EU nations’ attempt to water down privacy protections could increase tension with US over personal data flows across the Atlantic

Posted on Mar 16, 2021 by Glyn Moody

Last month, this blog noted that the EU’s important ePrivacy Regulation has now entered the final stretch of its legislative passage. An article on the Lawfare blog has spotted an interesting section in proposals from the Council of the EU, one of the three bodies that jointly agree new EU legislation. Although short – just a few dozen words – the implications of that section for surveillance and privacy in the EU could be huge. And the knock-on effects will also impact the US, for reasons that will be explained below.

To understand why a single sentence is potentially so momentous, it is necessary to go back a few years, to when a group of privacy organizations, including Privacy International and La Quadrature du Net, brought legal actions against the UK, France and Belgium over their continuing use of “bulk data collection” – that is, indiscriminate mass data retention. The governments of these countries justified this invasion of privacy on the grounds of “national security”. On 6 October 2020, the EU’s highest court, the Court of Justice of the European Union (CJEU), issued its judgments in three related cases:

the Court of Justice of the European Union ruled that mass data retention and collection practices for national security purposes undertaken by member states must comply with EU law, and therefore have to be subjected to its privacy safeguards. As a result of the decision, EU countries must review their legislation and practices for compliance with the EU requirements to protect people’s security and fundamental rights.

However, the CJEU did make an important distinction between the situation where an intelligence agency gathers personal data directly, and that where communications companies are instructed to collect this data on behalf of the government. A general national security exemption in EU privacy law permits the first, but not the second. Some governments were unhappy that they could no longer force communications and Internet companies to spy on their users as a matter of course. In particular, the French government has been pushing to roll back that limitation on its surveillance activities. As the Lawfare blog points out, it is now trying to use the ePrivacy Regulation to do so. The draft adopted by the Council of the EU includes the following short passage:

This Regulation does not apply to: activities, which fall outside the scope of Union law, and in any event measures, processing activities and operations concerning national security and defence, regardless of who is carrying out those activities whether it is a public authority or a private operator acting at the request of a public authority.

The key part is “whether it is a public authority or a private operator acting at the request of a public authority”. This would remove the limitation imposed by the CJEU: that mass surveillance for national security may be carried out by intelligence services themselves, but may not be delegated to Internet or communications companies.

Others have spotted the danger to privacy here. The European Data Protection Board (EDPB) is “an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities.” In effect, it is the main guardian of the EU’s digital privacy laws. Shortly after the Council of the EU published its draft of the ePrivacy Regulation, which included the section quoted above, the EDPB issued a statement outlining its concerns. In particular:

providing a legal basis for anything else than targeted retention for the purposes of law enforcement and safeguarding national security is not allowed under the [EU Charter of Fundamental Rights], and would anyhow need to be subject to strict temporal and material limitations as well as review by a Court or by an independent authority.

The EU Charter of Fundamental Rights is one of the EU’s foundational documents, with the same legal force as the EU treaties. The EDPB believes that the attempt to circumvent the CJEU’s ruling on mass surveillance by companies is incompatible with the Charter, and that only targeted retention is permitted. That viewpoint is unlikely to stop EU governments from trying to overturn the CJEU ruling. But it may encourage one of the other bodies that must agree on new EU legislation, the European Parliament, to refuse to accept the change. The presence of the passage in question is likely to make the ePrivacy negotiations between the various EU bodies even more fraught.

The Lawfare post explores another interesting aspect of this situation. As Privacy News Online reported last year, the main framework for transferring personal data across the Atlantic, known as Privacy Shield, was found to be “invalid” by the CJEU in its July 2020 Schrems II judgment. Given the huge volumes of personal data that flow from the EU to the US, that is a serious problem, and the authorities on both sides of the Atlantic have been trying to find a way forward.

A key issue, once more, is national security. The US wants its intelligence agencies to be able to access the personal data of EU citizens that is sent to the US whenever they deem it necessary; the EU wants that data to be protected in a way that is “essentially equivalent” to the protection offered by its stringent GDPR. Reconciling those competing demands is already proving hard. If the proposal to allow companies as well as intelligence agencies to carry out mass surveillance on behalf of EU governments survives in the final text of the ePrivacy Regulation, the gulf between the two regions could widen further. With some justice, the US could point out that double standards are being applied, with only companies in the EU allowed to carry out bulk collection of personal data for the authorities. One danger is that the European Commission might argue that the solution is to allow US companies to do the same for the US government.

Featured image by OneTesla.