Beruflich Dokumente
Kultur Dokumente
COMMISSION
Brussels, 10.1.2017
COM(2017) 10 final
2017/0003 (COD)
Proposal for a
concerning the respect for private life and the protection of personal data in electronic
communications and repealing Directive 2002/58/EC (Regulation on Privacy and
Electronic Communications)
{SWD(2017) 3 final}
{SWD(2017) 4 final}
{SWD(2017) 5 final}
{SWD(2017) 6 final}
EXPLANATORY MEMORANDUM
1
Communication from the Commission to the European Parliament, the Council, the European
Economic and Social Committee and the Committee of the Regions, A Digital Single Market Strategy
for Europe, COM(2015) 192 final.
2
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the free movement of
such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016,
p. 1–88).
3
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the
processing of personal data and the protection of privacy in the electronic communications sector
(Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p.37).
1.3. Consistency with other Union policies
The ePrivacy Directive is part of the regulatory framework for electronic communications. In
2016, the Commission adopted the proposal for a Directive establishing the European
Electronic Communications Code ("EECC")4, which revises the framework. While the
present proposal is not an integral part of the EECC, it partially relies on definitions provided
therein, including that of 'electronic communications services'. Like the EECC, this proposal
also brings OTT providers in its scope to reflect the market reality. In addition, the EECC
complements this proposal by ensuring the security of electronic communications services.
The Radio Equipment Directive 2014/53/EU ("RED")5 ensures a single market for radio
equipment. In particular, it requires that, before being placed on the market, radio equipment
must incorporate safeguards to ensure that the personal data and privacy of the user are
protected. Under the RED and the European Standardisation Regulation (EU) 1025/20126, the
Commission is empowered to adopt measures. This proposal does not affect the RED.
The proposal does not include any specific provisions in the field of data retention. It
maintains the substance of Article 15 of the ePrivacy Directive and aligns it with specific
wording of Article 23 of the GDPR, which provides grounds for Member States to restrict the
scope of the rights and obligations in specific articles of the ePrivacy Directive. Therefore,
Member States are free to keep or create national data retention frameworks that provide,
inter alia, for targeted retention measures, in so far as such frameworks comply with Union
law, taking into account the case-law of the Court of Justice on the interpretation of the
ePrivacy Directive and the Charter of Fundamental Rights7.
Finally, the proposal does not apply to activities of Union institutions, bodies and agencies.
However, its principles and relevant obligations as to the right to respect for private life and
communications in relation to the processing of electronic communications data have been
included in the Proposal for a Regulation repealing Regulation (EC) No 45/20018.
4
Commission proposal for a Directive of the European Parliament and of the Council establishing the
European Electronic Communications Code (Recast) (COM/2016/0590 final - 2016/0288 (COD)).
5
Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the
harmonisation of the laws of the Member States relating to the making available on the market of radio
equipment and repealing Directive 1999/5/EC (OJ L 153, 22.5.2014, p. 62–106).
6
Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on
European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives
94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and
2009/105/EC of the European Parliament and of the Council and repealing Council Decision
87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316,
14.11.2012, p. 12–33).
7
See Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others,
ECLI:EU:C:2014:238; Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB and Secretary of State
for the Home Department, ECLI:EU:C:2016:970.
8
Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on
the protection of individuals with regard to the processing of personal data by the Community
institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1–22).
rules relating to the free movement of such data. Since an electronic communication involving
a natural person will normally qualify as personal data, the protection of natural persons with
regard to the privacy of communications and processing of such data, should be based on
Article 16.
In addition, the proposal aims at protecting communications and related legitimate interests of
legal persons. The meaning and scope of the rights under Article 7 of the Charter shall, in
accordance with Article 52(3) of the Charter, be the same as those laid down in Article 8(1) of
the European Convention for the Protection of Human Rights and Fundamental Freedoms
("ECHR"). As regards the scope of Article 7 of the Charter, the case-law of the Court of
Justice of the European Union ("CJEU")9 and of the European Court of Human Rights10
confirm that professional activities of legal persons may not be excluded from the protection
of the right guaranteed by Article 7 of the Charter and Article 8 of the ECHR.
Since the initiative pursues a twofold purpose and that the component concerning the
protection of communications of legal persons and the aim of achieving the internal market
for those electronic communications and ensure its functioning in this regard cannot be
considered merely incidental, the initiative should, therefore, also be based on Article 114 of
the TFEU.
2.2. Subsidiarity
Respect for communications is a fundamental right recognised in the Charter. Content of
electronic communications may reveal highly sensitive information about the end-users
involved in the communication. Similarly, metadata derived from electronic communications,
may also reveal very sensitive and personal information, as expressely recognised by the
CJEU11. The majority of Member States also recognise the need to protect communications as
a distinct constitutional right. Whilst it is possible for Member States to enact policies which
ensure that this right is not breached, this would not be achieved in a uniform way in the
absence of Union rules and would create restrictions on cross-border flows of personal and
non-personal data related to the use of electronic communications services. Finally, to
maintain consistency with the GDPR, it is necessary to review the ePrivacy Directive and
adopt measures to bring the two instruments in line.
The technological developments and the ambitions of the DSM strategy have strengthened the
case for action at the Union level. The success of the EU DSM depends on how effectively
the EU brings down national silos and barriers and seize the advantages and economies of a
European digital single market. Moreover, as internet and digital technologies know no
borders, the dimension of the problem goes beyond the territory of a single Member State.
Member States cannot effectively solve the problems in the current situation. A level playing
field for economic operators providing substitutable services and equal protection of end-
users at Union level are requirements for the DSM to work properly.
2.3. Proportionality
To ensure the effective legal protection of respect for privacy and communications, an
extension of scope to cover OTT providers is necessary. While several popular OTT providers
already comply, or partially comply with the principle of confidentiality of communications,
the protection of fundamental rights cannot be left to self-regulation by industry. Also, the
9
See C-450/06 Varec SA, ECLI:EU:C:2008:91, §48.
10
See, inter alia, ECHR, judgments Niemietz v Germany, judgment of 16 December 1992, Series A n°
251-B, §29; Société Colas Est and Others v France, no 37971/97, §41; ECHR 2002-III; Peck v The
United Kingdom no 44647/98, §57, ECHR 2003-I; and also Vinci Construction and GTM Génie Civil et
Services v. France, n°s. 63629/10 and 60567/10, § 63, 2 April 2015.
11
See footnote 7.
importance of the effective protection of privacy of terminal equipment is increasing as it has
become indispensable in personal and professional life for the storage of sensitive
information. The implementation of the ePrivacy Directive has not been effective to empower
end-users. Therefore the implementation of the principle by centralising consent in software
and prompting users with information about the privacy settings thereof, is necessary to
achieve the aim. Regarding the enforcement of this Regulation, it relies on the supervisory
authorities and the consistency mechanism of the GDPR. Moreover, the proposal allows
Member States to take national derogatory measures for specific legitimate purposes. Thus,
the proposal does not go beyond what is necessary to achieve the aims and complies with the
principle of proportionality as set out in Article 5 of the Treaty on European Union. The
obligations put on affected services are kept to a level as minimum as possible, while not
impinging on the fundamental rights concerned.
2.4. Choice of the instrument
The Commission puts forward a proposal for a Regulation in order to ensure consistency with
the GDPR and legal certainty for users and businesses alike by avoiding divergent
interpretation in the Member States. A Regulation can ensure an equal level of protection
throughout the Union for users and lower compliance costs for businesses operating across
borders.
The REFIT evaluation concluded that the above objectives of the Directive remain relevant.
While the GDPR ensures the protection of personal data, the ePrivacy Directive ensures the
confidentiality of communications, which may also contain non-personal data and data related
to a legal person. Therefore, a separate instrument should ensure an effective protection of
Article 7 of the Charter. Other provisions, such as the rules on the sending of unsolicited
marketing communications, have proven to remain relevant too.
In terms of effectiveness and efficiency, the REFIT evaluation found that the Directive has
not fully met its objectives. The unclear drafting of certain provisions and ambiguity in legal
concepts have jeopardized harmonization, thereby creating challenges for businesses to
operate cross-border. The evaluation further showed that some provisions have created an
unnecessary burden on businesses and consumers. For example, the consent rule to protect the
confidentiality of terminal equipment failed to reach its objectives as end-users face requests
to accept tracking cookies without understanding their meaning and, in some cases, are even
exposed to cookies being set without their consent. The consent rule is over-inclusive, as it
also covers non-privacy intrusive practices, and under-inclusive, as it does not clearly cover
some tracking techniques (e.g. device fingerprinting) which may not entail access/storage in
the device. Finally, its implementation can be costly for businesses.
The evaluation concluded that the ePrivacy rules still have EU added-value for better
achieving the objective of ensuring online privacy in the light of an increasingly transnational
electronic communications market. It also demonstrated that overall the rules are coherent
with other relevant legislation, although a few redundancies have been identified vis-à-vis the
new GDPR (see in Section 1.2).
3.2. Stakeholder consultations
The Commission organised a public consultation between 12 April and 5 July 2016 and
received 421 replies12. The key findings are the following13:
– Need for special rules for the electronic communications sector on
confidentiality of electronic communications: 83.4% of the responding citizens,
consumer and civil society organisations and 88.9% of public authorities agree, while
63.4% of industry respondents do not agree.
– Extension of scope to new communications services (OTTs): 76% of citizens and
civil society and 93.1% of public authorities agree, while only 36.2% of respondents
from industry favour such an extension.
– Amending the exemptions to consent for processing traffic and location data:
49.1% of citizens, consumer and civil society organisations and 36% of public
authorities prefer not to broaden the exemptions, while 36% of the industry favour
extended exemptions and 2/3 of industry advocate the mere repeal of the provisions.
– Support for solutions proposed to the cookie consent issue: 81.2% of citizens and
63% of public authorities support imposing obligations on manufacturers of terminal
equipment to market products with privacy-by-default settings activated, while
58.3% of industry favour the option to support self/co-regulation.
In addition, the European Commission organised two workshops in April 2016, one open to
all stakeholders and one open to national competent authorities, addressing the main questions
of the public consultations. The views expressed during the workshops reflected the outcome
of the public consultation.
To obtain views from citizens, a Eurobarometer survey on ePrivacy14 was conducted
throughout the EU. The key findings are the following15:
– 78% say it is very important that personal information on their computer, smartphone
or tablet can only be accessed with their permission.
– 72% state that it is very important that the confidentiality of their e-mails and online
instant messaging is guaranteed.
– 89% agree with the suggested option that the default settings of their browser should
stop the sharing of their information.
3.3. Collection and use of expertise
The Commission relied on the following external expert advice:
– Targeted consultations of EU expert groups: Opinion of the Article 29 Working
Party; Opinion of the EDPS; Opinion of the REFIT Platform; views of BEREC;
views of ENISA and views of members of the Consumer Protection and Cooperation
Network.
– External expertise, particularly the following two studies:
12
162 contributions from citizens, 33 from civil society and consumer organisations; 186 from industry
and 40 from public authorities, including competent authorities enforcing the ePrivacy Directive.
13
The full report is available: https://ec.europa.eu/digital-single-market/news-redirect/37204.
14
2016 Eurobarometer survey (EB) 443 on e-Privacy (SMART 2016/079).
15
The full report is available: https://ec.europa.eu/digital-single-market/news-redirect/37205.
– Study "ePrivacy Directive: assessment of transposition, effectiveness and
compatibility with proposed Data Protection Regulation" (SMART
2013/007116).
– Study "Evaluation and review of Directive 2002/58 on privacy and the
electronic communication sector" (SMART 2016/0080).
3.4. Impact assessment
An impact assessment was carried out for this proposal on which on 28 September 2016, the
Regulatory Scrutiny Board issued a positive opinion16. To address the recommendations of
the Board, the impact assessment explains better the scope of the initiative, its coherence with
other legal instruments (GDPR, EECC, RED) and the need for a separate instrument. The
baseline scenario is further developed and clarified. The analysis of the impacts is
strengthened and made more balanced, clarifying and reinforcing the description of the
expected costs and benefits.
The following policy options were examined against the criteria of effectiveness, efficiency
and coherence:
– Option 1: Non-legislative ("soft law") measures;
– Option 2: Limited reinforcement of privacy/confidentiality and simplification;
– Option 3: Measured reinforcement of privacy/confidentiality and simplification;
– Option 4: Far reaching reinforcement of privacy/confidentiality and simplification;
– Option 5: Repeal of the ePrivacy Directive.
Option 3 was, in most aspects, singled out as the preferred option to achieve the objectives,
while taking into account its efficiency and coherence. The main benefits are:
– Enhancing protection of confidentiality of electronic communications by extending
the scope of the legal instrument to include new functionally equivalent electronic
communications services. In addition, the Regulation enhances end-user's control by
clarifying that consent can be expressed through appropriate technical settings.
– Enhancing protection against unsolicited communications, with the introduction of
an obligation to provide the calling line identification or a mandatory prefix for
marketing calls and the enhanced possibilities to block calls from unwanted numbers.
– Simplifying and clarifying the regulatory environment, by reducing the margin of
manoeuvre left to Member States, repealing outdated provisions and the broadening
of the exceptions to the consent rules.
The economic impact of Option 3 is expected to be overall proportionate to the aims of the
proposal. Business opportunities related to the processing of communications data are opened
up for traditional electronic communications services, while OTT providers become subject to
the same rules. This implies some additional compliance costs for these operators. However,
this change will not substantially affect those OTTs that already operate on the basis of
consent. Finally, the impact of the option would not be felt in the Member States that have
extended these rules to OTTs already.
By centralising the consent in software such as internet browsers and prompting users to
choose their privacy settings and expanding the exceptions to the cookie consent rule, a
significant proportion of businesses would be able to do away with cookie banners and
notices, thus leading to potentially significant cost savings and simplification. However, it
16
http://ec.europa.eu/transparency/regdoc/?fuseaction=ia.
may become more difficult for online targeted advertisers to obtain consent if a large
proportion of users opt for "reject third party cookies" settings. At the same time, centralising
consent does not deprive website operators from the possibility to obtain consent by means of
individual requests to end-users and thus maintain their current business model. Additional
costs would ensue for some providers of browsers or similar software as these would need to
ensure privacy-friendly settings.
The external study identified three distinct implementation scenarios of Option 3, according to
the entity who will establish the dialogue box between the user having chosen "reject third
party cookies" or "do-not-track" settings and websites visited wishing the internet user to
reconsider his/her choice. The entities who could be put in charge of this technical task are: 1)
software such as internet browsers; 2) the third party tracker; 3) the individual websites (i.e.
information society service requested by the user). Option 3 would lead to overall savings in
terms of compliance cost compared to baseline scenario of 70% (€948.8 million savings) in
the first scenario (browser solution), implemented in this proposal. Cost savings would be
lower in other scenarios. As overall savings largely derive from a very significant decrease of
the number of affected businesses, the individual amount of compliance costs for one business
is expected to incur – on average – would be higher than today.
3.5. Regulatory fitness and simplification
The policy measures proposed under the preferred option address the objective of
simplification and reduction of administrative burden, in line with the findings of the REFIT
evaluation and Opinion of the REFIT Platform17.
The REFIT Platform issued three sets of recommendations to the Commission:
– The protection of citizen's private life should be strengthened through an alignment
of the ePrivacy Directive with the General Data Protection Regulation;
– The effectiveness of citizens protections against unsolicited marketing should be
enhanced by adding exceptions to the ‘consent’ rule for cookies;
– The Commission addresses national implementation problems and facilitates the
exchange of best practice amongst Member States.
The proposal include specifically:
– Use of technologically neutral definitions to apprehend new services and
technologies to ensure that the Regulation is future-proof;
– Repeal of the security rules to eliminate regulatory duplication;
– Clarification of scope to help eliminate/reduce the risk of divergent implementation
by Member States (point 3 of the Opinion);
– Clarification and simplification of the consent rule for the use of cookies and other
identifiers, as explained in Sections 3.1 and 3.4 (point 2 of the Opinion);
– Alignment of the supervisory authorities with the authorities competent to enforce
the GDPR and reliance on the consistency mechanism of the GDPR.
3.6. Impact on fundamental rights
The proposal aims to make more effective and increase the level of protection of privacy and
personal data processed in relation with electronic communications in accordance with
Articles 7 and 8 of the Charter and ensure greater legal certainty. The proposal complements
and particularises the GDPR. Effective protection of the confidentiality of communications is
17
http://ec.europa.eu/smart-regulation/refit/refit-platform/docs/recommendations/opinion_comm_net.pdf.
essential for exercising the freedom of expression and information and other related rights,
such as the right to personal data protection or the freedom of thought, conscience and
religion.
4. BUDGETARY IMPLICATIONS
The proposal has no implications for the Union budget.
5. OTHER ELEMENTS
5.1. Implementation plans and monitoring, evaluation and reporting arrangements
The Commission will monitor the application of the Regulation and submit a report on its
evaluation to the European Parliament and to the Council and the European Economic and
Social Committee every three years. These reports will be public and detail the effective
application and enforcement of this Regulation.
Proposal for a
concerning the respect for private life and the protection of personal data in electronic
communications and repealing Directive 2002/58/EC (Regulation on Privacy and
Electronic Communications)
1
OJ C , , p. .
2
OJ C , , p. .
3
OJ C , , p. .
private lives of the persons involved in the electronic communication, such as their
social relationships, their habits and activities of everyday life, their interests, tastes
etc.
(3) Electronic communications data may also reveal information concerning legal entities,
such as business secrets or other sensitive information that has economic value.
Therefore, the provisions of this Regulation should apply to both natural and legal
persons. Furthermore, this Regulation should ensure that provisions of the Regulation
(EU) 2016/679 of the European Parliament and of the Council4, also apply to end-
users who are legal persons. This includes the definition of consent under Regulation
(EU) 2016/679. When reference is made to consent by an end-user, including legal
persons, this definition should apply. In addition, legal persons should have the same
rights as end-users that are natural persons regarding the supervisory authorities;
furthermore, supervisory authorities under this Regulation should also be responsible
for monitoring the application of this Regulation regarding legal persons.
(4) Pursuant to Article 8(1) of the Charter and Article 16(1) of the Treaty on the
Functioning of the European Union, everyone has the right to the protection of
personal data concerning him or her. Regulation (EU) 2016/679 lays down rules
relating to the protection of natural persons with regard to the processing of personal
data and rules relating to the free movement of personal data. Electronic
communications data may include personal data as defined in Regulation (EU)
2016/679.
(5) The provisions of this Regulation particularise and complement the general rules on
the protection of personal data laid down in Regulation (EU) 2016/679 as regards
electronic communications data that qualify as personal data. This Regulation
therefore does not lower the level of protection enjoyed by natural persons under
Regulation (EU) 2016/679. Processing of electronic communications data by providers
of electronic communications services should only be permitted in accordance with
this Regulation.
(6) While the principles and main provisions of Directive 2002/58/EC of the European
Parliament and of the Council5 remain generally sound, that Directive has not fully
kept pace with the evolution of technological and market reality, resulting in an
inconsistent or insufficient effective protection of privacy and confidentiality in
relation to electronic communications. Those developments include the entrance on
the market of electronic communications services that from a consumer perspective
are substitutable to traditional services, but do not have to comply with the same set of
rules. Another development concerns new techniques that allow for tracking of online
behaviour of end-users, which are not covered by Directive 2002/58/EC. Directive
2002/58/EC should therefore be repealed and replaced by this Regulation.
(7) The Member States should be allowed, within the limits of this Regulation, to
maintain or introduce national provisions to further specify and clarify the application
of the rules of this Regulation in order to ensure an effective application and
interpretation of those rules. Therefore, the margin of discretion, which Member States
4
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the free movement of
such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016,
p. 1–88).
5
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the
processing of personal data and the protection of privacy in the electronic communications sector
(Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p.37).
have in this regard, should maintain a balance between the protection of private life
and personal data and the free movement of electronic communications data.
(8) This Regulation should apply to providers of electronic communications services, to
providers of publicly available directories, and to software providers permitting
electronic communications, including the retrieval and presentation of information on
the internet. This Regulation should also apply to natural and legal persons who use
electronic communications services to send direct marketing commercial
communications or collect information related to or stored in end-users’ terminal
equipment.
(9) This Regulation should apply to electronic communications data processed in
connection with the provision and use of electronic communications services in the
Union, regardless of whether or not the processing takes place in the Union. Moreover,
in order not to deprive end-users in the Union of effective protection, this Regulation
should also apply to electronic communications data processed in connection with the
provision of electronic communications services from outside the Union to end-users
in the Union.
(10) Radio equipment and its software which is placed on the internal market in the Union,
must comply with Directive 2014/53/EU of the European Parliament and of the
Council6. This Regulation should not affect the applicability of any of the
requirements of Directive 2014/53/EU nor the power of the Commission to adopt
delegated acts pursuant to Directive 2014/53/EU requiring that specific categories or
classes of radio equipment incorporate safeguards to ensure that personal data and
privacy of end-users are protected.
(11) The services used for communications purposes, and the technical means of their
delivery, have evolved considerably. End-users increasingly replace traditional voice
telephony, text messages (SMS) and electronic mail conveyance services in favour of
functionally equivalent online services such as Voice over IP, messaging services and
web-based e-mail services. In order to ensure an effective and equal protection of end-
users when using functionally equivalent services, this Regulation uses the definition
of electronic communications services set forth in the [Directive of the European
Parliament and of the Council establishing the European Electronic Communications
Code7]. That definition encompasses not only internet access services and services
consisting wholly or partly in the conveyance of signals but also interpersonal
communications services, which may or may not be number-based, such as for
example, Voice over IP, messaging services and web-based e-mail services. The
protection of confidentiality of communications is crucial also as regards interpersonal
communications services that are ancillary to another service; therefore, such type of
services also having a communication functionality should be covered by this
Regulation.
(12) Connected devices and machines increasingly communicate with each other by using
electronic communications networks (Internet of Things). The transmission of
machine-to-machine communications involves the conveyance of signals over a
network and, hence, usually constitutes an electronic communications service. In order
to ensure full protection of the rights to privacy and confidentiality of
6
Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the
harmonisation of the laws of the Member States relating to the making available on the market of radio
equipment and repealing Directive 1999/5/EC (OJ L 153, 22.5.2014, p. 62).
7
Commission proposal for a Directive of the European Parliament and of the Council establishing the
European Electronic Communications Code (Recast) (COM/2016/0590 final - 2016/0288 (COD)).
communications, and to promote a trusted and secure Internet of Things in the digital
single market, it is necessary to clarify that this Regulation should apply to the
transmission of machine-to-machine communications. Therefore, the principle of
confidentiality enshrined in this Regulation should also apply to the transmission of
machine-to-machine communications. Specific safeguards could also be adopted under
sectorial legislation, as for instance Directive 2014/53/EU.
(13) The development of fast and efficient wireless technologies has fostered the increasing
availability for the public of internet access via wireless networks accessible by
anyone in public and semi-private spaces such as 'hotspots' situated at different places
within a city, department stores, shopping malls and hospitals. To the extent that those
communications networks are provided to an undefined group of end-users, the
confidentiality of the communications transmitted through such networks should be
protected. The fact that wireless electronic communications services may be ancillary
to other services should not stand in the way of ensuring the protection of
confidentiality of communications data and application of this Regulation. Therefore,
this Regulation should apply to electronic communications data using electronic
communications services and public communications networks. In contrast, this
Regulation should not apply to closed groups of end-users such as corporate networks,
access to which is limited to members of the corporation.
(14) Electronic communications data should be defined in a sufficiently broad and
technology neutral way so as to encompass any information concerning the content
transmitted or exchanged (electronic communications content) and the information
concerning an end-user of electronic communications services processed for the
purposes of transmitting, distributing or enabling the exchange of electronic
communications content; including data to trace and identify the source and
destination of a communication, geographical location and the date, time, duration and
the type of communication. Whether such signals and the related data are conveyed by
wire, radio, optical or electromagnetic means, including satellite networks, cable
networks, fixed (circuit- and packet-switched, including internet) and mobile terrestrial
networks, electricity cable systems, the data related to such signals should be
considered as electronic communications metadata and therefore be subject to the
provisions of this Regulation. Electronic communications metadata may include
information that is part of the subscription to the service when such information is
processed for the purposes of transmitting, distributing or exchanging electronic
communications content.
(15) Electronic communications data should be treated as confidential. This means that any
interference with the transmission of electronic communications data, whether directly
by human intervention or through the intermediation of automated processing by
machines, without the consent of all the communicating parties should be prohibited.
The prohibition of interception of communications data should apply during their
conveyance, i.e. until receipt of the content of the electronic communication by the
intended addressee. Interception of electronic communications data may occur, for
example, when someone other than the communicating parties, listens to calls, reads,
scans or stores the content of electronic communications, or the associated metadata
for purposes other than the exchange of communications. Interception also occurs
when third parties monitor websites visited, timing of the visits, interaction with
others, etc., without the consent of the end-user concerned. As technology evolves, the
technical ways to engage in interception have also increased. Such ways may range
from the installation of equipment that gathers data from terminal equipment over
targeted areas, such as the so-called IMSI (International Mobile Subscriber Identity)
catchers, to programs and techniques that, for example, surreptitiously monitor
browsing habits for the purpose of creating end-user profiles. Other examples of
interception include capturing payload data or content data from unencrypted wireless
networks and routers, including browsing habits without the end-users' consent.
(16) The prohibition of storage of communications is not intended to prohibit any
automatic, intermediate and transient storage of this information insofar as this takes
place for the sole purpose of carrying out the transmission in the electronic
communications network. It should not prohibit either the processing of electronic
communications data to ensure the security and continuity of the electronic
communications services, including checking security threats such as the presence of
malware or the processing of metadata to ensure the necessary quality of service
requirements, such as latency, jitter etc.
(17) The processing of electronic communications data can be useful for businesses,
consumers and society as a whole. Vis-à-vis Directive 2002/58/EC, this Regulation
broadens the possibilities for providers of electronic communications services to
process electronic communications metadata, based on end-users consent. However,
end-users attach great importance to the confidentiality of their communications,
including their online activities, and that they want to control the use of electronic
communications data for purposes other than conveying the communication.
Therefore, this Regulation should require providers of electronic communications
services to obtain end-users' consent to process electronic communications metadata,
which should include data on the location of the device generated for the purposes of
granting and maintaining access and connection to the service. Location data that is
generated other than in the context of providing electronic communications services
should not be considered as metadata. Examples of commercial usages of electronic
communications metadata by providers of electronic communications services may
include the provision of heatmaps; a graphical representation of data using colors to
indicate the presence of individuals. To display the traffic movements in certain
directions during a certain period of time, an identifier is necessary to link the
positions of individuals at certain time intervals. This identifier would be missing if
anonymous data were to be used and such movement could not be displayed. Such
usage of electronic communications metadata could, for example, benefit public
authorities and public transport operators to define where to develop new
infrastructure, based on the usage of and pressure on the existing structure. Where a
type of processing of electronic communications metadata, in particular using new
technologies, and taking into account the nature, scope, context and purposes of the
processing, is likely to result in a high risk to the rights and freedoms of natural
persons, a data protection impact assessment and, as the case may be, a consultation of
the supervisory authority should take place prior to the processing, in accordance with
Articles 35 and 36 of Regulation (EU) 2016/679.
(18) End-users may consent to the processing of their metadata to receive specific services
such as protection services against fraudulent activities (by analysing usage data,
location and customer account in real time). In the digital economy, services are often
supplied against counter-performance other than money, for instance by end-users
being exposed to advertisements. For the purposes of this Regulation, consent of an
end-user, regardless of whether the latter is a natural or a legal person, should have the
same meaning and be subject to the same conditions as the data subject's consent
under Regulation (EU) 2016/679. Basic broadband internet access and voice
communications services are to be considered as essential services for individuals to
be able to communicate and participate to the benefits of the digital economy. Consent
for processing data from internet or voice communication usage will not be valid if the
data subject has no genuine and free choice, or is unable to refuse or withdraw consent
without detriment.
(19) The content of electronic communications pertains to the essence of the fundamental
right to respect for private and family life, home and communications protected under
Article 7 of the Charter. Any interference with the content of electronic
communications should be allowed only under very clear defined conditions, for
specific purposes and be subject to adequate safeguards against abuse. This Regulation
provides for the possibility of providers of electronic communications services to
process electronic communications data in transit, with the informed consent of all the
end-users concerned. For example, providers may offer services that entail the
scanning of emails to remove certain pre-defined material. Given the sensitivity of the
content of communications, this Regulation sets forth a presumption that the
processing of such content data will result in high risks to the rights and freedoms of
natural persons. When processing such type of data, the provider of the electronic
communications service should always consult the supervisory authority prior to the
processing. Such consultation should be in accordance with Article 36 (2) and (3) of
Regulation (EU) 2016/679. The presumption does not encompass the processing of
content data to provide a service requested by the end-user where the end-user has
consented to such processing and it is carried out for the purposes and duration strictly
necessary and proportionate for such service. After electronic communications content
has been sent by the end-user and received by the intended end-user or end-users, it
may be recorded or stored by the end-user, end-users or by a third party entrusted by
them to record or store such data. Any processing of such data must comply with
Regulation (EU) 2016/679.
(20) Terminal equipment of end-users of electronic communications networks and any
information relating to the usage of such terminal equipment, whether in particular is
stored in or emitted by such equipment, requested from or processed in order to enable
it to connect to another device and or network equipment, are part of the private sphere
of the end-users requiring protection under the Charter of Fundamental Rights of the
European Union and the European Convention for the Protection of Human Rights and
Fundamental Freedoms. Given that such equipment contains or processes information
that may reveal details of an individual's emotional, political, social complexities,
including the content of communications, pictures, the location of individuals by
accessing the device’s GPS capabilities, contact lists, and other information already
stored in the device, the information related to such equipment requires enhanced
privacy protection. Furthermore, the so-called spyware, web bugs, hidden identifiers,
tracking cookies and other similar unwanted tracking tools can enter end-user's
terminal equipment without their knowledge in order to gain access to information, to
store hidden information and to trace the activities. Information related to the end-
user’s device may also be collected remotely for the purpose of identification and
tracking, using techniques such as the so-called ‘device fingerprinting’, often without
the knowledge of the end-user, and may seriously intrude upon the privacy of these
end-users. Techniques that surreptitiously monitor the actions of end-users, for
example by tracking their activities online or the location of their terminal equipment,
or subvert the operation of the end-users’ terminal equipment pose a serious threat to
the privacy of end-users. Therefore, any such interference with the end-user's terminal
equipment should be allowed only with the end-user's consent and for specific and
transparent purposes.
(21) Exceptions to the obligation to obtain consent to make use of the processing and
storage capabilities of terminal equipment or to access information stored in terminal
equipment should be limited to situations that involve no, or only very limited,
intrusion of privacy. For instance, consent should not be requested for authorizing the
technical storage or access which is strictly necessary and proportionate for the
legitimate purpose of enabling the use of a specific service explicitly requested by the
end-user. This may include the storing of cookies for the duration of a single
established session on a website to keep track of the end-user’s input when filling in
online forms over several pages. Cookies can also be a legitimate and useful tool, for
example, in measuring web traffic to a website. Information society providers that
engage in configuration checking to provide the service in compliance with the end-
user's settings and the mere logging of the fact that the end-user’s device is unable to
receive content requested by the end-user should not constitute access to such a device
or use of the device processing capabilities.
(22) The methods used for providing information and obtaining end-user's consent should
be as user-friendly as possible. Given the ubiquitous use of tracking cookies and other
tracking techniques, end-users are increasingly requested to provide consent to store
such tracking cookies in their terminal equipment. As a result, end-users are
overloaded with requests to provide consent. The use of technical means to provide
consent, for example, through transparent and user-friendly settings, may address this
problem. Therefore, this Regulation should provide for the possibility to express
consent by using the appropriate settings of a browser or other application. The
choices made by end-users when establishing its general privacy settings of a browser
or other application should be binding on, and enforceable against, any third parties.
Web browsers are a type of software application that permits the retrieval and
presentation of information on the internet. Other types of applications, such as the
ones that permit calling and messaging or provide route guidance, have also the same
capabilities. Web browsers mediate much of what occurs between the end-user and the
website. From this perspective, they are in a privileged position to play an active role
to help the end-user to control the flow of information to and from the terminal
equipment. More particularly web browsers may be used as gatekeepers, thus helping
end-users to prevent information from their terminal equipment (for example smart
phone, tablet or computer) from being accessed or stored.
(23) The principles of data protection by design and by default were codified under Article
25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in
most current browsers to ‘accept all cookies’. Therefore providers of software
enabling the retrieval and presentation of information on the internet should have an
obligation to configure the software so that it offers the option to prevent third parties
from storing information on the terminal equipment; this is often presented as ‘reject
third party cookies’. End-users should be offered a set of privacy setting options,
ranging from higher (for example, ‘never accept cookies’) to lower (for example,
‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or
‘only accept first party cookies’). Such privacy settings should be presented in a an
easily visible and intelligible manner.
(24) For web browsers to be able to obtain end-users’ consent as defined under Regulation
(EU) 2016/679, for example, to the storage of third party tracking cookies, they
should, among others, require a clear affirmative action from the end-user of terminal
equipment to signify his or her freely given, specific informed, and unambiguous
agreement to the storage and access of such cookies in and from the terminal
equipment. Such action may be considered to be affirmative, for example, if end-users
are required to actively select ‘accept third party cookies’ to confirm their agreement
and are given the necessary information to make the choice. To this end, it is necessary
to require providers of software enabling access to internet that, at the moment of
installation, end-users are informed about the possibility to choose the privacy settings
among the various options and ask them to make a choice. Information provided
should not dissuade end-users from selecting higher privacy settings and should
include relevant information about the risks associated to allowing third party cookies
to be stored in the computer, including the compilation of long-term records of
individuals' browsing histories and the use of such records to send targeted
advertising. Web browsers are encouraged to provide easy ways for end-users to
change the privacy settings at any time during use and to allow the user to make
exceptions for or to whitelist certain websites or to specify for which websites (third)
party cookies are always or never allowed.
(25) Accessing electronic communications networks requires the regular emission of
certain data packets in order to discover or maintain a connection with the network or
other devices on the network. Furthermore, devices must have a unique address
assigned in order to be identifiable on that network. Wireless and cellular telephone
standards similarly involve the emission of active signals containing unique identifiers
such as a MAC address, the IMEI (International Mobile Station Equipment Identity),
the IMSI etc. A single wireless base station (i.e. a transmitter and receiver), such as a
wireless access point, has a specific range within which such information may be
captured. Service providers have emerged who offer tracking services based on the
scanning of equipment related information with diverse functionalities, including
people counting, providing data on the number of people waiting in line, ascertaining
the number of people in a specific area, etc. This information may be used for more
intrusive purposes, such as to send commercial messages to end-users, for example
when they enter stores, with personalized offers. While some of these functionalities
do not entail high privacy risks, others do, for example, those involving the tracking of
individuals over time, including repeated visits to specified locations. Providers
engaged in such practices should display prominent notices located on the edge of the
area of coverage informing end-users prior to entering the defined area that the
technology is in operation within a given perimeter, the purpose of the tracking, the
person responsible for it and the existence of any measure the end-user of the terminal
equipment can take to minimize or stop the collection. Additional information should
be provided where personal data are collected pursuant to Article 13 of Regulation
(EU) 2016/679.
(26) When the processing of electronic communications data by providers of electronic
communications services falls within its scope, this Regulation should provide for the
possibility for the Union or Member States under specific conditions to restrict by law
certain obligations and rights when such a restriction constitutes a necessary and
proportionate measure in a democratic society to safeguard specific public interests,
including national security, defence, public security and the prevention, investigation,
detection or prosecution of criminal offences or the execution of criminal penalties,
including the safeguarding against and the prevention of threats to public security and
other important objectives of general public interest of the Union or of a Member
State, in particular an important economic or financial interest of the Union or of a
Member State, or a monitoring, inspection or regulatory function connected to the
exercise of official authority for such interests. Therefore, this Regulation should not
affect the ability of Member States to carry out lawful interception of electronic
communications or take other measures, if necessary and proportionate to safeguard
the public interests mentioned above, in accordance with the Charter of Fundamental
Rights of the European Union and the European Convention for the Protection of
Human Rights and Fundamental Freedoms, as interpreted by the Court of Justice of
the European Union and of the European Court of Human Rights. Providers of
electronic communications services should provide for appropriate procedures to
facilitate legitimate requests of competent authorities, where relevant also taking into
account the role of the representative designated pursuant to Article 3(3).
(27) As regards calling line identification, it is necessary to protect the right of the calling
party to withhold the presentation of the identification of the line from which the call
is being made and the right of the called party to reject calls from unidentified lines.
Certain end-users, in particular help lines, and similar organisations, have an interest
in guaranteeing the anonymity of their callers. As regards connected line
identification, it is necessary to protect the right and the legitimate interest of the
called party to withhold the presentation of the identification of the line to which the
calling party is actually connected.
(28) There is justification for overriding the elimination of calling line identification
presentation in specific cases. End-users' rights to privacy with regard to calling line
identification should be restricted where this is necessary to trace nuisance calls and
with regard to calling line identification and location data where this is necessary to
allow emergency services, such as eCall, to carry out their tasks as effectively as
possible.
(29) Technology exists that enables providers of electronic communications services to
limit the reception of unwanted calls by end-users in different ways, including
blocking silent calls and other fraudulent and nuisance calls. Providers of publicly
available number-based interpersonal communications services should deploy this
technology and protect end-users against nuisance calls and free of charge. Providers
should ensure that end-users are aware of the existence of such functionalities, for
instance, by publicising the fact on their webpage.
(30) Publicly available directories of end-users of electronic communications services are
widely distributed. Publicly available directories means any directory or service
containing end-users information such as phone numbers (including mobile phone
numbers), email address contact details and includes inquiry services. The right to
privacy and to protection of the personal data of a natural person requires that end-
users that are natural persons are asked for consent before their personal data are
included in a directory. The legitimate interest of legal entities requires that end-users
that are legal entities have the right to object to the data related to them being included
in a directory.
(31) If end-users that are natural persons give their consent to their data being included in
such directories, they should be able to determine on a consent basis which categories
of personal data are included in the directory (for example name, email address, home
address, user name, phone number). In addition, providers of publicly available
directories should inform the end-users of the purposes of the directory and of the
search functions of the directory before including them in that directory. End-users
should be able to determine by consent on the basis of which categories of personal
data their contact details can be searched. The categories of personal data included in
the directory and the categories of personal data on the basis of which the end-user's
contact details can be searched should not necessarily be the same.
(32) In this Regulation, direct marketing refers to any form of advertising by which a
natural or legal person sends direct marketing communications directly to one or more
identified or identifiable end-users using electronic communications services. In
addition to the offering of products and services for commercial purposes, this should
also include messages sent by political parties that contact natural persons via
electronic communications services in order to promote their parties. The same should
apply to messages sent by other non-profit organisations to support the purposes of the
organisation.
(33) Safeguards should be provided to protect end-users against unsolicited
communications for direct marketing purposes, which intrude into the private life of
end-users. The degree of privacy intrusion and nuisance is considered relatively
similar independently of the wide range of technologies and channels used to conduct
these electronic communications, whether using automated calling and communication
systems, instant messaging applications, emails, SMS, MMS, Bluetooth, etc. It is
therefore justified to require that consent of the end-user is obtained before
commercial electronic communications for direct marketing purposes are sent to end-
users in order to effectively protect individuals against the intrusion into their private
life as well as the legitimate interest of legal persons. Legal certainty and the need to
ensure that the rules protecting against unsolicited electronic communications remain
future-proof justify the need to define a single set of rules that do not vary according to
the technology used to convey these unsolicited communications, while at the same
time guaranteeing an equivalent level of protection for all citizens throughout the
Union. However, it is reasonable to allow the use of e-mail contact details within the
context of an existing customer relationship for the offering of similar products or
services. Such possibility should only apply to the same company that has obtained the
electronic contact details in accordance with Regulation (EU) 2016/679.
(34) When end-users have provided their consent to receiving unsolicited communications
for direct marketing purposes, they should still be able to withdraw their consent at
any time in an easy manner. To facilitate effective enforcement of Union rules on
unsolicited messages for direct marketing, it is necessary to prohibit the masking of
the identity and the use of false identities, false return addresses or numbers while
sending unsolicited commercial communications for direct marketing purposes.
Unsolicited marketing communications should therefore be clearly recognizable as
such and should indicate the identity of the legal or the natural person transmitting the
communication or on behalf of whom the communication is transmitted and provide
the necessary information for recipients to exercise their right to oppose to receiving
further written and/or oral marketing messages.
(35) In order to allow easy withdrawal of consent, legal or natural persons conducting
direct marketing communications by email should present a link, or a valid electronic
mail address, which can be easily used by end-users to withdraw their consent. Legal
or natural persons conducting direct marketing communications through voice-to-
voice calls and through calls by automating calling and communication systems
should display their identity line on which the company can be called or present a
specific code identifying the fact that the call is a marketing call.
(36) Voice-to-voice direct marketing calls that do not involve the use of automated calling
and communication systems, given that they are more costly for the sender and impose
no financial costs on end-users. Member States should therefore be able to establish
and or maintain national systems only allowing such calls to end-users who have not
objected.
(37) Service providers who offer electronic communications services should inform end-
users of measures they can take to protect the security of their communications for
instance by using specific types of software or encryption technologies. The
requirement to inform end-users of particular security risks does not discharge a
service provider from the obligation to take, at its own costs, appropriate and
immediate measures to remedy any new, unforeseen security risks and restore the
normal security level of the service. The provision of information about security risks
to the subscriber should be free of charge. Security is appraised in the light of Article
32 of Regulation (EU) 2016/679.
(38) To ensure full consistency with Regulation (EU) 2016/679, the enforcement of the
provisions of this Regulation should be entrusted to the same authorities responsible
for the enforcement of the provisions Regulation (EU) 2016/679 and this Regulation
relies on the consistency mechanism of Regulation (EU) 2016/679. Member States
should be able to have more than one supervisory authority, to reflect their
constitutional, organisational and administrative structure. The supervisory authorities
should also be responsible for monitoring the application of this Regulation regarding
electronic communications data for legal entities. Such additional tasks should not
jeopardise the ability of the supervisory authority to perform its tasks regarding the
protection of personal data under Regulation (EU) 2016/679 and this Regulation. Each
supervisory authority should be provided with the additional financial and human
resources, premises and infrastructure necessary for the effective performance of the
tasks under this Regulation.
(39) Each supervisory authority should be competent on the territory of its own Member
State to exercise the powers and to perform the tasks set forth in this Regulation. In
order to ensure consistent monitoring and enforcement of this Regulation throughout
the Union, the supervisory authorities should have the same tasks and effective powers
in each Member State, without prejudice to the powers of prosecutorial authorities
under Member State law, to bring infringements of this Regulation to the attention of
the judicial authorities and engage in legal proceedings. Member States and their
supervisory authorities are encouraged to take account of the specific needs of micro,
small and medium-sized enterprises in the application of this Regulation.
(40) In order to strengthen the enforcement of the rules of this Regulation, each supervisory
authority should have the power to impose penalties including administrative fines for
any infringement of this Regulation, in addition to, or instead of any other appropriate
measures pursuant to this Regulation. This Regulation should indicate infringements
and the upper limit and criteria for setting the related administrative fines, which
should be determined by the competent supervisory authority in each individual case,
taking into account all relevant circumstances of the specific situation, with due regard
in particular to the nature, gravity and duration of the infringement and of its
consequences and the measures taken to ensure compliance with the obligations under
this Regulation and to prevent or mitigate the consequences of the infringement. For
the purpose of setting a fine under this Regulation, an undertaking should be
understood to be an undertaking in accordance with Articles 101 and 102 of the
Treaty.
