46.
If the BCD regime is entirely outside the Treaty and the scope of the
Directives, as was the case in Parliament v Council, then the Watson
Requirements would not apply. It is only if the Respondents’ arguments as to
scope set out above fail that consideration of them will be necessary, and to
the extent that they could be applicable to BCD acquired for the purpose of
national security.
47.
The Watson Requirements are seemingly four:
i)
Subject to clarification of the impact of paragraph 119 of the Judgment, to
which we shall refer, there is a restriction on any non-targeted access to Bulk
Data.
ii)
There must be prior authorisation (save in cases of validly established
urgency) before any access to data (paragraph 120).
iii)
There must be provision for subsequent notification of those affected
(paragraph 121).
iv)
All data must be retained within the European Union (paragraph 122 and 125:
there is doubt as to the effect of paragraph 123, as discussed below).
48.
On any basis, it is difficult to see how the ambit of the EPD applies after
acquisition by the SIAs, but even if it were widely interpreted, then the first
three Watson Requirements might be apt, but the fourth, relating to the later
use of the acquired data by a Member State’s SIAs would appear to be a
further extension.
Page 44