proportionality of those measures and the transfer of data to third parties, with Article 8 ECHR. In that
regard, it stated that evidence had been submitted to it concerning the applicable safeguards, in
particular as regards the procedures for accessing and disclosing data outside the security and
intelligence agencies, the arrangements for retaining data, and independent oversight arrangements.
22
As regards the lawfulness of the acquisition and use measures at issue in the main proceedings in the
light of EU law, the referring court examined, in a judgment of 8 September 2017, whether those
measures fell within the scope of EU law and, if so, whether they were compatible with EU law. That
court found, as regards bulk communications data, that the providers of electronic communications
networks were required, under section 94 of the 1984 Act, should a Secretary of State issue directions
to that effect, to provide the security and intelligence agencies with data collected in the course of their
economic activity falling within the scope of EU law. However, that was not the case for the
acquisition of other data obtained by those agencies without the use of such binding powers. On the
basis of that finding, the referring court considered it necessary to refer questions to the Court in order
to determine whether a regime such as that resulting from section 94 of the 1984 Act falls within the
scope of EU law and, if so, whether and in what way the requirements laid down by the case-law
resulting from the judgment of 21 December 2016, Tele2 Sverige and Watson and Others (C‑203/15
and C‑698/15, EU:C:2016:970; ‘Tele2’) apply to that regime.
23
In that regard, in its request for a preliminary ruling, the referring court states that, pursuant to section
94 of the 1984 Act, the Secretary of State may give providers of electronic communications services
such general or specific directions as appear to him to be necessary in the interests of national security
or relations with a foreign government. Referring to the definitions set out in section 21(4) and (6) of
the RIPA, that court states that the data concerned includes traffic data and service use information,
within the meaning of that provision, with only the content of communications being excluded. Such
data and information make it possible, in particular, to know the ‘who, where, when and how’ of a
communication. That data is transmitted to the security and intelligence agencies and retained by them
for the purposes of their activities.
24
According to the referring court, the regime at issue in the main proceedings differs from that resulting
from the Data Retention and Investigatory Powers Act 2014, at issue in the case which gave rise to the
judgment of 21 December 2016, Tele2 (C‑203/15 and C‑698/15, EU:C:2016:970), since the latter
regime provided for the retention of data by providers of electronic communications services and the
making available of that data not only to security and intelligence agencies, in the interests of national
security, but also to other public authorities, depending on their needs. Furthermore, that judgment
concerned a criminal investigation, not national security.
25
The referring court adds that the databases compiled by the security and intelligence agencies are
subject to bulk, unspecific, automated processing, with the aim of discovering unknown threats. To that
end, the referring court states that the sets of metadata thus compiled should be as comprehensive as
possible, so as to have a ‘haystack’ in order to find the ‘needle’ hidden therein. As regards the
usefulness of bulk data acquisition by those agencies and the techniques for consulting that data, that
court refers in particular to the findings of the report drawn up on 19 August 2016 by David Anderson
QC, then United Kingdom Independent Reviewer of Terrorism Legislation, who relied, when drawing
up that report, on a review conducted by a team of intelligence specialists and on the testimony of
security and intelligence agency officers.
26
The referring court also states that, according to Privacy International, the regime at issue in the main
proceedings is unlawful in the light of EU law, while the defendants in the main proceedings consider
that the obligation to transfer data provided for by that regime, access to that data and its use do not fall
within the competences of the European Union, in accordance, in particular, with Article 4(2) TEU,
according to which national security remains the sole responsibility of each Member State.
27
In that regard, the Investigatory Powers Tribunal considers, on the basis of the judgment of 30 May
2006, Parliament v Council and Commission (C‑317/04 and C‑318/04, EU:C:2006:346, paragraphs 56
to 59), concerning the transfer of passenger name record data for the purpose of protecting public
security, that the activities of commercial undertakings in processing and transferring data for the
purpose of protecting national security do not appear to fall within the scope of EU law. For the