(41) In order to fulfil the objectives of this Regulation, namely to protect the fundamental
rights and freedoms of natural persons and in particular their right to the protection of
personal data and to ensure the free movement of personal data within the Union, the
power to adopt acts in accordance with Article 290 of the Treaty should be delegated
to the Commission to supplement this Regulation. In particular, delegated acts should
be adopted in respect of the information to be presented, including by means of
standardised icons in order to give an easily visible and intelligible overview of the
collection of information emitted by terminal equipment, its purpose, the person
responsible for it and of any measure the end-user of the terminal equipment can take
to minimise the collection. Delegated acts are also necessary to specify a code to
identify direct marketing calls including those made through automated calling and
communication systems. It is of particular importance that the Commission carries out
appropriate consultations and that those consultations be conducted in accordance with
the principles laid down in the Interinstitutional Agreement on Better Law-Making of
13 April 20168. In particular, to ensure equal participation in the preparation of
delegated acts, the European Parliament and the Council receive all documents at the
same time as Member States' experts, and their experts systematically have access to
meetings of Commission expert groups dealing with the preparation of delegated acts.
Furthermore, in order to ensure uniform conditions for the implementation of this
Regulation, implementing powers should be conferred on the Commission when
provided for by this Regulation. Those powers should be exercised in accordance with
Regulation (EU) No 182/2011.
(42) Since the objective of this Regulation, namely to ensure an equivalent level of
protection of natural and legal persons and the free flow of electronic communications
data throughout the Union, cannot be sufficiently achieved by the Member States and
can rather, by reason of the scale or effects of the action, be better achieved at Union
level, the Union may adopt measures, in accordance with the principle of subsidiarity
as set out in Article 5 of the Treaty on European Union. In accordance with the
principle of proportionality as set out in that Article, this Regulation does not go
beyond what is necessary in order to achieve that objective.
(43) Directive 2002/58/EC should be repealed.
HAVE ADOPTED THIS REGULATION:
8
Interinstitutional Agreement between the European Parliament, the Council of the European Union and
the European Commission on Better Law-Making of 13 April 2016 (OJ L 123, 12.5.2016, p. 1–14).
CHAPTER I
GENERAL PROVISIONS
Article 1
Subject matter
1. This Regulation lays down rules regarding the protection of fundamental rights and
freedoms of natural and legal persons in the provision and use of electronic
communications services, and in particular, the rights to respect for private life and
communications and the protection of natural persons with regard to the processing
of personal data.
2. This Regulation ensures free movement of electronic communications data and
electronic communications services within the Union, which shall be neither
restricted nor prohibited for reasons related to the respect for the private life and
communications of natural and legal persons and the protection of natural persons
with regard to the processing of personal data.
3. The provisions of this Regulation particularise and complement Regulation (EU)
2016/679 by laying down specific rules for the purposes mentioned in paragraphs 1
and 2.
Article 2
Material Scope
1. This Regulation applies to the processing of electronic communications data carried
out in connection with the provision and the use of electronic communications
services and to information related to the terminal equipment of end-users.
2. This Regulation does not apply to:
(a) activities which fall outside the scope of Union law;
(b) activities of the Member States which fall within the scope of Chapter 2 of Title V of
the Treaty on European Union;
(c) electronic communications services which are not publicly available;
(d) activities of competent authorities for the purposes of the prevention, investigation,
detection or prosecution of criminal offences or the execution of criminal penalties,
including the safeguarding against and the prevention of threats to public security;
3. The processing of electronic communications data by the Union institutions, bodies,
offices and agencies is governed by Regulation (EU) 00/0000 [new Regulation
replacing Regulation 45/2001].
4. This Regulation shall be without prejudice to the application of Directive
2000/31/EC9, in particular of the liability rules of intermediary service providers in
Articles 12 to 15 of that Directive.
5. This Regulation shall be without prejudice to the provisions of Directive
2014/53/EU.
9
Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal
aspects of information society services, in particular electronic commerce, in the Internal Market
('Directive on electronic commerce') (OJ L 178, 17.7.2000, p. 1–16).
Article 3
Territorial scope and representative
1. This Regulation applies to:
(a) the provision of electronic communications services to end-users in the Union,
irrespective of whether a payment of the end-user is required;
(b) the use of such services;
(c) the protection of information related to the terminal equipment of end-users located
in the Union.
2. Where the provider of an electronic communications service is not established in the
Union it shall designate in writing a representative in the Union.
3. The representative shall be established in one of the Member States where the end-
users of such electronic communications services are located.
4. The representative shall have the power to answer questions and provide information
in addition to or instead of the provider it represents, in particular, to supervisory
authorities, and end-users, on all issues related to processing electronic
communications data for the purposes of ensuring compliance with this Regulation.
5. The designation of a representative pursuant to paragraph 2 shall be without
prejudice to legal actions, which could be initiated against a natural or legal person
who processes electronic communications data in connection with the provision of
electronic communications services from outside the Union to end-users in the
Union.
Article 4
Definitions
1. For the purposes of this Regulation, following definitions shall apply:
(a) the definitions in Regulation (EU) 2016/679;
(b) the definitions of ‘electronic communications network’, ‘electronic communications
service’, ‘interpersonal communications service’, ‘number-based interpersonal
communications service’, ‘number-independent interpersonal communications
service’, ‘end-user’ and ‘call’ in points (1), (4), (5), (6), (7), (14) and (21)
respectively of Article 2 of [Directive establishing the European Electronic
Communications Code];
(c) the definition of 'terminal equipment' in point (1) of Article 1 of Commission
Directive 2008/63/EC10.
2. For the purposes of point (b) of paragraph 1, the definition of ‘interpersonal
communications service’ shall include services which enable interpersonal and
interactive communication merely as a minor ancillary feature that is intrinsically
linked to another service.
3. In addition, for the purposes of this Regulation the following definitions shall apply:
(a) ‘electronic communications data’ means electronic communications content and
electronic communications metadata;
10
Commission Directive 2008/63/EC of 20 June 2008 on competition in the markets in
telecommunications terminal equipment (OJ L 162, 21.6.2008, p. 20–26).
(b) ‘electronic communications content’ means the content exchanged by means of
electronic communications services, such as text, voice, videos, images, and sound;
(c) ‘electronic communications metadata’ means data processed in an electronic
communications network for the purposes of transmitting, distributing or exchanging
electronic communications content; including data used to trace and identify the
source and destination of a communication, data on the location of the device
generated in the context of providing electronic communications services, and the
date, time, duration and the type of communication;
(d) ‘publicly available directory’ means a directory of end-users of electronic
communications services, whether in printed or electronic form, which is published
or made available to the public or to a section of the public, including by means of a
directory enquiry service;
(e) ‘electronic mail’ means any electronic message containing information such as text,
voice, video, sound or image sent over an electronic communications network which
can be stored in the network or in related computing facilities, or in the terminal
equipment of its recipient;
(f) ‘direct marketing communications’ means any form of advertising, whether written
or oral, sent to one or more identified or identifiable end-users of electronic
communications services, including the use of automated calling and communication
systems with or without human interaction, electronic mail, SMS, etc.;
(g) ‘direct marketing voice-to-voice calls’ means live calls, which do not entail the use
of automated calling systems and communication systems;
(h) ‘automated calling and communication systems’ means systems capable of
automatically initiating calls to one or more recipients in accordance with
instructions set for that system, and transmitting sounds which are not live speech,
including calls made using automated calling and communication systems which
connect the called person to an individual.
CHAPTER II
PROTECTION OF ELECTRONIC COMMUNICATIONS OF
NATURAL AND LEGAL PERSONS AND OF INFORMATION
STORED IN THEIR TERMINAL EQUIPMENT
Article 5
Confidentiality of electronic communications data
Electronic communications data shall be confidential. Any interference with electronic
communications data, such as by listening, tapping, storing, monitoring, scanning or other
kinds of interception, surveillance or processing of electronic communications data, by
persons other than the end-users, shall be prohibited, except when permitted by this
Regulation.
Article 6
Permitted processing of electronic communications data
1. Providers of electronic communications networks and services may process
electronic communications data if:
(a) it is necessary to achieve the transmission of the communication, for the duration
necessary for that purpose; or
(b) it is necessary to maintain or restore the security of electronic communications
networks and services, or detect technical faults and/or errors in the transmission of
electronic communications, for the duration necessary for that purpose.
Article 7
Storage and erasure of electronic communications data
1. Without prejudice to point (b) of Article 6(1) and points (a) and (b) of Article 6(3),
the provider of the electronic communications service shall erase electronic
communications content or make that data anonymous after receipt of electronic
communication content by the intended recipient or recipients. Such data may be
recorded or stored by the end-users or by a third party entrusted by them to record,
store or otherwise process such data, in accordance with Regulation (EU) 2016/679.
2. Without prejudice to point (b) of Article 6(1) and points (a) and (c) of Article 6(2),
the provider of the electronic communications service shall erase electronic
communications metadata or make that data anonymous when it is no longer needed
for the purpose of the transmission of a communication.
11
Regulation (EU) 2015/2120 of the European Parliament and of the Council of 25 November 2015
laying down measures concerning open internet access and amending Directive 2002/22/EC on
universal service and users’ rights relating to electronic communications networks and services and
Regulation (EU) No 531/2012 on roaming on public mobile communications networks within the
Union (OJ L 310, 26.11.2015, p. 1–18).
3. Where the processing of electronic communications metadata takes place for the
purpose of billing in accordance with point (b) of Article 6(2), the relevant metadata
may be kept until the end of the period during which a bill may lawfully be
challenged or a payment may be pursued in accordance with national law.
Article 8
Protection of information stored in and related to end-users’ terminal equipment
1. The use of processing and storage capabilities of terminal equipment and the
collection of information from end-users’ terminal equipment, including about its
software and hardware, other than by the end-user concerned shall be prohibited,
except on the following grounds:
(a) it is necessary for the sole purpose of carrying out the transmission of an electronic
communication over an electronic communications network; or
(b) the end-user has given his or her consent; or
(c) it is necessary for providing an information society service requested by the end-
user; or
(d) if it is necessary for web audience measuring, provided that such measurement is
carried out by the provider of the information society service requested by the end-
user.
2. The collection of information emitted by terminal equipment to enable it to connect
to another device and, or to network equipment shall be prohibited, except if:
(a) it is done exclusively in order to, for the time necessary for, and for the purpose of
establishing a connection; or
(b) a clear and prominent notice is displayed informing of, at least, the modalities of the
collection, its purpose, the person responsible for it and the other information
required under Article 13 of Regulation (EU) 2016/679 where personal data are
collected, as well as any measure the end-user of the terminal equipment can take to
stop or minimise the collection.
The collection of such information shall be conditional on the application of
appropriate technical and organisational measures to ensure a level of security
appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679, have
been applied.
3. The information to be provided pursuant to point (b) of paragraph 2 may be provided
in combination with standardized icons in order to give a meaningful overview of the
collection in an easily visible, intelligible and clearly legible manner.
4. The Commission shall be empowered to adopt delegated acts in accordance with
Article 27 determining the information to be presented by the standardized icon and
the procedures for providing standardized icons.
Article 9
Consent
1. The definition of and conditions for consent provided for under Articles 4(11) and 7
of Regulation (EU) 2016/679/EU shall apply.
2. Without prejudice to paragraph 1, where technically possible and feasible, for the
purposes of point (b) of Article 8(1), consent may be expressed by using the
appropriate technical settings of a software application enabling access to the
internet.
3. End-users who have consented to the processing of electronic communications data
as set out in point (c) of Article 6(2) and points (a) and (b) of Article 6(3) shall be
given the possibility to withdraw their consent at any time as set forth under Article
7(3) of Regulation (EU) 2016/679 and be reminded of this possibility at periodic
intervals of 6 months, as long as the processing continues.
Article 10
Information and options for privacy settings to be provided
1. Software placed on the market permitting electronic communications, including the
retrieval and presentation of information on the internet, shall offer the option to
prevent third parties from storing information on the terminal equipment of an end-
user or processing information already stored on that equipment.
2. Upon installation, the software shall inform the end-user about the privacy settings
options and, to continue with the installation, require the end-user to consent to a
setting.
3. In the case of software which has already been installed on 25 May 2018, the
requirements under paragraphs 1 and 2 shall be complied with at the time of the first
update of the software, but no later than 25 August 2018.
Article 11
Restrictions
1. Union or Member State law may restrict by way of a legislative measure the scope of
the obligations and rights provided for in Articles 5 to 8 where such a restriction
respects the essence of the fundamental rights and freedoms and is a necessary,
appropriate and proportionate measure in a democratic society to safeguard one or
more of the general public interests referred to in Article 23(1)(a) to (e) of
Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function
connected to the exercise of official authority for such interests.
2. Providers of electronic communications services shall establish internal procedures
for responding to requests for access to end-users’ electronic communications data
based on a legislative measure adopted pursuant to paragraph 1. They shall provide
the competent supervisory authority, on demand, with information about those
procedures, the number of requests received, the legal justification invoked and their
response.
CHAPTER III
NATURAL AND LEGAL PERSONS' RIGHTS TO CONTROL
ELECTRONIC COMMUNICATIONS
Article 12
Presentation and restriction of calling and connected line identification
1. Where presentation of the calling and connected line identification is offered in
accordance with Article [107] of the [Directive establishing the European Electronic
Communication Code], the providers of publicly available number-based
interpersonal communications services shall provide the following:
(a) the calling end-user with the possibility of preventing the presentation of the calling
line identification on a per call, per connection or permanent basis;
(b) the called end-user with the possibility of preventing the presentation of the calling
line identification of incoming calls;
(c) the called end-user with the possibility of rejecting incoming calls where the
presentation of the calling line identification has been prevented by the calling end-
user;
(d) the called end-user with the possibility of preventing the presentation of the
connected line identification to the calling end-user.
2. The possibilities referred to in points (a), (b), (c) and (d) of paragraph 1 shall be
provided to end-users by simple means and free of charge.
3. Point (a) of paragraph 1 shall also apply with regard to calls to third countries
originating in the Union. Points (b), (c) and (d) of paragraph 1 shall also apply to
incoming calls originating in third countries.
4. Where presentation of calling or connected line identification is offered, providers of
publicly available number-based interpersonal communications services shall
provide information to the public regarding the options set out in points (a), (b), (c)
and (d) of paragraph 1.
Article 13
Exceptions to presentation and restriction of calling and connected line identification
1. Regardless of whether the calling end-user has prevented the presentation of the
calling line identification, where a call is made to emergency services, providers of
publicly available number-based interpersonal communications services shall
override the elimination of the presentation of the calling line identification and the
denial or absence of consent of an end-user for the processing of metadata, on a per-
line basis for organisations dealing with emergency communications, including
public safety answering points, for the purpose of responding to such
communications.
2. Member States shall establish more specific provisions with regard to the
establishment of procedures and the circumstances where providers of publicly
available number-based interpersonal communication services shall override the
elimination of the presentation of the calling line identification on a temporary basis,
where end-users request the tracing of malicious or nuisance calls.
Article 14
Incoming call blocking
Providers of publicly available number-based interpersonal communications services shall
deploy state of the art measures to limit the reception of unwanted calls by end-users and shall
also provide the called end-user with the following possibilities, free of charge:
(a) to block incoming calls from specific numbers or from anonymous sources;
(b) to stop automatic call forwarding by a third party to the end-user's terminal
equipment.
Article 15
Publicly available directories
1. The providers of publicly available directories shall obtain the consent of end-users
who are natural persons to include their personal data in the directory and,
consequently, shall obtain consent from these end-users for inclusion of data per
category of personal data, to the extent that such data are relevant for the purpose of
the directory as determined by the provider of the directory. Providers shall give end-
users who are natural persons the means to verify, correct and delete such data.
2. The providers of a publicly available directory shall inform end-users who are
natural persons whose personal data are in the directory of the available search
functions of the directory and obtain end-users’ consent before enabling such search
functions related to their own data.
3. The providers of publicly available directories shall provide end-users that are legal
persons with the possibility to object to data related to them being included in the
directory. Providers shall give such end-users that are legal persons the means to
verify, correct and delete such data.
4. The possibility for end-users not to be included in a publicly available directory, or to
verify, correct and delete any data related to them shall be provided free of charge.
Article 16
Unsolicited communications
1. Natural or legal persons may use electronic communications services for the
purposes of sending direct marketing communications to end-users who are natural
persons that have given their consent.
2. Where a natural or legal person obtains electronic contact details for electronic mail
from its customer, in the context of the sale of a product or a service, in accordance
with Regulation (EU) 2016/679, that natural or legal person may use these electronic
contact details for direct marketing of its own similar products or services only if
customers are clearly and distinctly given the opportunity to object, free of charge
and in an easy manner, to such use. The right to object shall be given at the time of
collection and each time a message is sent.
3. Without prejudice to paragraphs 1 and 2, natural or legal persons using electronic
communications services for the purposes of placing direct marketing calls shall:
(a) present the identity of a line on which they can be contacted; or
(b) present a specific code/or prefix identifying the fact that the call is a marketing call.
4. Notwithstanding paragraph 1, Member States may provide by law that the placing of
direct marketing voice-to-voice calls to end-users who are natural persons shall only
be allowed in respect of end-users who are natural persons who have not expressed
their objection to receiving those communications.
5. Member States shall ensure, in the framework of Union law and applicable national
law, that the legitimate interest of end-users that are legal persons with regard to
unsolicited communications sent by means set forth under paragraph 1 are
sufficiently protected.
6. Any natural or legal person using electronic communications services to transmit
direct marketing communications shall inform end-users of the marketing nature of
the communication and the identity of the legal or natural person on behalf of whom
the communication is transmitted and shall provide the necessary information for
recipients to exercise their right to withdraw their consent, in an easy manner, to
receiving further marketing communications.
7. The Commission shall be empowered to adopt implementing measures in accordance
with Article 26(2) specifying the code/or prefix to identify marketing calls, pursuant
to point (b) of paragraph 3.
Article 17
Information about detected security risks
In the case of a particular risk that may compromise the security of networks and electronic
communications services, the provider of an electronic communications service shall inform
end-users concerning such risk and, where the risk lies outside the scope of the measures to be
taken by the service provider, inform end-users of any possible remedies, including an
indication of the likely costs involved.
CHAPTER IV
INDEPENDENT SUPERVISORY AUTHORITIES AND
ENFORCEMENT
Article 18
Independent supervisory authorities
1. The independent supervisory authority or authorities responsible for monitoring the
application of Regulation (EU) 2016/679 shall also be responsible for monitoring the
application of this Regulation. Chapter VI and VII of Regulation (EU) 2016/679
shall apply mutatis mutandis. The tasks and powers of the supervisory authorities
shall be exercised with regard to end-users.
2. The supervisory authority or authorities referred to in paragraph 1 shall cooperate
whenever appropriate with national regulatory authorities established pursuant to the
[Directive Establishing the European Electronic Communications Code].
Article 19
European Data Protection Board
The European Data Protection Board, established under Article 68 of Regulation (EU)
2016/679, shall have competence to ensure the consistent application of this Regulation. To
that end, the European Data Protection Board shall exercise the tasks laid down in Article 70
of Regulation (EU) 2016/679. The Board shall also have the following tasks:
Article 20
Cooperation and consistency procedures
Each supervisory authority shall contribute to the consistent application of this Regulation
throughout the Union. For this purpose, the supervisory authorities shall cooperate with each
other and the Commission in accordance with Chapter VII of Regulation (EU) 2016/679
regarding the matters covered by this Regulation.
CHAPTER V
REMEDIES, LIABILITY AND PENALTIES
Article 21
Remedies
1. Without prejudice to any other administrative or judicial remedy, every end-user of
electronic communications services shall have the same remedies provided for in
Articles 77, 78, and 79 of Regulation (EU) 2016/679.
2. Any natural or legal person other than end-users adversely affected by infringements
of this Regulation and having a legitimate interest in the cessation or prohibition of
alleged infringements, including a provider of electronic communications services
protecting its legitimate business interests, shall have a right to bring legal
proceedings in respect of such infringements.
Article 22
Right to compensation and liability
Any end-user of electronic communications services who has suffered material or non-
material damage as a result of an infringement of this Regulation shall have the right to
receive compensation from the infringer for the damage suffered, unless the infringer proves
that it is not in any way responsible for the event giving rise to the damage in accordance with
Article 82 of Regulation (EU) 2016/679.
Article 23
General conditions for imposing administrative fines
1. For the purpose of this Article, Chapter VII of Regulation (EU) 2016/679 shall apply
to infringements of this Regulation.
2. Infringements of the following provisions of this Regulation shall, in accordance
with paragraph 1, be subject to administrative fines up to EUR 10 000 000, or in the
case of an undertaking, up to 2 % of the total worldwide annual turnover of the
preceding financial year, whichever is higher:
(a) the obligations of any legal or natural person who process electronic communications
data pursuant to Article 8;
(b) the obligations of the provider of software enabling electronic communications,
pursuant to Article 10;
(c) the obligations of the providers of publicly available directories pursuant to Article
15;
(d) the obligations of any legal or natural person who uses electronic communications
services pursuant to Article 16.
3. Infringements of the principle of confidentiality of communications, permitted
processing of electronic communications data, time limits for erasure pursuant to
Articles 5, 6, and 7 shall, in accordance with paragraph 1 of this Article, be subject to
administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4
% of the total worldwide annual turnover of the preceding financial year, whichever
is higher.
4. Member States shall lay down the rules on penalties for infringements of Articles 12,
13, 14, and 17.
5. Non-compliance with an order by a supervisory authority as referred to in Article 18,
shall be subject to administrative fines up to 20 000 000 EUR, or in the case of an
undertaking, up to 4 % of the total worldwide annual turnover of the preceding
financial year, whichever is higher.
6. Without prejudice to the corrective powers of supervisory authorities pursuant to
Article 18, each Member State may lay down rules on whether and to what extent
administrative fines may be imposed on public authorities and bodies established in
that Member State.
7. The exercise by the supervisory authority of its powers under this Article shall be
subject to appropriate procedural safeguards in accordance with Union and Member
State law, including effective judicial remedy and due process.
8. Where the legal system of the Member State does not provide for administrative
fines, this Article may be applied in such a manner that the fine is initiated by the
competent supervisory authority and imposed by competent national courts, while
ensuring that those legal remedies are effective and have an equivalent effect to the
administrative fines imposed by supervisory authorities. In any event, the fines
imposed shall be effective, proportionate and dissuasive. Those Member States shall
notify to the Commission the provisions of their laws which they adopt pursuant to
this paragraph by [xxx] and, without delay, any subsequent amendment law or
amendment affecting them.
Article 24
Penalties
1. Member States shall lay down the rules on other penalties applicable to
infringements of this Regulation in particular for infringements which are not subject
to administrative fines pursuant to Article 23, and shall take all measures necessary
to ensure that they are implemented. Such penalties shall be effective, proportionate
and dissuasive.
2. Each Member State shall notify to the Commission the provisions of its law which it
adopts pursuant to paragraph 1, no later than 18 months after the date set forth under
Article 29(2) and, without delay, any subsequent amendment affecting them.
CHAPTER VI
DELEGATED ACTS AND IMPLEMENTING ACTS
Article 25
Exercise of the delegation
1. The power to adopt delegated acts is conferred on the Commission subject to the
conditions laid down in this Article.
2. The power to adopt delegated acts referred to in Article 8(4) shall be conferred on the
Commission for an indeterminate period of time from [the data of entering into force
of this Regulation].
3. The delegation of power referred to in Article 8(4) may be revoked at any time by
the European Parliament or by the Council. A decision to revoke shall put an end to
the delegation of the power specified in that decision. It shall take effect the day
following the publication of the decision in the Official Journal of the European
Union or at a later date specified therein. It shall not affect the validity of any
delegated acts already in force.
4. Before adopting a delegated act, the Commission shall consult experts designated by
each Member State in accordance with the principles laid down in the Inter-
institutional Agreement on Better Law-Making of 13 April 2016.
5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to
the European Parliament and to the Council.
6. A delegated act adopted pursuant to Article 8(4) shall enter into force only if no
objection has been expressed either by the European Parliament or the Council
within a period of two months of notification of that act to the European Parliament
and the Council or if, before the expiry of that period, the European Parliament and
the Council have both informed the Commission that they will not object. That
period shall be extended by two months at the initiative of the European Parliament
or of the Council.
Article 26
Committee
1. The Commission shall be assisted by the Communications Committee established
under Article 110 of the [Directive establishing the European Electronic
Communications Code]. That committee shall be a committee within the meaning of
Regulation (EU) No 182/201112.
2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No
182/2011 shall apply.
CHAPTER VII
FINAL PROVISIONS
Article 27
Repeal
1. Directive 2002/58/EC is repealed with effect from 25 May 2018.
2. References to the repealed Directive shall be construed as references to this
Regulation.
Article 28
Monitoring and evaluation clause
By 1 January 2018 at the latest, the Commission shall establish a detailed programme for
monitoring the effectiveness of this Regulation.
No later than three years after the date of application of this Regulation, and every three years
thereafter, the Commission shall carry out an evaluation of this Regulation and present the
main findings to the European Parliament, the Council and the European Economic and
12
Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011
laying down the rules and general principles concerning mechanisms for control by Member States of
the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13–18).
Social Committee. The evaluation shall, where appropriate, inform a proposal for the
amendment or repeal of this Regulation in light of legal, technical or economic developments.
Article 29
Entry into force and application
1. This Regulation shall enter into force on the twentieth day following that of its
publication in the Official Journal of the European Union.
2. It shall apply from 25 May 2018.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels,
III
(Acts adopted under the EU Treaty)
THE COUNCIL OF THE EUROPEAN UNION, privacy and to the protection of personal data. Common
standards regarding the processing and protection of
personal data processed for the purpose of preventing
and combating crime contribute to the achieving of
Having regard to the Treaty on European Union, and in both aims.
particular Articles 30, 31 and 34(2)(b) thereof,
(1) The European Union has set itself the objective of main
taining and developing the Union as an area of freedom,
security and justice in which a high level of safety is to (5) The exchange of personal data within the framework of
be provided by common action among the Member police and judicial cooperation in criminal matters,
States in the fields of police and judicial cooperation in notably under the principle of availability of information
criminal matters. as laid down in the Hague Programme, should be
supported by clear rules enhancing mutual trust
between the competent authorities and ensuring that
the relevant information is protected in a way that
(2) Common action in the field of police cooperation under excludes any discrimination in respect of such cooper
Article 30(1)(b) of the Treaty on European Union and ation between the Member States while fully respecting
common action on judicial cooperation in criminal fundamental rights of individuals. Existing instruments at
matters under Article 31(1)(a) of the Treaty on the European level do not suffice; Directive 95/46/EC of
European Union imply a need to process the relevant the European Parliament and of the Council of
information which should be subject to appropriate 24 October 1995 on the protection of individuals with
provisions on the protection of personal data. regard to the processing of personal data and on the free
movement of such data (3) does not apply to the
processing of personal data in the course of an activity
which falls outside the scope of Community law, such as
(3) Legislation falling within the scope of Title VI of the those provided for by Title VI of the Treaty on European
Treaty on European Union should foster police and Union, nor, in any case, to processing operations
judicial cooperation in criminal matters with regard to concerning public security, defence, state security or the
its efficiency as well as its legitimacy and compliance activities of the State in areas of criminal law.
with fundamental rights, in particular the right to
(2) OJ C 198, 12.8.2005, p. 1.
(1) OJ C 125 E, 22.5.2008, p. 154. (3) OJ L 281, 23.11.1995, p. 31.
30.12.2008 EN Official Journal of the European Union L 350/61
(6) This Framework Decision applies only to data gathered proceedings data are based on the subjective perception
or processed by competent authorities for the purpose of of individuals and in some cases are totally unverifiable.
the prevention, investigation, detection or prosecution of Consequently, the requirement of accuracy cannot
criminal offences or the execution of criminal penalties. appertain to the accuracy of a statement but merely to
This Framework Decision should leave it to Member the fact that a specific statement has been made.
States to determine more precisely at national level
which other purposes are to be considered as incom
patible with the purpose for which the personal data
were originally collected. In general, further processing
(13) Archiving in a separate data set should be permissible
for historical, statistical or scientific purposes should
only if the data are no longer required and used for the
not be considered as incompatible with the original
prevention, investigation, detection or prosecution of
purpose of the processing.
criminal offences or the execution of criminal penalties.
Archiving in a separate data set should also be
permissible if the archived data are stored in a database
(7) The scope of this Framework Decision is limited to the with other data in such a way that they can no longer be
processing of personal data transmitted or made available used for the prevention, investigation, detection or prose
between Member States. No conclusions should be cution of criminal offences or the execution of criminal
inferred from this limitation regarding the competence penalties. The appropriateness of the archiving period
of the Union to adopt acts relating to the collection should depend on the purposes of archiving and the
and processing of personal data at national level or the legitimate interests of the data subjects. In the case of
expediency for the Union to do so in the future. archiving for historical purposes a very long period may
be envisaged.
(18) The rules in this Framework Decision regarding the trans (26) It may be necessary to inform data subjects regarding the
mission of personal data by the judiciary, police or processing of their data, in particular where there has
customs to private parties do not apply to the disclosure been particularly serious encroachment on their rights
of data to private parties (such as defence lawyers and as a result of secret data collection measures, in order
victims) in the context of criminal proceedings. to ensure that data subjects can have effective legal
protection.
(32) When necessary to protect personal data in relation to (38) This Framework Decision is without prejudice to existing
processing which by scale or by type holds specific risks obligations and commitments incumbent upon Member
for fundamental rights and freedoms, for example States or upon the Union by virtue of bilateral and/or
processing by means of new technologies, mechanisms multilateral agreements with third States. Future
or procedures, it is appropriate to ensure that the agreements should comply with the rules on exchanges
competent national supervisory authorities are with third States.
consulted prior to the establishment of filing systems
aimed at the processing of these data.
(42) Since the objective of this Framework Decision, namely application and development of the Schengen acquis (5),
the determination of common rules for the protection of which fall within the area referred to in Article 1, point
personal data processed in the framework of police and H and I of Decision 1999/437/EC read in conjunction
judicial cooperation in criminal matters, cannot be suf with Article 3 of Council Decision 2008/149/JHA (6) on
ficiently achieved by the Member States, and can the conclusion of that Agreement on behalf of the
therefore, by reason of the scale and effects of the European Union.
action, be better achieved at the Union level, the Union
may adopt measures in accordance with the principle of
subsidiarity as set out in Article 5 of the Treaty estab
lishing the European Community and referred to in (47) As regards Liechtenstein, this Framework Decision
Article 2 of the Treaty on European Union. In constitutes a development of the provisions of the
accordance with the principle of proportionality as set Schengen acquis within the meaning of the Protocol
out in Article 5 of the Treaty establishing the European signed between the European Union, the European
Community, this Framework Decision does not go Community, the Swiss Confederation and the Principality
beyond what is necessary to achieve that objective. of Liechtenstein on the accession of the Principality of
Liechtenstein to the Agreement between the European
Union, the European Community and the Swiss Confed
eration on the Swiss Confederation’s association with the
(43) The United Kingdom is taking part in this Framework implementation, application and development of the
Decision, in accordance with Article 5 of the Protocol Schengen acquis, which fall within the area referred to
integrating the Schengen acquis into the framework of the in Article 1, point H and I of Decision 1999/437/EC
European Union annexed to the Treaty on European read in conjunction with Article 3 of Council Decision
Union and to the Treaty establishing the European 2008/262/JHA (7) on the signature of that Protocol on
Community, and Article 8(2) of Council Decision behalf of the European Union.
2000/365/EC of 29 May 2000 concerning the request
of the United Kingdom of Great Britain and Northern
Ireland to take part in some of the provisions of the (48) This Framework Decision respects the fundamental rights
Schengen acquis (1). and observes the principles recognised in particular by
the Charter of Fundamental Rights of the European
Union (8). This Framework Decision seeks to ensure full
respect for the rights to privacy and the protection of
(44) Ireland is taking part in this Framework Decision in personal data reflected in Articles 7 and 8 of the Charter,
accordance with Article 5 of the Protocol integrating
the Schengen acquis into the framework of the
European Union annexed to the Treaty on European
Union and to the Treaty establishing the European HAS ADOPTED THIS FRAMEWORK DECISION:
Community, and Article 6(2) of Council Decision
2002/192/EC of 28 February 2002 concerning Ireland’s
request to take part in some of the provisions of the
Article 1
Schengen acquis (2).
Purpose and scope
1. The purpose of this Framework Decision is to ensure a
(45) As regards Iceland and Norway, this Framework Decision high level of protection of the fundamental rights and freedoms
constitutes a development of provisions of the Schengen of natural persons, and in particular their right to privacy, with
acquis within the meaning of the Agreement concluded respect to the processing of personal data in the framework of
by the Council of the European Union and the Republic police and judicial cooperation in criminal matters, provided for
of Iceland and the Kingdom of Norway concerning the by Title VI of the Treaty on European Union, while guaran
latter’s association with the implementation, application teeing a high level of public safety.
and development of the Schengen acquis (3), which fall
within the area referred to in Article 1, points H and I
of Council Decision 1999/437/EC (4) on certain 2. In accordance with this Framework Decision, Member
arrangements for the application of that Agreement. States shall protect the fundamental rights and freedoms of
natural persons, and in particular their right to privacy when,
for the purpose of the prevention, investigation, detection or
prosecution of criminal offences or the execution of criminal
(46) As regards Switzerland, this Framework Decision penalties, personal data:
constitutes a development of the provisions of the
Schengen acquis within the meaning of the Agreement
between the European Union, the European
Community and the Swiss Confederation on the Swiss (a) are or have been transmitted or made available between
Confederation’s association with the implementation, Member States;
(b) are or have been transmitted or made available by Member (f) ‘recipient’ means any body to which data are disclosed;
States to authorities or to information systems established
on the basis of Title VI of the Treaty on European Union; or
(g) ‘the data subject’s consent’ means any freely given specific
and informed indication of his wishes by which the data
(c) are or have been transmitted or made available to the subject signifies his agreement to personal data relating to
competent authorities of the Member States by authorities him being processed;
or information systems established on the basis of the
Treaty on European Union or the Treaty establishing the
European Community. (h) ‘competent authorities’ mean agencies or bodies established
by legal acts adopted by the Council pursuant to Title VI of
the Treaty on European Union, as well as police, customs,
3. This Framework Decision shall apply to the processing of judicial and other competent authorities of the Member
personal data wholly or partly by automatic means, and to the States that are authorised by national law to process
processing otherwise than by automatic means, of personal data personal data within the scope of this Framework Decision;
which form part of a filing system or are intended to form part
of a filing system.
(i) ‘controller’ means the natural or legal person, public
authority, agency or any other body which alone or
4. This Framework Decision is without prejudice to essential jointly with others determines the purposes and means of
national security interests and specific intelligence activities in the processing of personal data;
the field of national security.
(j) ‘referencing’ means the marking of stored personal data
5. This Framework Decision shall not preclude Member without the aim of limiting their processing in future;
States from providing, for the protection of personal data
collected or processed at national level, higher safeguards than
those established in this Framework Decision. (k) ‘to make anonymous’ means to modify personal data in
such a way that details of personal or material circum
stances can no longer or only with disproportionate
investment of time, cost and labour be attributed to an
Article 2
identified or identifiable natural person.
Definitions
For the purposes of this Framework Decision: Article 3
Principles of lawfulness, proportionality and purpose
(a) ‘personal data’ mean any information relating to an iden 1. Personal data may be collected by the competent au-
tified or identifiable natural person (‘data subject’); an iden thorities only for specified, explicit and legitimate purposes in
tifiable person is one who can be identified, directly or the framework of their tasks and may be processed only for the
indirectly, in particular by reference to an identification same purpose for which data were collected. Processing of the
number or to one or more factors specific to his physical, data shall be lawful and adequate, relevant and not excessive in
physiological, mental, economic, cultural or social identity; relation to the purposes for which they are collected.
(b) ‘processing of personal data’ and ‘processing’ mean any 2. Further processing for another purpose shall be permitted
operation or set of operations which is performed upon in so far as:
personal data, whether or not by automatic means, such
as collection, recording, organisation, storage, adaptation
or alteration, retrieval, consultation, use, disclosure by trans (a) it is not incompatible with the purposes for which the data
mission, dissemination or otherwise making available, were collected;
alignment or combination, blocking, erasure or destruction;
(d) ‘personal data filing system’ and ‘filing system’ mean any (c) processing is necessary and proportionate to that other
structured set of personal data which are accessible purpose.
according to specific criteria, whether centralised, decen
tralised or dispersed on a functional or geographical basis;
The competent authorities may also further process the trans
mitted personal data for historical, statistical or scientific
(e) ‘processor’ means any body which processes personal data purposes, provided that Member States provide appropriate
on behalf of the controller; safeguards, such as making the data anonymous.
L 350/66 EN Official Journal of the European Union 30.12.2008
4. When the personal data are contained in a judicial 1. Upon transmission or making available of the data, the
decision or record related to the issuance of a judicial transmitting authority may in line with the national law and in
decision, the rectification, erasure or blocking shall be carried accordance with Articles 4 and 5, indicate the time limits for
out in accordance with national rules on judicial proceedings. the retention of data, upon the expiry of which the recipient
must erase or block the data or review whether or not they are
still needed. This obligation shall not apply if, at the time of the
Article 5 expiry of these time limits, the data are required for a current
investigation, prosecution of criminal offences or enforcement
Establishment of time limits for erasure and review of criminal penalties.
Appropriate time limits shall be established for the erasure of
personal data or for a periodic review of the need for the
storage of the data. Procedural measures shall ensure that 2. Where the transmitting authority has not indicated a time
these time limits are observed. limit in accordance with paragraph 1, the time limits referred to
in Articles 4 and 5 for the retention of data provided for under
the national law of the receiving Member State shall apply.
Article 6
Processing of special categories of data
Article 10
The processing of personal data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs or trade- Logging and documentation
union membership and the processing of data concerning 1. All transmissions of personal data are to be logged or
health or sex life shall be permitted only when this is strictly documented for the purposes of verification of the lawfulness
necessary and when the national law provides adequate safe of the data processing, self-monitoring and ensuring proper data
guards. integrity and security.
Article 7
2. Logs or documentation prepared under paragraph 1 shall
Automated individual decisions be communicated on request to the competent supervisory
A decision which produces an adverse legal effect for the data authority for the control of data protection. The competent
subject or significantly affects him and which is based solely on supervisory authority shall use this information only for the
automated processing of data intended to evaluate certain control of data protection and for ensuring proper data
personal aspects relating to the data subject shall be permitted processing as well as data integrity and security.
only if authorised by a law which also lays down measures to
safeguard the data subject’s legitimate interests.
Article 11
(a) the prevention, investigation, detection or prosecution of gation, detection or prosecution of criminal offences or
criminal offences or the execution of criminal penalties the execution of criminal penalties;
other than those for which they were transmitted or made
available;
(c) the Member State from which the data were obtained has
given its consent to transfer in compliance with its national
(b) other judicial and administrative proceedings directly related law; and
to the prevention, investigation, detection or prosecution of
criminal offences or the execution of criminal penalties;
(d) the third State or international body concerned ensures an
adequate level of protection for the intended data
(c) the prevention of an immediate and serious threat to public processing.
security; or
Article 12
(a) the national law of the Member State transferring the data
Compliance with national processing restrictions so provides because of:
1. Where, under the law of the transmitting Member State,
specific processing restrictions apply in specific circumstances to
data exchanges between competent authorities within that (i) legitimate specific interests of the data subject; or
Member State, the transmitting authority shall inform the
recipient of such restrictions. The recipient shall ensure that
these processing restrictions are met.
(ii) legitimate prevailing interests, especially important
public interests; or
(a) the competent authority of the Member State from which relating to him have been transmitted or made available
the data were obtained has consented to transmission in and information on the recipients or categories of recipients
compliance with its national law; to whom the data have been disclosed and communication
of the data undergoing processing; or
(b) no legitimate specific interests of the data subject prevent
transmission; and (b) at least a confirmation from the national supervisory
authority that all necessary verifications have taken place.
(c) in particular cases transfer is essential for the competent
authority transmitting the data to a private party for:
2. The Member States may adopt legislative measures
restricting access to information pursuant to paragraph 1(a),
(i) the performance of a task lawfully assigned to it; where such a restriction, with due regard for the legitimate
interests of the person concerned, constitutes a necessary and
proportional measure:
(ii) the prevention, investigation, detection or prosecution
of criminal offences or the execution of criminal
penalties;
(a) to avoid obstructing official or legal inquiries, investigations
or procedures;
(iii) the prevention of an immediate and serious threat to
public security; or
(b) to avoid prejudicing the prevention, detection, investigation
and prosecution of criminal offences or for the execution of
(iv) the prevention of serious harm to the rights of indi criminal penalties;
viduals.
2. The competent authority transmitting the data to a private (c) to protect public security;
party shall inform the latter of the purposes for which the data
may exclusively be used.
(d) to protect national security;
Article 15
(e) to protect the data subject or the rights and freedoms of
Information on request of the competent authority others.
The recipient shall, on request, inform the competent authority
which transmitted or made available the personal data about
their processing. 3. Any refusal or restriction of access shall be set out in
writing to the data subject. At the same time, the factual or
legal reasons on which the decision is based shall also be
Article 16 communicated to him. The latter communication may be
omitted where a reason under paragraph 2(a) to (e) exists. In
Information for the data subject
all of these cases the data subject shall be advised that he may
1. Member States shall ensure that the data subject is appeal to the competent national supervisory authority, a
informed regarding the collection or processing of personal judicial authority or to a court.
data by their competent authorities, in accordance with
national law.
Article 18
2. When personal data have been transmitted or made Right to rectification, erasure or blocking
available between Member States, each Member State may, in
1. The data subject shall have the right to expect the
accordance with the provisions of its national law referred to in
controller to fulfil its duties in accordance with Articles 4, 8
paragraph 1, ask that the other Member State does not inform
and 9 concerning the rectification, erasure or blocking of
the data subject. In such case the latter Member State shall not
personal data which arise from this Framework Decision.
inform the data subject without the prior consent of the other
Member States shall lay down whether the data subject may
Member State.
assert this right directly against the controller or through the
intermediary of the competent national supervisory authority. If
Article 17 the controller refuses rectification, erasure or blocking, the
refusal must be communicated in writing to the data subject
Right of access who must be informed of the possibilities provided for in
1. Every data subject shall have the right to obtain, following national law for lodging a complaint or seeking judicial
requests made at reasonable intervals, without constraint and remedy. Upon examination of the complaint or judicial
without excessive delay or expense: remedy, the data subject shall be informed whether the
controller acted properly or not. Member States may also
provide that the data subject shall be informed by the
(a) at least a confirmation from the controller or from the competent national supervisory authority that a review has
national supervisory authority as to whether or not data taken place.
30.12.2008 EN Official Journal of the European Union L 350/69
2. If the accuracy of an item of personal data is contested by unlawful destruction or accidental loss, alteration, unauthorised
the data subject and its accuracy or inaccuracy cannot be ascer disclosure or access, in particular where the processing involves
tained, referencing of that item of data may take place. the transmission over a network or the making available by
granting direct automated access, and against all other
unlawful forms of processing, taking into account in particular
the risks represented by the processing and the nature of the
Article 19 data to be protected. Having regard to the state of the art and
the cost of their implementation, such measures shall ensure a
Right to compensation level of security appropriate to the risks represented by the
1. Any person who has suffered damage as a result of an processing and the nature of the data to be protected.
unlawful processing operation or of any act incompatible with
the national provisions adopted pursuant to this Framework
Decision shall be entitled to receive compensation for the 2. In respect of automated data processing each Member
damage suffered from the controller or other authority State shall implement measures designed to:
competent under national law.
