106
BIG BROTHER WATCH AND OTHERS v. THE UNITED KINGDOM JUDGMENT
serious crime; or where access was not subject to prior review by a court or
independent administrative authority.
(c) Privacy International v. Secretary of State for Foreign and Commonwealth
Affairs, Secretary of State for the Home Department, Government
Communications Headquarters, Security Service and Secret Intelligence
Service (IPT/15/110/CH; EU OJ C 22, 22.1.2018, p. 29–30)
235. On 8 September 2017 the IPT gave judgment in the case of Privacy
International, which concerned the acquisition by the agencies of Bulk
Communications Data under section 94 of the Telecommunications Act
1984 (a different regime from those which form the subject of the present
complaints) and Bulk Personal Data. The IPT found that, following their
avowal, the regimes were compliant with Article 8 of the Convention.
However, it identified the following four requirements which appeared to
flow from the CJEU judgment in Watson and Others and which seemed to
go beyond the requirements of Article 8 of the Convention: a restriction on
non-targeted access to bulk data; a need for prior authorisation (save in
cases of validly established emergency) before data could be accessed;
provision for subsequent notification of those affected; and the retention of
all data within the European Union.
236. On 30 October 2017 the IPT made a request to the CJEU for a
preliminary ruling clarifying the extent to which the Watson requirements
could apply where the bulk acquisition and automated processing
techniques were necessary to protect national security. In doing so, it
expressed serious concern that if the Watson requirements were to apply to
measures taken to safeguard national security, they would frustrate them
and put the national security of Member States at risk. In particular, it noted
the benefits of bulk acquisition in the context of national security (referring
to the Bulk Powers Review – see paragraphs 173-176 above); the risk that
the need for prior authorisation could undermine the agencies’ ability to
tackle the threat to national security; the danger and impracticality of
implementing a requirement to give notice in respect of the acquisition or
use of a bulk database, especially where national security was at stake; and
the impact an absolute bar on the transfer of data outside the European
Union could have on Member States’ treaty obligations.