referring court, it is necessary to examine not whether the activity in question constitutes data
processing, but only whether, in substance and effect, the purpose of such activity is to advance an
essential State function, within the meaning of Article 4(2) TEU, through a framework established by
the public authorities that relates to public security.
28
Should the measures at issue in the main proceedings nevertheless fall within the scope of EU law, the
referring court considers that the requirements set out in paragraphs 119 to 125 of the judgment of
21 December 2016, Tele2 (C‑203/15 and C‑698/15, EU:C:2016:970) appear inappropriate in the
context of national security and would undermine the ability of the security and intelligence agencies
to tackle some threats to national security.
29
In those circumstances, the Investigatory Powers Tribunal decided to stay the proceedings and to refer
the following questions to the Court of Justice for a preliminary ruling:
‘In circumstances where:
(a)
the [security and intelligence agencies’] capabilities to use [bulk communications data]
supplied to them are essential to the protection of the national security of the United
Kingdom, including in the fields of counter-terrorism, counter-espionage and counternuclear proliferation;
(b)
a fundamental feature of the [security and intelligence agencies’] use of [bulk
communications data] is to discover previously unknown threats to national security by
means of non-targeted bulk techniques which are reliant upon the aggregation of [those
data] in one place. Its principal utility lies in swift target identification and development, as
well as providing a basis for action in the face of imminent threat;
(c)
the provider of an electronic communications network is not thereafter required to retain
[the bulk communications data] (beyond the period of their ordinary business
requirements), which [are] retained by the State (the [security and intelligence agencies])
alone;
(d)
the national court has found (subject to certain reserved issues) that the safeguards
surrounding the use of [bulk communications data] by the [security and intelligence
agencies] are consistent with the requirements of the ECHR; and
(e)
the national court has found that the imposition of the requirements specified in
[paragraphs 119 to 125 of the judgment of 21 December 2016, Tele2 (C‑203/15 and
C‑698/15, EU:C:2016:970)], if applicable, would frustrate the measures taken to safeguard
national security by the [security and intelligence agencies], and thereby put the national
security of the United Kingdom at risk;
(1)
Having regard to Article 4 TEU and Article 1(3) of [Directive 2002/58], does a requirement in a
direction by a Secretary of State to a provider of an electronic communications network that it
must provide bulk communications data to the [security and intelligence agencies] of a Member
State fall within the scope of Union law and of [Directive 2002/58]?
(2)
If the answer to Question (1) is “yes”, do any of the [requirements applicable to retained
communications data, set out in paragraphs 119 to 125 of the judgment of 21 December 2016,
Tele2 (C‑203/15 and C‑698/15, EU:C:2016:970)] or any other requirements in addition to those
imposed by the ECHR, apply to such a direction by a Secretary of State? And, if so, how and to
what extent do those requirements apply, taking into account the essential necessity of the
[security and intelligence agencies] to use bulk acquisition and automated processing techniques
to protect national security and the extent to which such capabilities, if otherwise compliant with
the ECHR, may be critically impeded by the imposition of such requirements?’
Consideration of the questions referred