Surveillance by intelligence services – Volume II: field perspectives and legal update
examining the factors that led to recent terrorist attacks
in Europe. The committee will look into various aspects,
such as deficiencies in intelligence information sharing
among Member States and the impact of such sharing
on fundamental rights.24
At legislative level, the creation of the Security Union led
to the adoption of the Passenger Name Records (PNR)
Directive. 25 PNR data are collected by airlines from
passengers during check-in and reservation procedures.
Intelligence services can subsequently access PNR
data collected by airlines and use them for intelligence
purposes. The PNR Directive establishes at EU level
a common legal framework for exchanging PNR data
among Member States, as well as sharing PNR data
with Europol. The PNR data may then be used for the
fight against terrorism and serious crime under certain
conditions set by the directive.
National security was also at issue in a 2016 Court of
Justice of the European Union (CJEU) judgment. In joined
cases Tele2 Sverige and Home Secretary v. Watson,26
the CJEU found that requiring telecommunication
companies to retain all electronic communications
data, meaning data about telephone calls, emails and
websites visited by their clients, was not in conformity
with the e-Privacy Directive 27 and the EU Charter of
Fundamental Rights, violating the right to respect for
private life and protection of personal data. The court
stated that, in the case of serious crime, Member
States can impose a general obligation on providers of
electronic telecommunications services to retain data
only if deployed against specific targets. Retention
measures must be necessary and proportionate
regarding the categories of data to be retained, the
means of communication affected, the persons
concerned and the chosen duration of retention.
Furthermore, national authorities’ access to the
retained data must be conditional and meet certain data
protection safeguards. The court explicitly distinguished
cases where the data are retained to protect ‘national
24
25
26
27
22
European Parliament (2017), European Parliament Decision
of 6 July 2017 on setting up a special committee on
terrorism, its responsibilities, numerical strength and term
of office, P8_TA-PROV(2017) 0307, Strasbourg, 6 July 2017.
Directive (EU) 2016/681 of the European Parliament and
of the Council of 27 April 2016 on the use of passenger
name record (PNR) data for the prevention, detection,
investigation and prosecution of terrorist offences and
serious crime, OJ L 119, 4 May 2016 (PNR Directive).
CJEU, Joined Cases C-203/15 and C-698/15, Tele2 Sverige
AB v. Post- och telestyrelsen and Secretary of State
for the Home Department v. Tom Watson and Others,
21 December 2016.
Directive 2002/58/EC of the European Parliament and of
the Council of 12 July 2002 concerning the processing of
personal data and the protection of privacy in the electronic
communications sector, OJ L 201, 31 July 2002 (Directive on
privacy and electronic communications).
security’ from other types of ‘serious crime’.28 Where
‘national security’ is at stake, the court concluded that
access may also be granted to data of persons other
than the specific targets; however, as a safeguard,
there must be objective evidence of these data’s
effective contribution to the fight against a specific
‘national security’ threat.
‘National security’ is also relevant to the transfer of
personal data to a third country on the basis of a decision
that the third country provides an adequate level of
protection of personal data (adequacy decision). Under
the GDPR, to assess the level of protection of personal
data, the European Commission must take into account
any relevant legislation concerning national security
as well as the implementation of such legislation.
In particular, the Commission looks at whether the
third country guarantees effective and enforceable
data subject rights, and effective and judicial redress
for the data subjects whose personal data are being
transferred.29 The EU-US Privacy Shield is an example of
such an adequacy decision. This decision allows for free
flow of data for commercial purposes between the EU
and the US.30 The EU-US Privacy Shield was the result of
the annulment of the Safe Harbour Adequacy Decision
by the CJEU in Schrems.31 The CJEU looked into personal
data transfers to the US on the basis of the Safe Harbour
Adequacy Decision and subsequent access to the data
by national intelligence services for reasons of national
security. The CJEU held that legislation must provide
effective oversight and redress mechanisms. Failing
to provide an effective remedy violates Article 47
of the Charter.
The ‘national security’ exemption thus cannot be
seen as entirely excluding the applicability of EU law.
Individuals’ records of calls, text messages, e-mails and
any other forms of electronic communication that are
retained by their telecommunications providers and
subsequently transferred to intelligence services for
national security purposes could enjoy the standards
of protection offered by the GDPR.
28
29
30
31
CJEU, Joined Cases C-203/15 and C-698/15, Tele2 Sverige AB
v. Post- och telestyrelsen and Secretary of State for the
Home Department v. Tom Watson and Others, 21 December
2016, para. 119.
GDPR, Art. 45.
Commission Implementing Decision (EU) 2016/1250
of 12 July 2016 pursuant to Directive 95/46/EC of the
European Parliament and of the Council on the adequacy
of the protection provided by the EU-U.S. Privacy Shield,
OJ 2016 L207, 1 August 2016.
CJEU, C-362/14, Maximilian Schrems v. Data Protection
Commissioner, 6 October 2015.