18 November 2020| doi: 10.5281/zenodo.4275662

Privacy International: a triumph or loss for privacy?

Privacy International shows that a general and indiscriminate law may not demand the transfer of communications data to public agencies. This is a win for the right to privacy. However, could it be the beginning of picking this right apart? Such transfers may still be possible, if the law establishes objective criteria.

Privacy International: what was it about?

On 6 October 2020, the Court of Justice (Court) ruled on the Privacy International case. The dispute involved national law ordering electronic communications service providers (ECS providers) to transfer communications data to British national agencies. The Court had to explain whether national legislation, safeguarding national security, falls under Article 15(1) ePrivacy Directive. This Article allows the restriction of citizens’ right to data protection for the purpose of national security.

National security laws fall under the ePrivacy Directive

The Court’s reasoning to include the national law within the Directive’s remit was twofold. Firstly, the Court agreed that Article 1(3) ePrivacy Directive removes laws on national security activities from the Directive’s scope. Such national legislation may only concern State actions and not those of individuals. In this case, the law also deals with ECS providers. This argumentation is in line with Article 3 Directive, which explains that the Directive applies to transfers of personal data by ECS providers. The Court further stated that national laws based on Article 15(1) ePrivacy Directive restrict the right to data protection. This is only allowed, provided the law complies with certain requirements. Secondly, the Court held that giving communications data to State authorities is processing personal data, as mentioned in Article 3 Directive. Excluding national security laws would strip Article 15(1) ePrivacy Directive of its function, which only allows restrictions of data subjects’ rights under strict conditions.

National security: no ground for blanket provisions

The Court examined whether the national law based on Article 15(1) Directive was necessary, suitable and proportionate to the objective of safeguarding national security. This objective may justify more restrictive rules. However, the national law interfered with the right to respect for private and family life and the right to protection of personal data in a manner that was not strictly necessary. Unsurprisingly, the general and indiscriminate phrasing of the national law allows national authorities to obtain unrestricted access to everyone’s communications data held by ECS providers. This also includes people who may not potentially be a threat to national security. The Court called for safeguards by demanding objective criteria to determine when national agencies may access communications data.

The Court shows its teeth for the sake of privacy

As demonstrated – yet again – by this ruling, the Court does not shy away from ensuring a high level of protection of the right to privacy. Especially in recent years, the Court has shown the lengths to which it is willing to go. In Digital Rights Ireland, the Court invalidated EU legislation requiring the storage of communications data and giving national authorities access to it. Further, in the Tele2 case, the Court prohibited national law demanding the storage of communications data in a general and indiscriminate manner, in other words without objective criteria. In Schrems I and Schrems II, the Court also invalidated two Adequacy Decisions, which allowed the free flow of personal data between businesses from the EU to those in the U.S. The Court held that U.S. authorities could get hold of EU citizens’ personal data. Protecting the right to privacy has run like a thread through all these cases, including this one. It comes as no surprise that the Court did not allow the adoption of generic national laws providing national agencies access to communications data. Looking at Digital Rights Ireland, the Court held that EU law requiring communications data to be kept and giving national authorities access is a serious interference with the right to privacy. In the Tele2 case, the Court clearly expanded its far-reaching level of protection of the right to privacy to national law calling for the storage of communications data. In Privacy International, the Court now also extended these high standards to national laws allowing national agencies access to such data.

A win for privacy or a threat in disguise?

Despite the expected outcome, this judgment should be applauded since the Court – once more – firmly showed its stance on the right to privacy. The Court did away with catch-all provisions allowing the collection of communications data by national agencies. Further, the Court managed to carefully strike a balance between two interests, namely the right to privacy and national security. However, the Court explicitly left the door open for national security laws, provided they establish objective criteria. In other words, ECS providers may need to hand over such data if the national law sets objective requirements. Undoubtedly, Member States will now bring their laws in line with the Court’s ruling. Unfortunately, the Court does not explain what these objective criteria may include. A call for further guidelines and clarifications is likely to emerge.


In its Privacy International ruling, the Court of Justice did away with national laws demanding in a general and indiscriminate manner the transfer of communications data to national authorities. The Court reached this conclusion seeing that the right to privacy was at stake. However, the Court left leeway for such national laws, as long as they provide objective criteria permitting such transfers.

Sarah de Heer is a lecturer at the Faculty of Law at Maastricht University, the Netherlands. She has an interest in IP and ICT law. Sarah has been involved in teaching courses on international and European law at Maastricht University and UHasselt, Belgium. Before becoming a lecturer, she was a Blue Book trainee at DG CONNECT and worked at a law and policy consultancy based in Brussels.

This post represents the view of the author and does not necessarily represent the view of the institute itself. For more information about the topics of these articles and associated research projects, please contact