2. Persons working for a competent au- (h) prevent the unauthorised reading, copying, modification or
thority of a Member State shall be bound by all the data deletion of personal data during transfers of personal data
protection rules which apply to the competent authority in or during transportation of data media (transport control);
question.
3. Member States shall provide that processors may be data, of imposing a temporary or definitive ban on
designated only if they guarantee that they observe the processing, of warning or admonishing the controller, or
requisite technical and organisational measures under that of referring the matter to national parliaments or
paragraph 1 and comply with the instructions under other political institutions;
Article 21. The competent authority shall monitor the
processor in those respects.
(c) the power to engage in legal proceedings where the national
provisions adopted pursuant to this Framework Decision
4. Personal data may be processed by a processor only on
have been infringed or to bring this infringement to the
the basis of a legal act or a written contract.
attention of the judicial authorities. Decisions by the super
visory authority which give rise to complaints may be
appealed against through the courts.
Article 23
Prior consultation
Member States shall ensure that the competent national super 3. Each supervisory authority shall hear claims lodged by any
visory authorities are consulted prior to the processing of person concerning the protection of his rights and freedoms in
personal data which will form part of a new filing system to regard to the processing of personal data. The person concerned
be created where: shall be informed of the outcome of the claim.
(a) special categories of data referred to in Article 6 are to be 4. Member States shall provide that the members and staff of
processed; or the supervisory authority are bound by the data protection
provisions applicable to the competent authority in question
and, even after their employment has ended, are to be subject
(b) the type of processing, in particular using new technologies, to a duty of professional secrecy with regard to confidential
mechanism or procedures, holds otherwise specific risks for information to which they have access.
the fundamental rights and freedoms, and in particular the
privacy, of the data subject.
Article 26
Article 24 Relationship to agreements with third States
Penalties This Framework Decision is without prejudice to any obli
Member States shall adopt suitable measures to ensure the full gations and commitments incumbent upon Member States or
implementation of the provisions of this Framework Decision upon the Union by virtue of bilateral and/or multilateral
and shall in particular lay down effective, proportionate and agreements with third States existing at the time of adoption
dissuasive penalties to be imposed in case of infringements of of this Framework Decision.
the provisions adopted pursuant to this Framework Decision.
Article 28 text of the provisions transposing into their national law the
obligations imposed on them under this Framework Decision,
Relationship to previously adopted acts of the Union as well as information on the supervisory authorities referred to
Where in acts, adopted under Title VI of the Treaty on in Article 25. On the basis of a report established using this
European Union prior to the date of entry into force of this information by the Commission, the Council shall, before
Framework Decision and regulating the exchange of personal 27 November 2011, assess the extent to which Member
data between Member States or the access of designated au- States have complied with the provisions of this Framework
thorities of Member States to information systems established Decision.
pursuant to the Treaty establishing the European Community,
specific conditions have been introduced as to the use of such
data by the receiving Member State, these conditions shall take Article 30
precedence over the provisions of this Framework Decision on
the use of data received from or made available by another Entry into force
Member State. This Framework Decision shall enter into force on the 20th day
following its publication in the Official Journal of the European
Article 29 Union.
Implementation
1. Member States shall take the necessary measures to Done at Brussels, 27 November 2008.
comply with the provisions of this Framework Decision
before 27 November 2010.
For the Council
2. By the same date Member States shall transmit to the The President
General Secretariat of the Council and to the Commission the M. ALLIOT-MARIE
19.7.2003 EN Official Journal of the European Union L 181/27
AGREEMENT
on extradition between the European Union and the United States of America
CONTENTS
Preamble
Article 2 Definitions
Article 3 Scope of application of this Agreement in relation to bilateral extradition treaties with Member
States
Article 12 Transit
Article 15 Consultations
Article 17 Non-derogation
Article 21 Review
Explanatory Note
DESIRING further to facilitate cooperation between the European Union Member States and the United States of
America,
DESIRING to combat crime in a more effective way as a means of protecting their respective democratic societies and
common values,
HAVING DUE REGARD for rights of individuals and the rule of law,
MINDFUL of the guarantees under their respective legal systems which provide for the right to a fair trial to an extra-
dited person, including the right to adjudication by an impartial tribunal established pursuant to law,
(a) regardless of whether the laws in the requesting and Transmission of documents following provisional arrest
requested States place the offence within the same category
of offences or describe the offence by the same termi-
nology; 1. If the person whose extradition is sought is held under
provisional arrest by the requested State, the requesting State
(b) regardless of whether the offence is one for which United may satisfy its obligation to transmit its request for extradition
States federal law requires the showing of such matters as and supporting documents through the diplomatic channel
interstate transportation, or use of the mails or of other pursuant to Article 5(1), by submitting the request and docu-
facilities affecting interstate or foreign commerce, such ments to the Embassy of the requested State located in the
matters being merely for the purpose of establishing juris- requesting State. In that case, the date of receipt of such request
diction in a United States federal court; and by the Embassy shall be considered to be the date of receipt by
the requested State for purposes of applying the time limit that
(c) in criminal cases relating to taxes, customs duties, currency must be met under the applicable extradition treaty to enable
control and the import or export of commodities, regard- the person's continued detention.
less of whether the laws of the requesting and requested
States provide for the same kinds of taxes, customs duties,
or controls on currency or on the import or export of the 2. Where a Member State on the date of signature of this
same kinds of commodities. Agreement, due to the established jurisprudence of its domestic
legal system applicable at such date, cannot apply the measures
referred to in paragraph 1, this Article shall not apply to it,
4. If the offence has been committed outside the territory of until such time as that Member State and the United States of
the requesting State, extradition shall be granted, subject to the America, by exchange of diplomatic note, agree otherwise.
other applicable requirements for extradition, if the laws of the
requested State provide for the punishment of an offence
committed outside its territory in similar circumstances. If the
laws of the requested State do not provide for the punishment
of an offence committed outside its territory in similar circum- Article 8
stances, the executive authority of the requested State, at its
discretion, may grant extradition provided that all other applic-
able requirements for extradition are met. Supplemental information
1. Requests for extradition and supporting documents shall 2. Such supplementary information may be requested and
be transmitted through the diplomatic channel, which shall furnished directly between the Ministries of Justice of the States
include transmission as provided for in Article 7. concerned.
L 181/30 EN Official Journal of the European Union 19.7.2003
Article 9 Article 11
(b) the places where each of the offences was committed; Where the offence for which extradition is sought is punishable
by death under the laws in the requesting State and not punish-
(c) the respective interests of the requesting States; able by death under the laws in the requested State, the
requested State may grant extradition on the condition that the
(d) the seriousness of the offences;
death penalty shall not be imposed on the person sought, or if
(e) the nationality of the victim; for procedural reasons such condition cannot be complied with
by the requesting State, on condition that the death penalty if
(f) the possibility of any subsequent extradition between the imposed shall not be carried out. If the requesting State accepts
requesting States; and extradition subject to conditions pursuant to this Article, it
shall comply with the conditions. If the requesting State does
(g) the chronological order in which the requests were received not accept the conditions, the request for extradition may be
from the requesting States. denied.
19.7.2003 EN Official Journal of the European Union L 181/31
Article 14 Article 19
Where the requesting State contemplates the submission of The European Union shall notify the United States of America
particularly sensitive information in support of its request for of any designation pursuant to Article 2(3) and Article 10(2),
extradition, it may consult the requested State to determine the prior to the exchange of written instruments described in
extent to which the information can be protected by the Article 3(2) between the Member States and the United States
requested State. If the requested State cannot protect the infor- of America.
mation in the manner sought by the requesting State, the
requesting State shall determine whether the information shall
nonetheless be submitted. Article 20
Territorial application
Article 15
1. This Agreement shall apply:
Consultations
(a) to the United States of America;
The Contracting Parties shall, as appropriate, consult to enable (b) in relation to the European Union to:
the most effective use to be made of this Agreement, including
— Member States,
to facilitate the resolution of any dispute regarding the interpre-
tation or application of this Agreement. — territories for whose external relations a Member State
has responsibility, or countries that are not Member
States for whom a Member State has other duties with
respect to external relations, where agreed upon by
Article 16 exchange of diplomatic note between the Contracting
Parties, duly confirmed by the relevant Member State.
Temporal application
2. The application of this Agreement to any territory or
1. This Agreement shall apply to offences committed before country in respect of which extension has been made in accor-
as well as after it enters into force. dance with subparagraph (b) of paragraph 1 may be terminated
by either Contracting Party giving six months' written notice to
2. This Agreement shall apply to requests for extradition the other Contracting Party through the diplomatic channel,
made after its entry into force. Nevertheless, Articles 4 and 9 where duly confirmed between the relevant Member State and
shall apply to requests pending in a requested State at the time the United States of America.
this Agreement enters into force.
Article 21
Article 17
Review
Non-derogation
The Contracting Parties agree to carry out a common review of
this Agreement as necessary, and in any event no later than five
1. This Agreement is without prejudice to the invocation by years after its entry into force. The review shall address in parti-
the requested State of grounds for refusal relating to a matter cular the practical implementation of the Agreement and may
not governed by this Agreement that is available pursuant to a also include issues such as the consequences of further develop-
bilateral extradition treaty in force between a Member State ment of the European Union relating to the subject matter of
and the United States of America. this Agreement, including Article 10.
This Agreement shall not preclude the conclusion, after its 2. Either Contracting Party may terminate this Agreement at
entry into force, of bilateral Agreements between a Member any time by giving written notice to the other Party, and such
State and the United States of America consistent with this termination shall be effective six months after the date of such
Agreement. notice.
L 181/32 EN Official Journal of the European Union 19.7.2003
Done at Washington DC on the twenty-fifth day of June in the year two thousand and three in duplicate in
the Danish, Dutch, English, Finnish, French, German, Greek, Italian, Portuguese, Spanish and Swedish
languages, each text being equally authentic.
Explanatory Note on the Agreement on Extradition between the European Union and the United
States of America
This Explanatory Note reflects understandings regarding the application of certain provisions of the Agree-
ment on Extradition between the European Union and the United States of America (hereinafter ‘the Agree-
ment’) agreed between the Contracting Parties.
On Article 10
Article 10 is not intended to affect the obligations of States Parties to the Rome Statute of the International
Criminal Court, nor to affect the rights of the United States of America as a non-Party with regard to the
International Criminal Court.
On Article 18
Article 18 provides that the Agreement shall not preclude the conclusion, after its entry into force, of bilat-
eral agreements on extradition between a Member State and the United States of America consistent with
the Agreement.
Should any measures set forth in the Agreement create an operational difficulty for either one or more
Member States or the United States of America, such difficulty should in the first place be resolved, if
possible, through consultations between the Member State or Member States concerned and the United
States of America, or, if appropriate, through the consultation procedures set out in this Agreement. Where
it is not possible to address such operational difficulty through consultations alone, it would be consistent
with the Agreement for future bilateral agreements between the Member State or Member States and the
United States of America to provide an operationally feasible alternative mechanism that would satisfy the
objectives of the specific provision with respect to which the difficulty has arisen.
8.9.2017 CURIA - Documents
REQUESTS for a preliminary ruling under Article 267 TFEU, made by the Kammarrätten i Stockholm
(Administrative Court of Appeal, Stockholm, Sweden) and the Court of Appeal (England & Wales)
(Civil Division) (United Kingdom), by decisions, respectively, of 29 April 2015 and 9 December 2015,
received at the Court on 4 May 2015 and 28 December 2015, in the proceedings
and
Tom Watson,
Peter Brice,
Geoffrey Lewis,
interveners:
Privacy International,
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=&… 1/27
8.9.2017 CURIA - Documents
having regard to the decision of the President of the Court of 1 February 2016 that Case C‑698/15
should be determined pursuant to the expedited procedure provided for in Article 105(1) of the Rules
of Procedure of the Court,
having regard to the written procedure and further to the hearing on 12 April 2016,
– Tele2 Sverige AB, by M. Johansson and N. Torgerzon, advokater, and by E. Lagerlöf and
S. Backman,
– Mr Watson, by J. Welch and E. Norton, Solicitors, I. Steele, Advocate, B. Jaffey, Barrister, and
D. Rose QC,
– Mr Brice and Mr Lewis, by A. Suterwalla and R. de Mello, Barristers, R. Drabble QC, and
S. Luke, Solicitor,
– Open Rights Group and Privacy International, by D. Carey, Solicitor, and by R. Mehta and
J. Simor, Barristers,
– The Law Society of England and Wales, by T. Hickman, Barrister, and by N. Turner,
– the United Kingdom Government, by S. Brandon, L. Christie and V. Kaye, acting as Agents, and
by D. Beard QC, G. Facenna QC, J. Eadie QC and S. Ford, Barrister,
– the Belgian Government, by J.-C. Halleux, S. Vanrie and C. Pochet, acting as Agents,
– the German Government, by T. Henze, M. Hellmann and J. Kemper, acting as Agents, and by
M. Kottmann and U. Karpenstein, Rechtsanwalte,
– Ireland, by E. Creedon, L. Williams and A. Joyce, acting as Agents, and by D. Fennelly BL,
– the French Government, by G. de Bergues, D. Colas, F.-X. Bréchot and C. David, acting as
Agents,
after hearing the Opinion of the Advocate General at the sitting on 19 July 2016,
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=&… 2/27
8.9.2017 CURIA - Documents
Judgment
1 These requests for a preliminary ruling concern the interpretation of Article 15(1) of Directive
2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing
of personal data and the protection of privacy in the electronic communications sector (Directive on
privacy and electronic communications) (OJ 2002 L 201, p. 37), as amended by Directive 2009/136/EC
of the European Parliament and of the Council of 25 November 2009 (OJ 2009 L 337, p. 11)
(‘Directive 2002/58’), read in the light of Articles 7 and 8 and Article 52(1) of the Charter of
Fundamental Rights of the European Union (‘the Charter’).
2 The requests have been made in two proceedings between (i) Tele2 Sverige AB and Post- och
telestyrelsen (the Swedish Post and Telecom Authority; ‘PTS’), concerning an order sent by PTS to
Tele2 Sverige requiring the latter to retain traffic and location data in relation to its subscribers and
registered users (Case C‑203/15), and (ii) Mr Tom Watson, Mr Peter Brice and Mr Geoffrey Lewis, on
the one hand, and the Secretary of State for the Home Department (United Kingdom of Great Britain
and Northern Ireland), on the other, concerning the conformity with EU law of Section 1 of the Data
Retention and Investigatory Powers Act 2014 (‘DRIPA’) (Case C‑698/15).
Legal context
EU law
Directive 2002/58
‘(2) This Directive seeks to respect the fundamental rights and observes the principles recognised in
particular by [the Charter]. In particular, this Directive seeks to ensure full respect for the rights
set out in Articles 7 and 8 of that Charter.
...
(6) The Internet is overturning traditional market structures by providing a common, global
infrastructure for the delivery of a wide range of electronic communications services. Publicly
available electronic communications services over the Internet open new possibilities for users
but also new risks for their personal data and privacy.
(7) In the case of public communications networks, specific legal, regulatory and technical
provisions should be made in order to protect fundamental rights and freedoms of natural persons
and legitimate interests of legal persons, in particular with regard to the increasing capacity for
automated storage and processing of data relating to subscribers and users.
...
(11) Like Directive 95/46/EC [of the European Parliament and of the Council of 24 October 1995
on the protection of individuals with regard to the processing of personal data and on the free
movement of such data (OJ 1995 L 281, p. 31)], this Directive does not address issues of
protection of fundamental rights and freedoms related to activities which are not governed by
Community law. Therefore it does not alter the existing balance between the individual’s right to
privacy and the possibility for Member States to take the measures referred to in Article 15(1) of
this Directive, necessary for the protection of public security, defence, State security (including
the economic well-being of the State when the activities relate to State security matters) and the
enforcement of criminal law. Consequently, this Directive does not affect the ability of Member
States to carry out lawful interception of electronic communications, or take other measures, if
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=&… 3/27
8.9.2017 CURIA - Documents
necessary for any of these purposes and in accordance with the European Convention for the
Protection of Human Rights and Fundamental Freedoms, as interpreted by the rulings of the
European Court of Human Rights. Such measures must be appropriate, strictly proportionate to
the intended purpose and necessary within a democratic society and should be subject to
adequate safeguards in accordance with the European Convention for the Protection of Human
Rights and Fundamental Freedoms.
...
(21) Measures should be taken to prevent unauthorised access to communications in order to protect
the confidentiality of communications, including both the contents and any data related to such
communications, by means of public communications networks and publicly available electronic
communications services. National legislation in some Member States only prohibits intentional
unauthorised access to communications.
(22) The prohibition of storage of communications and the related traffic data by persons other than
the users or without their consent is not intended to prohibit any automatic, intermediate and
transient storage of this information in so far as this takes place for the sole purpose of carrying
out the transmission in the electronic communications network and provided that the information
is not stored for any period longer than is necessary for the transmission and for traffic
management purposes, and that during the period of storage the confidentiality remains
guaranteed. ...
...
(26) The data relating to subscribers processed within electronic communications networks to
establish connections and to transmit information contain information on the private life of
natural persons and concern the right to respect for their correspondence or concern the
legitimate interests of legal persons. Such data may only be stored to the extent that is necessary
for the provision of the service for the purpose of billing and for interconnection payments, and
for a limited time. Any further processing of such data … may only be allowed if the subscriber
has agreed to this on the basis of accurate and full information given by the provider of the
publicly available electronic communications services about the types of further processing it
intends to perform and about the subscriber’s right not to give or to withdraw his/her consent to
such processing. ...
...
(30) Systems for the provision of electronic communications networks and services should be
designed to limit the amount of personal data necessary to a strict minimum. ...’
‘1. This Directive provides for the harmonisation of the national provisions required to ensure an
equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy
and confidentiality, with respect to the processing of personal data in the electronic communication
sector and to ensure the free movement of such data and of electronic communication equipment and
services in the Community.
2. The provisions of this Directive particularise and complement Directive [95/46] for the purposes
mentioned in paragraph 1. Moreover, they provide for protection of the legitimate interests of
subscribers who are legal persons.
3. This Directive shall not apply to activities which fall outside the scope of the Treaty establishing
the European Community, such as those covered by Titles V and VI of the Treaty on European Union,
and in any case to activities concerning public security, defence, State security (including the economic
well-being of the State when the activities relate to State security matters) and the activities of the State
in areas of criminal law.’
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=&… 4/27
8.9.2017 CURIA - Documents
‘Save as otherwise provided, the definitions in Directive [95/46] and in Directive 2002/21/EC of the
European Parliament and of the Council of 7 March 2002 on a common regulatory framework for
electronic communications networks and services (Framework Directive) [(OJ 2002 L 108, p. 33)]
shall apply.
...
(b) “traffic data” means any data processed for the purpose of the conveyance of a communication
on an electronic communications network or for the billing thereof;
(c) “location data” means any data processed in an electronic communications network or by an
electronic communications service, indicating the geographic position of the terminal equipment
of a user of a publicly available electronic communications service;
(d) “communication” means any information exchanged or conveyed between a finite number of
parties by means of a publicly available electronic communications service. This does not
include any information conveyed as part of a broadcasting service to the public over an
electronic communications network except to the extent that the information can be related to the
identifiable subscriber or user receiving the information;
...’
‘This Directive shall apply to the processing of personal data in connection with the provision of
publicly available electronic communications services in public communications networks in the
Community, including public communications networks supporting data collection and identification
devices.’
‘1. The provider of a publicly available electronic communications service must take appropriate
technical and organisational measures to safeguard security of its services, if necessary in conjunction
with the provider of the public communications network with respect to network security. Having
regard to the state of the art and the cost of their implementation, these measures shall ensure a level of
security appropriate to the risk presented.
1a. Without prejudice to Directive [95/46], the measures referred to in paragraph 1 shall at
least:
– ensure that personal data can be accessed only by authorised personnel for legally authorised
purposes,
– protect personal data stored or transmitted against accidental or unlawful destruction, accidental
loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure, and
– ensure the implementation of a security policy with respect to the processing of personal data.
...’
‘1. Member States shall ensure the confidentiality of communications and the related traffic data by
means of a public communications network and publicly available electronic communications services,
through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds
of interception or surveillance of communications and the related traffic data by persons other than
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=&… 5/27
8.9.2017 CURIA - Documents
users, without the consent of the users concerned, except when legally authorised to do so in
accordance with Article 15(1). This paragraph shall not prevent technical storage which is necessary
for the conveyance of a communication without prejudice to the principle of confidentiality.
...
3. Member States shall ensure that the storing of information, or the gaining of access to
information already stored, in the terminal equipment of a subscriber or user is only allowed on
condition that the subscriber or user concerned has given his or her consent, having been provided with
clear and comprehensive information, in accordance with Directive [95/46], inter alia, about the
purposes of the processing. This shall not prevent any technical storage or access for the sole purpose
of carrying out the transmission of a communication over an electronic communications network, or as
strictly necessary in order for the provider of an information society service explicitly requested by the
subscriber or user to provide the service.’
‘1. Traffic data relating to subscribers and users processed and stored by the provider of a public
communications network or publicly available electronic communications service must be erased or
made anonymous when it is no longer needed for the purpose of the transmission of a communication
without prejudice to paragraphs 2, 3 and 5 of this Article and Article 15(1).
2. Traffic data necessary for the purposes of subscriber billing and interconnection payments may be
processed. Such processing is permissible only up to the end of the period during which the bill may
lawfully be challenged or payment pursued.
3. For the purpose of marketing electronic communications services or for the provision of value
added services, the provider of a publicly available electronic communications service may process the
data referred to in paragraph 1 to the extent and for the duration necessary for such services or
marketing, if the subscriber or user to whom the data relate has given his or her prior consent. Users or
subscribers shall be given the possibility to withdraw their consent for the processing of traffic data at
any time.
...
10 Article 9(1) of that directive, that article being headed ‘Location data other than traffic data’, provides:
‘Where location data other than traffic data, relating to users or subscribers of public communications
networks or publicly available electronic communications services, can be processed, such data may
only be processed when they are made anonymous, or with the consent of the users or subscribers to
the extent and for the duration necessary for the provision of a value added service. The service
provider must inform the users or subscribers, prior to obtaining their consent, of the type of location
data other than traffic data which will be processed, of the purposes and duration of the processing and
whether the data will be transmitted to a third party for the purpose of providing the value added
service. …’
11 Article 15 of that directive, headed ‘Application of certain provisions of Directive [95/46]’, states:
‘1. Member States may adopt legislative measures to restrict the scope of the rights and obligations
provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive when
such restriction constitutes a necessary, appropriate and proportionate measure within a democratic
society to safeguard national security (i.e. State security), defence, public security, and the prevention,
investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=&… 6/27
8.9.2017 CURIA - Documents
communication system, as referred to in Article 13(1) of Directive [95/46]. To this end, Member States
may, inter alia, adopt legislative measures providing for the retention of data for a limited period
justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall
be in accordance with the general principles of Community law, including those referred to in
Article 6(1) and (2) of the Treaty on European Union.
...
1b. Providers shall establish internal procedures for responding to requests for access to users’
personal data based on national provisions adopted pursuant to paragraph 1. They shall provide the
competent national authority, on demand, with information about those procedures, the number of
requests received, the legal justification invoked and their response.
2. The provisions of Chapter III on judicial remedies, liability and sanctions of Directive [95/46]
shall apply with regard to national provisions adopted pursuant to this Directive and with regard to the
individual rights derived from this Directive.
...’
Directive 95/46
12 Article 22 of Directive 95/46, which is in Chapter III of that directive, is worded as follows:
‘Without prejudice to any administrative remedy for which provision may be made, inter alia before
the supervisory authority referred to in Article 28, prior to referral to the judicial authority, Member
States shall provide for the right of every person to a judicial remedy for any breach of the rights
guaranteed him by the national law applicable to the processing in question.’
Directive 2006/24/EC
13 Article 1(2) of Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006
on the retention of data generated or processed in connection with the provision of publicly available
electronic communications services or of public communications networks and amending Directive
2002/58/EC (OJ 2006 L 105, p. 54), that article being headed ‘Subject matter and scope’, provided:
‘This Directive shall apply to traffic and location data on both legal entities and natural persons and to
the related data necessary to identify the subscriber or registered user. It shall not apply to the content
of electronic communications, including information consulted using an electronic communications
network.’
‘1. By way of derogation from Articles 5, 6 and 9 of [Directive 2002/58], Member States shall
adopt measures to ensure that the data specified in Article 5 of this Directive are retained in accordance
with the provisions thereof, to the extent that those data are generated or processed by providers of
publicly available electronic communications services or of a public communications network within
their jurisdiction in the process of supplying the communications services concerned.
2. The obligation to retain data provided for in paragraph 1 shall include the retention of the data
specified in Article 5 relating to unsuccessful call attempts where those data are generated or
processed, and stored (as regards telephony data) or logged (as regards Internet data), by providers of
publicly available electronic communications services or of a public communications network within
the jurisdiction of the Member State concerned in the process of supplying the communication services
concerned. This Directive shall not require data relating to unconnected calls to be retained.’
Swedish law
15 It is apparent from the order for reference in Case C‑203/15 that the Swedish legislature, in order to
transpose Directive 2006/24 into national law, amended the lagen (2003:389) om elektronisk
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=&… 7/27
8.9.2017 CURIA - Documents
kommunikation [Law (2003:389) on electronic communications; ‘the LEK’] and the förordningen
(2003:396) om elektronisk kommunikation [Regulation (2003:396) on electronic communications].
Both of those texts, in the versions applicable to the dispute in the main proceedings, contain rules on
the retention of electronic communications data and on access to that data by the national authorities.
16 Access to that data is, in addition, regulated by the lagen (2012:278) om inhämtning av uppgifter om
elektronisk kommunikation i de brottsbekämpande myndigheternas underrättelseverksamhet (Law
(2012:278) on gathering of data relating to electronic communications as part of intelligence gathering
by law enforcement authorities: ‘Law 2012:278’) and by the rättegångsbalken (Code of Judicial
Procedure; ‘the RB’).
17 According to the information provided by the referring court in Case C‑203/15, the provisions of
Paragraph 16a of Chapter 6 of the LEK, read together with Paragraph 1 of Chapter 2 of that law,
impose an obligation on providers of electronic communications services to retain data the retention of
which was required by Directive 2006/24. The data concerned is that relating to subscriptions and all
electronic communications necessary to trace and identify the source and destination of a
communication; to determine its date, time, and type; to identify the communications equipment used
and to establish the location of mobile communication equipment used at the start and end of each
communication. The data which there is an obligation to retain is data generated or processed in the
context of telephony services, telephony services which use a mobile connection, electronic messaging
systems, internet access services and internet access capacity (connection mode) provision services.
The obligation extends to data relating to unsuccessful communications. The obligation does not
however extend to the content of communications.
19 In accordance with Paragraph 16d of Chapter 6 of the LEK, the data covered by Paragraph 16a of that
Chapter must be retained by the providers of electronic communications services for six months from
the date of the end of communication. The data must then be immediately erased, unless otherwise
provided in the second subparagraph of Paragraph 16d of that Chapter.
20 Access to retained data by the national authorities is governed by the provisions of Law 2012:278, the
LEK and the RB.
– Law 2012:278
21 In the context of intelligence gathering, the national police, the Säkerhetspolisen (the Swedish Security
Service), and the Tullverket (the Swedish Customs Authority) may, on the basis of Paragraph 1 of Law
2012:278, on the conditions prescribed by that law and without informing the provider of an electronic
communications network or a provider of an electronic communications service authorised under the
LEK, undertake the collection of data relating to messages transmitted by an electronic
communications network, the electronic communications equipment located in a specified
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=&… 8/27
8.9.2017 CURIA - Documents
geographical area and the geographical areas(s) where electronic communications equipment is or was
located.
22 In accordance with Paragraphs 2 and 3 of Law 2012:278, data may, as a general rule, be collected if,
depending on the circumstances, the measure is particularly necessary in order to avert, prevent or
detect criminal activity involving one or more offences punishable by a term of imprisonment of at
least two years, or one of the acts listed in Paragraph 3 of that law, referring to offences punishable by
a term of imprisonment of less than two years. Any grounds supporting that measure must outweigh
considerations relating to the harm or prejudice that may be caused to the person affected by that
measure or to an interest opposing that measure. In accordance with Paragraph 5 of that law, the
duration of the measure must not exceed one month.
23 The decision to implement such a measure is to be taken by the director of the authority concerned or
by a person to whom that responsibility is delegated. The decision is not subject to prior review by a
judicial authority or an independent administrative authority.
24 Under Paragraph 6 of Law 2012:278, the Säkerhets och integritetsskyddsnämnden (the Swedish
Commission on Security and Integrity Protection) must be informed of any decision authorising the
collection of data. In accordance with Paragraph 1 of Lagen (2007:980) om tillsyn över viss
brottsbekämpande verksamhet (Law (2007:980) on the supervision of certain law enforcement
activities), that authority is to oversee the application of the legislation by the law enforcement
authorities.
– The LEK
25 Under Paragraph 22, first subparagraph, point 2, of Chapter 6 of the LEK, all providers of electronic
communications services must disclose data relating to a subscription at the request of the prosecution
authority, the national police, the Security Service or any other public law enforcement authority, if that
data is connected with a presumed criminal offence. On the information provided by the referring court
in Case C‑203/15, it is not necessary that the offence be a serious crime.
– The RB
26 The RB governs the disclosure of retained data to the national authorities within the framework of
preliminary investigations. In accordance with Paragraph 19 of Chapter 27 of the RB, ‘placing
electronic communications under surveillance’ without the knowledge of third parties is, as a general
rule, permitted within the framework of preliminary investigations that relate to, inter alia, offences
punishable by a sentence of imprisonment of at least six months. The expression ‘placing electronic
communications under surveillance’, under Paragraph 19 of Chapter 27 of the RB, means obtaining
data without the knowledge of third parties that relates to a message transmitted by an electronic
communications network, the electronic communications equipment located or having been located in
a specific geographical area, and the geographical area(s) where specific electronic communications
equipment is or has been located.
27 According to what is stated by the referring court in Case C‑203/15, information on the content of a
message may not be obtained on the basis of Paragraph 19 of Chapter 27 of the RB. As a general rule,
placing electronic communications under surveillance may be ordered, under Paragraph 20 of Chapter
27 of the RB, only where there are reasonable grounds for suspicion that an individual has committed
an offence and that the measure is particularly necessary for the purposes of the investigation: the
subject of that investigation must moreover be an offence punishable by a sentence of imprisonment of
at least two years, or attempts, preparation or conspiracy to commit such an offence. In accordance
with Paragraph 21 of Chapter 27 of the RB, the prosecutor must, other than in cases of urgency, request
from the court with jurisdiction authority to place electronic communications under surveillance.
28 Under Paragraph 3a of Chapter 6 of the LEK, providers of electronic communications services who
are subject to an obligation to retain data must take appropriate technical and organisational measures
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=&… 9/27
8.9.2017 CURIA - Documents
to ensure the protection of data during processing. On the information provided by the referring court
in Case C‑203/15, Swedish law does not, however, make any provision as to where the data is to be
retained.
DRIPA
29 Section 1 of DRIPA, headed ‘Powers for retention of relevant communications data subject to
safeguards’, provides:
‘(1) The Secretary of State may by notice (a “retention notice”) require a public telecommunications
operator to retain relevant communications data if the Secretary of State considers that the
requirement is necessary and proportionate for one or more of the purposes falling within
paragraphs (a) to (h) of section 22(2) of the Regulation of Investigatory Powers Act 2000
(purposes for which communications data may be obtained).
(f) relate to data whether or not in existence at the time of the giving, or coming into force, of
the notice.
(3) The Secretary of State may by regulations make further provision about the retention of relevant
communications data.
(b) the maximum period for which data is to be retained under a retention notice;
(c) the content, giving, coming into force, review, variation or revocation of a retention notice;
(d) the integrity, security or protection of, access to, or the disclosure or destruction of, data
retained by virtue of this section;
(e) the enforcement of, or auditing compliance with, relevant requirements or restrictions;
(g) the reimbursement by the Secretary of State (with or without conditions) of expenses
incurred by public telecommunications operators in complying with relevant requirements
or restrictions;
(h) the [Data Retention (EC Directive) Regulations 2009] ceasing to have effect and the
transition to the retention of data by virtue of this section.
(5) The maximum period provided for by virtue of subsection (4)(b) must not exceed 12 months
beginning with such day as is specified in relation to the data concerned by regulations under
subsection (3).
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 10/27
8.9.2017 CURIA - Documents
...’
RIPA
31 Section 21(4) of the Regulation of Investigatory Powers Act 2000 (‘RIPA’), that section being in
Chapter II of that act and headed ‘Lawful acquisition and disclosure of communications data’, states:
(a) any traffic data comprised in or attached to a communication (whether by the sender or
otherwise) for the purposes of any postal service or telecommunication system by means of
which it is being or may be transmitted;
(b) any information which includes none of the contents of a communication (apart from any
information falling within paragraph (a)) and is about the use made by any person:
(ii) in connection with the provision to or use by any person of any telecommunications
service, of any part of a telecommunication system;
(c) any information not falling within paragraph (a) or (b) that is held or obtained, in relation to
persons to whom he provides the service, by a person providing a postal service or
telecommunications service’.
32 On the information provided in the order for reference in Case C‑698/15, that data includes ‘user
location data’, but not data relating to the content of a communication.
‘(1) This section applies where a person designated for the purposes of this Chapter believes that it
is necessary on grounds falling within subsection (2) to obtain any communications data.
(2) It is necessary on grounds falling within this subsection to obtain communications data if it is
necessary:
(f) for the purpose of assessing or collecting any tax, duty, levy or other imposition,
contribution or charge payable to a government department;
(g) or the purpose, in an emergency, of preventing death or injury or any damage to a person’s
physical or mental health, or of mitigating any injury or damage to a person’s physical or
mental health; or
(h) or any purpose (not falling within paragraphs (a) to (g)) which is specified for the purposes
of this subsection by an order made by the Secretary of State.
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 11/27
8.9.2017 CURIA - Documents
(4) Subject to subsection (5), where it appears to the designated person that a postal or
telecommunications operator is or may be in possession of, or be capable of obtaining, any
communications data, the designated person may, by notice to the postal or telecommunications
operator, require the operator:
(a) if the operator is not already in possession of the data, to obtain the data; and
(b) in any case, to disclose all of the data in his possession or subsequently obtained by him.
(5) The designated person shall not grant an authorisation under subsection (3) or give a notice
under subsection (4), unless he believes that obtaining the data in question by the conduct
authorised or required by the authorisation or notice is proportionate to what is sought to be
achieved by so obtaining the data.’
34 Under Section 65 of RIPA, complaints may be made to the Investigatory Powers Tribunal (United
Kingdom) if there is reason to believe that data has been acquired inappropriately.
35 The Data Retention Regulations 2014 (‘the 2014 Regulations’), adopted on the basis of DRIPA, are
divided into three parts, Part 2 containing regulations 2 to 14 of that legislation. Regulation 4, headed
‘Retention notices’, provides:
(a) the public telecommunications operator (or description of operators) to whom it relates,
(d) any other requirements, or any restrictions, in relation to the retention of the data.
(2) A retention notice must not require any data to be retained for more than 12 months beginning
with:
(a) in the case of traffic data or service use data, the day of the communication concerned, and
(b) in the case of subscriber data, the day on which the person concerned leaves the
telecommunications service concerned or (if earlier) the day on which the data is changed.
...’
36 Regulation 7 of the 2014 Regulations, headed ‘Data integrity and security’, provides:
‘(1) A public telecommunications operator who retains communications data by virtue of section 1
of [DRIPA] must:
(a) secure that the data is of the same integrity and subject to at least the same security and
protection as the data on any system from which it is derived,
(b) secure, by appropriate technical and organisational measures, that the data can be accessed
only by specially authorised personnel, and
(c) protect, by appropriate technical and organisational measures, the data against accidental
or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful retention,
processing, access or disclosure.
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 12/27
8.9.2017 CURIA - Documents
(2) A public telecommunications operator who retains communications data by virtue of section 1
of [DRIPA] must destroy the data if the retention of the data ceases to be authorised by virtue of
that section and is not otherwise authorised by law.
(3) The requirement in paragraph (2) to destroy the data is a requirement to delete the data in such a
way as to make access to the data impossible.
(4) It is sufficient for the operator to make arrangements for the deletion of the data to take place at
such monthly or shorter intervals as appear to the operator to be practicable.’
‘(1) A public telecommunications operator must put in place adequate security systems (including
technical and organisational measures) governing access to communications data retained by
virtue of section 1 of [DRIPA] in order to protect against any disclosure of a kind which does not
fall within section 1(6)(a) of [DRIPA].
(2) A public telecommunications operator who retains communications data by virtue of section 1
of [DRIPA] must retain the data in such a way that it can be transmitted without undue delay in
response to requests.’
38 Regulation 9 of the 2014 Regulations, headed ‘Oversight by the Information Commissioner’, states:
‘The Information Commissioner must audit compliance with requirements or restrictions imposed by
this Part in relation to the integrity, security or destruction of data retained by virtue of section 1 of
[DRIPA].’
39 The Acquisition and Disclosure of Communications Data Code of Practice (‘the Code of Practice’)
contains, in paragraphs 2.5 to 2.9 and 2.36 to 2.45, guidance on the necessity for and proportionality of
obtaining communications data. As explained by the referring court in Case C‑698/15, particular
attention must, in accordance with paragraphs 3.72 to 3.77 of that code, be paid to necessity and
proportionality where the communications data sought relates to a person who is a member of a
profession that handles privileged or otherwise confidential information.
40 Under paragraph 3.78 to 3.84 of that code, a court order is required in the specific case of an
application for communications data that is made in order to identify a journalist’s source. Under
paragraphs 3.85 to 3.87 of that code, judicial approval is required when an application for access is
made by local authorities. No authorisation, on the other hand, need be obtained from a court or any
independent body with respect to access to communications data protected by legal professional
privilege or relating to doctors of medicine, Members of Parliament or ministers of religion.
41 Paragraph 7.1 of the Code of Practice provides that communications data acquired or obtained under
the provisions of RIPA, and all copies, extracts and summaries of that data, must be handled and stored
securely. In additions, the requirements of the Data Protection Act must be adhered to.
42 In accordance with paragraph 7.18 of the Code of Practice, where a United Kingdom public authority
is considering the possible disclosure to overseas authorities of communications data, it must, inter
alia, consider whether that data will be adequately protected. However, it is stated in paragraph 7.22 of
that code that a transfer of data to a third country may take place where that transfer is necessary for
reasons of substantial public interest, even where the third country does not provide an adequate level
of protection. On the information given by the referring court in Case C‑698/15, the Secretary of State
for the Home Department may issue a national security certificate that exempts certain data from the
provisions of the legislation.
43 In paragraph 8.1 of that code, it is stated that RIPA established the Interception of Communications
Commissioner (United Kingdom), whose remit is, inter alia, to provide independent oversight of the
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 13/27
8.9.2017 CURIA - Documents
exercise and performance of the powers and duties contained in Chapter II of Part I of RIPA. As is
stated in paragraph 8.3 of the code, the Commissioner may, where he can ‘establish that an individual
has been adversely affected by any wilful or reckless failure’, inform that individual of suspected
unlawful use of powers.
The disputes in the main proceedings and the questions referred for a preliminary ruling
Case C‑203/15
45 On 15 April 2014, the Rikspolisstyrelsen (the Swedish National Police Authority, Sweden) sent to the
PTS a complaint to the effect that Tele2 Sverige had ceased to send to it the data concerned.
46 On 29 April 2014, the justitieminister (Swedish Minister for Justice) appointed a special reporter to
examine the Swedish legislation at issue in the light of the Digital Rights judgment. In a report dated
13 June 2014, entitled ‘Datalagring, EU-rätten och svensk rätt, Ds 2014:23’ (Data retention, EU law
and Swedish law; ‘the 2014 report’), the special reporter concluded that the national legislation on the
retention of data, as set out in Paragraphs 16a to 16f of the LEK, was not incompatible with either EU
law or the European Convention for the Protection of Human Rights and Fundamental Freedoms,
signed in Rome on 4 November 1950 (‘the ECHR’). The special reporter emphasised that the Digital
Rights judgment could not be interpreted as meaning that the general and indiscriminate retention of
data was to be condemned as a matter of principle. From his perspective, neither should the Digital
Rights judgment be understood as meaning that the Court had established, in that judgment, a set of
criteria all of which had to be satisfied if legislation was to be able to be regarded as proportionate. He
considered that it was necessary to assess all the circumstances in order to determine the compatibility
of the Swedish legislation with EU law, such as the extent of data retention in the light of the
provisions on access to data, on the duration of retention, and on the protection and the security of data.
47 On that basis, on 19 June 2014 the PTS informed Tele2 Sverige that it was in breach of its obligations
under the national legislation in failing to retain the data covered by the LEK for six months, for the
purpose of combating crime. By an order of 27 June 2014, the PTS ordered Tele2 Sverige to
commence, by no later than 25 July 2014, the retention of that data.
48 Tele2 Sverige considered that the 2014 report was based on a misinterpretation of the Digital Rights
judgment and that the obligation to retain data was in breach of the fundamental rights guaranteed by
the Charter, and therefore brought an action before the Förvaltningsrätten i Stockholm (Administrative
Court, Stockholm) challenging the order of 27 June 2014. Since that court dismissed the action, by
judgment of 13 October 2014, Tele2 Sverige brought an appeal against that judgment before the
referring court.
49 In the opinion of the referring court, the compatibility of the Swedish legislation with EU law should
be assessed with regard to Article 15(1) of Directive 2002/58. While that directive establishes the
general rule that traffic and location data should be erased or made anonymous when no longer
required for the transmission of a communication, Article 15(1) of that directive introduces a
derogation from that general rule since it permits the Member States, where justified on one of the
specified grounds, to restrict that obligation to erase or render anonymous, or even to make provision
for the retention of data. Accordingly, EU law allows, in certain situations, the retention of electronic
communications data.
50 The referring court nonetheless seeks to ascertain whether a general and indiscriminate obligation to
retain electronic communications data, such as that at issue in the main proceedings, is compatible,
taking into consideration the Digital Rights judgment, with Article 15(1) of Directive 2002/58, read in
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 14/27
8.9.2017 CURIA - Documents
the light of Articles 7 and 8 and Article 52(1) of the Charter. Given that the opinions of the parties
differ on that point, it is necessary that the Court give an unequivocal ruling on whether, as maintained
by Tele2 Sverige, the general and indiscriminate retention of electronic communications data is per se
incompatible with Articles 7 and 8 and Article 52(1) of the Charter, or whether, as stated in the 2014
Report, the compatibility of such retention of data is to be assessed in the light of provisions relating to
access to the data, the protection and security of the data and the duration of retention.
‘(1) Is a general obligation to retain traffic data covering all persons, all means of electronic
communication and all traffic data without any distinctions, limitations or exceptions for the
purpose of combating crime … compatible with Article 15(1) of Directive 2002/58/EC, taking
account of Articles 7 and 8 and Article 52(1) of the Charter?
(2) If the answer to question 1 is in the negative, may the retention nevertheless be permitted where:
(a) access by the national authorities to the retained data is determined as [described in
paragraphs 19 to 36 of the order for reference], and
(b) data protection and security requirements are regulated as [described in paragraphs 38 to
43 of the order for reference], and
(c) all relevant data is to be retained for six months, calculated as from the day when the
communication is ended, and subsequently erased as [described in paragraph 37 of the
order for reference]?’
