BIG BROTHER WATCH AND OTHERS v. THE UNITED KINGDOM JUDGMENT
techniques were necessary to protect national security. In doing so, it
expressed serious concern that if the Watson requirements were to apply to
measures taken to safeguard national security, they would frustrate them
and put the national security of Member States at risk. In particular, it noted
the benefits of bulk acquisition in the context of national security; the risk
that the need for prior authorisation could undermine the intelligence
services’ ability to tackle the threat to national security; the danger and
impracticality of implementing a requirement to give notice in respect of the
acquisition or use of a bulk database, especially where national security was
at stake; and the impact an absolute bar on the transfer of data outside the
European Union could have on Member States’ treaty obligations.
237. A public hearing took place on 9 September 2019. The Privacy
International case was heard together with cases C‑511/18 and C‑512/18,
La Quadrature du Net and Others, and C‑520/18, Ordre des barreaux
francophones et germanophone and Others, which also concerned the
application of Directive 2002/58 to activities related to national security and
the combating of terrorism. Thirteen States intervened in support of the
States concerned.
238. Two separate judgments were handed down on 6 October 2020. In
Privacy International the CJEU found that national legislation enabling a
State authority to require providers of electronic communications services to
forward traffic data and location data to the security and intelligence
agencies for the purpose of safeguarding national security fell within the
scope of the Directive on privacy and electronic communications. The
interpretation of that Directive had to take account of the right to privacy,
guaranteed by Article 7 of the Charter, the right to protection of personal
data, guaranteed by Article 8, and the right to freedom of expression,
guaranteed by Article 11. Limitations on the exercise of those rights had to
be provided for by law, respect the essence of the rights, and be
proportionate, necessary, and genuinely meet the objectives of general
interest recognised by the European Union or the need to protect the rights
and freedoms of others. Furthermore, limitations on the protection of
personal data must apply only in so far as is strictly necessary; and in order
to satisfy the requirement of proportionality, the legislation must lay down
clear and precise rules governing the scope and application of the measure
in question and imposing minimum safeguards, so that the persons whose
personal data are affected have sufficient guarantees that data will be
protected effectively against the risk of abuse.
239. In the opinion of the CJEU, national legislation requiring providers
of electronic communications services to disclose traffic data and location
data to the security and intelligence agencies by means of general and
indiscriminate transmission – which affected all persons using electronic
communications services – exceeded the limits of what was strictly
necessary and could not be considered to be justified as required by the
76