Those following the legal debate following the Schrems-II decision, are well aware that one of the main arguments on the U.S. side is that the European Union should not only look at third countries’ surveillance practices, but also at their own. The typical response is that this is not possible, because national security is excluded from the competences of the EU and thus cannot be legislated by the European Commission. A series of new judgments from the Court of Justice of the European Union (CJEU) shed some new light however.
The judgments, released on 6 October 2020, relate to four cases*, criticising legislation allowing the national security agencies in the United Kingdom, Belgium and France to collect communications traffic data, on the basis of an exception in the ePrivacy Directive from 2002. Following the terrorist attacks in Madrid and London in 2004 and 2005, the European Union created a general data retention scheme for telecommunications data, that was since struck down by the CJEU for not complying with the fundamental rights to privacy and data protection. Also national laws creating a similar scheme, either based on the EU scheme or on the own initiative of an EU Member State, have been annulled by the CJEU. In the current cases, the questions put to the Court included if it was possible at all to collect telecommunications traffic data in bulk, and if so, under what conditions?
The judgment of the CJEU
Most importantly, the CJEU has confirmed in both judgments that the transmission of personal data from a communications service provider (i.e. a telecom or internet service provider) to a government authority, including to the national security services, is covered by data protection law. In this sp ..
Support the originator by clicking the read the rest link below.