Case C‑698/15
52 Mr Watson, Mr Brice and Mr Lewis each lodged, before the High Court of Justice (England & Wales),
Queen’s Bench Division (Divisional Court) (United Kingdom), applications for judicial review of the
legality of Section 1 of DRIPA, claiming, inter alia, that that section is incompatible with Articles 7
and 8 of the Charter and Article 8 of the ECHR.
53 By judgment of 17 July 2015, the High Court of Justice (England & Wales), Queen’s Bench Division
(Divisional Court) held that the Digital Rights judgment laid down ‘mandatory requirements of EU
law’ applicable to the legislation of Member States on the retention of communications data and access
to such data. According to the High Court of Justice, since the Court, in that judgment, held that
Directive 2006/24 was incompatible with the principle of proportionality, national legislation
containing the same provisions as that directive could, equally, not be compatible with that principle. It
follows from the underlying logic of the Digital Rights judgment that legislation that establishes a
general body of rules for the retention of communications data is in breach of the rights guaranteed in
Articles 7 and 8 of the Charter, unless that legislation is complemented by a body of rules for access to
the data, defined by national law, which provides sufficient safeguards to protect those rights.
Accordingly, Section 1 of DRIPA is not compatible with Articles 7 and 8 of the Charter in so far as it
does not lay down clear and precise rules providing for access to and use of retained data and in so far
as access to that data is not made dependent on prior review by a court or an independent
administrative body.
54 The Secretary of State for the Home Department brought an appeal against that judgment before the
Court of Appeal (England & Wales) (Civil Division) (United Kingdom).
55 That court states that Section 1(1) of DRIPA empowers the Secretary of State for the Home
Department to adopt, without any prior authorisation from a court or an independent administrative
body, a general regime requiring public telecommunications operators to retain all data relating to any
postal service or any telecommunications service for a maximum period of 12 months if he/she
considers that such a requirement is necessary and proportionate to achieve the purposes stated in the
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 15/27
8.9.2017 CURIA - Documents
United Kingdom legislation. Even though that data does not include the content of a communication, it
could be highly intrusive into the privacy of users of communications services.
56 In the order for reference and in its judgment of 20 November 2015, delivered in the appeal procedure,
wherein it decided to send to the Court this request for a preliminary ruling, the referring court
considers that the national rules on the retention of data necessarily fall within the scope of
Article 15(1) of Directive 2002/58 and must therefore conform to the requirements of the Charter.
However, as stated in Article 1(3) of that directive, the EU legislature did not harmonise the rules
relating to access to retained data.
57 As regards the effect of the Digital Rights judgment on the issues raised in the main proceedings, the
referring court states that, in the case that gave rise to that judgment, the Court was considering the
validity of Directive 2006/24 and not the validity of any national legislation. Having regard, inter alia,
to the close relationship between the retention of data and access to that data, it was essential that that
directive should incorporate a set of safeguards and that the Digital Rights judgment should analyse,
when examining the lawfulness of the data retention regime established by that directive, the rules
relating to access to that data. The Court had not therefore intended to lay down, in that judgment,
mandatory requirements applicable to national legislation on access to data that does not implement
EU law. Further, the reasoning of the Court was closely linked to the objective pursued by Directive
2006/24. National legislation should, however, be assessed in the light of the objectives pursued by that
legislation and its context.
58 As regards the need to refer questions to the Court for a preliminary ruling, the referring court draws
attention to the fact that, when the order for reference was issued, six courts in other Member States,
five of those courts being courts of last resort, had declared national legislation to be invalid on the
basis of the Digital Rights judgment. The answer to the questions referred is therefore not obvious,
although the answer is required to give a ruling on the cases brought before that court.
59 In those circumstances, the Court of Appeal (England & Wales) (Civil Division) decided to stay the
proceedings and to refer to the Court the following questions for a preliminary ruling:
‘(1) Does [the Digital Rights judgment] (including, in particular, paragraphs 60 to 62 thereof) lay
down mandatory requirements of EU law applicable to a Member State’s domestic regime
governing access to data retained in accordance with national legislation, in order to comply with
Articles 7 and 8 of [the Charter]?
(2) Does [the Digital Rights judgment] expand the scope of Articles 7 and/or 8 of [the Charter]
beyond that of Article 8 of the European Convention of Human Rights … as established in the
jurisprudence of the European Court of Human Rights …?’
60 By order of 1 February 2016, Davis and Others (C‑698/15, not published, EU:C:2016:70), the
President of the Court decided to grant the request of the Court of Appeal (England & Wales) (Civil
Division) that Case C‑698/15 should be dealt with under the expedited procedure provided for in
Article 105(1) of the Court’s Rules of Procedure.
61 By decision of the President of the Court of 10 March 2016, Cases C‑203/15 and C‑698/15 were
joined for the purposes of the oral part of the procedure and the judgment.
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 16/27
8.9.2017 CURIA - Documents
62 By the first question in Case C‑203/15, the Kammarrätten i Stockholm (Administrative Court of
Appeal, Stockholm) seeks, in essence, to ascertain whether Article 15(1) of Directive 2002/58, read in
the light of Articles 7 and 8 and Article 52(1) of the Charter, must be interpreted as precluding national
legislation such as that at issue in the main proceedings that provides, for the purpose of fighting crime,
for general and indiscriminate retention of all traffic and location data of all subscribers and registered
users with respect to all means of electronic communications.
63 That question arises, in particular, from the fact that Directive 2006/24, which the national legislation
at issue in the main proceedings was intended to transpose, was declared to be invalid by the Digital
Rights judgment, though the parties disagree on the scope of that judgment and its effect on that
legislation, given that it governs the retention of traffic and location data and access to that data by the
national authorities.
64 It is necessary first to examine whether national legislation such as that at issue in the main proceeding
falls within the scope of EU law.
65 The Member States that have submitted written observations to the Court have differed in their
opinions as to whether and to what extent national legislation on the retention of traffic and location
data and access to that data by the national authorities, for the purpose of combating crime, falls within
the scope of Directive 2002/58. Whereas, in particular, the Belgian, Danish, German and Estonian
Governments, Ireland and the Netherlands Government have expressed the opinion that the answer is
that it does, the Czech Government has proposed that the answer is that it does not, since the sole
objective of such legislation is to combat crime. The United Kingdom Government, for its part, argues
that only legislation relating to the retention of data, but not legislation relating to the access to that
data by the competent national law enforcement authorities, falls within the scope of that directive.
66 As regards, finally, the Commission, while it maintained, in its written observations submitted to the
Court in Case C‑203/15, that the national legislation at issue in the main proceedings falls within the
scope of Directive 2002/58, the Commission argues, in its written observations in Case C‑698/15, that
only national rules relating to the retention of data, and not those relating to the access of the national
authorities to that data, fall within the scope of that directive. The latter rules should, however,
according to the Commission, be taken into consideration in order to assess whether national
legislation governing the retention of data by providers of electronic communications services
constitutes a proportionate interference in the fundamental rights guaranteed in Articles 7 and 8 of the
Charter.
67 In that regard, it must be observed that a determination of the scope of Directive 2002/58 must take
into consideration, inter alia, the general structure of that directive.
68 Article 1(1) of Directive 2002/58 indicates that the directive provides, inter alia, for the harmonisation
of the provisions of national law required to ensure an equivalent level of protection of fundamental
rights and freedoms, and in particular the right to privacy and confidentiality, with respect to the
processing of personal data in the electronic communications sector.
69 Article 1(3) of that directive excludes from its scope ‘activities of the State’ in specified fields,
including the activities of the State in areas of criminal law and in the areas of public security, defence
and State security, including the economic well-being of the State when the activities relate to State
security matters (see, by analogy, with respect to the first indent of Article 3(2) of Directive 95/46,
judgments of 6 November 2003, Lindqvist, C‑101/01, EU:C:2003:596, paragraph 43, and of
16 December 2008, Satakunnan Markkinapörssi and Satamedia, C‑73/07, EU:C:2008:727,
paragraph 41).
70 Article 3 of Directive 2002/58 states that the directive is to apply to the processing of personal data in
connection with the provision of publicly available electronic communications services in public
communications networks in the European Union, including public communications networks
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 17/27
8.9.2017 CURIA - Documents
71 Article 15(1) of Directive 2002/58 states that Member States may adopt, subject to the conditions laid
down, ‘legislative measures to restrict the scope of the rights and obligations provided for in Article 5,
Article 6, Article 8(1), (2), (3) and (4), and Article 9 [of that directive]’. The second sentence of
Article 15(1) of that directive identifies, as an example of measures that may thus be adopted by
Member States, measures ‘providing for the retention of data’.
72 Admittedly, the legislative measures that are referred to in Article 15(1) of Directive 2002/58 concern
activities characteristic of States or State authorities, and are unrelated to fields in which individuals
are active (see, to that effect, judgment of 29 January 2008, Promusicae, C‑275/06, EU:C:2008:54,
paragraph 51). Moreover, the objectives which, under that provision, such measures must pursue, such
as safeguarding national security, defence and public security and the prevention, investigation,
detection and prosecution of criminal offences or of unauthorised use of the electronic communications
system, overlap substantially with the objectives pursued by the activities referred to in Article 1(3) of
that directive.
73 However, having regard to the general structure of Directive 2002/58, the factors identified in the
preceding paragraph of this judgment do not permit the conclusion that the legislative measures
referred to in Article 15(1) of Directive 2002/58 are excluded from the scope of that directive, for
otherwise that provision would be deprived of any purpose. Indeed, Article 15(1) necessarily
presupposes that the national measures referred to therein, such as those relating to the retention of data
for the purpose of combating crime, fall within the scope of that directive, since it expressly authorises
the Member States to adopt them only if the conditions laid down in the directive are met.
74 Further, the legislative measures referred to in Article 15(1) of Directive 2002/58 govern, for the
purposes mentioned in that provision, the activity of providers of electronic communications services.
Accordingly, Article 15(1), read together with Article 3 of that directive, must be interpreted as
meaning that such legislative measures fall within the scope of that directive.
75 The scope of that directive extends, in particular, to a legislative measure, such as that at issue in the
main proceedings, that requires such providers to retain traffic and location data, since to do so
necessarily involves the processing, by those providers, of personal data.
76 The scope of that directive also extends to a legislative measure relating, as in the main proceedings,
to the access of the national authorities to the data retained by the providers of electronic
communications services.
77 The protection of the confidentiality of electronic communications and related traffic data, guaranteed
in Article 5(1) of Directive 2002/58, applies to the measures taken by all persons other than users,
whether private persons or bodies or State bodies. As confirmed in recital 21 of that directive, the aim
of the directive is to prevent unauthorised access to communications, including ‘any data related to
such communications’, in order to protect the confidentiality of electronic communications.
78 In those circumstances, a legislative measure whereby a Member State, on the basis of Article 15(1) of
Directive 2002/58, requires providers of electronic communications services, for the purposes set out
in that provision, to grant national authorities, on the conditions laid down in such a measure, access to
the data retained by those providers, concerns the processing of personal data by those providers, and
that processing falls within the scope of that directive.
79 Further, since data is retained only for the purpose, when necessary, of making that data accessible to
the competent national authorities, national legislation that imposes the retention of data necessarily
entails, in principle, the existence of provisions relating to access by the competent national authorities
to the data retained by the providers of electronic communications services.
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 18/27
8.9.2017 CURIA - Documents
80 That interpretation is confirmed by Article 15(1b) of Directive 2002/58, which provides that providers
are to establish internal procedures for responding to requests for access to users’ personal data, based
on provisions of national law adopted pursuant to Article 15(1) of that directive.
81 It follows from the foregoing that national legislation, such as that at issue in the main proceedings in
Cases C‑203/15 and C‑698/15, falls within the scope of Directive 2002/58.
The interpretation of Article 15(1) of Directive 2002/58, in the light of Articles 7, 8, 11 and
Article 52(1) of the Charter
82 It must be observed that, according to Article 1(2) of Directive 2002/58, the provisions of that
directive ‘particularise and complement’ Directive 95/46. As stated in its recital 2, Directive 2002/58
seeks to ensure, in particular, full respect for the rights set out in Articles 7 and 8 of the Charter. In that
regard, it is clear from the explanatory memorandum of the Proposal for a Directive of the European
Parliament and of the Council concerning the processing of personal data and the protection of privacy
in the electronic communications sector (COM(2000) 385 final), which led to Directive 2002/58, that
the EU legislature sought ‘to ensure that a high level of protection of personal data and privacy will
continue to be guaranteed for all electronic communications services regardless of the technology
used’.
83 To that end, Directive 2002/58 contains specific provisions designed, as is apparent from, in particular,
recitals 6 and 7 of that directive, to offer to the users of electronic communications services protection
against risks to their personal data and privacy that arise from new technology and the increasing
capacity for automated storage and processing of data.
84 In particular, Article 5(1) of that directive provides that the Member States must ensure, by means of
their national legislation, the confidentiality of communications effected by means of a public
communications network and publicly available electronic communications services, and the
confidentiality of the related traffic data.
86 Accordingly, as confirmed by recitals 22 and 26 of Directive 2002/58, under Article 6 of that directive,
the processing and storage of traffic data are permitted only to the extent necessary and for the time
necessary for the billing and marketing of services and the provision of value added services (see, to
that effect, judgment of 29 January 2008, Promusicae, C‑275/06, EU:C:2008:54, paragraphs 47 and
48). As regards, in particular, the billing of services, that processing is permitted only up to the end of
the period during which the bill may be lawfully challenged or legal proceedings brought to obtain
payment. Once that period has elapsed, the data processed and stored must be erased or made
anonymous. As regards location data other than traffic data, Article 9(1) of that directive provides that
that data may be processed only subject to certain conditions and after it has been made anonymous or
the consent of the users or subscribers obtained.
87 The scope of Article 5, Article 6 and Article 9(1) of Directive 2002/58, which seek to ensure the
confidentiality of communications and related data, and to minimise the risks of misuse, must
moreover be assessed in the light of recital 30 of that directive, which states: ‘Systems for the provision
of electronic communications networks and services should be designed to limit the amount of
personal data necessary to a strict minimum’.
88 Admittedly, Article 15(1) of Directive 2002/58 enables the Member States to introduce exceptions to
the obligation of principle, laid down in Article 5(1) of that directive, to ensure the confidentiality of
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 19/27
8.9.2017 CURIA - Documents
personal data, and to the corresponding obligations, referred to in Articles 6 and 9 of that directive (see,
to that effect, judgment of 29 January 2008, Promusicae, C‑275/06, EU:C:2008:54, paragraph 50).
89 Nonetheless, in so far as Article 15(1) of Directive 2002/58 enables Member States to restrict the
scope of the obligation of principle to ensure the confidentiality of communications and related traffic
data, that provision must, in accordance with the Court’s settled case-law, be interpreted strictly (see,
by analogy, judgment of 22 November 2012, Probst, C‑119/12, EU:C:2012:748, paragraph 23). That
provision cannot, therefore, permit the exception to that obligation of principle and, in particular, to the
prohibition on storage of data, laid down in Article 5 of Directive 2002/58, to become the rule, if the
latter provision is not to be rendered largely meaningless.
90 It must, in that regard, be observed that the first sentence of Article 15(1) of Directive 2002/58
provides that the objectives pursued by the legislative measures that it covers, which derogate from the
principle of confidentiality of communications and related traffic data, must be ‘to safeguard national
security — that is, State security — defence, public security, and the prevention, investigation,
detection and prosecution of criminal offences or of unauthorised use of the electronic communication
system’, or one of the other objectives specified in Article 13(1) of Directive 95/46, to which the first
sentence of Article 15(1) of Directive 2002/58 refers (see, to that effect, judgment of 29 January 2008,
Promusicae, C‑275/06, EU:C:2008:54, paragraph 53). That list of objectives is exhaustive, as is
apparent from the second sentence of Article 15(1) of Directive 2002/58, which states that the
legislative measures must be justified on ‘the grounds laid down’ in the first sentence of Article 15(1)
of that directive. Accordingly, the Member States cannot adopt such measures for purposes other than
those listed in that latter provision.
91 Further, the third sentence of Article 15(1) of Directive 2002/58 provides that ‘[a]ll the measures
referred to [in Article 15(1)] shall be in accordance with the general principles of [European Union]
law, including those referred to in Article 6(1) and (2) [EU]’, which include the general principles and
fundamental rights now guaranteed by the Charter. Article 15(1) of Directive 2002/58 must, therefore,
be interpreted in the light of the fundamental rights guaranteed by the Charter (see, by analogy, in
relation to Directive 95/46, judgments of 20 May 2003, Österreichischer Rundfunk and Others,
C‑465/00, C‑138/01 and C‑139/01, EU:C:2003:294, paragraph 68; of 13 May 2014, Google Spain and
Google, C‑131/12, EU:C:2014:317, paragraph 68, and of 6 October 2015, Schrems, C‑362/14,
EU:C:2015:650, paragraph 38).
92 In that regard, it must be emphasised that the obligation imposed on providers of electronic
communications services, by national legislation such as that at issue in the main proceedings, to retain
traffic data in order, when necessary, to make that data available to the competent national authorities,
raises questions relating to compatibility not only with Articles 7 and 8 of the Charter, which are
expressly referred to in the questions referred for a preliminary ruling, but also with the freedom of
expression guaranteed in Article 11 of the Charter (see, by analogy, in relation to Directive 2006/24,
the Digital Rights judgment, paragraphs 25 and 70).
93 Accordingly, the importance both of the right to privacy, guaranteed in Article 7 of the Charter, and of
the right to protection of personal data, guaranteed in Article 8 of the Charter, as derived from the
Court’s case-law (see, to that effect, judgment of 6 October 2015, Schrems, C‑362/14, EU:C:2015:650,
paragraph 39 and the case-law cited), must be taken into consideration in interpreting Article 15(1) of
Directive 2002/58. The same is true of the right to freedom of expression in the light of the particular
importance accorded to that freedom in any democratic society. That fundamental right, guaranteed in
Article 11 of the Charter, constitutes one of the essential foundations of a pluralist, democratic society,
and is one of the values on which, under Article 2 TEU, the Union is founded (see, to that effect,
judgments of 12 June 2003, Schmidberger, C‑112/00, EU:C:2003:333, paragraph 79, and of
6 September 2011, Patriciello, C‑163/10, EU:C:2011:543, paragraph 31).
94 In that regard, it must be recalled that, under Article 52(1) of the Charter, any limitation on the
exercise of the rights and freedoms recognised by the Charter must be provided for by law and must
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 20/27
8.9.2017 CURIA - Documents
respect the essence of those rights and freedoms. With due regard to the principle of proportionality,
limitations may be imposed on the exercise of those rights and freedoms only if they are necessary and
if they genuinely meet objectives of general interest recognised by the European Union or the need to
protect the rights and freedoms of others (judgment of 15 February 2016, N., C‑601/15 PPU,
EU:C:2016:84, paragraph 50).
95 With respect to that last issue, the first sentence of Article 15(1) of Directive 2002/58 provides that
Member States may adopt a measure that derogates from the principle of confidentiality of
communications and related traffic data where it is a ‘necessary, appropriate and proportionate measure
within a democratic society’, in view of the objectives laid down in that provision. As regards recital
11 of that directive, it states that a measure of that kind must be ‘strictly’ proportionate to the intended
purpose. In relation to, in particular, the retention of data, the requirement laid down in the second
sentence of Article 15(1) of that directive is that data should be retained ‘for a limited period’ and be
‘justified’ by reference to one of the objectives stated in the first sentence of Article 15(1) of that
directive.
96 Due regard to the principle of proportionality also derives from the Court’s settled case-law to the
effect that the protection of the fundamental right to respect for private life at EU level requires that
derogations from and limitations on the protection of personal data should apply only in so far as is
strictly necessary (judgments of 16 December 2008, Satakunnan Markkinapörssi and Satamedia,
C‑73/07, EU:C:2008:727, paragraph 56; of 9 November 2010, Volker und Markus Schecke and Eifert,
C‑92/09 and C‑93/09, EU:C:2010:662, paragraph 77; the Digital Rights judgment, paragraph 52, and
of 6 October 2015, Schrems, C‑362/14, EU:C:2015:650, paragraph 92).
97 As regards whether national legislation, such as that at issue in Case C‑203/15, satisfies those
conditions, it must be observed that that legislation provides for a general and indiscriminate retention
of all traffic and location data of all subscribers and registered users relating to all means of electronic
communication, and that it imposes on providers of electronic communications services an obligation
to retain that data systematically and continuously, with no exceptions. As stated in the order for
reference, the categories of data covered by that legislation correspond, in essence, to the data whose
retention was required by Directive 2006/24.
98 The data which providers of electronic communications services must therefore retain makes it
possible to trace and identify the source of a communication and its destination, to identify the date,
time, duration and type of a communication, to identify users’ communication equipment, and to
establish the location of mobile communication equipment. That data includes, inter alia, the name and
address of the subscriber or registered user, the telephone number of the caller, the number called and
an IP address for internet services. That data makes it possible, in particular, to identify the person with
whom a subscriber or registered user has communicated and by what means, and to identify the time of
the communication as well as the place from which that communication took place. Further, that data
makes it possible to know how often the subscriber or registered user communicated with certain
persons in a given period (see, by analogy, with respect to Directive 2006/24, the Digital Rights
judgment, paragraph 26).
99 That data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the
private lives of the persons whose data has been retained, such as everyday habits, permanent or
temporary places of residence, daily or other movements, the activities carried out, the social
relationships of those persons and the social environments frequented by them (see, by analogy, in
relation to Directive 2006/24, the Digital Rights judgment, paragraph 27). In particular, that data
provides the means, as observed by the Advocate General in points 253, 254 and 257 to 259 of his
Opinion, of establishing a profile of the individuals concerned, information that is no less sensitive,
having regard to the right to privacy, than the actual content of communications.
100 The interference entailed by such legislation in the fundamental rights enshrined in Articles 7 and 8 of
the Charter is very far-reaching and must be considered to be particularly serious. The fact that the data
is retained without the subscriber or registered user being informed is likely to cause the persons
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 21/27
8.9.2017 CURIA - Documents
concerned to feel that their private lives are the subject of constant surveillance (see, by analogy, in
relation to Directive 2006/24, the Digital Rights judgment, paragraph 37).
101 Even if such legislation does not permit retention of the content of a communication and is not,
therefore, such as to affect adversely the essence of those rights (see, by analogy, in relation to
Directive 2006/24, the Digital Rights judgment, paragraph 39), the retention of traffic and location data
could nonetheless have an effect on the use of means of electronic communication and, consequently,
on the exercise by the users thereof of their freedom of expression, guaranteed in Article 11 of the
Charter (see, by analogy, in relation to Directive 2006/24, the Digital Rights judgment, paragraph 28).
102 Given the seriousness of the interference in the fundamental rights concerned represented by national
legislation which, for the purpose of fighting crime, provides for the retention of traffic and location
data, only the objective of fighting serious crime is capable of justifying such a measure (see, by
analogy, in relation to Directive 2006/24, the Digital Rights judgment, paragraph 60).
103 Further, while the effectiveness of the fight against serious crime, in particular organised crime and
terrorism, may depend to a great extent on the use of modern investigation techniques, such an
objective of general interest, however fundamental it may be, cannot in itself justify that national
legislation providing for the general and indiscriminate retention of all traffic and location data should
be considered to be necessary for the purposes of that fight (see, by analogy, in relation to Directive
2006/24, the Digital Rights judgment, paragraph 51).
104 In that regard, it must be observed, first, that the effect of such legislation, in the light of its
characteristic features as described in paragraph 97 of the present judgment, is that the retention of
traffic and location data is the rule, whereas the system put in place by Directive 2002/58 requires the
retention of data to be the exception.
105 Second, national legislation such as that at issue in the main proceedings, which covers, in a
generalised manner, all subscribers and registered users and all means of electronic communication as
well as all traffic data, provides for no differentiation, limitation or exception according to the objective
pursued. It is comprehensive in that it affects all persons using electronic communication services,
even though those persons are not, even indirectly, in a situation that is liable to give rise to criminal
proceedings. It therefore applies even to persons for whom there is no evidence capable of suggesting
that their conduct might have a link, even an indirect or remote one, with serious criminal offences.
Further, it does not provide for any exception, and consequently it applies even to persons whose
communications are subject, according to rules of national law, to the obligation of professional
secrecy (see, by analogy, in relation to Directive 2006/24, the Digital Rights judgment, paragraphs 57
and 58).
106 Such legislation does not require there to be any relationship between the data which must be retained
and a threat to public security. In particular, it is not restricted to retention in relation to (i) data
pertaining to a particular time period and/or geographical area and/or a group of persons likely to be
involved, in one way or another, in a serious crime, or (ii) persons who could, for other reasons,
contribute, through their data being retained, to fighting crime (see, by analogy, in relation to Directive
2006/24, the Digital Rights judgment, paragraph 59).
107 National legislation such as that at issue in the main proceedings therefore exceeds the limits of what
is strictly necessary and cannot be considered to be justified, within a democratic society, as required
by Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the
Charter.
108 However, Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1)
of the Charter, does not prevent a Member State from adopting legislation permitting, as a preventive
measure, the targeted retention of traffic and location data, for the purpose of fighting serious crime,
provided that the retention of data is limited, with respect to the categories of data to be retained, the
means of communication affected, the persons concerned and the retention period adopted, to what is
strictly necessary.
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 22/27
8.9.2017 CURIA - Documents
109 In order to satisfy the requirements set out in the preceding paragraph of the present judgment, that
national legislation must, first, lay down clear and precise rules governing the scope and application of
such a data retention measure and imposing minimum safeguards, so that the persons whose data has
been retained have sufficient guarantees of the effective protection of their personal data against the
risk of misuse. That legislation must, in particular, indicate in what circumstances and under which
conditions a data retention measure may, as a preventive measure, be adopted, thereby ensuring that
such a measure is limited to what is strictly necessary (see, by analogy, in relation to Directive
2006/24, the Digital Rights judgment, paragraph 54 and the case-law cited).
110 Second, as regards the substantive conditions which must be satisfied by national legislation that
authorises, in the context of fighting crime, the retention, as a preventive measure, of traffic and
location data, if it is to be ensured that data retention is limited to what is strictly necessary, it must be
observed that, while those conditions may vary according to the nature of the measures taken for the
purposes of prevention, investigation, detection and prosecution of serious crime, the retention of data
must continue nonetheless to meet objective criteria, that establish a connection between the data to be
retained and the objective pursued. In particular, such conditions must be shown to be such as actually
to circumscribe, in practice, the extent of that measure and, thus, the public affected.
111 As regard the setting of limits on such a measure with respect to the public and the situations that may
potentially be affected, the national legislation must be based on objective evidence which makes it
possible to identify a public whose data is likely to reveal a link, at least an indirect one, with serious
criminal offences, and to contribute in one way or another to fighting serious crime or to preventing a
serious risk to public security. Such limits may be set by using a geographical criterion where the
competent national authorities consider, on the basis of objective evidence, that there exists, in one or
more geographical areas, a high risk of preparation for or commission of such offences.
112 Having regard to all of the foregoing, the answer to the first question referred in Case C‑203/15 is that
Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the
Charter, must be interpreted as precluding national legislation which, for the purpose of fighting crime,
provides for the general and indiscriminate retention of all traffic and location data of all subscribers
and registered users relating to all means of electronic communication.
The second question in Case C‑203/15 and the first question in Case C‑698/15
113 It must, at the outset, be noted that the Kammarrätten i Stockholm (Administrative Court of Appeal,
Stockholm) referred the second question in Case C‑203/15 only in the event that the answer to the first
question in that case was negative. That second question, however, arises irrespective of whether
retention of data is generalised or targeted, as set out in paragraphs 108 to 111 of this judgment.
Accordingly, the Court must answer the second question in Case C‑203/15 together with the first
question in Case C‑698/15, which is referred regardless of the extent of the obligation to retain data
that is imposed on providers of electronic communications services.
114 By the second question in Case C‑203/15 and the first question in Case C‑698/15, the referring courts
seek, in essence, to ascertain whether Article 15(1) of Directive 2002/58, read in the light of Articles 7,
8 and Article 52(1) of the Charter, must be interpreted as precluding national legislation governing the
protection and security of traffic and location data, and more particularly, the access of the competent
national authorities to retained data, where that legislation does not restrict that access solely to the
objective of fighting serious crime, where that access is not subject to prior review by a court or an
independent administrative authority, and where there is no requirement that the data concerned should
be retained within the European Union.
115 As regards objectives that are capable of justifying national legislation that derogates from the
principle of confidentiality of electronic communications, it must be borne in mind that, since, as stated
in paragraphs 90 and 102 of this judgment, the list of objectives set out in the first sentence of
Article 15(1) of Directive 2002/58 is exhaustive, access to the retained data must correspond,
genuinely and strictly, to one of those objectives. Further, since the objective pursued by that
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 23/27
8.9.2017 CURIA - Documents
legislation must be proportionate to the seriousness of the interference in fundamental rights that that
access entails, it follows that, in the area of prevention, investigation, detection and prosecution of
criminal offences, only the objective of fighting serious crime is capable of justifying such access to
the retained data.
116 As regards compatibility with the principle of proportionality, national legislation governing the
conditions under which the providers of electronic communications services must grant the competent
national authorities access to the retained data must ensure, in accordance with what was stated in
paragraphs 95 and 96 of this judgment, that such access does not exceed the limits of what is strictly
necessary.
117 Further, since the legislative measures referred to in Article 15(1) of Directive 2002/58 must, in
accordance with recital 11 of that directive, ‘be subject to adequate safeguards’, a data retention
measure must, as follows from the case-law cited in paragraph 109 of this judgment, lay down clear
and precise rules indicating in what circumstances and under which conditions the providers of
electronic communications services must grant the competent national authorities access to the data.
Likewise, a measure of that kind must be legally binding under domestic law.
118 In order to ensure that access of the competent national authorities to retained data is limited to what is
strictly necessary, it is, indeed, for national law to determine the conditions under which the providers
of electronic communications services must grant such access. However, the national legislation
concerned cannot be limited to requiring that access should be for one of the objectives referred to in
Article 15(1) of Directive 2002/58, even if that objective is to fight serious crime. That national
legislation must also lay down the substantive and procedural conditions governing the access of the
competent national authorities to the retained data (see, by analogy, in relation to Directive 2006/24,
the Digital Rights judgment, paragraph 61).
119 Accordingly, and since general access to all retained data, regardless of whether there is any link, at
least indirect, with the intended purpose, cannot be regarded as limited to what is strictly necessary, the
national legislation concerned must be based on objective criteria in order to define the circumstances
and conditions under which the competent national authorities are to be granted access to the data of
subscribers or registered users. In that regard, access can, as a general rule, be granted, in relation to
the objective of fighting crime, only to the data of individuals suspected of planning, committing or
having committed a serious crime or of being implicated in one way or another in such a crime (see, by
analogy, ECtHR, 4 December 2015, Zakharov v. Russia, CE:ECHR:2015:1204JUD004714306, § 260).
However, in particular situations, where for example vital national security, defence or public security
interests are threatened by terrorist activities, access to the data of other persons might also be granted
where there is objective evidence from which it can be deduced that that data might, in a specific case,
make an effective contribution to combating such activities.
120 In order to ensure, in practice, that those conditions are fully respected, it is essential that access of the
competent national authorities to retained data should, as a general rule, except in cases of validly
established urgency, be subject to a prior review carried out either by a court or by an independent
administrative body, and that the decision of that court or body should be made following a reasoned
request by those authorities submitted, inter alia, within the framework of procedures for the
prevention, detection or prosecution of crime (see, by analogy, in relation to Directive 2006/24, the
Digital Rights judgment, paragraph 62; see also, by analogy, in relation to Article 8 of the ECHR,
ECtHR, 12 January 2016, Szabó and Vissy v. Hungary, CE:ECHR:2016:0112JUD003713814, §§ 77
and 80).
121 Likewise, the competent national authorities to whom access to the retained data has been granted
must notify the persons affected, under the applicable national procedures, as soon as that notification
is no longer liable to jeopardise the investigations being undertaken by those authorities. That
notification is, in fact, necessary to enable the persons affected to exercise, inter alia, their right to a
legal remedy, expressly provided for in Article 15(2) of Directive 2002/58, read together with
Article 22 of Directive 95/46, where their rights have been infringed (see, by analogy, judgments of
7 May 2009, Rijkeboer, C‑553/07, EU:C:2009:293, paragraph 52, and of 6 October 2015, Schrems,
C‑362/14, EU:C:2015:650, paragraph 95).
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 24/27
8.9.2017 CURIA - Documents
122 With respect to the rules relating to the security and protection of data retained by providers of
electronic communications services, it must be noted that Article 15(1) of Directive 2002/58 does not
allow Member States to derogate from Article 4(1) and Article 4(1a) of that directive. Those provisions
require those providers to take appropriate technical and organisational measures to ensure the
effective protection of retained data against risks of misuse and against any unlawful access to that
data. Given the quantity of retained data, the sensitivity of that data and the risk of unlawful access to
it, the providers of electronic communications services must, in order to ensure the full integrity and
confidentiality of that data, guarantee a particularly high level of protection and security by means of
appropriate technical and organisational measures. In particular, the national legislation must make
provision for the data to be retained within the European Union and for the irreversible destruction of
the data at the end of the data retention period (see, by analogy, in relation to Directive 2006/24, the
Digital Rights judgment, paragraphs 66 to 68).
123 In any event, the Member States must ensure review, by an independent authority, of compliance with
the level of protection guaranteed by EU law with respect to the protection of individuals in relation to
the processing of personal data, that control being expressly required by Article 8(3) of the Charter and
constituting, in accordance with the Court’s settled case-law, an essential element of respect for the
protection of individuals in relation to the processing of personal data. If that were not so, persons
whose personal data was retained would be deprived of the right, guaranteed in Article 8(1) and (3) of
the Charter, to lodge with the national supervisory authorities a claim seeking the protection of their
data (see, to that effect, the Digital Rights judgment, paragraph 68, and the judgment of 6 October
2015, Schrems, C‑362/14, EU:C:2015:650, paragraphs 41 and 58).
124 It is the task of the referring courts to determine whether and to what extent the national legislation at
issue in the main proceedings satisfies the requirements stemming from Article 15(1) of Directive
2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, as set out in
paragraphs 115 to 123 of this judgment, with respect to both the access of the competent national
authorities to the retained data and the protection and level of security of that data.
125 Having regard to all of the foregoing, the answer to the second question in Case C‑203/15 and to the
first question in Case C‑698/15 is that Article 15(1) of Directive 2002/58, read in the light of
Articles 7, 8 and 11 and Article 52(1) of the Charter, must be interpreted as precluding national
legislation governing the protection and security of traffic and location data and, in particular, access of
the competent national authorities to the retained data, where the objective pursued by that access, in
the context of fighting crime, is not restricted solely to fighting serious crime, where access is not
subject to prior review by a court or an independent administrative authority, and where there is no
requirement that the data concerned should be retained within the European Union.
126 By the second question in Case C‑698/15, the Court of Appeal (England & Wales) (Civil Division)
seeks in essence to ascertain whether, in the Digital Rights judgment, the Court interpreted Articles 7
and/or 8 of the Charter in such a way as to expand the scope conferred on Article 8 ECHR by the
European Court of Human Rights.
127 As a preliminary point, it should be recalled that, whilst, as Article 6(3) TEU confirms, fundamental
rights recognised by the ECHR constitute general principles of EU law, the ECHR does not constitute,
as long as the European Union has not acceded to it, a legal instrument which has been formally
incorporated into EU law (see, to that effect, judgment of 15 February 2016, N., C‑601/15 PPU,
EU:C:2016:84, paragraph 45 and the case-law cited).
128 Accordingly, the interpretation of Directive 2002/58, which is at issue in this case, must be undertaken
solely in the light of the fundamental rights guaranteed by the Charter (see, to that effect, judgment of
15 February 2016, N., C‑601/15 PPU, EU:C:2016:84, paragraph 46 and the case-law cited).
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 25/27
8.9.2017 CURIA - Documents
129 Further, it must be borne in mind that the explanation on Article 52 of the Charter indicates that
paragraph 3 of that article is intended to ensure the necessary consistency between the Charter and the
ECHR, ‘without thereby adversely affecting the autonomy of Union law and … that of the Court of
Justice of the European Union’ (judgment of 15 February 2016, N., C‑601/15 PPU, EU:C:2016:84,
paragraph 47). In particular, as expressly stated in the second sentence of Article 52(3) of the Charter,
the first sentence of Article 52(3) does not preclude Union law from providing protection that is more
extensive then the ECHR. It should be added, finally, that Article 8 of the Charter concerns a
fundamental right which is distinct from that enshrined in Article 7 of the Charter and which has no
equivalent in the ECHR.
130 However, in accordance with the Court’s settled case-law, the justification for making a request for a
preliminary ruling is not for advisory opinions to be delivered on general or hypothetical questions, but
rather that it is necessary for the effective resolution of a dispute concerning EU law (see, to that effect,
judgments of 24 April 2012, Kamberaj, C‑571/10, EU:C:2012:233, paragraph 41; of 26 February 2013,
Åkerberg Fransson, C‑617/10, EU:C:2013:105, paragraph 42, and of 27 February 2014, Pohotovosť,
C‑470/12, EU:C:2014:101 paragraph 29).
131 In this case, in view of the considerations set out, in particular, in paragraphs 128 and 129 of the
present judgment, the question whether the protection conferred by Articles 7 and 8 of the Charter is
wider than that guaranteed in Article 8 of the ECHR is not such as to affect the interpretation of
Directive 2002/58, read in the light of the Charter, which is the matter in dispute in the proceedings in
Case C‑698/15.
132 Accordingly, it does not appear that an answer to the second question in Case C‑698/15 can provide
any interpretation of points of EU law that is required for the resolution, in the light of that law, of that
dispute.
Costs
134 Since these proceedings are, for the parties to the main proceedings, a step in the actions pending
before the national courts, the decision on costs is a matter for those courts. Costs incurred in
submitting observations to the Court, other than the costs of those parties, are not recoverable.
1. Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of
12 July 2002 concerning the processing of personal data and the protection of privacy in the
electronic communications sector (Directive on privacy and electronic communications), as
amended by Directive 2009/136/EC of the European Parliament and of the Council of
25 November 2009, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter
of Fundamental Rights of the European Union, must be interpreted as precluding national
legislation which, for the purpose of fighting crime, provides for general and indiscriminate
retention of all traffic and location data of all subscribers and registered users relating to
all means of electronic communication.
2. Article 15(1) of Directive 2002/58, as amended by Directive 2009/136, read in the light of
Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights, must be
interpreted as precluding national legislation governing the protection and security of
traffic and location data and, in particular, access of the competent national authorities to
the retained data, where the objective pursued by that access, in the context of fighting
crime, is not restricted solely to fighting serious crime, where access is not subject to prior
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 26/27
8.9.2017 CURIA - Documents
3. The second question referred by the Court of Appeal (England & Wales) (Civil Division) is
inadmissible.
Registrar President
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 27/27
GRAND CHAMBER
JUDGMENT
STRASBOURG
4 December 2015
PROCEDURE
1. The case originated in an application (no. 47143/06) against the
Russian Federation lodged with the Court under Article 34 of the
Convention for the Protection of Human Rights and Fundamental Freedoms
(“the Convention”) by a Russian national, Mr Roman Andreyevich
Zakharov (“the applicant”), on 20 October 2006.
2. The applicant was initially represented by Mr B. Gruzd, a lawyer
practising in St Petersburg. He was subsequently represented by lawyers of
the NGO EHRAC/Memorial Human Rights Centre, based in Moscow. The
Russian Government (“the Government”) were represented by
Mr G. Matyushkin, Representative of the Russian Federation at the
European Court of Human Rights.
3. The applicant alleged that the system of secret interception of mobile
telephone communications in Russia violated his right to respect for his
2 ROMAN ZAKHAROV v. RUSSIA JUDGMENT
private life and correspondence and that he did not have any effective
remedy in that respect.
4. On 19 October 2009 the application was communicated to the
Government.
5. On 11 March 2014 the Chamber of the First Section, to which the
case had been allocated (Rule 52 § 1 of the Rules of Court), composed of
Isabelle Berro-Lefèvre, President, Khanlar Hajiyev, Julia Laffranque,
Linos-Alexandre Sicilianos, Erik Møse, Ksenija Turković, Dmitry Dedov,
judges, and also of Søren Nielsen, Section Registrar, relinquished
jurisdiction in favour of the Grand Chamber, neither of the parties having
objected to relinquishment (Article 30 of the Convention and Rule 72).
6. A hearing took place in public in the Human Rights Building,
Strasbourg, on 24 September 2014 (Rule 59 § 3).
There appeared before the Court:
THE FACTS
15. The Constitution guarantees to everyone the right to respect for his
private life, personal and family secrets and the right to defend his honour
and reputation (Article 23 § 1). It further guarantees the right to respect for
correspondence, telephone, postal, telegraph and other communications.
ROMAN ZAKHAROV v. RUSSIA JUDGMENT 5
That right may be restricted only on the basis of a court order (Article 23
§ 2).
16. The Constitution also stipulates that it is not permissible to collect,
store, use or disseminate information about a person’s private life without
his/her consent. State and municipal authorities must ensure that any person
has access to documents and materials affecting his rights and freedoms,
except where the law provides otherwise (Article 24).
17. The Communications Act of 7 July 2003 (no. 126-FZ) guarantees
the privacy of postal, telegraphic and other forms of communication
transmitted by means of telecommunications networks or mail services.
Restrictions on the privacy of communications are permissible only in cases
specified in federal laws (section 63(1)). The interception of
communications is subject to prior judicial authorisation, except in cases
specified in federal laws (section 63(3)).
18. On 2 October 2003 in its decision no. 345-O the Constitutional Court
held that the right to privacy of telephone communications covered all data
transmitted, stored or discovered by means of telephone equipment,
including non-content-based data, such as information about the incoming
and outgoing connections of a specified subscriber. The monitoring of such
data was also subject to prior judicial authorisation.
22. Actions by a public official which clearly exceed his or her authority
and entail a substantial violation of an individual’s or a legal entity’s rights
and lawful interests, are punishable by a fine, a prohibition on occupying
certain posts or engaging in certain activities for a period of up to five years,
correctional labour for a period of up to four years or imprisonment for a
period ranging from four months to four years (Article 286 § 1 of the
Criminal Code).
23. Ruling no. 19 of 16 October 2009 by the Plenary Supreme Court
provides that for the purposes of Articles 285 and 286 of the Criminal Code
“a substantial violation of an individual’s or a legal entity’s rights and
lawful interests” means a violation of the rights and freedoms guaranteed by
the generally established principles and provisions of international law and
the Constitution of the Russian Federation – such as the right to respect for
a person’s honour and dignity, private or family life, correspondence,
telephone, postal, telegraph and other communications, the inviolability of
the home, etc. In assessing whether the violation was “substantial” in
respect of a legal entity, it is necessary to take into account the extent of the
damage sustained as a result of the unlawful act, the nature and the amount
of the pecuniary damage, the number of persons affected and the gravity of
the physical, pecuniary or non-pecuniary damage inflicted on them
(paragraph 18 (2)).
24. Criminal proceedings are opened if there are sufficient facts showing
that a criminal offence has been committed (Article 140 § 2 of the Code of
Criminal Procedure).
information about a person’s criminal activities entered into a file was not
subsequently confirmed, the personal file had to be closed.
51. Records of intercepted telephone and other communications must be
sealed and stored under conditions excluding any risk of their being listened
to or copied by unauthorised persons (section 8(4) of the OSAA).
52. Information about the facilities used in operational-search activities,
the methods employed, the officials involved and the data collected
constitutes a State secret. It may be declassified only pursuant to a special
decision of the head of the State agency performing the operational-search
activities (section 12(1) of the OSAA and section 5(4) of the State Secrets
Act, Law no. 5485-I of 21 July 1993).
