Data Protection Insider, Issue 33

– CJEU on Bulk Transfers for National Security in Privacy International

On 6th October, the Grand Chamber of the CJEU delivered its verdict in the case of Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others. The case concerned the legitimacy of UK law legitimating the bulk transfer of subscribers’ traffic and location data from telecommunications service providers to UK security and intelligence services. The referring national Court asked two questions of the CJEU: i) whether the law in question – in particular the requirement for telecommunications providers to transfer subscriber data to security and intelligence services – falls within the scope of the e-Privacy Directive in light of the exclusions in Art. 4 TEU and in Art. 1 of the e-Privacy Directive of national security processing; and ii) whether, and to what extent, do the conditions for the retention and transfer of users data by telecommunications provides outlined in prior CJEU judgments – in particular in Tele2 – apply to the legislation at issue. In relation to the first question, the CJEU observed that: ‘Article 1(3), Article 3 and Article 15(1) of Directive 2002/58, read in the light of Article 4(2) TEU, must be interpreted as meaning that national legislation enabling a State authority to require providers of electronic communications services to forward traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security falls within the scope of that directive.’ In their argumentation, the CJEU highlighted that the listed exclusions for national security processing relate to activities solely conducted by the state, whereas the transfer of subscriber data to the state is an action undertaken by telecommunications providers. In relation to the second question, the CJEU observed that the engaged fundamental rights – including the rights to privacy, data protection and freedom of expression – as well as the relevant provisions in the e-Privacy Directive: ‘must be interpreted as precluding national legislation enabling a State authority to require providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security.’ The CJEU also observed, however, that similar legislation foreseeing more targeted forms of transfer may still be legitimate.


– CJEU on Communication Data Retention and Analysis in La Quadrature du Net

On 6th October the CJEU delivered its judgement in the Joined Cases of La Quadrature du Net and Others, French Data Network and Others and Ordre des barreaux francophones et germanophone and Others. The cases dealt with the compatibility of Member State laws – in France and Belgium – which prescribe the retention by telecommunication providers and further processing of telecommunications data for law enforcement and national security purposes with European law, namely the CFREU, the e-Privacy Directive and eCommerce Directive. The cases are rich and deep. In this regard, we note the following ten conclusions reached by the CJEU in its judgement: i) such legislation clearly falls within the scope of the e-Privacy Directive (in contrast to the eCommerce Directive) – the CJEU clarified that this conclusion applies also to the GDPR; ii) such legislation has to respect the CFREU, including Articles 3, 4, 6, 7, and 8, bearing in mind the potential limitations possible under Article 52 (1) CFREU; iii) EU law does not preclude the indiscriminate retention of telecommunications data “for a limited period of time” when there exist national security threats which are “genuine and present or foreseeable” – such retention, however, may not be systematic and should be subject to safeguards, including effective judicial review; iv) indiscriminate and general retention not necessary for the purposes of fighting serious crime; v) IP addresses and civil identity information may be retained for the purposes of fighting serious crime; vii) for the purposes of fighting serious crime and ensuring national security, telecommunication providers might be required to store data beyond the periods set out in law; viii) telecommunication providers may be required to perform automated analysis on the retained data at the request of the national security authorities – here the CJEU repeats its conclusions in its EU-Canada PNR Opinion on the quality requirements related to such automated analysis; ix) real-time collection of telecommunications data is permissible only when it is targeted and subject to safeguards; and x) the impacted individuals need only be given general information about retention measures – where a person is identified through the automated analysis, they need to be personally notified, unless the notification is liable to prejudice an ongoing investigation.

We note that above two cases have touched upon a wide variety of issues and will undoubtedly lead to heated discussions. The judgements are likely to be received differently by data protection experts and law enforcement officials. One of the many potential implications of the cases is that national security seems to be given a large margin of appreciation in relation to the legitimate collecting and analysis of telecommunications data, only, however, as a derogation from EU data protection principles. Two questions emerge with this approach: i) how easy will it be for national authorities to keep a clear separation between law enforcement and national security purposes in practice, and thus to refrain from indiscriminate surveillance also for law enforcement purposes; and ii) how tenable is allowing such derogations without common EU data protection standards applicable to national security?


