CFR on the freedom of expression saying it “constitutes one of the essential foundations of a pluralist, democratic society”,162 despite the fact that it
refused to examine its relevance in DRI. Through this, it is apparent that the CJEU recognises the gravity and the impact surveillance mechanisms can reach.
Referring to its judgement in DRI, the Court repeated the findings that the data retained is of extremely sensitive nature as it “is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained”,163 as well as the fact that as this data is collected in a blanket manner, lacking the knowledge of the individuals affected, it is likely “to cause the persons concerned to feel that their private lives are the subject of constant surveillance”.164 The CJEU agreed with the findings of Advocate General
Saugmandsgaard Øe that the risks surrounding “access to communications data (…) may be as great or even greater than those arising from access to the content of communications”,165 and put metadata and communications data “on an equal footing”.166 Furthermore, the Court underlined the fact that individuals feeling like they are the “subjects of constant surveillance”167 can potentially affect their right to freedom of expression under Article 11 CFR.168 Contrastingly, the Court disagreed with the Advocate General’s argument that generalised data retention measures can be “lawful where strictly necessary to combat serious
157 Ibid, para.89. 158 Ibid. 159 Ibid. 160 Ibid. 161 Ibid, para.95. 162 Ibid, para.93. 163 Ibid, para.99. 164 Ibid, para.100.
165 AG Saugmandsgaard Øe (n62) para.259. 166 Maja Brkan (n147).
167 Tele2 (n55) para.100. 168 Ibid, para.101.
22
crime”.169 The Court instead ruled that solely targeted measures of surveillance can be lawful,
only under strict guidelines and restrictions.170
Arguably, the most important finding and conclusion the Court came to in Tele2 is the fact that the objective of fighting serious crime cannot justify “national legislation providing for the general and indiscriminate retention”171 of data, and that such legislation cannot be deemed compatible with Articles 7, 8 and 11 CFR.172 Although the CJEU stated that targeted retention of data in order to combat serious crime is permitted under strict conditions,173 the main point to hold on in this judgement, is that the CJEU denounced Blanket Surveillance measures, deeming them incompatible with EU law in a rather radical174 judgement that did manage to clear up some of the confusion created after DRI. The result of Tele2 is what the Court had been ‘building up’ to in Schrems where, as mentioned previously in Chapter 1, it stated that legislation authorising storage of personal data on a generalised basis, “without any differentiation, limitation or exception being made in the light of the objective pursued”175 and without setting “limits of the access of the public authorities to the data”176 collected, cannot
be regarded as being limited to what is strictly necessary and therefore constitutes an interference to fundamental rights.
Nonetheless, Tele2 raised more questions and controversy on the matter. For example, although the Court had stated that fighting serious crime can be the only objective under which data retention can be justified,177 it did not go on to define what constitutes a serious crime. Furthermore, it is argued that the judgement came late,178 as many MS had already established legislation interfering with fundamental rights, following the Court’s guidance from previous cases and secondary EU legislation. Moreover, despite suggestions by the Advocate General that data retained should remain in the MS it was collected,179 the Court generalises this
169 Will R Mbioh, 'Post-Och Telestyrelsen and Watson and the Investigatory Powers Act
2016' (2017) 3 Eur Data Prot L Rev 273.
170 Ibid. 171 Tele2 (n55) para.103. 172 Ibid, para.112. 173 Ibid, para.108. 174 Orla Lynskey (n153). 175 Schrems (n66) para.93. 176 Ibid. 177 Tele2 (n55) para.102. 178 Orla Lynskey (n153).
23
retention in the judgement by mentioning that data retained remains in the EU.180 The transfer
of personal data collected in the EU to a country outside of the EU was examined in the CJEU’s opinion on the PNR agreement between Canada and the EU, as well as its landmark judgement in Schrems II181 that was delivered several days before the deadline of this study. Additionally, the Court once again refrained from directly commenting on whether the mere act of collection – not retention – of personal data constitutes an interference with fundamental rights. It is however reasonable to assume that the Court does indeed hold this opinion, as mentioned previously in Chapter 1 through the analysis of ECtHR case law.