53. Materials containing State secrets should be clearly marked with the
following information: degree of secrecy, the State agency which has taken
the decision to classify them, registration number, and the date or conditions
for declassifying them (section 12 of the State Secrets Act).
ensure that only the information that the recipient needs for the performance
of his or her duties is disclosed (section 25 of the State Secrets Act).
58. If the data collected in the course of operational-search activities
contain information about the commission of a criminal offence, that
information, together with all the necessary supporting material such as
photographs and audio or video recordings, must be sent to the competent
investigation authorities or a court. If the information was obtained as a
result of operational-search measures involving interference with the right
to the privacy of postal, telegraphic and other communications transmitted
by means of a telecommunications network or mail services, or with the
privacy of the home, it must be sent to the investigation or prosecution
authorities together with the judicial decision authorising those
measures. The information must be transmitted in accordance with
the special procedure for handling classified information, unless the
State agency performing operational-search activities has decided
to declassify it (paragraphs 1, 12, 14 and 16 of Order
no. 776/703/509/507/1820/42/535/398/68 of 27 September 2013 by the
Ministry of the Interior).
59. If the person whose telephone or other communications were
intercepted is charged with a criminal offence, the records are to be given to
the investigator and attached to the criminal case file. Their further use and
storage are governed by criminal procedural law (section 8(5) of the
OSAA).
60. Data collected as a result of operational-search activities may be
used for the preparation and conduct of the investigation and court
proceedings and used as evidence in criminal proceedings in accordance
with the legal provisions governing the collection, evaluation and
assessment of evidence. The decision to transfer the collected data to other
law-enforcement agencies or to a court is taken by the head of the State
agency performing the operational-search activities (section 11 of the
OSAA).
61. If the interception was authorised in the framework of criminal
proceedings, the investigator may obtain the records from the agency
conducting it at any time during the authorised period of interception. The
records must be sealed and must be accompanied by a cover letter indicating
the dates and time of the beginning and end of the recorded
communications, as well as the technical means used to intercept them.
Recordings must be listened to by the investigator in the presence of
attesting witnesses, an expert where necessary and the persons whose
communications have been intercepted. The investigator must draw up an
official report containing a verbatim transcription of those parts of the
recorded communications that are relevant to the criminal case
(Article 186 §§ 6 and 7 of the CCrP). On 4 March 2013 Article 186 § 7 was
14 ROMAN ZAKHAROV v. RUSSIA JUDGMENT
74. The Federal Security Service Act of 3 April 1995 (no. 40-FZ,
hereafter “the FSB Act”) provides that information about the security
services’ undercover agents, as well as about the tactics, methods and means
used by them is outside the scope of supervision by prosecutors
(section 24).
75. The procedures for prosecutors’ supervision of operational-search
activities have been set out in Order no. 33, issued by the Prosecutor
General’s Office on 15 February 2011.
76. Order no. 33 provides that a prosecutor may carry out routine
inspections of agencies carrying out operational-search activities, as well as
ad hoc inspections following a complaint by an individual or receipt of
information about potential violations. Operational-search activities
performed by the FSB in the sphere of counterintelligence may be inspected
only following an individual complaint (paragraph 5 of Order no. 33).
77. During the inspection the prosecutor must verify compliance with
the following requirements:
- observance of citizens’ constitutional rights, such as the right to respect
for private and family life, home, correspondence, telephone, postal,
telegraph and other communications;
- that the measures taken in the course of operational-search activities
are lawful and justified, including those measures that have been authorised
by a court (paragraphs 4 and 6 of Order no. 33).
78. During the inspection the prosecutor must study the originals of the
relevant operational-search materials, including personal files, information
on the use of technical equipment, registration logs and internal instructions,
and may request explanations from competent officials. The prosecutors
must protect the sensitive data entrusted to them from unauthorised access
or disclosure (paragraphs 9 and 12 of Order no. 33).
79. If a prosecutor identifies a breach of the law, he or she must request
the official responsible for it to remedy the breach. He or she must also take
measures to stop and remedy violations of citizens’ rights and to bring those
responsible to liability (paragraphs 9 and 10 of Order no. 33). A State
official who refuses to comply with a prosecutor’s orders may be brought to
liability in accordance with the law (paragraph 11).
80. The prosecutors responsible for supervision of operational-search
activities must submit six-monthly reports detailing the results of the
inspections to the Prosecutor General’s Office (paragraph 15 of Order
no. 33). A report form to be filled by prosecutors is attached to Order
no. 33. The form indicates that it is confidential. It contains two sections,
both in table format. The first section concerns inspections carried out
during the reference period and contains information about the number of
inspections, number of files inspected and number of breaches detected. The
second section concerns citizens’ complaints and contains information about
the number of complaints examined and granted.
ROMAN ZAKHAROV v. RUSSIA JUDGMENT 17
81. Russian law does not provide that a person whose communications
are intercepted must be notified at any point. However, a person who is in
possession of the facts of the operational-search measures to which he or
she was subjected and whose guilt has not been proved in accordance with
the procedure prescribed by law, that is, he or she has not been charged or
the charges have been dropped on the ground that the alleged offence was
not committed or that one or more elements of a criminal offence were
missing, is entitled to receive information about the data collected in the
course of the operational-search activities, to the extent compatible with the
requirements of operational confidentiality (“конспирации”) and excluding
data which could enable State secrets to be disclosed (section 5(4-6) of the
OSAA).
82. In its decision of 14 July 1998 (cited in paragraph 40 above) the
Constitutional Court noted that any person who was in possession of the
facts of the operational-search measures to which he or she had been
subjected was entitled to receive information about the data collected in the
course of those activities, unless that data contained State secrets. Under
section 12 of the OSAA, data collected in the course of operational-search
activities – such as information about criminal offences and the persons
involved in their commission – were a State secret. However, information
about breaches of citizens’ rights or unlawful acts on the part of the
authorities could not be classified as a State secret and should be disclosed.
Section 12 could not therefore serve as a basis for refusing access to
information affecting a person’s rights, provided that such information did
not concern the aims of, or the grounds for, the operational-search activities.
In view of the above, the fact that, pursuant to the contested Act, a person
was not entitled to be granted access to the entirety of the data collected
about him or her did not constitute a violation of that person’s constitutional
rights.
I. Judicial review
to the complainant that he or she may raise the complaints before the
relevant trial court (paragraph 9).
89. Article 125 of the CCrP provides for the judicial review of decisions
and acts or failures to act by an investigator or a prosecutor which are
capable of adversely affecting the constitutional rights or freedoms of the
participants to criminal proceedings. The lodging of a complaint does not
suspend the challenged decision or act, unless the investigator, the
prosecutor, or the court decides otherwise. The court must examine the
complaint within five days. The complainant, his counsel, the investigator
and the prosecutor are entitled to attend the hearing. The complainant must
substantiate his complaint (Article 125 §§ 1-4 of the CCrP).
90. Participants in the hearing are entitled to study all the materials
submitted to the court and to submit additional materials relevant to the
complaint. Disclosure of criminal-case materials is permissible only if it is
not contrary to the interests of the investigation and does not breach the
rights of the participants in the criminal proceedings. The judge may request
the parties to produce the materials which served as a basis for the contested
decision or any other relevant materials (paragraph 12 of Ruling no. 1 of
10 February 2009 of the Plenary Supreme Court of the Russian Federation).
91. Following the examination of the complaint, the court either declares
the challenged decision, act or failure to act unlawful or unjustified and
instructs the responsible official to rectify the indicated shortcoming, or
dismisses the complaint (Article 125 § 5 of the CCrP). When instructing the
official to rectify the indicated shortcoming, the court may not indicate any
specific measures to be taken by the official or annul or order that the
official annul the decision found to be unlawful or unjustified (paragraph 21
of Ruling no. 1 of 10 February 2009 of the Plenary Supreme Court of the
Russian Federation).
no. 70 in paragraph 1.4 was lawful, as Order no. 70 was technical in nature
and was therefore not subject to publication in a generally accessible official
publication. It had therefore been published only in a specialised magazine.
As to paragraph 2.6, the Supreme Court considered that it could be
interpreted as requiring communications service providers to grant
law-enforcement agencies access to information about subscribers without
judicial authorisation. Such a requirement was, however, incompatible with
the Communications Act. The Supreme Court therefore found that
paragraph 2.6 was unlawful and inapplicable.
129. On 25 October 2000 the Ministry of Communications amended
Order no. 130 by repealing paragraph 2.6.
130. In reply to a request for information by the NGO “Civilian
Control”, the Ministry of Communications stated, in a letter dated
20 August 2006, that the repealing of paragraph 2.6 of Order no. 130 did not
mean that communications service providers had to be informed about
operational-search measures in respect of a subscriber or be provided with a
copy of the relevant decision granting judicial authorisation for such
surveillance.
131. Order no. 130 was repealed on 16 January 2008 (see paragraph 134
below).
A. United Nations
139. Resolution no. 68/167, on The Right to Privacy in the Digital Age,
adopted by the General Assembly on 18 December 2013, reads as follows:
“The General Assembly,
...
4. Calls upon all States:
...
(c) To review their procedures, practices and legislation regarding the surveillance
of communications, their interception and the collection of personal data, including
mass surveillance, interception and collection, with a view to upholding the right to
privacy by ensuring the full and effective implementation of all their obligations under
international human rights law;
(d) To establish or maintain existing independent, effective domestic oversight
mechanisms capable of ensuring transparency, as appropriate, and accountability for
State surveillance of communications, their interception and the collection of personal
data ...”
28 ROMAN ZAKHAROV v. RUSSIA JUDGMENT
B. Council of Europe
(b) falling under State secrecy in accordance with the legislation of the Russian
Federation on State secrecy.
The Russian Federation declares that in accordance with subparagraph “c” of
paragraph 2 of Article 3 of the Convention, it will apply the Convention to personal
data which is not processed automatically, if the application of the Convention
corresponds to the nature of the actions performed with the personal data without
using automatic means.
The Russian Federation declares that in accordance with subparagraph “a” of
paragraph 2 of Article 9 of the Convention, it retains the right to limit the right of the
data subject to access personal data on himself for the purposes of protecting State
security and public order.”
142. The Additional Protocol to the Convention for the Protection of
Individuals with regard to Automatic Processing of Personal Data,
regarding supervisory authorities and transborder data flows of 8 November
2001 (CETS No. 181), signed but not ratified by Russia, provides as
follows:
“Article 1 – Supervisory authorities
1. Each Party shall provide for one or more authorities to be responsible for
ensuring compliance with the measures in its domestic law giving effect to the
principles stated in Chapters II and III of the Convention and in this Protocol.
2. a. To this end, the said authorities shall have, in particular, powers of
investigation and intervention, as well as the power to engage in legal proceedings or
bring to the attention of the competent judicial authorities violations of provisions of
domestic law giving effect to the principles mentioned in paragraph 1 of Article 1 of
this Protocol.
b. Each supervisory authority shall hear claims lodged by any person concerning
the protection of his/her rights and fundamental freedoms with regard to the
processing of personal data within its competence.
3. The supervisory authorities shall exercise their functions in complete
independence.
4. Decisions of the supervisory authorities, which give rise to complaints, may be
appealed against through the courts ...”
143. A Recommendation by the Committee of Ministers, regulating the
use of personal data in the police sector, adopted on 17 September 1987
(No. R (87) 15), reads as follows:
“1.1. Each member state should have an independent supervisory authority outside
the police sector which should be responsible for ensuring respect for the principles
contained in this recommendation ...
2.1. The collection of personal data for police purposes should be limited to such as
is necessary for the prevention of a real danger or the suppression of a specific
criminal offence. Any exception to this provision should be the subject of specific
national legislation.
2.2. Where data concerning an individual have been collected and stored without
his knowledge, and unless the data are deleted, he should be informed, where
30 ROMAN ZAKHAROV v. RUSSIA JUDGMENT
practicable, that information is held about him as soon as the object of the police
activities is no longer likely to be prejudiced ...
3.1. As far as possible, the storage of personal data for police purposes should be
limited to accurate data and to such data as are necessary to allow police bodies to
perform their lawful tasks within the framework of national law and their obligations
arising from international law ...
5.2.i. Communication of data to other public bodies should only be permissible if,
in a particular case:
a. there exists a clear legal obligation or authorisation, or with the authorisation
of the supervisory authority, or if
b. these data are indispensable to the recipient to enable him to fulfil his own
lawful task and provided that the aim of the collection or processing to be carried out
by the recipient is not incompatible with the original processing, and the legal
obligations of the communicating body are not contrary to this.
5.2.ii. Furthermore, communication to other public bodies is exceptionally
permissible if, in a particular case:
a. the communication is undoubtedly in the interest of the data subject and either
the data subject has consented or circumstances are such as to allow a clear
presumption of such consent, or if
b. the communication is necessary so as to prevent a serious and imminent
danger.
5.3.i. The communication of data to private parties should only be permissible if, in
a particular case, there exists a clear legal obligation or authorisation, or with the
authorisation of the supervisory authority ...
6.4. Exercise of the rights [of the data subject] of access, rectification and erasure
should only be restricted insofar as a restriction is indispensable for the performance
of a legal task of the police or is necessary for the protection of the data subject or the
rights and freedoms of others ...
6.5. A refusal or a restriction of those rights should be reasoned in writing. It should
only be possible to refuse to communicate the reasons insofar as this is indispensable
for the performance of a legal task of the police or is necessary for the protection of
the rights and freedoms of others.
6.6. Where access is refused, the data subject should be able to appeal to the
supervisory authority or to another independent body which shall satisfy itself that the
refusal is well founded.
7.1. Measures should be taken so that personal data kept for police purposes are
deleted if they are no longer necessary for the purposes for which they were stored.
For this purpose, consideration shall in particular be given to the following criteria:
the need to retain data in the light of the conclusion of an inquiry into a particular
case; a final judicial decision, in particular an acquittal; rehabilitation; spent
convictions; amnesties; the age of the data subject, particular categories of data.
7.2. Rules aimed at fixing storage periods for the different categories of personal
data as well as regular checks on their quality should be established in agreement with
the supervisory authority or in accordance with domestic law.
ROMAN ZAKHAROV v. RUSSIA JUDGMENT 31
8. The responsible body should take all the necessary measures to ensure the
appropriate physical and logical security of the data and prevent unauthorised access,
communication or alteration. The different characteristics and contents of files should,
for this purpose, be taken into account.”
144. A Recommendation by the Committee of Ministers on the
protection of personal data in the area of telecommunication services, with
particular reference to telephone services, adopted on 7 February 1995
(No. R (95) 4), reads in so far as relevant as follows:
“2.4. Interference by public authorities with the content of a communication,
including the use of listening or tapping devices or other means of surveillance or
interception of communications, must be carried out only when this is provided for by
law and constitutes a necessary measure in a democratic society in the interests of:
a. protecting state security, public safety, the monetary interests of the state or the
suppression of criminal offences;
b. protecting the data subject or the rights and freedoms of others.
2.5. In the case of interference by public authorities with the content of a
communication, domestic law should regulate:
a. the exercise of the data subject’s rights of access and rectification;
b. in what circumstances the responsible public authorities are entitled to refuse to
provide information to the person concerned, or delay providing it;
c. storage or destruction of such data.
If a network operator or service provider is instructed by a public authority to effect
an interference, the data so collected should be communicated only to the body
designated in the authorisation for that interference ...”
C. European Union
providers. Other issues associated with these interfaces will be handled according to
accepted practices in individual countries...
5. Law enforcement agencies require the interception to be designed and
implemented to preclude unauthorized or improper use and to safeguard the
information related to the interception...
5.2. Law enforcement agencies require network operators/service providers to
ensure that intercepted communications are only transmitted to the monitoring agency
specified in the interception authorization...”
146. The above requirements were confirmed and expounded in Council
Resolution No. 9194/01 of 20 June 2001 on law-enforcement operational
needs with respect to public telecommunication networks and services.
147. The judgment adopted by the Court of Justice of the European
Union (the CJEU) on 8 April 2014 in the joint cases of Digital Rights
Ireland and Seitinger and Others declared invalid the Data Retention
Directive 2006/24/EC laying down the obligation on the providers of
publicly available electronic communication services or of public
communications networks to retain all traffic and location data for periods
from six months to two years, in order to ensure that the data were available
for the purpose of the investigation, detection and prosecution of serious
crime, as defined by each Member State in its national law. The CJEU noted
that, even though the directive did not permit the retention of the content of
the communication, the traffic and location data covered by it might allow
very precise conclusions to be drawn concerning the private lives of the
persons whose data had been retained. Accordingly, the obligation to retain
those data constituted in itself an interference with the right to respect for
private life and communications guaranteed by Article 7 of the Charter of
Fundamental Rights of the EU and the right to protection of personal data
under Article 8 of the Charter. Furthermore, the access of the competent
national authorities to the data constituted a further interference with those
fundamental rights. The CJEU further held that the interference was
particularly serious. The fact that data were retained and subsequently used
without the subscriber or registered user being informed was likely to
generate in the minds of the persons concerned the feeling that their private
lives were the subject of constant surveillance. The interference satisfied an
objective of general interest, namely to contribute to the fight against
serious crime and terrorism and thus, ultimately, to public security.
However, it failed to satisfy the requirement of proportionality. Firstly, the
directive covered, in a generalised manner, all persons and all means of
electronic communication as well as all traffic data without any
differentiation, limitation or exception being made in the light of the
objective of fighting against serious crime. It therefore entailed an
interference with the fundamental rights of practically the entire European
population. It applied even to persons for whom there was no evidence
capable of suggesting that their conduct might have a link, even an indirect
ROMAN ZAKHAROV v. RUSSIA JUDGMENT 33
or remote one, with serious crime. Secondly, the directive did not contain
substantive and procedural conditions relating to the access of the
competent national authorities to the data and to their subsequent use. By
simply referring, in a general manner, to serious crime, as defined by each
Member State in its national law, the directive failed to lay down any
objective criterion by which to determine which offences might be
considered to be sufficiently serious to justify such an extensive interference
with the fundamental rights enshrined in Articles 7 and 8 of the Charter.
Above all, the access by the competent national authorities to the data
retained was not made dependent on a prior review carried out by a court or
by an independent administrative body whose decision sought to limit
access to the data and their use to what was strictly necessary for the
purpose of attaining the objective pursued. Thirdly, the directive required
that all data be retained for a period of at least six months, without any
distinction being made between the categories of data on the basis of their
possible usefulness for the purposes of the objective pursued or according to
the persons concerned. The CJEU concluded that the directive entailed a
wide-ranging and particularly serious interference with the fundamental
rights enshrined in Articles 7 and 8 of the Charter, without such an
interference being precisely circumscribed by provisions to ensure that it
was actually limited to what was strictly necessary. The CJEU also noted
that the directive did not provide for sufficient safeguards, by means of
technical and organisational measures, to ensure effective protection of the
data retained against the risk of abuse and against any unlawful access and
use of those data.
THE LAW
A. Admissibility
149. The Government submitted that the applicant could not claim to be
a victim of the alleged violation of his right to respect for his private life or
correspondence (see paragraphs 152 to 157 below). Moreover, he had not
exhausted domestic remedies (see paragraphs 219 to 226 below).
150. The Court considers that the Government’s objections are so
closely linked to the substance of the applicant’s complaint that they must
be joined to the merits.
151. The Court further notes that this complaint is not manifestly
ill-founded within the meaning of Article 35 § 3 (a) of the Convention. It is
not inadmissible on any other grounds. It must therefore be declared
admissible.
B. Merits
which found that the installation of a video camera in the claimant’s office
and the tapping of his office telephone had been unlawful because those
surveillance measures had been carried out without prior judicial
authorisation (see also paragraphs 219 to 224 below). Finally, Russian law
provided for supervision of interception of communications by an
independent body, the prosecutor’s office.
157. The Government concluded, in view of the above, that the present
case was different from the case of Association for European Integration
and Human Rights and Ekimdzhiev v. Bulgaria (no. 62540/00, 28 June
2007) where the Court had refused to apply the “reasonable likelihood” test
because of the absence of any safeguards against unlawful interception in
Bulgaria. Given that Russian law provided for adequate and sufficient
safeguards against abuse in the sphere of interception of communications,
including available remedies, in the Government’ opinion, the applicant
could not claim an interference as a result of the mere existence of
legislation permitting secret surveillance. In the absence of a “reasonable
likelihood” that his telephone communications had been intercepted, he
could not claim to be a victim of the alleged violation of Article 8 of the
Convention.
(ii) The applicant
158. The applicant submitted that he could claim to be a victim of a
violation of Article 8 occasioned by the mere existence of legislation which
allowed a system of secret interception of communications, without having
to demonstrate that such secret measures had been in fact applied to him.
The existence of such legislation entailed a threat of surveillance for all
users of the telecommunications services and therefore amounted in itself to
an interference with the exercise of his rights under Article 8. He relied in
support of his position on the cases of Klass and Others (cited above, §§ 34
and 37), Association for European Integration and Human Rights and
Ekimdzhiev (cited above, § 58) and Kennedy (cited above, § 123).
159. The applicant maintained that the test of “reasonable likelihood”
had been applied by the Court only in those cases where the applicant had
alleged actual interception, while in the cases concerning general complaints
about legislation and practice permitting secret surveillance measures the
“mere existence” test established in the Klass and Others judgment had
been applied (see Association for European Integration and Human Rights
and Ekimdzhiev, cited above, § 59, and Kennedy, cited above, §§ 122 and
123, with further references). In the case of Liberty and Others v. the United
Kingdom (no. 58243/00, §§ 56 and 57, 1 July 2008), the Court found that
the existence of powers permitting the authorities to intercept
communications constituted an interference with the Article 8 rights of the
applicants, since they were persons to whom these powers might have been
applied. In the case of Kennedy (cited above, § 124) that test had been
ROMAN ZAKHAROV v. RUSSIA JUDGMENT 37
applicant and those measures (see Klass and Others, cited above, § 34). The
Court explained the reasons for its approach as follows:
“36. The Court points out that where a State institutes secret surveillance the
existence of which remains unknown to the persons being controlled, with the effect
that the surveillance remains unchallengeable, Article 8 could to a large extent be
reduced to a nullity. It is possible in such a situation for an individual to be treated in a
manner contrary to Article 8, or even to be deprived of the right granted by that
Article, without his being aware of it and therefore without being able to obtain a
remedy either at the national level or before the Convention institutions ...
The Court finds it unacceptable that the assurance of the enjoyment of a right
guaranteed by the Convention could be thus removed by the simple fact that the
person concerned is kept unaware of its violation. A right of recourse to the
Commission for persons potentially affected by secret surveillance is to be derived
from Article 25 [currently Article 34], since otherwise Article 8 runs the risk of being
nullified.
37. As to the facts of the particular case, the Court observes that the contested
legislation institutes a system of surveillance under which all persons in the Federal
Republic of Germany can potentially have their mail, post and telecommunications
monitored, without their ever knowing this unless there has been either some
indiscretion or subsequent notification in the circumstances laid down in the Federal
Constitutional Court’s judgment ... To that extent, the disputed legislation directly
affects all users or potential users of the postal and telecommunication services in the
Federal Republic of Germany. Furthermore, as the Delegates rightly pointed out, this
menace of surveillance can be claimed in itself to restrict free communication through
the postal and telecommunication services, thereby constituting for all users or
potential users a direct interference with the right guaranteed by Article 8 ...
38. Having regard to the specific circumstances of the present case, the Court
concludes that each of the applicants is entitled to ‘(claim) to be the victim of a
violation’ of the Convention, even though he is not able to allege in support of his
application that he has been subject to a concrete measure of surveillance. The
question whether the applicants were actually the victims of any violation of the
Convention involves determining whether the contested legislation is in itself
compatible with the Convention’s provisions ...”
166. Following the Klass and Others case, the case-law of the
Convention organs developed two parallel approaches to victim status in
secret surveillance cases.
167. In several cases the Commission and the Court held that the test in
Klass and Others could not be interpreted so broadly as to encompass every
person in the respondent State who feared that the security services might
have compiled information about him or her. An applicant could not,
however, be reasonably expected to prove that information concerning his
or her private life had been compiled and retained. It was sufficient, in the
area of secret measures, that the existence of practices permitting secret
surveillance be established and that there was a reasonable likelihood that
the security services had compiled and retained information concerning his
or her private life (see Esbester, cited above; Redgrave, cited above;
Christie v. the United Kingdom, no. 21482/93, Commission decision of
40 ROMAN ZAKHAROV v. RUSSIA JUDGMENT
of surveillance measures. Russian law did not establish any special rules for
surveillance in sensitive situations, for example where the confidentiality of
journalists’ sources was at stake, or where surveillance concerned privileged
lawyer-client communications.
192. The applicant further submitted that the domestic law did not
impose any requirement on the judge to verify the existence of a
“reasonable suspicion” against the person concerned or to apply the
“necessity” and “proportionality” test. The requesting authorities had no
obligation to attach any supporting materials to the interception requests.
Moreover, the OSAA expressly prohibited submission to the judge of
certain materials – those containing information about undercover agents or
police informers or about the organisation and tactics of operational-search
measures – thereby making it impossible for the judge to effectively verify
the existence of a “reasonable suspicion”. Russian law did not require that
the judge should authorise interception only when it was impossible to
achieve the legitimate aims by other less intrusive means.
193. In support of his allegation that the judges did not verify the
existence of a “reasonable suspicion” against the person concerned and did
not apply the “necessity” and “proportionality” test, the applicant produced
copies of analytical notes issued by three District Courts in different
Russian regions (the Tambov region, the Tula region and the Dagestan
Republic). The courts summarised their own case-law concerning
operational-search measures involving interference with the privacy of
communications or privacy of the home for the period from 2010 to 2013.
One of the courts noted that it refused authorisation to carry out an
operational-search measure if it did not appear on the list of operational-
search measures in the OSAA, if the request for authorisation was not
signed by a competent official or was not reasoned, or if the case fell under
statutory restrictions on the use of that measure (for example, relating to the
person’s status or to the nature of the offence). Authorisation was given if
all of the above conditions were met. Another court stated that authorisation
could also be refused if the request was insufficiently reasoned, that is, if it
did not contain sufficient information permitting the judge to ascertain that
the measure was lawful and justified. The third court stated that it granted
authorisation if that was requested by the law-enforcement authorities. It
never refused a request for authorisation. All three courts considered that the
request was sufficiently reasoned if it referred to the existence of
information listed in section 8(2) of the OSAA (see paragraph 31 above).
One of the courts noted that supporting materials were never attached to
requests for authorisation; another court noted that some, but not all, of the
requests were accompanied by supporting materials, while the third court
stated that all requests were accompanied by supporting materials. In all
three courts the judges never requested the law-enforcement authorities to
submit additional supporting materials, such as materials confirming the
ROMAN ZAKHAROV v. RUSSIA JUDGMENT 47
were inextricably linked, since there was in principle little scope for
recourse to the courts by the individual concerned unless the latter was
advised of the measures taken without his or her knowledge and was thus
able to challenge their legality retrospectively (he referred to Weber and
Saravia, cited above).
217. The applicant argued that remedies available under Russian law
were ineffective. As regards the possibility for the subject of surveillance to
apply for judicial review of the measures applied, the burden of proof was
on the claimant to demonstrate that his or her telephone had been tapped.
However, since those monitored were not informed about the surveillance
measures unless charged with a criminal offence, the burden of proof was
impossible to satisfy. The copies of domestic judgments submitted by the
Government concerned searches and seizures, that is, operative-search
measures which were known to the person concerned (see paragraphs 220,
221 and 223 below). The applicant knew of no publicly available judicial
decisions where an interception subject’s complaint about unlawful
interception had been allowed. It was also significant that in none of the
judgments produced by the Government had the domestic courts assessed
the proportionality of the contested operative-search measures. The
domestic proceedings brought by the applicant had also clearly
demonstrated that remedies available under Russian law were ineffective.
Moreover, in the case of Avanesyan v. Russia (no. 41152/06, 18 September
2014) the Court had already found that there were no effective remedies
under Russian law to challenge operational-search measures.
218. Lastly, the applicant submitted that an interception subject or the
communications service providers could not challenge the ministerial orders
governing secret interceptions of communications, because those orders
were considered to be technical rather than legal in nature and were
therefore not subject to judicial review, as demonstrated by the decisions
mentioned in paragraph 161 above.
(β) The Government
219. The Government argued that in Russia a person claiming that his or
her rights had been or were being violated by a State official performing
operational-search activities was entitled to complain to the official’s
superior, the prosecutor or a court, in accordance with section 5 of the
OSAA (see paragraph 83 above).
220. As explained by the Plenary Supreme Court, if the person
concerned learned about the interception, he or she could apply to a court of
general jurisdiction in accordance with the procedure established by
Chapter 25 of the Code of Civil Procedure (see paragraph 92 above).
According to the Government, a claimant did not have to prove that his or
her right had been breached as a result of the interception measures. The
burden of proof was on the intercepting authorities to show that the
ROMAN ZAKHAROV v. RUSSIA JUDGMENT 55
interception measures had been lawful and justified. Russian law provided
that if a breach of the claimant’s rights was found by a court in civil
proceedings, the court had to take measures to remedy the violation and
compensate the damage (see paragraph 97 above). The Government
submitted copies of two judicial decisions under Chapter 25 of the Code of
Civil Procedure, declaring searches and seizures of objects or documents
unlawful and ordering the police to take specific measures to remedy the
violations.
221. Furthermore, according to the Government, the interception
subject was also entitled to lodge a supervisory-review complaint against
the judicial decision authorising the interception, as explained by the
Constitutional Court in its decision of 15 July 2008 (see paragraph 43
above). He or she was likewise entitled to lodge an appeal or a cassation
appeal.
222. If the interception was carried out in the framework of criminal
proceedings, the person concerned could also lodge a complaint under
Article 125 of the CCrP. The Government referred to the Supreme Court’s
decision of 26 October 2010 quashing, by way of supervisory review, the
lower courts’ decisions to declare inadmissible K.’s complaint under
Article 125 of the CCrP about the investigator’s refusal to give her a copy
of the judicial decision authorising interception of her communications. The
Supreme Court held that her complaint was to be examined under Article
125 of the CCrP, despite the fact that she had been already convicted, and
that she was entitled to receive a copy of the interception authorisation. The
Government submitted copies of ten judicial decisions allowing complaints
under Article 125 of the CCrP about unlawful searches and seizures of
objects or documents. They also produced a copy of a judgment acquitting a
defendant on appeal after finding that his conviction at first instance had
been based on inadmissible evidence obtained as a result of an unlawful test
purchase of drugs.
223. The Government further submitted that the person concerned could
apply for compensation under Article 1069 of the Civil Code
(see paragraph 102 above). That Article provided for compensation of
pecuniary and non-pecuniary damage caused to an individual or a legal
entity by unlawful actions by State and municipal bodies and officials,
provided that the body’s or the official’s fault had been established.
Compensation for non-pecuniary damage was determined in accordance
with the rules set out in Articles 1099-1101 of the Civil Code
(see paragraphs 103 and 104 above). The Government highlighted, in
particular, that non-pecuniary damage caused through dissemination of
information which was damaging to honour, dignity or reputation could be
compensated irrespective of the tortfeasor’s fault. The Government
submitted a copy of a decision of 9 December 2013 by the Vichuga Town
Court of the Ivanovo Region, awarding compensation in respect of non-
56 ROMAN ZAKHAROV v. RUSSIA JUDGMENT
some basis in domestic law and to be compatible with the rule of law, which
is expressly mentioned in the Preamble to the Convention and inherent in
the object and purpose of Article 8. The law must thus meet quality
requirements: it must be accessible to the person concerned and foreseeable
as to its effects (see, among many other authorities, Rotaru v. Romania
[GC], no. 28341/95, § 52, ECHR 2000-V; S. and Marper v. the United
Kingdom [GC], nos. 30562/04 and 30566/04, § 95, ECHR 2008; and
Kennedy, cited above, § 151).
229. The Court has held on several occasions that the reference to
“foreseeability” in the context of interception of communications cannot be
the same as in many other fields. Foreseeability in the special context of
secret measures of surveillance, such as the interception of communications,
cannot mean that an individual should be able to foresee when the
authorities are likely to intercept his communications so that he can adapt
his conduct accordingly. However, especially where a power vested in the
executive is exercised in secret, the risks of arbitrariness are evident. It is
therefore essential to have clear, detailed rules on interception of telephone
conversations, especially as the technology available for use is continually
becoming more sophisticated. The domestic law must be sufficiently clear
to give citizens an adequate indication as to the circumstances in which and
the conditions on which public authorities are empowered to resort to any
such measures (see Malone, cited above, § 67; Leander v. Sweden,
26 March 1987, § 51, Series A no. 116; Huvig v. France, 24 April 1990,
§ 29, Series A no. 176-B; Valenzuela Contreras v. Spain, 30 July 1998, §
46, Reports of Judgments and Decisions 1998-V; Rotaru, cited above, § 55;
Weber and Saravia, cited above, § 93; and Association for European
Integration and Human Rights and Ekimdzhiev, cited above, § 75).
230. Moreover, since the implementation in practice of measures of
secret surveillance of communications is not open to scrutiny by the
individuals concerned or the public at large, it would be contrary to the rule
of law for the discretion granted to the executive or to a judge to be
expressed in terms of an unfettered power. Consequently, the law must
indicate the scope of any such discretion conferred on the competent
authorities and the manner of its exercise with sufficient clarity to give the
individual adequate protection against arbitrary interference (see, among
other authorities, Malone, cited above, § 68; Leander, cited above, § 51;
Huvig, cited above, § 29; and Weber and Saravia, cited above, § 94).
231. In its case-law on secret measures of surveillance, the Court has
developed the following minimum safeguards that should be set out in law
in order to avoid abuses of power: the nature of offences which may give
rise to an interception order; a definition of the categories of people liable to
have their telephones tapped; a limit on the duration of telephone tapping;
the procedure to be followed for examining, using and storing the data
obtained; the precautions to be taken when communicating the data to other
58 ROMAN ZAKHAROV v. RUSSIA JUDGMENT
Authorisation procedures
257. The Court will take into account a number of factors in assessing
whether the authorisation procedures are capable of ensuring that secret
surveillance is not ordered haphazardly, irregularly or without due and
ROMAN ZAKHAROV v. RUSSIA JUDGMENT 65
about the nature and sources of intelligence information and yet accord the
individual a substantial measure of procedural justice (see, mutatis
mutandis, Chahal v. the United Kingdom, 15 November 1996, § 131,
Reports of Judgments and Decisions 1996-V).
262. Furthermore, the Court observes that in Russia the judges are not
instructed, either by the CCrP or by the OSAA, to verify the existence of a
“reasonable suspicion” against the person concerned or to apply the
“necessity” and “proportionality” test”. At the same time, the Court notes
that the Constitutional Court has explained in its decisions that the burden
of proof is on the requesting agency to show that interception is necessary
and that the judge examining an interception request should verify the
grounds for that measure and grant authorisation only if he or she is
persuaded that interception is lawful, necessary and justified. The
Constitutional Court has also held that the judicial decision authorising
interception should contain reasons and refer to specific grounds for
suspecting that a criminal offence has been committed, or is ongoing, or is
being plotted or that activities endangering national, military, economic or
ecological security are being carried out, as well as that the person in respect
of whom interception is requested is involved in these criminal or otherwise
dangerous activities (see paragraphs 40 to 42 above). The Constitutional
Court has therefore recommended, in substance, that when examining
interception authorisation requests Russian courts should verify the
existence of a reasonable suspicion against the person concerned and should
authorise interception only if it meets the requirements of necessity and
proportionality.
263. However, the Court observes that the domestic law does not
explicitly require the courts of general jurisdiction to follow the
Constitutional Court’s opinion as to how a legislative provision should be
interpreted if such opinion has been expressed in a decision rather than a
judgment (see paragraph 106 above). Indeed, the materials submitted by the
applicant show that the domestic courts do not always follow the above-
mentioned recommendations of the Constitutional Court, all of which were
contained in decisions rather than in judgments. Thus, it transpires from the
analytical notes issued by District Courts that interception requests are often
not accompanied by any supporting materials, that the judges of these
District Courts never request the interception agency to submit such
materials and that a mere reference to the existence of information about a
criminal offence or activities endangering national, military, economic or
ecological security is considered to be sufficient for the authorisation to be
granted. An interception request is rejected only if it is not signed by a
competent person, contains no reference to the offence in connection with
which interception is to be ordered, or concerns a criminal offence in
respect of which interception is not permitted under domestic law
(see paragraph 193 above). Thus, the analytical notes issued by District
ROMAN ZAKHAROV v. RUSSIA JUDGMENT 67
Courts, taken together with the statistical information for the period from
2009 to 2013 provided by the applicant (see paragraph 194 above), indicate
that in their everyday practice Russian courts do not verify whether there is
a “reasonable suspicion” against the person concerned and do not apply the
“necessity” and “proportionality” test.
264. Lastly, as regards the content of the interception authorisation, it
must clearly identify a specific person to be placed under surveillance or a
single set of premises as the premises in respect of which the authorisation
is ordered. Such identification may be made by names, addresses, telephone
numbers or other relevant information (see Klass and Others, cited above,
§ 51; Liberty and Others, cited above, §§ 64 and 65; Dumitru Popescu
(no. 2), cited above, § 78; Association for European Integration and Human
Rights and Ekimdzhiev, cited above, § 80; and Kennedy, cited above, § 160).
265. The Court observes that the CCrP requires that a request for
interception authorisation must clearly mention a specific person whose
communications are to be intercepted, as well as the duration of the
interception measure (see paragraph 46 above). By contrast, the OSAA does
not contain any requirements either with regard to the content of the request
for interception or to the content of the interception authorisation. As a
result, courts sometimes grant interception authorisations which do not
mention a specific person or telephone number to be tapped, but authorise
interception of all telephone communications in the area where a criminal
offence has been committed. Some authorisations do not mention the
duration for which interception is authorised (see paragraph 193 above).
The Court considers that such authorisations, which are not clearly
prohibited by the OSAA, grant a very wide discretion to the
law-enforcement authorities as to which communications to intercept, and
for how long.
266. The Court further notes that in cases of urgency it is possible to
intercept communications without prior judicial authorisation for up to
forty-eight hours. A judge must be informed of any such case within
twenty-four hours from the commencement of the interception. If no
judicial authorisation has been issued within forty-eight hours, the
interception must be stopped immediately (see paragraph 35 above). The
Court has already examined the “urgency” procedure provided for in
Bulgarian law and found that it was compatible with the Convention
(see Association for European Integration and Human Rights and
Ekimdzhiev, cited above, §§ 16 and 82). However, in contrast to the
Bulgarian provision, the Russian “urgent procedure” does not provide for
sufficient safeguards to ensure that it is used sparingly and only in duly
justified cases. Thus, although in the criminal sphere the OSAA limits
recourse to the urgency procedure to cases where there exists an immediate
danger that a serious or especially serious offence may be committed, it
does not contain any such limitations in respect of secret surveillance in
68 ROMAN ZAKHAROV v. RUSSIA JUDGMENT
knowledge, and unless the data are deleted, he or she should be informed,
where practicable, that information is held about him or her as soon as the
object of the police activities is no longer likely to be prejudiced (§ 2.2, see
paragraph 143 above).
288. In the cases of Klass and Others and Weber and Saravia the Court
examined German legislation which provided for notification of
surveillance as soon as that could be done after its termination without
jeopardising its purpose. The Court took into account that it was an
independent authority, the G10 Commission, which had the power to decide
whether an individual being monitored was to be notified of a surveillance
measure. The Court found that the provision in question ensured an
effective notification mechanism which contributed to keeping the
interference with the secrecy of telecommunications within the limits of
what was necessary to achieve the legitimate aims pursued (see Klass and
Others, cited above, § 58, and Weber and Saravia, cited above, § 136). In
the cases of Association for European Integration and Human Rights and
Ekimdzhiev and Dumitru Popescu (no. 2), the Court found that the absence
of a requirement to notify the subject of interception at any point was
incompatible with the Convention, in that it deprived the interception
subject of an opportunity to seek redress for unlawful interferences with his
or her Article 8 rights and rendered the remedies available under the
national law theoretical and illusory rather than practical and effective. The
national law thus eschewed an important safeguard against the improper use
of special means of surveillance (see Association for European Integration
and Human Rights and Ekimdzhiev, cited above, §§ 90 and 91, and Dumitru
Popescu (no. 2), cited above, § 77). By contrast, in the case of Kennedy the
absence of a requirement to notify the subject of interception at any point in
time was compatible with the Convention, because in the United Kingdom
any person who suspected that his communications were being or had been
intercepted could apply to the Investigatory Powers Tribunal, whose
jurisdiction did not depend on notification to the interception subject that
there had been an interception of his or her communications (see Kennedy,
cited above, § 167).
289. Turning now to the circumstances of the present case, the Court
observes that in Russia persons whose communications have been
intercepted are not notified of this fact at any point or under any
circumstances. It follows that, unless criminal proceedings have been
opened against the interception subject and the intercepted data have been
used in evidence, or unless there has been a leak, the person concerned is
unlikely ever to find out if his or her communications have been intercepted.
290. The Court takes note of the fact that a person who has somehow
learned that his or her communications have been intercepted may request
information about the corresponding data (see paragraph 81 above). It is
worth noting in this connection that in order to be entitled to lodge such a
ROMAN ZAKHAROV v. RUSSIA JUDGMENT 75
(see paragraphs 85, 95, 96 and 105 above). In the absence of notification or
some form of access to official documents relating to the interceptions such
a burden of proof is virtually impossible to satisfy. Indeed, the applicant’s
judicial complaint was rejected by the domestic courts on the ground that he
had failed to prove that his telephone communications had been intercepted
(see paragraphs 11 and 13 above). The Court notes that the Government
submitted several judicial decisions taken under Chapter 25 of the Code of
Civil Procedure or Article 1069 of the Civil Code (see paragraphs 220
to 223 above). However, all of those decisions, with one exception, concern
searches or seizures of documents or objects, that is, operational-search
measures carried out with the knowledge of the person concerned. Only one
judicial decision concerns interception of communications. In that case the
intercept subject was able to discharge the burden of proof because she had
learned about the interception of her communications in the course of
criminal proceedings against her.
297. Further, the Court takes note of the Government’s argument that
Russian law provides for criminal remedies for abuse of power,
unauthorised collection or dissemination of information about a person’s
private and family life and breach of citizens’ right to privacy of
communications. For the reasons set out in the preceding paragraphs these
remedies are also available only to persons who are capable of submitting to
the prosecuting authorities at least some factual information about the
interception of their communications (see paragraph 24 above).
298. The Court concludes from the above that the remedies referred to
by the Government are available only to persons who are in possession of
information about the interception of their communications. Their
effectiveness is therefore undermined by the absence of a requirement to
notify the subject of interception at any point, or an adequate possibility to
request and obtain information about interceptions from the authorities.
Accordingly, the Court finds that Russian law does not provide for an
effective judicial remedy against secret surveillance measures in cases
where no criminal proceedings were brought against the interception
subject. It is not the Court’s task in the present case to decide whether these
remedies will be effective in cases where an individual learns about the
interception of his or her communications in the course of criminal
proceedings against him or her (see, however, Avanesyan, cited above,
where some of these remedies were found to be ineffective to complain
about an “inspection” of the applicant’s flat).
299. Lastly, with respect to the remedies to challenge the alleged
insufficiency of safeguards against abuse in Russian law before the Russian
courts, the Court is not convinced by the Government’s argument that such
remedies are effective (see paragraphs 156 and 225 above). As regards the
possibility to challenge the OSAA before the Constitutional Court, the
Court observes that the Constitutional Court has examined the
78 ROMAN ZAKHAROV v. RUSSIA JUDGMENT
306. The applicant complained that he had no effective remedy for his
complaint under Article 8. He relied on Article 13 of the Convention, which
reads as follows:
“Everyone whose rights and freedoms as set forth in [the] Convention are violated
shall have an effective remedy before a national authority notwithstanding that the
violation has been committed by persons acting in an official capacity.”
307. Having regard to the findings under Article 8 of the Convention in
paragraphs 286 to 300 above, the Court considers that, although the
complaint under Article 13 of the Convention is closely linked to the
complaint under Article 8 and therefore has to be declared admissible, it is
not necessary to examine it separately (see Liberty and Others, cited above,
§ 73).
“If the Court finds that there has been a violation of the Convention or the Protocols
thereto, and if the internal law of the High Contracting Party concerned allows only
partial reparation to be made, the Court shall, if necessary, afford just satisfaction to
the injured party.”
A. Damage
313. Before the Chamber, the applicant claimed 26,579 Russian roubles
(RUB, about 670 euros (EUR) on the date of submission) for postal and
translation expenses. He relied on postal and fax service invoices and a
translation services contract.
314. Before the Grand Chamber, the applicant claimed 22,800 pounds
sterling (GBP, about EUR 29,000 on the date of submission) and
EUR 13,800 for legal fees. He relied on lawyers’ time-sheets. Relying on
bills and invoices, he also claimed GBP 6,833.24 (about EUR 8,700 on the
date of submission) for translation, travelling and other administrative
expenses.
315. The Government accepted the claim for costs and expenses made
before the Chamber because it was supported by documentary evidence. As
ROMAN ZAKHAROV v. RUSSIA JUDGMENT 81
regards the claims for costs and expenses made before the Grand Chamber,
the Government submitted that the claims had been submitted more than a
month after the hearing. As regards the legal fees, the Government
submitted that part of those fees covered the work performed by the
representatives before the applicant had signed an authority form and that
there was no authority form in the name of Ms Levine. Furthermore, the
number of representatives and the number of hours spent by them on the
preparation of the case had been excessive. There was moreover no
evidence that the applicant had paid the legal fees in question or was under a
legal or contractual obligation to pay them. As regards the translation and
other administrative expenses, the Government submitted that the applicant
had not submitted any documents showing that he had paid the amounts
claimed. Nor had he proved that the translation expenses had been indeed
necessary, given that some of the applicant’s lawyers spoke Russian. The
rates claimed by the translators had been excessive. Lastly, the travelling
expenses had been also excessive.
316. According to the Court’s case-law, an applicant is entitled to the
reimbursement of costs and expenses only in so far as it has been shown
that these have been actually and necessarily incurred and are reasonable as
to quantum. In the present case, regard being had to the documents in its
possession and the above criteria, the Court considers it reasonable to award
the sum of EUR 40,000 covering costs under all heads, plus any tax that
may be chargeable to the applicant.
C. Default interest
317. The Court considers it appropriate that the default interest rate
should be based on the marginal lending rate of the European Central Bank,
to which should be added three percentage points.
5. Holds, unanimously,
(a) that the respondent State is to pay the applicant, within three
months, EUR 40,000 (forty thousand euros), plus any tax that may be
chargeable to the applicant, in respect of costs and expenses;
(b) that from the expiry of the above-mentioned three months until
settlement simple interest shall be payable on the above amount at a rate
equal to the marginal lending rate of the European Central Bank during
the default period plus three percentage points;
D.S.
T.L.E.
ROMAN ZAKHAROV v. RUSSIA – SEPARATE OPINIONS 83
“36...The Court finds it unacceptable that the assurance of the enjoyment of a right
guaranteed by the Convention could be thus removed by the simple fact that the
person concerned is kept unaware of its violation. A right of recourse to the
Commission for persons potentially affected by secret surveillance is to be derived
from Article 25 ..., since otherwise Article 8 ... runs the risk of being nullified”.
However, the German and English scandals referred to above confirm
that, sooner or later, the individual concerned will become aware of the
interception. One may find relevant examples in the Russian context (see
Shimovolos v. Russia, no. 30194/09, 21 June 2011). The applicant in the
present case is not aware of any interception of his communications, and
this fact cannot be ignored by the Court.
The Court has on many occasions avoided examining cases in abstracto
(see Silver and Others v. the United Kingdom, 25 March 1983, Series A
no. 61, § 79; Nikolova v. Bulgaria [GC], no. 31195/96, § 60, ECHR
1999-II; Nejdet Şahin and Perihan Şahin v. Turkey [GC], no. 13279/05,
§§ 68-70, 20 October 2011; Sabanchiyeva and Others v. Russia,
no. 38450/05, § 137, ECHR 2013; and Monnat v. Switzerland,
no. 73604/01, §§ 31-32, ECHR 2006-X). Thus, one can presume that the
interception cases are unique. We then need to know the reasons why the
Court should change its general approach when examining such cases. Yet
we have no idea about what those reasons might be. If the legislation creates
the risk of arbitrariness, then we need to see the outcome of that
arbitrariness. I am not sure that a few examples (unrelated to the applicant’s
case) prove that the entire system of safeguards should be revised and
strengthened. I would accept such an approach if the Court had a huge
backlog of individual repetitive petitions showing that Order no. 70 (on the
connection of interception equipment to operators’ networks) is not
technical in nature but that it creates a structural problem in Russia. If that is
the case, however, we need a pilot procedure and a pilot judgment.
Every case in which the Court has found a violation of the Convention
(more than 15,000 judgments) is based on the abuse of power, even where
the domestic legislation is of good quality. Every abuse of power is a
question of ethics, and cannot be eliminated by legislative measures alone.
The Court has consistently held that its task is not to review domestic law
and practice in abstracto or to express a view as to the compatibility of the
provisions of legislation with the Convention, but to determine whether the
manner in which they were applied or in which they affected the applicant
gave rise to a violation of the Convention (see, among other authorities, in
the Article 14 context, Religionsgemeinschaft der Zeugen Jehovas and
Others v. Austria, no. 40825/98, § 90, 31 July 2008).
Article 34 of the Convention does not institute for individuals a kind of
actio popularis for the interpretation of the Convention; it does not permit
individuals to complain against a law in abstracto simply because they feel
that it contravenes the Convention. In principle, it does not suffice for an
ROMAN ZAKHAROV v. RUSSIA – SEPARATE OPINIONS 85
individual applicant to claim that the mere existence of a law violates his
rights under the Convention; it is necessary that the law should have been
applied to his detriment (see Klass, cited above, § 33). These principles
should not be applied arbitrarily.
JUDGMENT
STRASBOURG
12 January 2016
FINAL
06/06/2016
This judgment has become final under Article 44 § 2 of the Convention. It may be
subject to editorial revision.
SZABÓ AND VISSY v. HUNGARY JUDGMENT 1
PROCEDURE
1. The case originated in an application (no. 37138/14) against Hungary
lodged with the Court under Article 34 of the Convention for the Protection
of Human Rights and Fundamental Freedoms (“the Convention”) by two
Hungarian nationals, Mr Máté Szabó and Ms Beatrix Vissy (“the
applicants”), on 13 May 2014.
2. The applicants were represented by Mr L. Majtényi, a lawyer
practising in Budapest. The Hungarian Government (“the Government”)
were represented Mr Z. Tallódi, Agent, Ministry of Justice.
3. The applicants complained under Article 8 of the Convention that
they could potentially be subjected to unjustified and disproportionately
intrusive measures within the framework of “section 7/E (3) surveillance”
(see paragraphs 10-12 below), in particular for want of judicial control. In
their view, the latter issue also constituted a violation of their rights under
Articles 6 and 13 of the Convention.
4. On 12 June 2014 the application was communicated to the
Government.
5. On 27 August and 1 September 2014, respectively, Privacy
International and Center for Democracy and Technology, both
non-governmental organisations, were granted leave to make written
submissions (Article 36 § 2 of the Convention and Rule 44 § 3 of the Rules
of Court).
2 SZABÓ AND VISSY v. HUNGARY JUDGMENT
THE FACTS
6. The applicants were born in 1976 and 1986 respectively and live in
Budapest.
7. When introducing the application, the applicants were staff members
of Eötvös Károly Közpolitikai Intézet, a non-governmental, “watchdog”
organisation voicing criticism of the Government. The subsequent employer
of one of the applicants was subjected to financial control measures by the
Government in 2014, which according to the applicants verged on vexation.
8. Act no. CXLVII of 2010 defines combating terrorism as one of the
tasks of the police. Within the force, a specific Anti-Terrorism Task Force
(“TEK”) was established as of 1 January 2011. Its competence is defined in
section 7/E of Act no. XXXIV of 1994 on the Police, as amended by Act
no. CCVII of 2011 (the “Police Act”).
9. Under this legislation, TEK’s prerogatives in the field of secret
intelligence gathering include secret house search and surveillance with
recording, opening of letters and parcels, as well as checking and recording
the contents of electronic or computerised communications, all this without
the consent of the persons concerned.
10. The authorisation process for these activities is dependent on the
actual competence exercised by TEK, namely whether it is within the
framework of secret surveillance linked to the investigation of certain
specific crimes enumerated in the law (section 7/E (2)) or to secret
surveillance within the framework of intelligence gathering for national
security (section 7/E (3)).
11. Whereas the scenario under section 7/E (2) is as such subject to
judicial authorisation, the one under section 7/E (3) is authorised by the
Minister in charge of justice, (i) in order to prevent terrorist acts or in the
interests of Hungary’s national security or (ii) in order to rescue Hungarian
citizens from capture abroad in war zones or in the context of terrorist acts.
12. “Section 7/E (3) surveillance” takes place under the rules of the
National Security Act under the condition that the necessary intelligence
cannot be obtained in any other way. Otherwise, the law does not contain
any particular rules on the circumstances in which this measure can be
ordered, as opposed to “section 7/E (2) surveillance”, which is conditional
on the suspicion of certain serious crimes. The time-frame of
“section 7/E (3) surveillance” is 90 days, which can be prolonged for
another 90-day period by the Minister; however, the latter has no right to
know about the results of the ongoing surveillance when called on to decide
on its prolongation. Once the surveillance is terminated, the law imposes no
specific obligation on the authorities to destroy any irrelevant intelligence
obtained.
SZABÓ AND VISSY v. HUNGARY JUDGMENT 3
16. Act no. XXXIV of 1994 on the Police (“the Police Act”) provides as
relevant:
4 SZABÓ AND VISSY v. HUNGARY JUDGMENT
Section 1
“(2) The police – within the scope of its duties as prescribed by the Fundamental
Law of Hungary, by this Act and by other laws for preventing and combating crimes,
administrating and policing – ...
15. ... within the territory of Hungary ...
a) tracks terrorist organisations,
b) prevents, tracks and repels any attempts of individuals, groups or organisations to
carry out terrorist acts and impedes the commission of any crimes by them,
c) impedes the promotion of the operation of terrorist organisations by individuals,
groups or organisations through providing financial or other support.”
Section 7/E
“(1) The anti-terrorist organ does not exercise any investigatory competence. It:
a) fulfils the tasks prescribed in section 1 subsection (2) point 15, and within these
tasks ...
ad) – within the framework of the fight against terrorism and in order to safeguard
the national security interests of Hungary – prevents, tracks and repels any attempts to
carry out terrorist acts (terrorcselekmény) in Hungary. ...
d) on the basis of the decision of the Minister responsible for policing as endorsed
by the Minister responsible for foreign affairs – in line with the rules of international
law – contributes to rescuing Hungarian citizens who are – outside the territory of
Hungary – in distress due to an imminent and life-threatening danger of act of war,
armed conflict, hostage-taking or terrorist action; to ensuring their safe return to
Hungary and to carrying out their evacuation; to this end it cooperates with the
Member States and the organs of the European Union, with the organs of the North
Atlantic Treaty Organization, with the related international organisations and with the
authorities of the concerned foreign country.
e) acquires, analyses, assesses and forwards information relating to foreign countries
or being of foreign origin which is required for fulfilling the task prescribed in section
d) above.
(2) The anti-terrorist organ may – for the purpose of fulfilling its tasks prescribed in
subsection (1) point a) sub-points aa) to ac) and in point c) – perform secret
intelligence gathering in line with the provisions of Chapter VII of the Act on Police.
(3) The anti-terrorist organ may – for the purpose of fulfilling its tasks prescribed in
subsection (1) point a) sub-point ad) and in point e) – perform secret intelligence
gathering in line with the provisions of sections 53-60 of Act no. CXXV of 1995 on
the National Security Services (the “Nbtv.”), in the course of which it may request and
handle data according to the provisions of sections 38-52 of Nbtv. The secret
intelligence gathering provided in section 56 points a)-e) of Nbtv. is subject to
authorisation of the Minister responsible for justice.”
The crime of “terrorist act” (terrorcselekmény) is defined in section 261
of the Old Criminal Code and sections 314 to 316 of the New Criminal
Code.
17. Act no. CXXV of 1995 on the National Security Services (the
“National Security Act”, “Nbtv.”) contains the passages below.
SZABÓ AND VISSY v. HUNGARY JUDGMENT 5
Section 43
“The National Security Services may use data having come to their knowledge
exclusively for the purpose that corresponds to the legal basis for ordering their
acquisition, except
a) if the data are indicative of the commission of a criminal act and forwarding the
data is legally allowed, or
b) if they substantiate an obligation to inform another National Security Service and
the party receiving the data is itself authorised to obtain them.”
Section 44
“(1) For the purpose of fulfilling their tasks the National Security Services may
request data from each other and are obliged to provide data to each other in line with
the provisions of this Act.
(4) The bodies requesting data disclosure shall be responsible for the management of
data disclosed to them according to the provisions of this Act and the data
6 SZABÓ AND VISSY v. HUNGARY JUDGMENT
management legislation; they shall register the data they receive and their utilisation
and, upon request, they shall inform the National Security Service thereof.”
Section 45
“(1) The National Security Services may, under an international obligation, transfer
personal data to foreign data processing authorities within the framework of laws on
protection of personal data.”
Section 50
“(2) Personal data processed by the National Security Services shall be deleted
immediately if
a) the deadline specified in subsection (1) has expired;
b) deletion was ordered by a court in data protection proceedings;
c) processing of the data is unlawful;
d) the conditions specified in section 60 (2) are met;
e) processing of the data became manifestly unnecessary.”
Section 53
“(2) The National Security Services may apply the special means and methods of
secret intelligence gathering only if the intelligence needed for the performance of the
tasks laid down in the present Act cannot be obtained in any other way.”
Section 56
“The National Security Services may, under an external permission
a) search a dwelling secretly and record by means of technical equipment what they
perceive;
b) keep a dwelling under surveillance by means of technical equipment and record
what they perceive;
c) open and check postal mail and any closed parcel belonging to an identifiable
person and record their contents by means of technical equipment;
d) detect the content of communications transmitted by electronic communications
network and record it by means of technical equipment;
e) detect the data transmitted by or contained on a computer or network, record it by
means of technical equipment and use it.”
Section 57
“(1) The motion to obtain permission for secret intelligence gathering as specified in
section 56 may be submitted by director generals of the Information Authority, the
Constitution Protection Authority, the Military National Security Service and – in
order to carry out its task specified in section 8 (1) f) above – the Special Service for
National Security.
(2) The motion shall contain:
SZABÓ AND VISSY v. HUNGARY JUDGMENT 7
Section 58
“(3) The ... Minister in charge of justice ... decides [on the motion] within 72 hours
to be counted from the motion’s submission ... [he] grants permission or, in case of an
ill-founded request, rejects it. No appeal lies against the decision.
(4) Unless this law stipulates otherwise, the authoriser allows the secret intelligence
gathering for a period of a maximum of 90 days upon each request. In justified cases
and upon a motion from the director generals, this time limit may be extended by 90
days, unless this law stipulates otherwise.
(6) The authoriser does not inform the person concerned about the proceedings or
about the occurrence of secret intelligence gathering.”
Section 59
“(1) The directors of the National Security Services themselves may [exceptionally]
authorise the secret gathering of information within the meaning of section 56 at the
latest until the decision given [by the Minister] if the external authorisation procedure
entails such delay as obviously countering, in the given circumstances, the interests of
the successful functioning of the National Security Service.”
Section 60
“(1) Secret intelligence gathering based on external permission shall be discontinued
immediately if
a) it achieved its aim defined in the permission;
b) its continuation does not promise any results;
c) its time-limit has been expired without extension;
d) the secret intelligence gathering is unlawful for any reasons whatsoever.
(2) In the framework of the special procedure defined in section 59 (1), secret
intelligence gathering shall also be discontinued immediately if the authoriser does
not permit its continuation. In that case, the data obtained by secret intelligence
gathering shall be destroyed immediately, according to the laws regulating the
deletion of qualified data.”
Section 74(a) defines the notion of national security interests in the
following terms:
“Securing the sovereignty and protecting the constitutional order of Hungary and,
within that framework,
8 SZABÓ AND VISSY v. HUNGARY JUDGMENT
Section 26 (1)
“Persons or organisations affected by a particular case may, under Article 24 (2) c)
of the Fundamental Law, submit a constitutional complaint to the Constitutional Court
where due to the application in the related court proceedings of a piece of legislation
contravening the Fundamental Law,
a) their rights enshrined in the Fundamental Law have been violated, and
b) legal remedies have been exhausted or no remedy exists.
SZABÓ AND VISSY v. HUNGARY JUDGMENT 9
Section 27
“Against a judicial decision contravening the Fundamental Law within the meaning
of Article 24 (2) d.) of the Fundamental Law, a person or organisation affected by the
particular case may file a constitutional complaint with the Constitutional Court where
the decision on the merits of the case or another decision terminating the judicial
proceedings
a) has violated the complainant’s rights enshrined in the Fundamental Law, and
b) the complainant has already exhausted the legal remedies or no legal remedy
exists.”
20. Decision no. 32/2013. (XI.22.) AB of the Constitutional Court
establishing the constitutional requirement to be met in respect of
section 58 (3) of Nbtv. and rejecting the related constitutional complaint
contains the following passages:
“... 1. The Constitutional Court finds that ... in order to make the external control
effective, the decision of the Minister responsible for justice ... authorising secret
intelligence gathering must be supplied with reasons. ...
[42] 1.1. The regulations in force specify two types of secret intelligence gathering:
secret surveillance linked to the investigation of particular crimes and secret
surveillance not linked to the investigation of particular crimes. ...
[47] 1.2. Secret surveillance not linked to the investigation of particular crimes is
either not subject to external authorisation [sections 54-55 of Nbtv.] or is subject to
external authorisation [sections 54-55 of Nbtv.] In cases specified in the Act
authorisation means authorisation by a judge or by the Minister of Justice.
[48] According to the reasoning of Nbtv., from international practice several
examples can be mentioned for States making a distinction between intelligence
gathering linked to the investigation of particular crimes (including the closely related
fields of crime prevention and crime detection) and intelligence gathering carried out
for national security purposes.
[49] On the basis of this principle, a system of divided authorisation has been
adopted in the Act. For the purpose of detecting actual criminal offences, secret
intelligence gathering is authorised – similarly to the solution applied in the Act on the
Police – by a judge designated for the task by the President of the Budapest High
Court, whereas section 56 activities carried out in the course of general intelligence
gathering shall be authorised by the Minister of Justice. ...
[51] Section 53 (2) of Nbtv., according to which secret intelligence gathering may
only be carried out if the data required to perform the statutory tasks cannot be
obtained in any other manner, shall apply to both cases. ...
10 SZABÓ AND VISSY v. HUNGARY JUDGMENT
[62] Under section 14 (4) of Nbtv. Parliament’s National Security Committee shall
exercise control over the authorisation process of the Minister of Justice. ...
[69] 2. Secret intelligence gathering governed by Nbtv and not linked to the
investigation of particular crimes ... has not been examined by the Constitutional
Court yet. However, in its decision no. 2/2007. (I. 24.) AB (henceforth: Abh.1.) the
Constitutional Court specified the general aspects under which secret intelligence
gathering and secret surveillance are acceptable in a democratic, rule-of-law State.
[70] Since the content of Article B) (1) of the Fundamental Law is identical to the
content of Article 2 (1) of the former Constitution, and since from the rules of
interpretation applicable to the Fundamental Law no conclusion contrary to the above
opinion of the Constitutional Court can be inferred, the statements of principle made
on the necessity and proportionality of secret intelligence gathering can be
maintained.
[71] The Constitutional Court has also taken into consideration the Strasbourg
Court’s jurisprudence, as recalled in its former decisions. Cases related to “covert
investigations” were examined by the Court in light of the Convention provisions set
forth in Article 8 which protects the right to respect for private life. In its judgments
the Court held that in a democratic society the rights enshrined under Article 8 § 1 can
only be restricted within the limits specified in paragraph 2, that is only for the
purposes specified in that provision and only in case the necessity of the restriction is
justified.
[72] Lawfulness under the Court’s case law does not merely require that a given
restriction be specified under the law. The phrase “in accordance with the law”
requires that the regulation itself should meet the rule-of-law principles. Since secret
intelligence gathering does, per definition, exclude the possibility of an effective
remedy, it is imperative that the process authorising such information gathering
should contain sufficient guarantees for the protection of the rights of the individuals.
Therefore, the use of secret intelligence gathering must be subject to a three-stage
control: when the interference is ordered, while the interference is carried out and
when the interference is terminated. Control must be exercised by “bodies”
independent of the executive power. First of all, only constant, continuous and
mandatory control can guarantee that in a given case the requirement of
proportionality is not violated ....
[73] In its judgments the Court laid down the minimum requirements to be met by a
legal regulation on the use of secret intelligence devices. The Court emphasised that
since the interference with the fundamental rights is secret and since the use of such
devices provides “unpredictable” opportunities for the executive power, it is
indispensable that the procedures themselves provide sufficient guarantees for the
observance of the rights of the individuals. Therefore States must create precise and
detailed rules that can be abided by and accessed by the citizens. From the legal
regulation the competence of the authority applying such devices, the essence of the
measures and the manner of their practice should be clear and apparent. As to the
requirement of the clarity of rules the Court also pointed out that the laws should
specify the cases and circumstances which warrant such interference and the
conditions of the interference. As a minimum guarantee the laws should determine the
criteria based on which the scope of persons potentially affected can be determined
and should contain provisions regulating the documentation of the use of secret
intelligence devices and specifying the rules applicable to the protection and
destruction of the documentation. As to decision-making on the application of secret
intelligence devices, an excessively wide margin of appreciation may not be granted
SZABÓ AND VISSY v. HUNGARY JUDGMENT 11
relevance, and those events do not necessarily entail legal consequences. Identifying
and combating endeavours aimed at committing acts having relevance from the
aspects of securing the sovereignty of the State and of protecting the lawful order of
the State may fall outside the sphere of particular criminal offences. Therefore
national security-related tasks are not comparable to secret intelligence gathering
linked to investigating a crime, which is carried out under section 69 of Rtv. and is
subject to authorisation by a court. The prevention and elimination of risks to national
security require political decisions, therefore decisions of this type fall in the
competence of the executive power. This consideration justifies that general character
secret intelligence gathering should be authorised by the Minister responsible for
justice.
[106] However, in granting the authorisation the Minister responsible for justice
must weigh the interests of national security against the injury done to the
fundamental rights. Therefore in addition to assessing the national security interests of
the country from a political (home and foreign affairs) aspect, the person granting the
authorisation should also strike a fair balance between the interests of national
security and fundamental rights. In doing so, it must start from the principle that secret
intelligence methods for national security purposes may only be used even by the anti-
terrorist organ as a last resort means of detection. Section 53 (2) of Nbtv. clearly
provides for the ultima ratio nature of secret intelligence methods: the special devices
and methods of secret intelligence gathering can only be used where the data needed
for the completion of a prescribed task cannot be obtained in any other way, namely
by the traditional means of detection. This provision of Nbtv. is intended to serve as a
legal guarantee similar to that which the specification in the law of the acts amounting
to criminal offences constitutes in the context of secret intelligence gathering linked to
the investigation of a particular crime and carried out upon the suspicion of an
offence.
[107] ... The request for authorisation must be supported with reasons. The ...
grantor of the authorisation shall base his decision on the content of the request: the
request shall be granted or, in case of ill-foundedness, rejected. Hence, in case the
requesting authority cannot sufficiently justify that the data required for performing its
tasks cannot be acquired in any other manner no authorisation for the use of
intelligence devices and methods shall be given. ...
[114] As to the ordering and carrying out of the secret intelligence gathering
external control is a fundamental guarantee. Control over the activities performed by
the anti-terrorist organ under the rules of Nbtv. is exercised by the National Security
Committee (henceforth: Committee) of the Parliament ... Upon the Committee’s
request the Minister of Justice shall provide information on the nature of the
authorised information gathering and on the type of the case (section 14(4) b) Nbtv.).
[115] The Committee may acquire information about irregularities related to the
operation of the Services (anti-terrorist organ) from, among others, its own inquiries,
from citizen complaints or from information from the staff members of the Services.
...
[119] Nbtv. sets one single bar to the Committee’s control: the Committee may not
learn of information which might endanger the prime importance national security
interests in protecting the methods and sources (participating persons) relied on in the
case at issue (section 16(1) of Nbtv.) .
[120] The operation of the National Security Services and of the anti-terrorist organ
and of the Minister of justice’s authorising activity can be controlled, in addition to
the Parliament, by the Parliamentary Commissioner for Fundamental Rights as well.
14 SZABÓ AND VISSY v. HUNGARY JUDGMENT
[121] Under section 18 (1) f) of Act no. CXI of 2011 on the Parliamentary
Commissioner for Fundamental Rights (henceforth: Ajbt.) law enforcement organs,
including the anti-terrorist organ, are authorities that can be examined by the
Ombudsman. ... Hence no obstacle exists to an examination by the Ombudsman, the
only bar being that – similarly to the control by Parliament – the report made on the
examination of the secret intelligence activities of the authorities authorised for using
secret intelligence devices and methods may not contain data from which the secret
intelligence gathering activities carried out by the organ in the case at issue can be
inferred (section 28(3)). The Commissioner for Fundamental Rights may present, in
case the conditions specified under section 38 of Ajbt. are met, the cases examined by
him to Parliament in an annual report and may, with the exception of motions for
amendments, request Parliament to examine a case. ...
[122] On the basis of the above information the Constitutional Court has concluded
that Nbtv. allows for the control of the authorisation granting of the Minister of
Justice by bodies independent of the executive power. ...
[124] 3.3 In examining the reference in section 7/E (3) of Rtv. the Constitutional
Court has observed that section 58 (3) of Nbtv. does not expressly provide for a
reasoned decision ...
[127] A necessary element of any judicial decision to be taken on secret intelligence
gathering under the Rtv. is an examination of the compliance of the request for
authorisation with the statutory requirements. ...
[128] [...] The reference in section 7/E (3) of Rtv. also requires authorisation from
the Minister of Justice for national security-related secret intelligence gathering
carried out by the anti-terrorist organ, which is part of the Police Service, in order to
combat endeavours to commit an act of terrorism in the territory of Hungary or in
relation to the protection of Hungarian nationals who have got into trouble in a foreign
country. ...
[130] Since Nbtv. does not expressly require the Minister of Justice to issue a
reasoned decision, the authoriser is under no obligation to provide reasoning. In the
absence of reasoning, however, no posterior understanding, analysis or review of the
aspects and reasons giving rise to the decision in a particular case is possible for those
who exercise external control.
[131] Though section 58 (3) of Nbtv. prescribes that the authorisation grantor shall
base his decision on the content of the request, this content is, per definition, one-
sided since in arguing for the necessity of the secret information gathering the request
will solely invoke national security interests. The authorisation grantor must strike a
fair balance between the interests of national security and fundamental rights
enshrined under Article VI (1)-(2) of the Fundamental Law for persons affected by
secret intelligence gathering and must ensure, in addition to determining the necessity
of the restriction, that the restriction is proportionate. ...
[132] Given that the special nature of secret surveillance excludes the possibility of
a remedy, a restriction of the right to privacy and of the right to informational
autonomy that is proportionate to the protection of national security will require
effective external control already in granting the authorisation for the use of the secret
intelligence devices.
[133] The National Security Committee and the Commissioner for Fundamental
Rights may only constitute effective external control over the authorisation activity of
the Minister of Justice if the Minister’s decision authorising the secret surveillance
contains sufficiently detailed reasons. The reasons should be of a depth and detail that
SZABÓ AND VISSY v. HUNGARY JUDGMENT 15
enable those who exercise the external control to review the balance struck between
the interests of national security and the fundamental rights at issue.
[134] Upon the authorisation granted in section 46 (3) of Abtv., in order to ensure
effective external control, the Constitutional Court has laid down as a constitutional
requirement ensuring compliance with Article VI (1)-(2) of the Fundamental Law that
in applying section 58 (3) of Nbtv. the decision of the Minister responsible for justice
ordering secret intelligence gathering must be supported by reasons.
[135] 3.4. Thereafter the Constitutional Court has examined whether the data
handling by the anti-terrorist organ following the termination of the secret intelligence
gathering violates the right to informational autonomy. The complainants complained
that Nbtv., contrary to Rtv., fails to provide for the deletion of such recorded
information which is irrelevant for the purposes of the surveillance and of data which
are related to persons not concerned by the case. ...
[138] Based on the above considerations the Constitutional Court has established
that though Nbtv., contrary to section 73 (3) of Rtv., does not expressly provide for
the deletion of such recorded information which is irrelevant for the purposes of the
surveillance and of data which are related to persons not concerned by the case, from
the joint interpretation of the phrase “obviously unnecessary” in section 50 (2) e) and
of section 43 of Nbtv. it clearly follows that any data unnecessary for achieving the
aim serving as a legal ground for the data acquisition, in particular the data related to
persons not concerned by the case, must be deleted ex officio. Therefore the above
regulation meets the principle of being purpose-bound and is suitable to prevent
storing data acquisition. Moreover, Nbtv. allows for the concerned persons to file a
request for the deletion of their personal data, which request can only be rejected by
the Chief Director on specific grounds. External control exists over the data
processing as well, since the reasons for the rejection of a request must also be sent to
the National Data-Protection and Information Freedom Authority [section 48 of
Nbtv.].
[139] Therefore the Constitutional Court dismisses, in this respect as well, the
complaint alleging non-compliance of the contested provision with the Fundamental
Law and seeking the annulment of the contested provision. ...”
the effect of increasing the government’s control over policy at the expense of the
legislative power, and of insulating the former from criticism. This is exacerbated by
the fact that nowadays, there is a link between “external” and “internal” threats to the
State. Accordingly, security and intelligence information tends to form an indivisible
whole. ...
86. It is particularly important, as regards the limited scope of parliamentary and
judicial control, to note the special nature of security intelligence. The heart of a
security agency is its intelligence files. “Hard” data, purely factual information, is
insufficient for a security agency, or for that matter, any police organization. It also
needs to gather speculative intelligence in order to determine which people are, or are
probably or possibly, threatening national security. This information can be obtained
in different ways. A large proportion of non-open source internal security information
comes from informants. Like factual information, such “soft intelligence” can, and
must if the agency is to do its job properly, be collated to produce a personality profile
of a suspect or an analysis of a suspected activity. ...
243. Individuals who allege wrongdoing by the State in other fields routinely have a
right of action for damages before the courts. The effectiveness of this right depends,
however, on the knowledge of the individual of the alleged wrongful act, and proof to
the satisfaction of the courts. As already mentioned, for a variety of reasons, the
capacity of the ordinary courts to serve as an adequate remedy in security fields is
limited. The case law of the European Court of Human Rights ... makes it very clear
that a remedy must not simply be on paper.
244. An alternative is to allow an investigation and report into a complaint against
an agency by an independent official, such as an ombudsman....
245. In these ombudsman-type systems, the emphasis is on an independent official
investigating on behalf of the complainant. These independent offices usually exist to
deal with an administrative failure by public bodies, rather than a legal error. Their
investigations may give less emphasis to the complainant’s own participation in the
process and to transparency than would be the case with legal proceedings. Typically
an investigation of this type will conclude not with a judgment and formal remedies,
but with a report, and (if the complaint is upheld) a recommendation for putting
matters right and future action...
246. A less common variation is for a State to use a parliamentary or expert
oversight body to deal with complaints and grievances of individuals.... There may be
a benefit for a parliamentary oversight body in handling complaints brought against
security and intelligence agencies since this will give an insight into potential failures
– of policy, legality and efficiency. On the other hand, if the oversight body is too
closely identified with the agencies it oversees or operates within the ring of secrecy,
the complainant may feel that the complaints process is insufficiently independent. In
cases where a single body handles complaints and oversight it is best if there are quite
distinct legal procedures for these different roles.
247. On the whole it is preferable that the two functions be given to different bodies
but that processes are in place so that the oversight body is made aware of the broader
implications of individual complaints. This approach is also supported by the ECHR.
The requirement in ECHR Article 13 of a mechanism for remedies for alleging
violations of Convention rights which is independent from the authorization process
means that a State’s control system, e.g. for data processing, may pass the test of
“accordance with the law” and “necessity in a democratic society” but that the
absence of a remedy means that there is nonetheless a violation of the Convention. As
already mentioned, the ECtHR has stated that a remedy must be effective in law and
fact. It should be noted in particular that the ECtHR has ruled that a data inspection
authority which is independent, and which has formal competence in law to award a
remedy for the holding of inaccurate, inappropriate etc. security data, but which in
fact lacks the expertise to evaluate this data, is not an effective remedy within the
meaning of Article 13.
249. In some countries, not only individuals but also members of the services are
permitted to bring service-related issues to the attention of an ombudsman or
parliamentary oversight body...
250. Another method of handling complaints is through a specialist tribunal.”
SZABÓ AND VISSY v. HUNGARY JUDGMENT 19
be sought in circumstances where other available less invasive techniques have been
exhausted.
86. The provision of communications data to the State should be monitored by an
independent authority, such as a court or oversight mechanism. At the international
level, States should enact Mutual Legal Assistance Treaties to regulate access to
communications data held by foreign corporate actors.
87. Surveillance techniques and practices that are employed outside of the rule of
law must be brought under legislative control. Their extra-legal usage undermines
basic principles of democracy and is likely to have harmful political and social effects.
use of these technologies considering their ability to facilitate systematic human rights
violations.
accountability and judicial oversight; whereas they are given special powers and
capabilities only to this end; whereas these powers should be used within the legal
limits imposed by fundamental rights, democracy and the rule of law and their
application should be strictly scrutinised, as otherwise they lose legitimacy and risk
undermining democracy;
BX. whereas the fact that a certain level of secrecy is conceded to intelligence
services in order to avoid endangering ongoing operations, revealing modi operandi or
putting at risk the lives of agents, such secrecy cannot override or exclude rules on
democratic and judicial scrutiny and examination of their activities, as well as on
transparency, notably in relation to the respect of fundamental rights and the rule of
law, all of which are cornerstones in a democratic society;
BY. whereas most of the existing national oversight mechanisms and bodies were
set up or revamped in the 1990s and have not necessarily been adapted to the rapid
political and technological developments over the last decade that have led to
increased international intelligence cooperation, also through the large scale exchange
of personal data, and often blurring the line between intelligence and law enforcement
activities;
BZ. whereas democratic oversight of intelligence activities is still only conducted at
national level, despite the increase in exchange of information between EU Member
States and between Member States and third countries; whereas there is an increasing
gap between the level of international cooperation on the one hand and oversight
capacities limited to the national level on the other, which results in insufficient and
ineffective democratic scrutiny;
CA. whereas national oversight bodies often do not have full access to intelligence
received from a foreign intelligence agency, which can lead to gaps in which
international information exchanges can take place without adequate review; whereas
this problem is further aggravated by the so-called ‘third party rule’ or the principle of
‘originator control’, which has been designed to enable originators to maintain control
over the further dissemination of their sensitive information, but is unfortunately often
interpreted as applying also to the recipient services’ oversight;
CB. whereas private and public transparency reform initiatives are key to ensuring
public trust in the activities of intelligence agencies; whereas legal systems should not
prevent companies from disclosing to the public information about how they handle
all types of government requests and court orders for access to user data, including the
possibility of disclosing aggregate information on the number of requests and orders
approved and rejected;
Main findings
...
6. Recalls the EU’s firm belief in the need to strike the right balance between
security measures and the protection of civil liberties and fundamental rights, while
ensuring the utmost respect for privacy and data protection;
7. Considers that data collection of such magnitude leaves considerable doubts as to
whether these actions are guided only by the fight against terrorism, since it involves
the collection of all possible data of all citizens; points, therefore, to the possible
existence of other purposes including political and economic espionage, which need to
be comprehensively dispelled;
24 SZABÓ AND VISSY v. HUNGARY JUDGMENT
THE LAW
A. Admissibility
according to the Convention right or rights alleged to have been infringed, the secret
character of the measures objected to, and the connection between the applicant and
those measures.
...
36. The Court points out that where a State institutes secret surveillance the
existence of which remains unknown to the persons being controlled, with the effect
that the surveillance remains unchallengeable, Article 8 could to a large extent be
reduced to a nullity. It is possible in such a situation for an individual to be treated in a
manner contrary to Article 8, or even to be deprived of the right granted by that
Article, without his being aware of it and therefore without being able to obtain a
remedy either at the national level or before the Convention institutions. ...
The Court finds it unacceptable that the assurance of the enjoyment of a right
guaranteed by the Convention could be thus removed by the simple fact that the
person concerned is kept unaware of its violation. A right of recourse to the
Commission for persons potentially affected by secret surveillance is to be derived
from Article 25, since otherwise Article 8 runs the risk of being nullified.”
34. Following Klass and Others (cited above) and Malone v. the United
Kingdom (2 August 1984, § 64, Series A no. 82), the former Commission,
in a number of cases against the United Kingdom in which the applicants
alleged actual interception of their communications, emphasised that the test
in Klass and Others could not be interpreted so broadly as to encompass
every person in the United Kingdom who feared that the security services
may have conducted surveillance of him. Accordingly, the Commission
required applicants to demonstrate that there was a “reasonable likelihood”
that the measures had been applied to them (see, for example, Esbester v.
the United Kingdom, no. 18601/91, Commission decision of 2 April 1993;
Redgrave v. the United Kingdom, no. 20271/92, Commission decision of
1 September 1993; and Matthews v. the United Kingdom, no. 28576/95,
Commission decision of 16 October 1996); subsequently, the Court applied
a similar approach (see Halford v. the United Kingdom, 25 June 1997, §§ 56
to 57, Reports of Judgments and Decisions 1997-III).
35. More pertinently with regard to the present application, in other
cases which concerned complaints about the legislation and practice
permitting secret surveillance measures, the Court has reiterated the Klass
and Others approach on a number of occasions (see, inter alia, Weber and
Saravia (dec.), no. 54934/00, § 78, ECHR 2006 XI; Association for
European Integration and Human Rights and Ekimdzhiev v. Bulgaria,
no. 62540/00, §§ 58 to 60, 28 June 2007; Iliya Stefanov v. Bulgaria,
no. 65755/01, § 49, 22 May 2008; Liberty and Others v. the United
Kingdom, no. 58243/00, §§ 56 to 57, 1 July 2008; and Iordachi and Others
v. Moldova, no. 25198/02, §§ 30 to 35, 10 February 2009).
36. In the case of Kennedy v. the United Kingdom (no. 26839/05, § 124,
18 May 2010) the Court held that in order to assess, in a particular case,
whether an individual can claim an interference as a result of the mere
existence of legislation permitting secret surveillance measures, the Court
28 SZABÓ AND VISSY v. HUNGARY JUDGMENT
must have regard to the availability of any remedies at the national level and
the risk of secret surveillance measures being applied to him. Where there is
no possibility of challenging the alleged application of secret surveillance
measures at domestic level, widespread suspicion and concern among the
general public that secret surveillance powers are being abused cannot be
said to be unjustified. In such cases, even where the actual risk of
surveillance is low, there is a greater need for scrutiny by the Court.
Most recently, the Court adopted, in Roman Zakharov v. Russia ([GC],
no. 47143/06, §§ 170-172, 4 December 2015), a harmonised approach based
on Kennedy, according to which firstly the Court will take into account the
scope of the legislation permitting secret surveillance measures by
examining whether the applicant can possibly be affected by it, either
because he or she belongs to a group of persons targeted by the contested
legislation or because the legislation directly affect all users of
communication services by instituting a system where any person can have
his or her communications intercepted; and secondly the Court will take into
account the availability or remedies at the national level and will adjust the
degree of scrutiny depending on the effectiveness of such remedies.
37. The Court observes that the present applicants complained of an
interference with their homes, communications and privacy on the basis of
the very existence of the law permitting secret surveillance and the lack of
adequate safeguards, admitting that their personal or professional situations
were not of the kind that might normally attract the application of
surveillance measures. They nevertheless thought they were at particular
risk of having their communications intercepted as a result of their
employment with civil-society organisations criticising the Government.
38. The Court observes that affiliation with a civil-society organisation
does not fall within the grounds listed in section 7/E (1) point (a) sub-point
(ad) and point (e) of the Police Act, which concern in essence terrorist
threats and rescue operations to the benefit of Hungarian citizens in
dangerous situations abroad. Nevertheless, it appears that under these
provisions any person within Hungary may have his communications
intercepted if interception is deemed necessary on one of the grounds
enumerated in the law (see paragraph 16 above). The Court considers that it
cannot be excluded that the applicants are at risk of being subjected to such
measures should the authorities perceive that to do so might be of use to
pre-empt or avert a threat foreseen by the legislation – especially since the
law contains the notion of “persons concerned identified ... as a range of
persons” which might include indeed any person.
The Court also notes that, by examining their constitutional complaint on
the merits, the Constitutional Court implicitly acknowledged the applicants’
being personally affected by the legislation in question for the purposes of
section 26(1) of the Act on the Constitutional Court (see paragraph
19 above).
SZABÓ AND VISSY v. HUNGARY JUDGMENT 29
B. Merits
to respect for private and family life and for correspondence (see Klass and
Others, cited above, § 41). Given the technological advances since the Klass
and Others case, the potential interferences with email, mobile phone and
Internet services as well as those of mass surveillance attract the Convention
protection of private life even more acutely (see Copland v. the United
Kingdom, no. 62617/00, § 41, ECHR 2007-I).
54. Any interference can only be justified under Article 8 § 2 if it is in
accordance with the law, pursues one or more of the legitimate aims to
which paragraph 2 of Article 8 refers and is necessary in a democratic
society in order to achieve any such aim. This provision, “since it provides
for an exception to a right guaranteed by the Convention, is to be narrowly
interpreted. Powers of secret surveillance of citizens, characterising as they
do the police state, are tolerable under the Convention only in so far as
strictly necessary for safeguarding the democratic institutions” (see Klass
and Others, cited above, § 42).
55. The Court finds that the aim of the interference in question is to
safeguard national security and/or to prevent disorder or crime in pursuance
of Article 8 § 2. This has not been in dispute between the parties. On the
other hand, it has to be ascertained whether the means provided under the
impugned legislation for the achievement of the above-mentioned aim
remain in all respects within the bounds of what is necessary in a
democratic society (see Klass and Others, cited above, § 46).
56. In its case-law on secret measures of surveillance, the Court has
developed the following minimum safeguards that should be set out in law
in order to avoid abuses of power: the nature of offences which may give
rise to an interception order; the definition of the categories of people liable
to have their telephones tapped; a limit on the duration of telephone tapping;
the procedure to be followed for examining, using and storing the data
obtained; the precautions to be taken when communicating the data to other
parties; and the circumstances in which recordings may or must be erased or
destroyed (see Huvig v. France, 24 April 1990, § 34, Series A no. 176-B;
Amann v. Switzerland [GC], no. 27798/95, §§ 56-58, ECHR 2000-11;
Valenzuela Contreras v. Spain, 30 July 1998, § 46, Reports 1998-V; Prado
Bugallo v. Spain, no. 58496/00, § 30, 18 February 2003; Weber and
Saravia, cited above, § 95; Association for European Integration, cited
above, § 76; and Roman Zakharov, cited above, § 231).
57. When balancing the interest of the respondent State in protecting its
national security through secret surveillance measures against the
seriousness of the interference with an applicant’s right to respect for his or
her private life, the national authorities enjoy a certain margin of
appreciation in choosing the means for achieving the legitimate aim of
protecting national security. However, this margin is subject to European
supervision embracing both legislation and decisions applying it. In view of
the risk that a system of secret surveillance set up to protect national
34 SZABÓ AND VISSY v. HUNGARY JUDGMENT
the National Security Act. Their accessibility has not been called into
question.
61. The applicants, however, contended that this law was not sufficiently
detailed and precise to meet the “foreseeability” requirement of Article 8
§ 2, as it did not provide for sufficient guarantees against abuse and
arbitrariness.
62. The reference to “foreseeability” in the context of interception of
communications cannot be the same as in many other fields. Foreseeability
in the special context of secret measures of surveillance, such as the
interception of communications, cannot mean that an individual should be
able to foresee when the authorities are likely to intercept his
communications so that he can adapt his conduct accordingly. However,
especially where a power vested in the executive is exercised in secret, the
risks of arbitrariness are evident. It is therefore essential to have clear,
detailed rules on interception of telephone conversations, especially as the
technology available for use is continually becoming more sophisticated.
The domestic law must be sufficiently clear to give citizens an adequate
indication as to the circumstances in which and the conditions on which
public authorities are empowered to resort to any such measures (see
Roman Zakharov, cited above, § 229).
63. In the present case, two situations may entail secret surveillance,
namely, the prevention, tracking and repelling of terrorist acts in Hungary
(section 7/E (1) a) (ad) of the Police Act) and the gathering of intelligence
necessary for rescuing Hungarian citizens in distress abroad (section 7/E
(1) e), see in paragraph 16 above).
The applicants criticised these rules as being insufficiently clear.
64. The Court is not wholly persuaded by this argument, recalling that
the wording of many statutes is not absolutely precise, and that the need to
avoid excessive rigidity and to keep pace with changing circumstances
means that many laws are inevitably couched in terms which, to a greater or
lesser extent, are vague (see Kokkinakis v. Greece, 25 May 1993, § 40,
Series A no. 260-A). It is satisfied that even in the field of secret
surveillance, where foreseeability is of particular concern, the danger of
terrorist acts and the needs of rescue operations are both notions sufficiently
clear so as to meet the requirements of lawfulness. For the Court, the
requirement of “foreseeability” of the law does not go so far as to compel
States to enact legal provisions listing in detail all situations that may
prompt a decision to launch secret surveillance operations. The reference to
terrorist threats or rescue operations can be seen in principle as giving
citizens the requisite indication (compare and contrast Iordachi and Others,
cited above, § 46). For the Court, nothing indicates in the text of the
relevant legislation that the notion of “terrorist acts”, as used in section 7/E
(1) a) (ad) of the Police Act, does not correspond to the crime of the same
denomination contained in the Criminal Code (see paragraph 16 above).
36 SZABÓ AND VISSY v. HUNGARY JUDGMENT
84. The Court further notes the evidence furnished by the applicants
according to which the Commissioner for Fundamental Rights has never so
far enquired into the question of secret surveillance (see paragraph 18
above).
85. In any event, the Court recalls that in Klass and Others a
combination of oversight mechanisms, short of formal judicial control, was
found acceptable in particular because of “an initial control effected by an
official qualified for judicial office” (cited above, § 56). However, the
Hungarian scheme of authorisation does not involve any such official. The
Hungarian Commissioner for Fundamental Rights has not been
demonstrated to be a person who necessarily holds or has held a judicial
office (see, a contrario, Kennedy, cited above, § 57).
86. Moreover, the Court has held that the question of subsequent
notification of surveillance measures is inextricably linked to the
effectiveness of remedies and hence to the existence of effective safeguards
against the abuse of monitoring powers, since there is in principle little
scope for any recourse by the individual concerned unless the latter is
advised of the measures taken without his or her knowledge and thus able to
challenge their justification retrospectively. As soon as notification can be
carried out without jeopardising the purpose of the restriction after the
termination of the surveillance measure, information should be provided to
the persons concerned (see Weber and Saravia, cited above, §135;
Roman Zakharov, cited above, § 287). In Hungarian law, however, no
notification, of any kind, of the measures is foreseen. This fact, coupled
with the absence of any formal remedies in case of abuse, indicates that the
legislation falls short of securing adequate safeguards.
87. It should be added that although the Constitutional Court held that
various provisions in the domestic law read in conjunction secured
sufficient safeguards for data storage, processing and deletion, special
reference was made to the importance of individual complaints made in this
context (see point 138 of the decision, quoted in paragraph 20 above). For
the Court, the latter procedure is hardly conceivable, since once more it
transpires from the legislation that the persons concerned will not be
notified of the application of secret surveillance to them.
88. Lastly, the Court notes that is for the Government to illustrate the
practical effectiveness of the supervision arrangements with appropriate
examples (see Roman Zakharov, cited above, § 284). However, the
Government were not able to do so in the instant case.
89. In total sum, the Court is not convinced that the Hungarian
legislation on “section 7/E (3) surveillance” provides safeguards sufficiently
precise, effective and comprehensive on the ordering, execution and
potential redressing of such measures.
Given that the scope of the measures could include virtually anyone, that
the ordering is taking place entirely within the realm of the executive and
44 SZABÓ AND VISSY v. HUNGARY JUDGMENT
A. Damage
99. The applicants also claimed, jointly, EUR 7,500 for the costs and
expenses incurred before the Constitutional Court and the Court in
Strasbourg. This corresponds to altogether 50 hours of legal work billable
by their lawyer at an hourly rate of EUR.
100. The Government contested this claim.
101. According to the Court’s case-law, an applicant is entitled to the
reimbursement of costs and expenses only in so far as it has been shown
that these have been actually and necessarily incurred and are reasonable as
to quantum. In the present case, regard being had to the documents in its
possession and the above criteria, the Court considers it reasonable to award
the sum of EUR 4,000 covering costs under all heads.
C. Default interest
102. The Court considers it appropriate that the default interest rate
should be based on the marginal lending rate of the European Central Bank,
to which should be added three percentage points.
6. Holds
(a) that the respondent State is to pay the applicants, jointly, within
three months from the date on which the judgment becomes final in
accordance with Article 44 § 2 of the Convention, EUR 4,000 (four
thousand euros), plus any tax that may be chargeable to the applicants,
in respect of costs and expenses, to be converted into the currency of the
respondent State at the rate applicable at the date of settlement;
46 SZABÓ AND VISSY v. HUNGARY JUDGMENT
(b) that from the expiry of the above-mentioned three months until
settlement simple interest shall be payable on the above amount at a rate
equal to the marginal lending rate of the European Central Bank during
the default period plus three percentage points;
V.D.G.
F.A.
SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION 47
1
Roman Zhakarov v. Russia [GC], no. 47143/06, 4 December 2015.
2
Draksas v. Lithuania, no. 36662/04, 31 July 2012.
3
See my opinion joined to the case of Lagutin and Others v. Russia, nos. 6228/09,
19123/09, 19678/07, 52340/08 and 7451/09, 24 April 2014. This case related to law-
enforcement and criminal investigations, whose standards differ from those of secret
surveillance for national security purposes. It should be noted that the Chamber often
confuses these standards (see, for example, paragraphs 22 and 56 of the judgment, citing
elements of international law and Court cases relevant for criminal investigation purposes).
48 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION
4
A/HRC/23/40. The Rapporteur advocated judicial supervision of State surveillance of
communications, the right of the monitored person to be notified once the operation has
been completed and the right to seek redress (paragraphs 81 and 82). Prior to that report,
the UN Special Rapporteur on the promotion and protection of human rights and
fundamental freedoms while countering terrorism put forward the “Compilation of good
practices on legal and institutional frameworks and measures that ensure respect for human
rights by intelligence agencies while countering terrorism, including on their oversight”,
17 May 2010 (A/HRC/14/46). Important documents by civil society were also published on
this topic. The “International Principles on the Application of Human Rights to
Communications Surveillance”, endorsed by almost 400 non-governmental and human
rights organisations, were launched in May 2014. The Open Society Justice Initiative
published the “Global Principles on National Security and the Right to Information
(Tshwane Principles)”, on 12 June 2013, which were drafted by 22 organisations and
academic centres, following the “Johannesburg Principles on National Security, Freedom
of Expression and Access to Information” adopted by a group of experts convened by
Article 19 in 1995, and the “Principles of Oversight and Accountability for Security
Services in a Constitutional Democracy” elaborated in 1997 by the Centre for National
Security Studies (CNSS) and the Polish Helsinki Foundation for Human Rights.
5
Paragraph 9 of the Joint Declaration stated that the law must clearly specify the criteria to
be used for determining the cases in which such surveillance is legitimate for national
security purposes and that such measures shall be authorised only in the event of a clear
risk to protected interests and when the damage that may result would be greater than
society’s general interest in maintaining the right to privacy and the free circulation of ideas
and information. In any event, the collection of this information is to be monitored by an
independent oversight body and governed by sufficient due-process guarantees and judicial
oversight, within the limitations permissible in a democratic society.
SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION 49
6
A/RES/68/167. The resolution, which was co-sponsored by 57 Member States, was taken
without a vote.
7
Human Rights Committee Concluding Observations on the 4th USA report,
CCPR/C/USA/CO/4, 26 March 2014, paragraph 22(d).
8
A/HRC/27/37.
50 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION
that, other than the right to privacy, the rights to freedom of opinion and
expression, and to seek, receive and impart information, to freedom of
peaceful assembly and association and to family life may also be affected by
mass surveillance, the interception of digital communications and the
collection of personal data. Targeted surveillance of digital communication
may constitute a necessary and effective measure for intelligence and law-
enforcement entities when conducted in compliance with international and
domestic law, but “it will not be enough that the measures are targeted to
find certain needles in a haystack; the proper measure is the impact of the
measures on the haystack, relative to the harm threatened; namely, whether
the measure is necessary and proportionate”. Mandatory third-party data
retention, whereby Governments require telephone companies and Internet
service providers to store metadata about their customers’ communications
and location for subsequent law-enforcement and intelligence agency
access, appears neither necessary nor proportionate. With the line between
criminal justice and protection of national security blurring significantly, the
sharing of data between law-enforcement agencies, intelligence bodies and
other State organs risks violating the right to privacy, because surveillance
measures that may be necessary and proportionate for one legitimate aim
may not be so for the purposes of another. Thus, States should take steps to
ensure that effective and independent oversight regimes and practices are in
place, with attention to the right of victims to an effective remedy9.
7. More recently, on 24 March 2015 the Human Rights Council decided
to appoint, for a period of three years, a special rapporteur on the right to
privacy10.
8. Within the Council of Europe, the disclosure of the mass surveillance
practices aroused renewed interest in the Convention for the protection of
Individuals with regard to automatic processing of personal data, of
28 January 198111, and the Additional Protocol to the Convention for the
Protection of Individuals with regard to Automatic Processing of Personal
Data, regarding supervisory authorities and transborder data flows of
8 November 200112, as well as in Committee of Ministers Recommendation
No. R (87) 15 on the use of personal data in the police sector, adopted on
17 September 1987, Recommendation No. R (95) 4, on the protection of
personal data in the area of telecommunication services, with particular
reference to telephone services, adopted on 7 February 1995, and
Parliamentary Assembly (PACE) Recommendation 1402(1999)1, on the
control of internal security services in Council of Europe member states,
9
Paragraphs 24-27 and 50 of the report.
10
A/HRC/28/L.27.
11
ETS no. 108.
12
ETS no. 181.
SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION 51
13
The PACE expressed its clear preference for extensive a priori and ex post facto judicial
control of surveillance activities with a high potential to infringe upon human rights, on the
basis of “probable cause for belief that an individual is committing, has committed, or is
about to commit an offence”, or “probable cause for belief that particular communications
or specific proof concerning that offence will be obtained through the proposed interception
or house searches, or that (in the case of arrest) a crime can thus be prevented” and “normal
investigative procedures have been attempted but have failed or appear unlikely to succeed
or be too dangerous.” The authorisation to undertake this kind of operative activity should
be time-limited (to a maximum of three months). Once observation or wire-tapping has
ended, the person concerned should be informed of the measure taken.
14
CDL-AD(2007)016-e. The Venice Commission stated its preference for judicial
authorisation and review of surveillance operations directed to “individual cases”, but
noting at the same time that much surveillance work is not directed towards pre-trial legal
procedures, such as data-mining, and this kind of surveillance work tends to escape judicial
control (paragraphs 29, 202-204). Finally, it conceded that “there may not be much in the
way of concrete suspicions to go on at the time when surveillance is requested but other
means of obtaining information may be regarded as impracticable.” (paragraph 207).
15
CRI(2007)39. The ECRI called on the Governments to introduce a reasonable suspicion
standard, whereby powers relating to control, surveillance or investigation activities can
only be exercised on the basis of a suspicion that is founded on objective criteria.
16
The Recommendation encouraged member States of the Council of Europe to take into
account the Tshwane Principles.
17
The Resolution affirmed that the neutrality of the Internet requires that public authorities,
Internet service providers and others abstain from using invasive wiretapping technologies,
such as deep packet inspection, or from otherwise interfering with the data traffic of
Internet users.
18
CommDH/IssuePaper(2014)1. The Commissioner asserted that “suspicion-less mass
retention of communications data” is fundamentally contrary to the rule of law,
incompatible with core data-protection principles and ineffective. Member States should
not resort to it or impose compulsory retention of data by third parties.
52 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION
19
CDL-AD(2015)006, paragraphs 3, 16, 24, 51, and 103-105.
20
COM(2013) 847 final. The Commission identified a number of shortcomings and set out
13 recommendations. On the basis of these recommendations, the Commission has been
holding talks with the US authorities since January 2014 with the aim of putting in place a
renewed and stronger arrangement for transatlantic data exchanges.
SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION 53
21
COM(2013) 846 final.
22
20013/20188(INI). This Resolution was preceded by the important “Report on the US
NSA surveillance programme, surveillance bodies in various Member States and their
impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and
Home Affairs” (A7-0139/2014), of 21 February 2014.
23
2015/2635(RSP).
54 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION
downward spiral for the fundamental right to privacy and personal data
protection occurring when every bit of information on human behaviour is
considered to be potentially useful in combating future criminal acts,
necessarily resulting in a mass surveillance culture where every citizen is
treated as a potential suspect and leading to the corrosion of societal
coherence and trust.
15. As a matter of fact, the Luxembourg Court played a major role in
redefining the limits of covert data gathering for national security purposes
in the EU and outside it. In Maximillian Schrems v. Data Protection
Commissioner24, the Court of Justice of the European Union declared that
the Commission’s US Safe Harbour Decision is invalid, because it
authorises, on a generalised basis, storage of all the personal data of all the
persons whose data is transferred from the EU to the United States without
any differentiation, limitation or exception being made in the light of the
objective pursued and without an objective criterion being laid down for
determining the limits of the access of the public authorities to the data and
of its subsequent use. The Court added that legislation permitting the public
authorities to have access on a generalised basis to the content of electronic
communications must be regarded as compromising the essence of the
fundamental right to respect for private life. Likewise, the Court observed
that legislation not providing for any possibility for an individual to pursue
legal remedies in order to have access to personal data relating to him, or to
obtain the rectification or erasure of such data, compromises the essence of
the fundamental right to effective judicial protection, the existence of such a
possibility being inherent in the existence of the rule of law. Finally, the
Court found that the Safe Harbour Decision denies the national data
protection supervisory authorities their powers where a person calls into
question whether the decision is compatible with the protection of the
privacy and of the fundamental rights and freedoms of individuals. The
Court held that the Commission did not have competence to restrict the
national supervisory authorities’ powers in that way.
In the joint cases of Digital Rights Ireland and Seitinger and Others25,
the Luxembourg Court had already declared invalid the Data Retention
Directive 2006/24/EC laying down the obligation on the providers of
publicly available electronic communication services or of public
communications networks to retain all traffic and location data (or
metadata) for periods from six months to two years, in order to ensure that
the data were available for the purpose of the investigation, detection and
prosecution of serious crime, as defined by each Member State in its
national law. Both individually and in the aggregate, these surveillance
24
Case C-362/14, judgment of 6 October 2015.
25
Cases C-293/12 and C-594/12, judgment of 8 April 2014.
SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION 55
capabilities allowed the State to build a precise picture of the most intimate
aspects of an individual’s life. The potential threat to privacy resulting from
such compulsory, suspicion-less, untargeted data retention obligation,
generating in the minds of the persons concerned the feeling that their
private lives were subject to constant surveillance, breached Articles 7 and 8
of the EU Charter on Fundamental Rights26.
16. Finally, the European Data Protection Authorities made known their
views on the threats to privacy resulting from mass surveillance tools. The
European Data Protection Supervisor delivered, on 20 February 2014, an
Opinion on the Communications from the Commission to the European
Parliament and the Council on “Rebuilding Trust in EU-US Data Flows”
and on “the Functioning of the Safe Harbour from the Perspective of EU
Citizens and Companies Established in the EU” 27. Subsequently, the
Working Party Article 29 published its Opinion 4/2014 on surveillance of
electronic communications for intelligence and national security purposes,
of 10 April 201428. On 26 November 2014 the European Data Protection
Authorities Assembled in the Article 29 Working Party issued a Joint
Statement29.
17. Act no. XXXIV of 1994 on the Police (the Police Act) does not
contain any definition of a “terrorist act” or “terrorist action”, which could
eventually raise a problem in terms of the foreseeability of the legal
framework of intelligence gathering for national security purposes under
section 7/E (3). It can be argued that the reference of section 69 (5) to
“terrorist act” as defined in section 261 of the former Criminal Code and
sections 314 to 316 of the new Criminal Code fills the definitional gap and
consequently that these concepts refer to the definitions of the Criminal
26
The Luxembourg Court was clearly inspired by the standard established in the data
retention directive case in Germany in 2010 (BVerfG 125, 260).
27
2014/C 116/04.
28
819/14/EN. While focusing on the access to metadata, the Working Party concluded that
secret, massive and indiscriminate surveillance programs are incompatible with the EU
fundamental laws and cannot be justified by the fight against terrorism or other important
threats to national security. The Working Party, amongst others, called for effective, robust
and independent external oversight, performed either by a dedicated body with the
involvement of the data protection authorities or by the data protection authority itself. The
recommendations of the Opinion were based on the legal analysis published in the Working
Document on surveillance of electronic communications for intelligence and national
security purposes, of 5 December 2014.
29
14/EN WP227.
56 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION
30
Paragraph 64 of the judgment.
31
See also my separate opinion in Draksas, cited above, page 26, point (2). Hence, I cannot
share the Chamber’s statement that “the requirement of “foreseeability” of the law does not
go so far as to compel States to enact legal provisions listing in detail all situations that may
prompt a decision to launch secret surveillance operations” (paragraph 64 of the judgment),
which not only downgrades the role of the principle of legality in a field of law where its
rigorous reading is most needed, but also leaves the door wide open to creative
interpretation of the law by Government and therefore to State abuse. An example of this
worrying creative interpretation is given by the Government themselves in the present case,
when they refer to the following two tasks pursued by secret intelligence gathering subject
to ministerial authorisation in Hungary: “one the one hand, to detect and eliminate acts of
terrorism and, on the other hand, to find and rescue Hungarian nationals [who have] got
into trouble in a foreign country. The applicants may only be regarded to be affected by the
contested provisions in so much that the Act does not exclude them from the circle of
persons who in the context of the detection and identification of a person or a group of
persons potentially linked to an act of terrorism may, among the persons or at a location or
in a facility endangered by an act of terrorism, be affected by secret intelligence
gathering…” (see page 8 of the Government observations of 31 October 2014). This means
that any person with a “potential link” to an act of terrorism or a place endangered by an act
of terrorism, including the potential victims, may be submitted to a surveillance measure, as
well as any person potentially linked to an incident with an Hungarian who “got into
trouble in a foreign country”! In their security-purposed logic, the Government conclude
that “the national security aspects to be weighed can be specified under the law in very
broad terms, as in the actual assessment security policy aspects, that is, non-legal aspects
will have priority… In the field of authorising national security-purposed secret
intelligence gathering no positive law specifying an exact criteria system providing grounds
for a judicial decision exists or can be created … Therefore in the field of combatting
terrorism authorisation for national security-purposed secret intelligence gathering is
granted on the basis of a politically influenced criteria-system which cannot be specified
under positive law…” (see page 12 of the Observations). Summing up the Government’s
perspective, State secret surveillance is the realm of politics and no law “exits or can be
created” to limit this realm.
32
Iordachi and Others v. Moldova, no. 25198/02, 10 February 2009. See also my separate
opinion in Draksas, cited above, page 26, point (3), and page 27, for similar defects in the
Lithuanian law.
SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION 57
Hungarian law is that of the “persons concerned [to be] identified by name
or as a range of persons” (section 57 (2) (a) of the National Security Act),
which inevitably allows for unfettered ministerial discretion and for a
“strategic, large-scale interception”33. In paragraph 71 of the present
judgment, the Chamber chose the lower standard of an unqualified
“individual suspicion”, which diminishes significantly the degree of
protection set out in Roman Zakharov and previously in Iordachi and
Others34. Worse still, the almost evanescent suspicion criterion chosen by
the Chamber is totally at odds with the growing concern of the United
Nations, the Council of Europe and the European Union with regard to
massive, indiscriminate and secret “bulk surveillance” and the present state
of international law, as established in the above-mentioned documents, such
as Parliamentary Assembly Resolution 2045(2015) and its Recommendation
1402(1999)1, the Venice Commission’s 2007 and 2015 reports, the
European Commission against Racism’s General Policy Recommendation
no. 11 and the European Parliament Resolutions of 12 March 2014 and of
29 October 2015.
19. Implicit in the Chamber’s reasoning, as well as in the Constitutional
Court’s, is the assumption that national security protection is not limited to
the investigation of past, ongoing or future offences and therefore the
“reasonable suspicion” criterion should be dispensed with. This assumption
is wrong in the present case, in face of the letter of section 7/E (3) of the
Police Act, which specifically refers to preventing, tracking and repealing of
attempts to carry out terrorist acts in Hungary (subsection (1) point a) sub-
point ad)) and to rescuing Hungarian citizens who are in distress due to an
imminent and life-threatening danger of act of war, armed conflict, hostage-
taking or terrorist action outside the territory of Hungary (subsection (1)
point (e)). As is clear, these tasks refer either to to the criminal prevention of
acts of terrorism in Hungary or to rescue operations in situations of danger,
war, armed conflict, hostage-taking or terrorist action already ongoing
outside the territory of Hungary. In both the cases of criminal prevention
and rescue operations, nothing hinders the applicability of the criterion of
33
The critique of the Chamber in paragraph 69 of the judgment is entirely right, but
unfortunately the Chamber did not follow through this argument to its logical end.
34
In other words, the Chamber standard is even below the lowest degree of bona fide
suspicion or “initial suspicion” (Anfangsverdacht) relevant in criminal law. The Chamber’s
reference to paragraphs 259 and 261 of Zakharov is misleading, since the Grand Chamber
qualified the “individual suspicion” by restricting it to a “reasonable suspicion” test in
paragraphs 260, 262 and 263, which the Chamber chose to ignore. Furthermore, the
Chamber’s reference to a “sufficient factual basis” adds nothing, because this evidentiary
“basis” refers to the “supportive materials” and not to the degree of suspicion required to
justify the application of any secret intelligence gathering measure. For further discussion
on the three possible degrees of suspicion in the field of criminal law, see my separate
opinion in Lagutin and Others, cited above, page 38, point 9.1).
58 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION
21. Section 53 of the National Security Act provides for the necessity
test. Paragraphs 67, 71, 72, 74, 75 and 88 of the judgment use a “strict
necessity” test and refer it to two purposes: the safeguarding of democratic
institutions and the acquiring of vital intelligence in an individual
35
Paragraph 78 of the judgment.
36
Liberty and Others v. the United Kingdom, no. 58243/00, § 63, 1 July 2008, and Weber
and Saravia v. Germany (dec.), no. 54934/00, § 114, 29 June 2006, both concerned with
generalised “strategic monitoring”.
37
Paragraph 12 of the European Parliament Resolution of 12March 2014, cited above.
SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION 59
38
In fact, the Chamber uses a double language. Paragraph 58 refers to the “necessity” test
and the “necessity” requirements, but subsequently the language becomes more demanding,
adding the adjective “strict” to the word necessity.
39
Roman Zakharov, cited above, § 233 (“the bounds of necessity, within the meaning of
article 8 § 2”) and § 236 (“the necessity test”, “to address jointly the “in accordance with
the law” and “necessity” requirements”).
40
See my separate opinion in Draksas, cited above, page 26, point (4), and my separate
opinion in Lagutin and Others, cited above, page 36, point (6).
41
See my separate opinion in Draksas, cited above, page 26, point (5).
60 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION
23. The National Security Act does not provide for an independent
authority to authorize the beginning of the surveillance operation (first stage
or ex ante review stage), since section 58 only refers to the Minister of
Justice as the sole authority to decide on the motion for a secret surveillance
measure, with no further appeal against his or her decision being
admissible42. The legal framework does not include an examination of the
case file or an assessment of the factual and legal grounds for authorisation
of the secret surveillance measure by an independent authority, preferably a
judge, as paragraph 233 of Roman Zakharov stated, following Klass and
Others43. In view of the enlarged consensus in international law mentioned
above and the gravity of the present-day dangers to citizens’ privacy, the
rule of law and democracy, the time has come not to dispense with the
fundamental guarantee of judicial authorisation and review in the field of
covert surveillance gathering44. Obviously, the judicial guarantee is not
incongruous with an additional external guarantee of political, e.g.
parliamentary, nature.
24. In the case at hand, the external control by Parliament’s National
Security Committee and the Commissioner for Fundamental Rights does not
guarantee an independent evaluation of the ministerial exercise of decisional
powers, in view of the external supervisory entities’ own lack of review
powers in concrete cases45. In addition, in the course of his or her inquiry
42
On the three stages of the oversight procedure, when the surveillance is first ordered,
while it is being carried out and after it has been terminated, see paragraph 233 of Roman
Zakharov, cited above, as well as paragraph 72 of Decision no. 32/2013 (XI.22) AB of the
Constitutional Court, cited in paragraph 20 of the present judgment.
43
Klass and Others v. Germany, 6 September 1978, §§ 55 and 56, Series A, no. 28.
44
See also my separate opinion in Draksas, cited above, page 26, point (6). Thus, I cannot
follow the Hungarian Constitutional Court when it argues that “Identifying and combating
endeavours aimed at committing acts having relevance from the aspects of securing the
sovereignty of the State and of protecting the lawful order of the State may fall outside the
sphere of particular criminal offences … The prevention and elimination of risks to
national security require political decisions, therefore decisions of this type fall in the
competence of the executive power” (paragraph 105 of Decision no. 32/2013 (XI.22) AB
of the Constitutional Court, cited in paragraph 20 of the judgment). Neither can I accept the
argument of the Government that judges are not welcomed, “because either due to lack of
expertise or the absence of external – political – accountability on the part of the courts or –
in case of specialisation – due to the courts’ becoming part of the system and their resulting
readiness to give preference to national security interests, courts tend to accept the risk-
assessments of the national security services, hence judicial control constitutes only formal
supervision.” (Government observations of 31 October 2014, page 11).
45
Although the Committee may request information on particular cases under section 14
(4) a) of the National Security Act, and the Minister or the chief director shall, within the
established deadline, reply, the Committee lacks any decision-making power with regard to
the particular cases.
SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION 61
46
Article 23 (2) of Act CXI of 2011 on the Commissioner for Fundamental Rights. This
contradicts the principle that oversight institutions should have the power to initiate their
own investigations into areas of the intelligence service’s work that fall under their
mandates, and are granted access to all information necessary to do so (see UN 2010
Compilation of good practices, cited above, paragraph 14, and the UNHCHR 2014 report,
cited above, paragraph 41). In fact, the reality is that the Ombudsman’s office has never
dealt with a case concerning the surveillance of a citizen (see paragraph 18 of the judgment
and annex 2 to the applicants’ observations).
47
Such a holistic assessment was made of the Russian law by the Grand Chamber in
Roman Zakharov, cited above, § 178. The Hungarian Constitutional Court examined both
the authorisation stage and the handling of the collected data following the termination of
the interference and found the protection of the right to privacy satisfactory in the light of
the guarantees subsequent to the authorisation stage, such as the parliamentary external
oversight. The Government themselves referred to these guarantees in paragraphs 16 to 18
of their observations. Although the Chamber considered, in paragraph 58 of the judgment,
that “the Court is required to examine this legislation itself and the safeguards built into the
system allowing for secret surveillance”, it did not deliver what it promised.
62 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION
48
In paragraph 274 of Roman Zakharov, cited above, the Court noted that the domestic
courts had no competence to supervise the implementation stage of the secret surveillance
measure, finding in paragraph 285 that the supervision of this second stage by the public
prosecutor was insufficient.
49
The interpretation proposed by the Constitutional Court in paragraph 138 of Decision
no. 32/2013 (XI.22) AB of the Constitutional Court, cited in paragraph 20 of the judgment
above, deriving from sections 43 and 50 (2) (e), when read in conjunction, a legal
obligation to delete ex officio unnecessary data not only seems forced, but does not really
solve the issue, since no specifics are provided about the competence, timing and procedure
for deletion of data collected for the purposes of Section 7/E (3) of the Police Act.
50
See my separate opinion in Draksas, cited above, page 28, for similar defects in the
Lithuanian law. Paragraph 255 of Roman Zakharov, cited above, censured the automatic
storage for six months of clearly irrelevant data. But the Grand Chamber did not take in
account the interest of the monitored person to invoke the allegedly “irrelevant” data in his
or her defence, as quite rightly argued in Dumitru Popescu v. Romania (no. 2),
no. 71525/01, § 78, 26 April 2007.
SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION 63
29. The National Security Act does not set out the conditions to be
fulfilled and the precautions to be taken when the National Security
Services communicate the data obtained to third parties, as paragraph 231 of
Roman Zakharov specifically requests52. The vague reference in section 45
to the transfer of personal data to “foreign data processing authorities within
the framework of laws on protection of personal data” is manifestly
insufficient.
30. The National Security Act does not establish the duty to notify the
person under surveillance of the measure taken when it is over, provided
that the interests of national security are not endangered by such disclosure,
as paragraph 234 of Roman Zakharov lays down, here again following
Klass and Others53. Nor are any special guarantees with regard to the
secrecy of lawyer-client, doctor-patient, priest-penitent and journalist-source
privileged communications included in the Hungarian legal regime54.
31. Section 58 of the National Security Act prohibits appeals against the
Minister of Justice’s decision on any motion for a covert surveillance
measure under section 7/E (3) of the Police Act. The absence of any ex post
51
European Integration and Human Rights and Ekimzhiev v Bulgaria, no. 62540/00,
§ 16,28 June 2007.
52
See also my separate opinion in Draksas, cited above, page 26, point (8).
53
Klass and Others, cited above, §§ 55 and 56. See also my separate opinion in Draksas,
cited above, page 26, point (9), and page 29 for similar defects in the Lithuanian law.
54
See also my separate opinion in Draksas, cited above, page 26, point (10). The
Parliamentary Assembly Resolution 1954 (2013), cited above, reiterated that measures such
as interception orders or actions concerning communication or correspondence of
journalists or their employers or surveillance orders or actions concerning journalists, their
contacts or their employers should not be applied if their purpose is to circumvent the right
of journalists not to disclose information identifying a source. The Venice Commission
underscored very recently the “particularly problematic” nature of interception of
privileged communications by means of covert intelligence of lawyers, priests or journalists
and gave the example of covert surveillance of journalists in order to identify their sources
(Venice Commission Update of the 2007 report, cited above, paragraphs 18 and 106-108).
64 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION
55
This is confirmed by the inexistence of complaints to the National Security Commission
(annex 1 of the applicants’ observations, confirmed by the Government observations of
14 January 2015).
56
In Russia, the general remedies were only available to persons in the possession of
information about the surveillance measure, and therefore their effectiveness was
undermined by the absence of a requirement to notify the subject of the measure at any
point (see Roman Zakharov, cited above, § 298, and previously, Association for European
integration and Human rights and Ekimdzhiev, cited above, § 100).
SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION 65
33. Furthermore, although section 50 (2) (b) of the National Security Act
mentions the possibility of deletion of personal data “ordered by a court in
data protection proceedings”, and section 48 allows for the “concerned
persons to file a request for the deletion of their personal data” 57, it is not
clear how the monitored individual concerned may request that his or her
personal data be deleted if he or she does not even have a fair possibility of
obtaining information about the collection of that personal data by the
National Security Services.
34. In sum, by depriving the subject of the secret surveillance measure
of any notification of its existence and therefore of the effective possibility
of challenging it retrospectively, Hungarian law eschews the most important
safeguard against improper use of secret surveillance measures 58. Were
Samuel Warren and Louis Brandeis confronted with this law, they would
undoubtedly repeat the words they used to call for their right to privacy:
“The intensity and complexity of life, attendant upon advancing civilization,
have rendered necessary some retreat from the world, and man, under the
refining influence of culture, has become more sensitive to publicity so that
solitude and privacy have become more essential to the individual” 59.
Conclusion
57
See the Constitutional Court’s interpretation of this provision in paragraph 138 of its
Decision no. 32/2013 (XI.22) AB, cited in paragraph 20 of the judgment.
58
I cannot therefore agree with the Constitutional Court’s statement that “Since secret
intelligence gathering does, per definition, exclude the possibility of an effective
remedy…” (see paragraph 72 of the Decision no. 32/2013 (XI.22) AB of the Constitutional
Court, cited in paragraph 20 of the judgment above).
59
Samuel Warren and Louis Brandeis, “The right to privacy”, in Harvard Law Review,
volume IV, no. 5, 15 December 1890, p. 196.
60
Rotaru v. Romania [GC], no. 28341/95,§ 59, 5 May 2000, paraphrasing Klass and
Others, cited above, § 49: “The Court, being aware of the danger such a law poses of
undermining or even destroying democracy on the ground of defending it, affirms that the
Contracting States may not, in the name of the struggle against espionage and terrorism,
adopt whatever measures they deem appropriate.”
66 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION
law and democracy resulting from such a legal framework 61. Worse still, the
choices made by the Chamber introduce a strong dissonant note in the
Court’s case-law. Paragraph 71 of the judgment departs clearly from
paragraphs 260, 262 and 263 of Roman Zakharov and paragraph 51 of
Iordachi and Others v. Moldova, since the Chamber uses a vague, anodyne,
unqualified “individual suspicion” to apply the secret intelligence gathering
measure, while the Grand Chamber uses the precise, demanding, qualified
criterion of “reasonable suspicion”. Judicial authorisation and review is
watered down if coupled with the Chamber’s ubiquitous criterion, because
any kind of “suspicion” will suffice to launch the heavy artillery of State
mass surveillance on citizens, with the evident risk of the judge becoming a
mere rubber-stamper of the governmental social-control strategy. A
ubiquitous “individual suspicion” equates to overall suspicion, i.e., to the
irrelevance of the suspicion test at all. In practice, the Chamber condones
volenti nolenti widespread, non-(reasonable) suspicion-based, “strategic
surveillance” for the purposes of national security, in spite of the
straightforward rebuke that this method of covert intelligence gathering for
“national, military, economic or ecological security” purposes received from
the Grand Chamber in Roman Zakharov. Only the intervention of the Grand
Chamber will put things right again.
61
This is particularly worrying if one considers that over the past few years, several privacy
and digital rights organizations have pointed to evidence that the Hungarian authorities
have purchased potentially invasive surveillance technologies (Freedom House, Freedom
on the Internet, report on Hungary, 2015, page 15).
computer law & security review 33 (2017) 541–552
ScienceDirect
w w w. c o m p s e c o n l i n e . c o m / p u b l i c a t i o n s / p r o d c l a w. h t m
Comment
Xavier Tracol *
Data Protection Service, EUROJUST, The Hague, The Netherlands
A B S T R A C T
Keywords: As a follow up to the Digital Rights judgment of 8 April 2014 in which the Grand Chamber
European Court of Justice invalidated the data retention directive, the Administrative Court of Appeal in Stockholm
Tele2 Sverige and Watson and the Court of Appeal in London both referred questions to the Court of Justice for a pre-
Digital Rights Ireland and Seitlinger liminary ruling. On 21 December 2016, the Grand Chamber rendered a landmark judgment
Article 15(1) of e-privacy Directive in which it interpreted Article 15(1) of e-privacy directive 2002/58/EC dated 12 July 2002 in
2002/58/EC of 12 July 2002 light of Article 7 on the right to privacy, Article 8 on the protection of personal data, Article
Telecommunications metadata 11 on freedom of expression and Article 52(1) on the principle of proportionality of the Charter
Retention of personal data of Fundamental Rights. The Grand Chamber ruled that EU law does not allow a general and
Legal validity indiscriminate retention of all traffic and location data. It also ruled that access of compe-
Articles 7, 8, 11 and 52(1) of the tent national authorities to retained data must be restricted solely to fighting serious crime
Charter of Fundamental Rights and subject to prior review by a court or an independent administrative authority.
Access to data © 2017 Xavier Tracol. Published by Elsevier Ltd. All rights reserved.
Prior review by a court or
independent administrative
authority
“Justice raises her voice, but she has difficulty making herself heard
amid the tumult of the passions.” 1. Introduction
Charles-Louis de Sécondat, Baron of Brède and of In its judgment of 8 April 2014 in Digital Rights, the Grand
Montesquiou a/k/a Montesquieu, Persian Letters, Letter 81, Chamber held data retention directive 2006/24/EC to be invalid
Usbek to Rhedi, in Venice, 1721. ex tunc since it seriously interfered with the fundamental rights
to respect for private life and protection of personal data and all traffic data, without any distinction, limitation or excep-
exceeded the limits of the principle of proportionality which tion being made by reference to the objective of fighting crime
are provided for in the Charter of Fundamental Rights. A [. . .] compatible with Article 15(1) of Directive 2002/58, taking
harmonised legal framework regulating the retention of data into account Articles 7, 8 and 52(1) of the Charter?”4
has consequently been unavailable at EU level since the date In the UK, the deputy leader of the Labour party,Tom Watson,
of this judgment. The latter has however not impacted on the Peter Brice and Geoffrey Lewis brought actions against the rules
legal validity of national laws adopted by Member States to provided for in the Data Retention and Investigatory Powers
enact the invalidated directive. Act 2014 (“DRIPA”) which authorised the Home Secretary to
The two cases at hand of Tele2 Sverige and Watson pre- require public telecommunications operators to retain all com-
cisely dealt with national laws which enacted the invalidated munications data except their content for a maximum period
directive. The landmark judgment of the Grand Chamber ac- of 12 months. By judgment of 17 July 2015, the High Court of
cordingly focused on the results and implications of its earlier Justice in London ruled that the regime of the DRIPA was in-
judgment invalidating the data retention directive for the leg- consistent with EU law in that it did not meet the requirements
islative reality in Member States as well as on the compatibility laid down in the Digital Rights judgment that it regarded as ap-
of national data retention measures with fundamental rights plying to the rules in the Member States on the retention of
set out in the Charter. data relating to electronic communications and on access to
such data.5 The Home Secretary appealed against this judgment.
By judgment of 20 November 2015, the Court of Appeal con-
sidered that the Court of Justice had simply identified and
2. Relevant law
described protections which were missing in the harmonised
EU regime in the Digital Rights judgment.6 The Court of Appeal
Article 15(1) of e-privacy directive 2002/58/EC gives Member States requested the Court of Justice to clarify the impact of its judg-
an option to retain data in the electronic communications sector. ment which limited both the collection of and access to data.
This provision sets out that traffic and location data may both The Court of Appeal specifically asked the Court of Justice
be exceptionally retained for a limited period on the basis of whether the Digital Rights judgment and especially para-
a specific legislative measure taken by Member States. The graphs 60 to 62 thereof “lay down mandatory requirements of
retention is only allowed when it “constitutes a necessary, ap- EU law applicable to a Member State’s domestic regime governing
propriate and proportionate measure within a democratic society access to data retained in accordance with national legisla-
to safeguard national security (i.e. State security), defence, public tion, in order to comply with Articles 7 and 8 of the [Charter]”.7
security, and the prevention, investigation, detection and pros- The approach of the two referring courts is thus quite dif-
ecution of criminal offences or of unauthorised use of the ferent since the relevant national systems of data retention
electronic communications system.” substantially differ: the Swedish legislation provides for a general
obligation of retention whilst the British legislation is based on
the discretion of the Secretary of State for the Home Department.
3. Procedural background of the cases In granting the expedited procedure pursuant to Article 105(1)
of the Rules of Procedure of the Court, the president of the Court
of Justice, Judge Koen Lenaerts, considered that the dispute in
The day after the judgment was handed down, Tele2 Sverige
the UK was over the Secretary of State’s powers “to require public
which is a provider of electronic communications services no-
telecommunications operators to retain communications data
tified the Swedish Post and Telecommunications Authority
for a maximum period of 12 months, retention of the content
(“PTS”) of its decision to cease retaining the data referred to
of the communications concerned being excluded.”8 Regard-
in Chapter 6 of Law 2003:389 on electronic communications
ing Sweden, the judge also noted that “it is clear that national
(“the LEK”) from 14 April 2014. Tele2 Sverige also proposed to
legislation that permits the retention of all electronic commu-
delete the data which had been retained until then in accor-
nications data and subsequent access to that data is liable to
dance with this chapter.1 Tele2 Sverige had concluded that the
cause serious interference with the fundamental rights laid down
Swedish legislation enacting then invalidated data retention
in Articles 7 and 8 of the Charter”.9
directive 2006/24 was not in conformity with the Charter.2
The Commission and governments of 15 Member States in-
By decision of 29 April 2015, the Administrative Court of
cluding Sweden and the UK submitted observations. Privacy
Appeal in Stockholm stayed the proceedings and referred the
International, the Law Society and Open Rights Group inter-
following question to the Court of Justice for a preliminary ruling:3
vened in the case.10 The Council did however not intervene.
“Is a general obligation to retain data in relation to all persons
and all means of electronic communication and extending to
4
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 55(1).
1 5
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 44. Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 58.
2 6
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 50; Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 59.
7
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] paras 15 and Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 60(1).
8
63. Order of the President of the Court, Case C-698/15, 1 February
3
Regarding this decision, see Pam Storr, “Blanket Storage of Com- 2006, para 3.
9
munications Data – Proportional or Not? Sweden Asks CJEU for Order of the President of the Court, Case C-698/15, 1 February
Clarification on Data Retention”, European Data Protection Law Review, 2006, para 10.
