(ii)
(c)
in connection with the provision to or use by any person of any telecommunications
service, of any part of a telecommunication system;
any information not falling within paragraph (a) or (b) that is held or obtained, in relation to
persons to whom he provides the service, by a person providing a postal service or
telecommunications service.
…
(6)
… “traffic data”, in relation to any communication, means—
(a)
any data identifying, or purporting to identify, any person, apparatus or location to or from
which the communication is or may be transmitted,
(b)
any data identifying or selecting, or purporting to identify or select, apparatus through which, or
by means of which, the communication is or may be transmitted,
(c)
any data comprising signals for the actuation of apparatus used for the purposes of a
telecommunication system for effecting (in whole or in part) the transmission of any
communication, and
(d)
any data identifying the data or other data as data comprised in or attached to a particular
communication.
…’
18
Sections 65 to 69 of the RIPA lay down the rules on the functioning and jurisdiction of the
Investigatory Powers Tribunal (United Kingdom). Under section 65 of the RIPA, a complaint may be
made to the Investigatory Powers Tribunal if there is reason to believe that data has been acquired
inappropriately.
The dispute in the main proceedings and the questions referred for a preliminary ruling
19
At the beginning of 2015, the existence of practices for the acquisition and use of bulk
communications data by the various security and intelligence agencies of the United Kingdom, namely
GCHQ, MI5 and MI6, was made public, including in a report by the Intelligence and Security
Committee of Parliament (United Kingdom). On 5 June 2015, Privacy International, a nongovernmental organisation, brought an action before the Investigatory Powers Tribunal (United
Kingdom) against the Secretary of State for Foreign and Commonwealth Affairs, the Secretary of State
for the Home Department and those security and intelligence agencies, challenging the lawfulness of
those practices.
20
The referring court examined the lawfulness of those practices in the light, first of all, of national law
and the provisions of the European Convention for the Protection of Human Rights and Fundamental
Freedoms, signed in Rome on 4 November 1950 (‘the ECHR’), and, subsequently, of EU law. In a
judgment of 17 October 2016, that court held that the defendants in the main proceedings had
acknowledged that those agencies acquired and used, in their activities, sets of bulk personal data, such
as biographical data or travel data, financial or commercial information, communications data liable to
include sensitive data covered by professional secrecy, or journalistic material. That data, obtained by
various, possibly secret, means, would be analysed by cross-checking and by automated processing and
could be disclosed to other persons and authorities and shared with foreign partners. In that context, the
security and intelligence agencies would also use bulk communications data, acquired from providers
of public electronic communications networks under, inter alia, directions issued by a Secretary of
State on the basis of section 94 of the 1984 Act. GCHQ and MI5 have been doing this since 2001 and
2005 respectively.
21
The referring court found that those measures for the acquisition and use of data were consistent with
national law and, since 2015, subject to issues that remained under consideration concerning the