– EDPB Holds 39th Plenary Session –

On 7th and 8th October the EDPB held its 39th Plenary Session. The EDPB discussed, amongst other things:

  • The Article 64 GDPR Opinion on the guarantees to be included in contractual clauses for transfers by a processor to a controller outside the EEA;
  • The pending Article 65 procedure (concerning the consistency mechanism).

The EDPB also adopted the following documents:

The Guidelines are not publicly available yet. They will be published following a linguistic, formatting and legal checks.


– EDPS Admonishes Europol –

On 18th September the EDPS issued his first admonishment to Europol concerning Europol’s ‘big data challenge’. From the publicly available redacted EDPS decision it is clear that this ‘big data challenge’ refers to the large amount of datasets which Europol processes – gathered with the help of special analytical tools and storage facilities. The data refers both to targeted and indiscriminate data forwarded to Europol predominantly by the Member States. Three specific challenges are mentioned: i) the issue of data veracity; ii) the issue of the reliability of the analyses conducted on data; and iii) the issue of the ‘traceability of the decision-making process’ by analysts. The EDPS noted that, when addressing these challenges, Europol does not process the big data in compliance with the Europol Regulation. Problems arise in relation to, amongst others: the principle of purpose limitation; the limitations on the categories of people whose data is processed; the limitations on data storage periods; and data minimisation. The EDPS stops short of banning the processing in question or of proposing concrete measures for rectifying the problematic processing. We note that it is positive that the issue of big data, including in the law enforcement field, is beginning to be inspected and that data protection authorities are starting to hold law enforcement accountable for complying with the different data protection safeguards applicable to their sophisticated analytical processes. The admonishment demonstrates that the complexity of analytical processing cannot be an excuse for non-compliance with data protection principles.


– ICO Concludes Cambridge Analytic Investigation –

The ICO has concluded its investigation into Cambridge Analytica and into political profiling. In the final stages of the investigation, the ICO found no specific evidence that the company – or associated companies – had misused personal data to influence the UK’s referendum on EU membership. In this regard, the ICO observed that the processes used by the ICO were relatively common. The ICO also found no specific evidence that the company – or associated companies – had assisted in Russian interference in the UK’s political process. The ICO had previously uncovered the use of a Russian IP address in connection with one of the companies associated with Cambridge Analytica. The ICO had, however, passed the evidence on to the National Crime Authority due to a belief that the investigation of the use of the IP address lay outside its jurisdiction. It should be recalled that the final stages of the investigation consisted of the examination of certain specific questions and are not equivalent to the findings and outcomes of the investigation as a whole. Nevertheless, given the sensitive and highly public nature of the matters in question, it seems unlikely that the conclusions of the ICO will simply be accepted without further scrutiny or criticism.


– Hamburg DPA Fines H&M 35.3 Million Euros –

The DPA of Hamburg (the HmbBfDI) has issued a fine of 35.3 million Euros to the retail giant H&M. The fine concerns the fact that, since at least 2014, certain managers at H&M’s Nuremberg service centre had been collecting extensive information about the private lives of employees. Such information was collected in ‘Welcome Back Talks’ following employees’ return from holidays and sick leave as well as in other talks and encounters between managers and employees. The information collected included information on employees’ holiday experiences, sickness symptoms and diagnoses as well as on other aspects of their private lives – such as their family situation and religious beliefs. The collected information was used to profile employees and for making certain significant decisions concerning them. The practice was regarded as a particularly invasive interference with employees’ rights. The problem was discovered in 2019 as, for a brief time and due to a system configuration error, the employee files at issue were made accessible to the whole company. In light of the practice, the company has issued an apology and compensation to the impacted employees and has updated its data protection strategy.


DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply