Zum Inhalt springen
tingey-injury-law-firm-veNb0DDegzE-unsplash
18 November 2020| doi: 10.5281/zenodo.4275662

Privacy International: Ein Triumph oder Verlust für die Privatsphäre?

Privacy International zeigt, dass ein allgemeines und diskriminierungsfreies Gesetz die Übermittlung von Kommunikationsdaten an öffentliche Einrichtungen nicht verlangen darf. Dies ist ein Gewinn für das Recht auf Privatsphäre. Könnte es jedoch der Anfang davon sein, dieses Recht zu zerpflücken? Solche Übertragungen können immer noch möglich sein, wenn das Gesetz objektive Kriterien festlegt.


Privacy International: what was it about?

On 6 October 2020, the Court of Justice (Court) ruled on the Privacy International case. The dispute involved national law ordering electronic communications service providers (ECS providers) to transfer communications data to British national agencies. The Court had to explain whether national legislation, safeguarding national security, falls under Article 15(1) ePrivacy Directive. This Article allows the restriction of citizens’ right to data protection for the purpose of national security.

National security laws fall under the ePrivacy Directive

The Court’s reasoning to include the national law within the Directive’s remit was twofold. Firstly, the Court agreed that Article 1(3) ePrivacy Directive removes laws on national security activities from the Directive’s scope. Such national legislation may only concern State actions and not those of individuals. In this case, the law also deals with ECS providers. This argumentation is in line with Article 3 Directive, which explains that the Directive applies to transfers of personal data by ECS providers. The Court further stated that national laws based on Article 15(1) ePrivacy Directive restrict the right to data protection. This is only allowed, provided the law complies with certain requirements. Secondly, the Court held that giving communications data to State authorities is processing personal data, as mentioned in Article 3 Directive. Excluding national security laws would strip Article 15(1) ePrivacy Directive of its function, which only allows restrictions of data subjects’ rights under strict conditions.

National security: no ground for blanket provisions

The Court looked whether the national law based on Article 15(1) Directive was necessary, suitable and proportionate to the objective of safeguarding national security. This objective may justify more restrictive rules. However, the national law interfered with the right to respect for private and family life and the right to protection of personal data in a manner that was not strictly necessary. Unsurprisingly, the general and indiscriminate phrasing of the national law allows national authorities to obtain unrestricted access to everyone’s communications data held by ECS providers. This also includes people who may not potentially be a threat to national security. The Court called for safeguards by demanding objective criteria to determine when national agencies may access communications data.

The Court shows its teeth for the sake of privacy

As demonstrated – yet again – by this ruling, the Court does not shy away to ensure a high level of protection of the right to privacy. Especially the last years, the Court has shown the lengths it is willing to go. In Digital Rights Ireland, the Court invalidated EU legislation demanding to store communications data and giving national authorities access. Further, in the Tele2 case, the Court prohibited national law demanding the storage of communications data in a general and indiscriminate manner, in other words without objective criteria. In Schrems I and Schrems II, the Court also invalidated two Adequacy Decisions, which allowed the free flow of personal data between businesses from the EU to those in the U.S. The Court held that U.S. authorities could get a hold of EU citizens’ personal data. Protecting the right to privacy has run like a thread through all these cases, including this one. It comes as no surprise that the Court did not allow the adoption of generic national laws providing national agencies access to communications data. Looking at Digital Rights Ireland, the Court held that EU law asking to keep communications data and giving national authorities access is a serious interference with the right to privacy. In the Tele2 case, the Court clearly expanded its far-reaching level of protection of the right to privacy to national law calling for the storage of communications data. In Privacy International, the Court now also extended these high standards to national laws allowing national agencies access to such data.

A win for privacy or a threat in disguise?

Despite the expected outcome, this judgment should be applauded since the Court – once more – firmly showed its stance on the right to privacy. The Court did away with catch-all provisions allowing the collection of communications data by national agencies. Further, the Court managed to carefully strike a balance between two interests, namely the right to privacy and national security. However, the Court explicitly left the door open for national security laws, provided they establish objective criteria. In other words, ECS providers may need to hand over such data if the national law sets objective requirements. Undoubtedly, Member States will now bring their laws in line with the Court’s ruling. Unfortunately, the Court does not explain what these objective criteria may include. A call for further guidelines and clarifications is likely to emerge.


tl;dr

In its Privacy International ruling, the Court of Justice did away with national laws demanding in a general and indiscriminate manner the transfer of communications data to national authorities. The Court reached this conclusion seeing that the right to privacy was at stake. However, the Court allowed a leeway for such national laws, as long as they provide objective criteria permitting such transfers.


Sarah de Heer is a lecturer at the Faculty of Law at Maastricht University, the Netherlands. She has an interest in IP and ICT law. Sarah has been involved in teaching courses on international and European law at Maastricht University and UHasselt, Belgium. Before becoming a lecturer, she was a Blue Book trainee at DG CONNECT and worked at a law and policy consultancy based in Brussels.

Auf dem Laufenden bleiben

HIIG-Newsletter-Header

Jetzt anmelden und  die neuesten Blogartikel einmal im Monat per Newsletter erhalten.

Forschungsthema im Fokus Entdecken

Du siehst eine Tastatur auf der eine Taste rot gefärbt ist und auf der „Control“ steht. Eine bildliche Metapher für die Regulierung von digitalen Plattformen im Internet und Data Governance. You see a keyboard on which one key is coloured red and says "Control". A figurative metaphor for the regulation of digital platforms on the internet and data governance.

Data Governance

Wir entwickeln robuste Data-Governance-Rahmenwerke und -Modelle, um praktische Lösungen für eine gute Data-Governance-Politik zu finden.

Weitere Artikel

Das Bild zeigt eine Wand mit vielen Uhren, die alle eine andere Uhrzeit zeigen. Das symbolisiert die paradoxen Effekte von generativer KI am Arbeitsplatz auf die Produktivität.

Zwischen Zeitersparnis und Zusatzaufwand: Generative KI in der Arbeitswelt

Generative KI am Arbeitsplatz steigert die Produktivität, doch die Erfahrungen sind gemischt. Dieser Beitrag beleuchtet die paradoxen Effekte von Chatbots.

Das Bild zeigt sieben gelbe Köpfe von Lego-Figuren mit unterschiedlichen Emotionen. Das symbolisiert die Gefühle, die Lehrende an Hochschulen als innere Widerstände gegen veränderung durchleben.

Widerstände gegen Veränderung: Herausforderungen und Chancen in der digitalen Hochschullehre

Widerstände gegen Veränderung an Hochschulen sind unvermeidlich. Doch richtig verstanden, können sie helfen, den digitalen Wandel konstruktiv zu gestalten.

Das Foto zeigt einen jungen Löwen, symbolisch für unseren KI-unterstützten Textvereinfacher Simba, der von der Forschungsgruppe Public Interest AI entwickelt wurde.

Von der Theorie zur Praxis und zurück: Eine Reise durch Public Interest AI

In diesem Blogbeitrag reflektieren wir unsere anfänglichen Überlegungen zur Public Interest AI anhand der Erfahrungen bei der Entwicklung von Simba.