2.3: Opinion 1/15, Schrems II and their impact on protecting fundamental rights related to personal data:
The CJEU’s Opinion issued regarding the agreement negotiated between the EU and Canada on the “transfer and processing of Passenger Name Record data”182 is important to analyse in this study. The CJEU examined this agreement under the light of CFR. The drafted agreement envisioned that Canadian authorities would be able to view and process data of MS individuals that would be systematically and continuously transferred to the country from other MS, as well as potentially transfer that data to other third countries on its own prerogative.183 The
agreement indicated a “data storage period of five years”,184 which meant that Canadian
authorities and potentially third country authorities would have access to data of passengers that would reveal their travelling itinerary and habits, their relationships with other people, and data in relation to their health and diet.185 This undoubtedly constitutes a form of mass Blanket and indiscriminate Surveillance. The Court also noted that multiple parts of the agreement were unclear, and that the objective of generally preventing terrorism was inadequate in justifying transfer of personal data to a third country outside the EU,186 which in turn blurred the idea of what the Court considers to be a serious crime.
180 Orla Lynskey (n153).
181 Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems [2020]
ECLI:EU:C:2020:559.
182 Opinion 1/15 (n77) para.20.
183 Court of Justice of the European Union, ‘PRESS RELEASE No 84/17’ (2017)
<https://curia.europa.eu/jcms/upload/docs/application/pdf/2017-07/cp170084en.pdf> accessed 10 July 2020.
184 Ibid. 185 Ibid.
186 Arianna Vedaschi and Chara Graziani, ‘PNR Agreements between Fundamental Rights and National
Security: Opinion 1/15’ (2018) <https://europeanlawblog.eu/2018/01/23/pnr-agreements-between-fundamental-rights-and-national-security-opinion-115/> accessed July 16 2020.
24
Based on the above findings, the CJEU opined that the drafted agreement was incompatible with the fundamental rights of private life and protection of personal data enshrined in Articles 7 and 8 CFR, as well as the principle of proportionality under 52(1) CFR,187 following a thorough examination on whether that interference can be justified, whether it is limited to what is strictly necessary, and whether it is clear and precise in its content, to which the Court answered negatively.188 Despite its finding that indiscriminate retention of data is not in line with EU law in Tele2, the CJEU seemed to ‘take a step back’ to accommodate and normalise the practice of mass surveillance in this case, but set out such strict requirements for it, that they realistically could not be followed.189 Ultimately, this was the reason for the Court deeming the agreement incompatible with Union law. This gave rise to more confusion on what the Court’s position truly is regarding mass, blanket and indiscriminate surveillance.
The same logic was followed in the newly delivered landmark judgement of the CJEU in
Schrems II, where it invalidated the Commission Decision 2016/1250190 on the adequacy of protection provided by the Data Protection Shield between the United States (US) and the EU.191 This case also follows the reasoning in the first Schrems case mentioned in this study, which had also invalidated another Decision of the Commission that incorrectly found that the US “ensured an adequate level of protection”192 of personal data transferred to it. In answering
the request for preliminary ruling in Schrems II, the CJEU firstly acknowledged the applicability of the General Data Protection Regulation193 (GDPR) which envisages that
transfer of data to third countries can only take place if “the third country in question ensures an adequate level of data protection”,194 even if the purpose of the transfer is regarding public
security measures.195
187 Opinion 1/15 (n77) para. 232. 188 No 84/17 (n183).
189 Arianna Vedaschi (n186).
190 Commission Implementing Decision 2016/1250, of 12 July 2016 pursuant to Directive 95/46/EC of the
European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (C (2016) 4176),2016 O.J.L 207.
191 Court of Justice of the European Union, ‘PRESS RELEASE No 91/20’ (2020)
<https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf> accessed 16 July 2020.
192 Ibid.
193 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection
of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ.L 119,4.5.2016,p.1–88.
194 Facebook (n181) para.95. 195 Ibid, para.203.