10
2015, Volume 1, Issue 3, pp. 230–235. Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 57.
computer law & security review 33 (2017) 541–552 543
A high profile hearing took place on 12 April 2016.11 Judge as exceptions provided for by EU law to the exercise of fun-
Rapporteur Thomas von Danwitz was also Judge Rapporteur damental freedoms and rights, these measures have to comply
in the cases of Digital Rights12 and Schrems.13 with the Charter. He argued that general data retention obli-
gations are “a serious interference with the right to privacy,
enshrined in Article 7 of the Charter, and the right to the pro-
tection of personal data guaranteed by Article 8 of the Charter.”22
4. Analysis of the opinion of Advocate
General Henrik Saugmandsgaard Øe dated
19 July 2016 4.2. Test of strict necessity
4.3. Respect for the essence of the fundamental right to requirement into a positive obligation and “requirement”42 to
privacy and access to communications metadata retain data within the EU.43
The Advocate General considered that all the guarantees
Advocate General Saugmandsgaard Øe reiterated that the Grand described by the Grand Chamber in paragraphs 60 to 68 of the
Chamber held in the Digital Rights judgment that “Directive 2006/ Digital Rights judgment “are mandatory and consequently must
24 did not adversely affect the essence of the right to privacy accompany any general data retention obligation in order to
or of the other rights enshrined in Article 7 of the Charter, since limit the interference [with the fundamental rights] to what
it did not permit the acquisition of knowledge of the content is strictly necessary.”44 In addition, this obligation must be pro-
of the electronic communications as such.”32 He expressed the portionate, within a democratic society, to the objective of
view that this “finding could equally apply to the national regimes fighting serious crime.45
at issue in the main proceedings, since they also do not permit Last but not least, domestic courts bear the onus to deter-
the acquisition of knowledge of the content of the electronic mine, in light of all the relevant characteristics of the national
communications as such.”33 The Advocate General however regimes, whether the requirements are met and sufficient safe-
emphasised that the risks associated with access to commu- guards are in place for data retention.46 Advocate General
nications metadata “may be as great or even greater than those Saugmandsgaard Øe thus questionably left it to domestic courts
arising from access to the content of communications”.34 On the to make their own assessment of proportionality in indi-
basis of specific examples,35 he added that metadata “facili- vidual cases.
tate the almost instantaneous cataloguing of entire populations,
something which the content of communications does not.”36
The Advocate General found that the general obligation to
retain data must be strictly necessary to the fight against serious 5. Analysis of the judgment of the Grand
crime.37 He did state that certain sensitive data such as data Chamber dated 21 December 2016
which is subject to professional privilege or makes it pos-
sible to identify the source of a journalist should be excluded On 21 December 2016, the Court of Justice sitting in the Grand
from the scope of the retention obligation.38 Chamber composed of 15 judges47 rendered its judgment in the
two joint Tele2 Sverige and Watson cases. It ruled that EU law
4.4. Adequate controls on geographical safeguards: does not allow a “general and indiscriminate retention of all
retention and storage of personal data within the EU traffic and location data”.48 The Grand Chamber also ruled that
access of competent national authorities to retained data must
Advocate General Saugmandsgaard Øe’s interpretation of para- be “restricted solely to fighting serious crime”49 and “subject
graph 68 of the Digital Rights judgment contributes to the to prior review by a court or an independent administrative
development of EU personal data law. In this paragraph, the authority”.50
Grand Chamber noted that the data retention directive did not
require the data to be retained within the EU “with the result 5.1. National legislation on the retention of data falls
that it cannot be held that the control, explicitly required by within the scope of EU law
Article 8(3) of the Charter, by an independent authority of com-
pliance with the requirements of protection and security [. . .] The Grand Chamber first considered that “the legislative mea-
is fully ensured.”39 The Grand Chamber thus noted this missing sures that are referred to in Article 15(1) of Directive 2002/58
requirement as one of the reasons why the data retention di- concern activities characteristic of States or State authori-
rective did not “provide for sufficient safeguards [. . .] to ensure ties, and are unrelated to fields in which individuals are active”.51
effective protection of the data retained against the risk of abuse
and against any unlawful access and use of that data.”40 42
Opinion in Joined Cases C-203/15 and C-698/15 [2015] paras 240
In his opinion, Advocate General Saugmandsgaard Øe and 241.
however stated that in paragraph 68 of the Digital Rights judg- 43
See Xavier Tracol, “Legislative genesis and judicial death of a
ment, the Grand Chamber “established that service providers directive: the European Court of Justice invalidated the data re-
are under an obligation to retain data”41 within the EU. He thus tention directive (2006/24/EC), thereby creating a sustained period
turned the finding of the Grand Chamber about a missing of legal uncertainty about the validity of national laws which
enacted it”, Computer Law & Security Review, volume 30, issue 6,
December 2014, pp. 744 and 745.
32 44
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 156. Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 244.
33 45
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 157. Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 247.
34 46
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 259. Opinion in Joined Cases C-203/15 and C-698/15 [2015] paras 160,
35
Opinion in Joined Cases C-203/15 and C-698/15 [2015] paras 257 209, 211, 215, 245 and 261.
47
and 258. See Composition of the Grand Chamber, Official Journal of the
36
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 259. European Union, C 296, 16 August 2016, p. 2.
37 48
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 205. Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para
38
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 212. 134(1).
39 49
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para
Seitlinger and Others [2013] para 68. 134(2).
40 50
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para
Seitlinger and Others [2013] para 66. 134(2).
41 51
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 238. Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 72.
computer law & security review 33 (2017) 541–552 545
Whilst Articles 1(3) and 15(1) of the directive seem to overlap, general principles of EU law. The latter encompass the Charter
it does not mean that matters permitted on the basis of Article in light of which this provision must be interpreted.60
15(1) of the directive fall outside its scope since “otherwise that The Grand Chamber emphasised that the obligation to retain
provision would be deprived of any purpose. Indeed, Article 15(1) traffic data raises questions on the compatibility with Ar-
necessarily presupposes that the national measures referred ticles 7, 8 and 11 of the Charter on freedom of expression and
to therein [. . .] fall within the scope of that directive, since it information.61 Contrary to the Digital Rights judgment,62 the
expressly authorises the Member States to adopt them only Grand Chamber emphasised that Article 15 of the directive
if the conditions laid down in the directive are met.”52 By adopt- provided further detail in the context of communications whilst
ing measures which are expressly excluded from the scope recital 11 requires measures to be “‘strictly’ proportionate to
of EU law, States continue being paradoxically regarded as the intended purpose”.63
implementing EU law. The scope of the latter thus depends on
the purpose of Article 15(1) of the directive. 5.3. A very far-reaching and particularly
The Grand Chamber held that retention and access both serious interference
lay within the field of the directive.53 It ruled that “a legisla-
tive measure whereby a Member State, on the basis of Article The scope of the judgment dealt with the Swedish legisla-
15(1) of Directive 2002/58, requires providers of electronic com- tion which “provides for a general and indiscriminate retention
munications services, for the purposes set out in that provision, of all traffic and location data of all subscribers and regis-
to grant national authorities, on the conditions laid down in tered users relating to all means of electronic communication,
such a measure, access to the data retained by those provid- and [. . .] imposes on providers of electronic communications
ers, concerns the processing of personal data by those providers, services an obligation to retain that data systematically and
and that processing falls within the scope of that directive.”54 continuously, with no exceptions.”64
The Charter as interpreted by the Grand Chamber in its The Grand Chamber considered that communications
Digital Rights judgment accordingly applies to national regimes metadata described in detail65 allows “very precise conclu-
about both retention of data and access thereto by public au- sions to be drawn concerning the private lives of the persons
thorities on security grounds. whose data has been retained”.66 They make the profiling of
data subjects possible, as observed by Advocate General
5.2. Interpretation of Article 15(1) of the directive
Saugmandsgaard Øe in his opinion that the Grand Chamber
expressly approved, which is as sensitive information as the
The Grand Chamber noted that “as a general rule, any person
actual content of communications. The interference by na-
other than the users is prohibited from storing, without the
tional legislation which provides for the retention of traffic and
consent of the users concerned, the traffic data”.55 It noted that:
location data “in the fundamental rights enshrined in Ar-
ticles 7 and 8 of the Charter is very far-reaching and must be
Under Article 6 of that directive, the processing and storage of
considered to be particularly serious. The fact that the data is
traffic data are permitted only to the extent necessary and for the
retained without the subscriber or registered user being in-
time necessary for the billing and marketing of services and
formed is likely to cause the persons concerned to feel that
the provision of value added services. As regards, in particular,
their private lives are the subject of constant surveillance”67
the billing of services, that processing is permitted only up to the
which are the same terms as the Digital Rights judgment.68 The
end of the period during which the bill may be lawfully chal-
Grand Chamber however considered that the relevant legis-
lenged or legal proceedings brought to obtain payment. Once that
lation did not affect the essence of fundamental rights since
period has elapsed, the data processed and stored must be erased
the retention did not include the content of communications.69
or made anonymous.56
The Grand Chamber justified the different findings on freedom
of expression made in this case and in the Digital Rights judg-
In addition, recital 30 of the directive sets out the prin-
ment by holding that the retention of traffic and location data
ciple of data minimisation.57 Whilst Article 15(1) of the directive
could “have an effect on the use of means of electronic com-
permits exceptions, they must be interpreted strictly so that the
munication and, consequently, on the exercise by the users
exception does not become the rule. The latter would other-
thereof of their freedom of expression, guaranteed in Article
wise “be rendered largely meaningless.”58 The Grand Chamber
11 of the Charter”.70 Accordingly, “only the objective of fighting
emphasised that the list of objectives provided for in Article
15(1) of the directive is exhaustive.59 In fine, this provision re-
60
quires that all the measures referred to in Article 15(1) of the Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 91.
61
directive including the retention of data be in accordance with Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 92.
62
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2013] paras 28 and 70.
52 63
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 73. Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 95.
53 64
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 76. Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 97.
54 65
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 78. Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 98.
55 66
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 85. Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 99.
56 67
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 86. Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 100.
57 68
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 87. Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
58
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 89 Seitlinger and Others [2013] para 37.
69
in fine. Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 101.
59 70
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 90. Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 101.
546 computer law & security review 33 (2017) 541–552
serious crime is capable of justifying such a measure”.71 Al- “any relationship between the data which must be retained
though the Grand Chamber did not cross-refer to the opinion and a threat to public security.”79 It also noted that this legis-
of Advocate General Saugmandsgaard Øe, it agreed with him lation is not limited to retention of “(i) data pertaining to a
that the seriousness of the interference implied that the re- particular time period and/or geographical area and/or a group
tention of communications data should be restricted to “serious of persons likely to be involved, in one way or another, in a
crime”.72 serious crime, or (ii) persons who could, for other reasons, con-
Even in this case, the Grand Chamber found that “while the tribute, through their data being retained, to fighting crime”.80
effectiveness of the fight against serious crime, in particular
organised crime and terrorism, may depend to a great extent 5.4. “Targeted retention” of both traffic and location data
on the use of modern investigation techniques, such an ob- is permitted
jective of general interest, however fundamental it may be,
cannot in itself justify that national legislation providing for The Swedish legislation “therefore exceeds the limits of what
the general and indiscriminate retention of all traffic and lo- is strictly necessary and cannot be considered to be justified,
cation data should be considered to be necessary for the within a democratic society, as required by Article 15(1) of Di-
purposes of that fight”.73 In line with its Digital Rights judgment,74 rective 2002/58, read in the light of Articles 7, 8 and 11 and
the Grand Chamber acknowledged that the use of modern in- Article 52(1) of the Charter.”81
vestigation techniques may contribute to this fight. The Grand Chamber however found that:
The Grand Chamber emphasised that the directive re-
quires the retention of traffic and location data to be the Article 15(1) of Directive 2002/58, read in the light of Articles 7,
exception and not the rule as in the Swedish legislation.75 It 8 and 11 and Article 52(1) of the Charter, does not prevent a
applied the same logic as in its Digital Rights judgment and re- Member State from adopting legislation permitting, as a pre-
iterated its essential finding that: ventive measure, the targeted retention of traffic and location
data, for the purpose of fighting serious crime, provided that the
National legislation such as that at issue in the main proceed- retention of data is limited, with respect to the categories of data
ings, which covers, in a generalised manner, all subscribers and to be retained, the means of communication affected, the persons
registered users and all means of electronic communication concerned and the retention period adopted, to what is strictly
as well as all traffic data, provides for no differentiation, limita- necessary.82
tion or exception according to the objective pursued. It is
comprehensive in that it affects all persons using electronic Importantly, the Grand Chamber did therefore not ques-
communication services, even though those persons are not, even tion or challenge the appropriateness and effectiveness of
indirectly, in a situation that is liable to give rise to criminal pro- targeted retention of traffic and location data which remains
ceedings. It therefore applies even to persons for whom there a lawful purpose for both preventing and fighting serious crime
is no evidence capable of suggesting that their conduct might subject to compliance with requirements to be met by domes-
have a link, even an indirect or remote one, with serious tic law. In addition, the findings of the Grand Chamber went
criminal offences. Further, it does not provide for any ex- against the opinion of Advocate General Saugmandsgaard Øe
ception, and consequently it applies even to persons whose who felt that “a general data retention obligation imposed by
communications are subject, according to rules of national law, a Member State may be compatible with the fundamental rights
to the obligation of professional secrecy.76 enshrined in EU law, provided that it is strictly circumscribed
by a series of safeguards”.83
The Swedish legislation thus provides for generalised mass The Grand Chamber set out two cumulative requirements,
processing and surveillance of metadata which infringes upon i.e., first, “clear and precise rules governing the scope and ap-
the fundamental right to respect for private life77 and is out- plication of such a data retention measure and imposing
lawed in the EU. As in the Digital Rights judgment,78 the Grand minimum safeguards, so that the persons whose data has been
Chamber noted that the Swedish legislation does not require retained have sufficient guarantees of the effective protec-
tion of their personal data against the risk of misuse.”84 National
data retention laws “must, in particular, indicate in what cir-
71
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 102. cumstances and under which conditions a data retention
72
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 262. measure may, as a preventive measure, be adopted, thereby
73
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 103. ensuring that such a measure is limited to what is strictly
74
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and necessary”.85 Second, the Grand Chamber observed that while
Seitlinger and Others [2013] para 51. “conditions may vary according to the nature of the measures
75
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 104.
76
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 105,
79
emphasis added. Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 106.
77 80
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 106.
81
Seitlinger and Others [2013] paras 57 and 58; Case C-362/14 Maximillian Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 107.
82
Schrems v Data Protection Commissioner [2014] paras 93 and 94. See Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 108,
Xavier Tracol, “‘Invalidator’ strikes back: The harbour has never been emphasis added.
83
safe”, Computer Law & Security Review, Volume 32, Issue 2, April 2016, Opinion in Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015]
p. 355. para 7.
78 84
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 109.
85
Seitlinger and Others [2013] para 59. Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 109.
computer law & security review 33 (2017) 541–552 547
taken for the purposes of prevention, investigation, detection found that the scope of access to retained data must be re-
and prosecution of serious crime, the retention of data must stricted to the purpose of “fighting serious crime”.92 As in
continue nonetheless to meet objective criteria, that estab- the Digital Rights judgment,93 it framed the obligation to retain
lish a connection between the data to be retained and the objective data94 and to make it accessible to national law enforcement
pursued. In particular, such conditions must be shown to be such authorities95 as two distinct interferences with fundamental
as actually to circumscribe, in practice, the extent of that rights.
measure and, thus, the public affected.”86 A data retention measure must “lay down clear and precise
rules indicating in what circumstances and under which con-
5.5. Scope of data retention ditions the providers of electronic communications services
must grant the competent national authorities access to the
The Grand Chamber specified that “the national legislation must data. Likewise, a measure of that kind must be legally binding
be based on objective evidence which makes it possible to iden- under domestic law.”96 Although the Grand Chamber did not
tify a public whose data is likely to reveal a link, at least an expressly cross-refer to the opinion of Advocate General
indirect one, with serious criminal offences, to contribute in Saugmandsgaard Øe on the latter issue, the Advocate General
one way or another to fighting serious crime or to prevent a made this specific point and relied on codes of practice or in-
serious risk to public security.”87 The Grand Chamber ac- ternal guidelines.97 The national legislation must “lay down the
cepted that a geographical criterion could be used to set limits substantive and procedural conditions governing the access of the
on the basis of objective evidence that “there exists, in one or competent national authorities to the retained data”.98
more geographical areas, a high risk of preparation for or com- The Grand Chamber emphasised that “the national legis-
mission of such offences.”88 The Grand Chamber thus repeatedly lation concerned must be based on objective criteria in order
required that national legislation be based on objective evi- to define the circumstances and conditions under which the
dence to meet the standards of proportionality and the test competent national authorities are to be granted access to the
of strict necessity although its analysis about their meaning data of subscribers or registered users.”99 As Advocate General
is far from being as detailed and structured as that of Advo- Saugmandsgaard Øe,100 the Grand Chamber referred to the judg-
cate General Saugmandsgaard Øe.89 In addition, the Grand ment of the Grand Chamber of the European Court of Human
Chamber required objective evidence for competent national Rights (“ECHR”) dated 4 December 2015 in the case of Roman
authorities to consider the level of risk and prevent it if as- Zakharov v. Russia.101 Regarding the scope of access in relation
sessed as serious or high. to the persons whose data can be accessed, the Grand Chamber
In contradiction to the opinion of the Advocate General,90 specified that:
the Grand Chamber found concerning the first question in Tele2
Case C-203/15 that: Access can, as a general rule, be granted, in relation to the ob-
jective of fighting crime, only to the data of individuals suspected
Article 15(1) of Directive 2002/58, read in the light of Articles 7, of planning, committing or having committed a serious crime or
8 and 11 and Article 52(1) of the Charter, must be interpreted as of being implicated in one way or another in such a crime.102
precluding national legislation which, for the purpose of fighting
crime, provides for the general and indiscriminate retention of all The Grand Chamber however lowered the bar for terrorist
traffic and location data of all subscribers and registered users activities: Access to the personal data of other data subjects
relating to all means of electronic communication.91 might be granted where there is “objective evidence”103 that
the data might effectively contribute to combat them.
92
Regarding the second question in Tele2 Case C-203/15 and the Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 115.
93
first question in Watson Case C-698/15, the Grand Chamber Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2013] paras 34 and 35.
94
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] paras
86
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 110, 100 and 102.
95
emphasis added. Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 115.
87 96
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 111 Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 117,
as rectified by Order of the Grand Chamber dated 16 March 2017 emphasis added.
97
in Joined Cases C-203/15 REC and C-698/15 REC, emphasis added. Opinion in Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015]
88
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 111 para 150.
98
in fine. Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 118,
89
Opinion in Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] emphasis added.
99
paras 186–263. See also Report of the Special Rapporteur on the Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 119.
100
right to privacy, Joseph A. Cannataci, A/HRC/34/60, 24 February 2017, Opinion in Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015]
p. 8, para 17. para 243.
90 101
Opinion in Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] CE:ECHR:2015:1204JUD004714306, para 260.
102
para 116. Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 119,
91
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] paras emphasis added.
103
112 and 134(1). Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 119.
548 computer law & security review 33 (2017) 541–552
The Grand Chamber also followed the opinion of Advo- 5.8. Prior review by either a court or an independent body
cate General Saugmandsgaard Øe104 in requiring that “access
of the competent national authorities to retained data should, Member States must also ensure that an independent author-
as a general rule, except in cases of validly established urgency, ity controls compliance with applicable rules on the protection
be subject to a prior review carried out either by a court or by of personal data as required by Article 8(3) of the Charter and
an independent administrative body, and that the decision of previously noted in both the Digital Rights and Schrems judg-
that court or body should be made following a reasoned request ments (strict legality scrutiny).112 Unlike Advocate General
by those authorities submitted, inter alia, within the frame- Saugmandsgaard Øe,113 the Grand Chamber did not specifi-
work of procedures for the prevention, detection or prosecution cally examine whether the safeguards that it had laid down
of crime”.105 The Grand Chamber did not only refer to its own in the Digital Rights judgment114 were mandatory require-
Digital Rights judgment but also to the judgment of the ECHR ments of EU law applicable to a Member State’s domestic regime
in Szabó and Vissy v. Hungary.106 The Grand Chamber consid- for access to data retained in accordance with national legis-
ered that data subjects should be notified by competent national lation to comply with Articles 7 and 8 of the Charter.115
authorities that access has been granted to their own re- The Grand Chamber however considered that referring
tained personal data “as soon as that notification is no longer courts bear the onus “to determine whether and to what extent
liable to jeopardise the investigations being undertaken by those the national legislation at issue in the main proceedings sat-
authorities”.107 The United Nations Special Rapporteur on the isfies the requirements stemming from Article 15(1) of Directive
promotion and protection of human rights and fundamental 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1)
freedoms while countering terrorism welcomed these spe- of the Charter, as set out in paragraphs 115 to 123 of this judg-
cific findings of the judgment.108 ment, with respect to both the access of the competent national
authorities to the retained data and the protection and level
of security of that data.”116
5.7. Data location and destruction The Grand Chamber then summed up its findings and held
that Article 15(1) of the directive read in light of Articles 7, 8,
The Grand Chamber listed the mandatory requirements for the 11 and Article 52(1) of the Charter
lawfulness of relevant data retention that it had already enu-
merated in its Digital Rights judgment, i.e., the notification of Must be interpreted as precluding national legislation governing
data subjects so that they may exercise their right to a legal the protection and security of traffic and location data and, in par-
remedy, rules relating to the security and effective protection ticular, access of the competent national authorities to the retained
of retained data by providers of electronic communications data, where the objective pursued by that access, in the context
services who must ensure “a particularly high level of protec- of fighting crime, is not restricted solely to fighting serious crime,
tion and security by means of appropriate technical and where access is not subject to prior review by a court or an in-
organisational measures”,109 the retention of the latter within dependent administrative authority, and where there is no
the territory of the EU – which raises the issue of cloud requirement that the data concerned should be retained within
computing110 – and “the irreversible destruction of the data at the European Union.117
the end of the retention period”.111
The retention of personal data must accordingly not only
104
Opinion in Joined Cases C-203/15 and C-698/15 [2015] paras 205, be targeted but access by the authorities to retained data must
234 and 236. be limited to the purpose of fighting against serious crime, be
105
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 120, subject to a prior review carried out either by a court or by an
emphasis added. independent administrative body and personal data must
106
CE:ECHR:2016:0112JUD003713814. remain on the territory of the EU.
107
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 121.
108
Report of the Special Rapporteur on the promotion and pro-
tection of human rights and fundamental freedoms while
countering terrorism, Ben Emmerson, A/HRC/34/61, 27 January 2017, 6. Comments
p. 12, para 34.
109
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 122.
110
Regarding cloud computing, see Xavier Tracol, “Legislative genesis For the first time, the judgment of the Grand Chamber set EU
and judicial death of a directive: the European Court of Justice in- standards about the retention of personal data for surveil-
validated the data retention directive (2006/24/EC), thereby creating lance purposes that Member States need to comply with. The
a sustained period of legal uncertainty about the validity of na- Grand Chamber applied Article 7 of the Charter on the respect
tional laws which enacted it”, Computer Law & Security Review, volume for private life and Article 8 of the Charter on the protection
30, issue 6, December 2014, p. 745; “‘Invalidator’ strikes back: The
harbour has never been safe”, Computer Law & Security Review, April
112
2016, Volume 32, Issue 2, p. 360. On 27 January 2017, an industry Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 123.
113
body of Cloud Infrastructure Services Providers operating in Europe Opinion in Joined Cases C-203/15 and C-698/15 [2015] paras 221,
has established and signed up to a new data protection code of 226, 244 and 262.
114
conduct available at https://cispe.cloud/wp-content/uploads/2017/ Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
02/CISPE-CodeOfConduct-27012017.pdf.The code requires providers Seitlinger and Others [2013] paras 60–68.
115
to offer customers the option to process and store personal data Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 59(1).
116
entirely within the European Economic Area (pp. 7 and 14). Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 124.
111 117
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 122. Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 125.
computer law & security review 33 (2017) 541–552 549
of personal data together in its analysis of the consequences 6.2. Plea raised ex officio
of domestic measures which provide for retention of per-
sonal data118 as it had already done in the Google Spain case.119 Although the two referring courts had not asked any ques-
The Grand Chamber has however clearly distinguished the ap- tion about the compliance of national measures on the retention
plication of these two different provisions in the Digital Rights120 of data with Article 11 of the Charter for a preliminary ruling,
and Schrems121 judgments. In the judgment rendered in the the Grand Chamber examined the compatibility of the data re-
two joint Dutch immigration cases,122 the Court of Justice also tention obligation imposed on providers with this provision in
applied Article 8 of the Charter but not Article 7 of the Charter. light of “the particular importance accorded to that freedom
In this case, the Grand Chamber thus regrettably blurred the in any democratic society.”126 It characterised this fundamen-
different scopes of the two provisions which had however been tal right as “one of the essential foundations of a pluralist,
clearly distinguished in the three Digital Rights, Schrems and joint democratic society, and is one of the values on which, under
Dutch immigration judgments. Article 2 TEU, the Union is founded”.127
The Court of Justice thus raised this plea ex officio for the
first time concerning the substance of the case where funda-
6.1. Legal effects of the judgment mental rights set out in the Charter are involved. This precedent
stands in stark contrast to the traditional reluctance of the Court
6.1.1. Effect ex tunc of Justice to raise pleas ex officio.128
The interpretation of Article 15(1) of the directive by the Grand
Chamber in its judgment delivered on a reference for a pre-
liminary ruling clarifies the meaning and scope of this provision 6.3. Distinction between content and metadata
as it must be or ought to have been understood and applied
from the date when it entered into force.123 Pursuant to Article The reasoning of the Grand Chamber that communications
20 of this directive, it entered into force on the day of its pub- metadata “is no less sensitive, having regard to the right to
lication in the Official Journal, i.e. 31 July 2002. The judgment privacy, than the actual content of communications”129 but that
of the Grand Chamber is purely declaratory with the conse- the Swedish legislation does not “affect adversely the essence”
quence that it takes effect from this date.124 of both Articles 7 and 8 of the Charter since it “does not permit
retention of the content of a communication”130 is rather dif-
ficult to follow. It is even more challenging to reconcile the views
6.1.2. Effect erga omnes of Advocate General Saugmandsgaard Øe that the risks
The judgment of the Grand Chamber has an effect erga associated with access to communications metadata may
omnes. The consequences of the interpretation of Article 15(1) be greater than those arising from access to the content of
of the directive as well as Articles 7, 8, 11 and 52(1) of the Charter communications131 with those that national regimes which
apply to the parties to the proceedings before the two refer- provide for general data retention obligations do not ad-
ring courts, all other national courts, third parties, institutions versely affect the essence of the right to privacy since they do
and Member States as well as to all situations covered by these not permit the acquisition of knowledge of the content of elec-
five provisions.125 tronic communications as such.132
Beyond the merged and confused application of the two dif-
ferent fundamental rights to respect for private life and
118
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] paras protection of personal data which has already been pointed
53, 92 and 100. out, metadata about communications contain “very sensitive,
119
Case C-131/12 Google Spain and Google [2013] paras 69, 74, 81, 97, valuable and extensive information.”133 They “can provide a very
99 and 100(4). detailed profile of an individual and processing it can be just
120
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
as intrusive as processing ‘content’ of communications.”134 The
Seitlinger and Others [2013] paras 29, 30, 34 to 36, 39, 40, 53, 66 and
68.
UNESCO report on human rights and encryption of 2016 noted
121
Case C-362/14 Maximillian Schrems v Data Protection Commis- “the pervasive availability of metadata and the possibility to
sioner [2014] paras 39, 47, 53, 54, 58, 65, 72, 94 and 99. use metadata to make inferences about people and user
122
Joined Cases C-141/12 and C-372/12 YS v. Minister voor Immigratie,
Integratie en Asiel and Minister voor Immigratie, Integratie en Asiel v.
126
M, S [2013], paras 58–60. See Xavier Tracol, “Back to basics: The Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 93.
127
European Court of Justice further defined the concept of personal Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 93.
128
data and the scope of the right of data subjects to access it”, Com- René Barents, Remedies and Procedures before the EU Courts, Wolters
puter Law & Security Review, Volume 31, Issue 1, February 2015, Kluwer, Alphen aan den Rijn, 2016, p. 880, § 24.12.
129
pp. 112–119. Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 99.
123 130
Case C-453/00 Kühne & Heitz [2003] paras 21 and 22. Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 101.
124 131
Case C-2/06 Kempter [2007] para 35; Cases C-89/10 and C-96/10 Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 259.
132
Q-Beef and Bosschaert [2010] para 48; Case C-429/12 Pohl [2013] para Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 157.
133
30. United Nations, Summary of the Human Rights Council panel
125
Case 69/85 Wünsche v. Germany [1985] para 13: “a judgment in discussion on the right to privacy in the digital age, A/HRC/28/39,
which the Court gives a preliminary ruling on the interpretation 19 December 2014, p. 9, para 28. See also ibidem, p. 4, para 9.
134
[. . .] of an act of a Community institution conclusively deter- Preliminary European Data Protection Supervisor Opinion 2/2016
mines [. . .] questions of Community law”; C-231/06 to C-233/06 on the review of the ePrivacy Directive (2002/58/EC), 22 July 2016,
Jonkman [2006] para 38. p. 17.
550 computer law & security review 33 (2017) 541–552
behavior”.135 A study by Stanford University of 12 March 2014 within the meaning of Article 52(1) of the Charter and conse-
showed that medical, financial and legal information could be quently infringe upon Article 7 of the Charter.
obtained from metadata.136 It has been shown that “intimate
details about a person’s lifestyle and beliefs, such as political
leanings and associations, medical issues, sexual orientation, 6.4. Notion of serious crime
habits of religious worship, and even marital infidelities can
be discovered through mobile phone traffic data”.137 A “trend The Grand Chamber repeatedly referred to the notion of serious
towards increased protection of metadata”138 has already been crime145 and ruled that “only the objective of fighting serious
noted. For instance, the International Association of Lawyers crime is capable of justifying”146 the retention of both traffic
stated that metadata “deserves strong privacy protections and and location data and that access of competent national au-
at least same protection than the content” (sic).139 thorities to retained data must be “restricted solely to fighting
The Grand Chamber has already held in the Digital Rights serious crime”.147 The latter notion should accordingly become
judgment that the essence of the fundamental right to private an autonomous concept of EU law.
life was not adversely affected since the data retention direc- The exhaustive list of ten “areas of crimes” set out in Article
tive did not permit the acquisition of content data.140 The Grand 83(1) of the Treaty on the Functioning of the EU (“TFEU”)148 may
Chamber thus examined whether the interference with this provide guidance in this respect. These ten areas of crime should
right was justified141 and applied the tests of proportionality142 meet the two cumulative and undefined requirements of “par-
and strict necessity.143 In the subsequent Schrems judgment, the ticularly serious crimes” and “cross-border dimension” resulting
Grand Chamber consistently found that “legislation permit- from three alternative criteria, i.e. “nature or impact of such
ting the public authorities to have access on a generalised offences or from a special need to combat them on a common
basis to the content of electronic communications must be basis.”149
regarded as compromising the essence of the fundamental
right to respect for private life, as guaranteed by Article 7 of the
Charter”.144 The Grand Chamber did accordingly not examine 6.5. Consequences and impact on national data
whether the interference with this right was justified and retention laws
did not apply the tests of proportionality and strict necessity
either. The two cases were remitted back to the Administrative Court
The distinction drawn by the Grand Chamber between re- of Appeal of Stockholm and the UK Court of Appeal which had
tention and access to content data, which does not respect the referred the questions to the Court of Justice for a prelimi-
essence of the fundamental right to private life provided for nary ruling and must now rule on the legal challenges to the
in Article 7 of the Charter and to telecommunications metadata relevant Swedish and British legislation. The situation of the
which does, is far from being persuasive. The Court of Justice UK is especially complex.
should accordingly depart from the two Digital Rights and Tele2 The judgment of the Grand Chamber relates to the DRIPA
Sverige judgments and consider that both retention of and which expired on 31 December 2016. The decision to be ren-
access to telecommunications metadata do not respect the dered by the UK Court of Appeal will consequently be academic.
essence of the fundamental right to respect for private life New legislation, the Investigatory Powers Act 2016 (“IPA”), has
however been in force since 1 January 2017. This very contro-
versial law substantially extended the powers of government
135
Wolfgang Schulz and Joris van Hoboken, Human rights and en- and its demands on firms. It requires telecommunications op-
cryption, UNESCO Series on Internet Freedom, 2016, available at erators, providers of Internet access, social media companies
http://unesdoc.unesco.org/images/0024/002465/246527E.pdf, p. 23. and data storage firms to collect and retain communications
136
Jonathan Mayer and Patrick Mutchler, “MetaPhone: The Sensi- data such as the Web browsing history of users for a year and
tivity of Telephone Metadata”, available at http://webpolicy.org/
give free access to public authorities including the police and
2014/03/12/metaphone-the-sensitivity-of-telephone-metadata/.
137
Preliminary European Data Protection Supervisor Opinion 2/2016
security services. The IPA also allows State hacking of tele-
on the review of the ePrivacy Directive (2002/58/EC), 22 July 2016, phones and computers. The judgment of the Grand Chamber
p. 13. may trigger legal challenges to the IPA. Even though the British
138
United Nations, Summary of the Human Rights Council panel government is not legally bound to amend the IPA, it may elect
discussion on the right to privacy in the digital age, A/HRC/28/39,
19 December 2014, p. 9, para 28 in fine.
139 145
Resolution on “Privacy in the Digital Communications”, Valen- Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] paras
cia Congress 2015, available at http://www.uianet.org/en/content/ 102, 103, 106, 108, 110, 111, 114, 115, 118, 119, 125 and 134(2).
146
resolution-privacy-digital-communications-valencia. Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 102.
140 147
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para
Seitlinger and Others [2013] para 39. 134(2).
141 148
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and “[T]errorism, trafficking in human beings and sexual exploita-
Seitlinger and Others [2013] para 60. tion of women and children, illicit drug trafficking, illicit arms
142
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and trafficking, money laundering, corruption, counterfeiting of means
Seitlinger and Others [2013] para 61. of payment, computer crime and organised crime.”
143 149
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Perrine Simon, “The Criminalisation Power of the European
Seitlinger and Others [2013] paras 61, 62, 64 and 65. Union after Lisbon and the Principle of Democratic Legitimacy”,
144
Case C-362/14 Maximillian Schrems v Data Protection Commis- New Journal of European Criminal Law, 2012, Volume 3, Issue 3–4,
sioner [2014] para 94. pp. 247 and 248.
computer law & security review 33 (2017) 541–552 551
to do so in light of the judgment of the Grand Chamber since On 11 January 2017, the Commission proposed a new
some of its findings may be difficult to reconcile with it. e-privacy regulation which would replace the directive.152 The
The judgment of the Grand Chamber may compel other draft regulation aims to align the applicable regime to that of
Member States to reconsider, adjust and revise rules pro- the GDPR. The draft regulation does no longer contain a pro-
vided for in their national legislation to make sure that they vision similar to Article 15(1) of the directive on the retention
comply with its requirements. For instance, Articles L. 34-1 III of data. It however includes Article 11 which is similar to Article
and R. 10–13 of the French Code of Posts and Electronic Com- 23 of the GDPR and leaves the option of targeted retention mea-
munications both set out a general and indiscriminate retention sures for the EU and Member States subject to compliance with
by electronic communications operators including Internet the Charter as interpreted in the case law of the Court of
access providers of all communications metadata of users for Justice.153 As the directive, Articles 6(2)(b) and 7(3) of the draft
a year. In addition, Law No. 2015-912 of 24 July 2015150 estab- regulation also allow providers of electronic communications
lished a commission which may however carry out judicial or to process and retain metadata if necessary for billing and cal-
administrative review only after national authorities have culating interconnection payments.
already been granted access to intelligence. After the Digital Rights judgment, the Commission had to
Coming back to the UK, the latter may continue applying determine whether it intended to propose the adoption of a
the General Data Protection Regulation (“GDPR”)151 after Brexit. new data retention directive which would have needed to take
If the UK however elects not to do so, transferring personal data account and address the findings contained in the judgment.154
to non EU countries will be subject to certification by the EU The Commission has elected not to do so more than three years
about the adequate level of protection of personal data in the later. In the meantime, the situation has evolved. If the Com-
UK. In this case, the judgment of the Grand Chamber could mission were to propose a new data retention directive, national
negatively impact on the ability of the UK to meet the require- legislation adopted by Member States to enact the directive
ment of essential equivalence and to obtain adequacy status would need to comply with all the requirements set out by the
for the purposes of foreign data transfers under the post- Grand Chamber in the Tele2 judgment.
Brexit data protection regime. Transfers of personal data from The current trend is however for the Commission to propose
the EU to the UK could then be challenged on the basis that the adoption of regulations instead of directives in the area
British law is insufficiently adequate in comparison to EU stan- of personal data protection. For instance, the GDPR replaces
dards. The judgment of the Grand Chamber may also provide directive 95/46/EC whilst the e-privacy regulation would replace
an authority to support this challenge. the e-privacy directive. Regulations are directly applicable in
the legal order of Member States without any need to adopt
national legislation enacting them. If the Commission were
6.6. Need for a harmonised legal framework on data to propose the adoption of a regulation on data retention, the
retention at EU level latter would need to comply with the findings of the Digital
Rights judgment. The adoption of a regulation on data reten-
The judgment of the Grand Chamber shows that the legisla- tion would however avoid the need for Member States to
tion in force in two Member States, i.e. Sweden and the UK, adopt national legislation which would have to comply with
substantially differ. This situation is not surprising since the the requirements set out by the Grand Chamber in the Tele2
Grand Chamber did not invalidate national laws enacting the judgment.
data retention directive in the Digital Rights judgment since it
was not seized of the matter and does not have the jurisdic-
tion to rule on their legal validity, pursuant to Article 267 of 7. Conclusion
the TFEU. National laws consequently remain valid and
applicable.
The Grand Chamber showed by this new judgment its firm will-
In the last three years, some Member States such as Sweden
ingness to scrupulously monitor compliance with Article 7 on
did accordingly not amend their national law enacting the ju-
respect for private life, Article 8 on protection of personal data,
dicially invalidated data retention directive. Other Member
States such as the UK adopted a new law. National legisla-
152
tion of yet other Member States has been legally challenged Proposal for a regulation of the European Parliament and of the
before domestic courts. For instance, the Constitutional Court Council concerning the respect for private life and the protection
of Belgium has repealed the domestic law by judgment of 11 of personal data in electronic communications and repealing
Directive 2002/58/EC (Regulation on Privacy and Electronic Com-
July 2015.
munications), COM(2017) 10 final.
As a result, a mosaic if not a patchwork of inconsistent na- 153
Proposal for a regulation of the European Parliament and of the
tional legislation on the retention of data is currently in force. Council concerning the respect for private life and the protection
A harmonised legal framework on data retention at EU level of personal data in electronic communications and repealing
is necessary to create a level-playing field on the issue. Directive 2002/58/EC (Regulation on Privacy and Electronic Com-
munications), COM(2017) 10 final, p. 3, Section 1.3.
154
See Xavier Tracol, “Legislative genesis and judicial death of a
directive: the European Court of Justice invalidated the data re-
150
Published in the Official Journal of 26 July 2015, p. 12735. tention directive (2006/24/EC), thereby creating a sustained period
151
Regarding an analysis of the GDPR, see Xavier Tracol, “The regu- of legal uncertainty about the validity of national laws which
lation and the directive on the protection of personal data”, Europe, enacted it”, Computer Law & Security Review, Volume 30, Issue 6,
October 2016, No. 10, pp. 5–10. December 2014, p. 746.
552 computer law & security review 33 (2017) 541–552
Article 11 on freedom of expression and Article 52(1) on the draft EU-Canada passenger name record (“PNR”) agreement
principle of proportionality of the Charter. This judgment thus about data directly transferred by companies to law enforce-
represents a new step in the process of reconciling legisla- ment authorities in third countries with no limit.157
tion of Member States against serious crime and terrorism with
fundamental rights. The Grand Chamber is increasingly build-
ing up a real and effective privacy shield155 to protect European
values which are increasingly eroded by domestic legislation
of Member States aiming to organise the fight against serious
Acknowledgement
crime and terrorism.
Last, the Court of Justice may refer back to the list of re- The views expressed herein are those of the author in his per-
quirements for access by competent national authorities to sonal capacity and do not necessarily reflect those of EUROJUST
retained personal data156 when it renders its opinion on the or the EU in general.
155
See Xavier Tracol, “EU-U.S. Privacy Shield: The saga contin-
ues”, Computer Law & Security Review, Volume 32, Issue 5, October
2016, pp. 775–777.
156 157
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] paras Request for an opinion submitted by the European Parlia-
119–121 and 125. ment, draft EU-Canada PNR agreement (opinion 1/15).
c o m p u t e r l a w & s e c u r i t y r e v i e w 3 0 ( 2 0 1 4 ) 7 3 6 e7 4 6
ScienceDirect
www.compseconline.com/publications/prodclaw.htm
Comment
Xavier Tracol*
Senior Legal Officer, Data Protection Service, EUROJUST, The Hague, The Netherlands
abstract
Keywords: The Grand Chamber has ruled that the data retention directive was invalid ex tunc since it
European Court of Justice seriously interfered with the fundamental rights to respect for private life and protection of
Digital Rights Ireland and Seitlinger personal data and exceeded the limits of the principle of proportionality which are pro-
E-privacy directive vided for in the Charter. The scope and temporal effects of this ruling should be clarified,
Data retention directive 2006/24/EC especially its legal impacts on national laws of Member States which enacted the directive.
Telecommunications metadata In addition, the findings of the Grand Chamber on geographical safeguards have far-
Retention of personal data reaching implications on the retention and storage of personal data in the EU.
Legal validity © 2014 Xavier Tracol. Published by Elsevier Ltd. All rights reserved.
Articles 7, 8, 11 and 52(1) of the
Charter of fundamental rights
Data security and cross-border
transfers
Cloud computing
*
The views expressed herein are those of the author in his personal capacity and do not necessarily reflect those of EUROJUST or the
EU in general.
* Data Protection Service, EUROJUST, P.O. Box 16183, 2500 BD, The Hague, The Netherlands.
E-mail address: xtracol@eurojust.europa.eu.
http://dx.doi.org/10.1016/j.clsr.2014.09.008
0267-3649/© 2014 Xavier Tracol. Published by Elsevier Ltd. All rights reserved.
c o m p u t e r l a w & s e c u r i t y r e v i e w 3 0 ( 2 0 1 4 ) 7 3 6 e7 4 6 737
1. Introduction
3. Relevant law
In the landmark judgment in the Digital Rights Ireland and
3.1. E-privacy directive
Seitlinger cases which drew a lot of attention,1 the Grand
Chamber invalidated the data retention directive2 on the basis
Article 5 of the e-privacy directive5 sets out the general prin-
of the Charter of Fundamental Rights. By adopting the direc-
ciple of confidentiality of electronic communications and
tive, the Court found that the EU legislature had exceeded the
related traffic data. Article 6(1) thereof also provides for the
limits of the principle of proportionality in light of Article 7 on
general obligation to erase traffic data which are no longer
respect for private life, Article 8 on protection of personal data
needed.
and Article 52(1) on limitations to their exercise of the
Article 15(1) of the directive however provides for a
Charter.3
broadly formulated derogation6 on the retention of data.
The Court sat in the Grand Chamber of fifteen judges which
This provision sets out that traffic and location data may
includes both the President and the Vice-President of the
both be exceptionally retained for a limited period on the
Court as well as three Presidents of Chambers of five Judges,
basis of a specific legislative measure taken by Member
pursuant to Article 16(2) and (3) of the Statute of the Court and
States. The retention is only allowed when it “constitutes a
Article 27 of the Rules of Procedure of the Court. The fact that
necessary, appropriate and proportionate measure within a
the Grand Chamber is composed of senior Judges of the Court
democratic society to safeguard national security (i.e. State
shows the importance of the cases.
security), defence, public security, and the prevention,
investigation, detection and prosecution of criminal of-
fences or of unauthorised use of the electronic communi-
2. Procedural background of the cases cations system.”
adopted by Parliament11 unusually differed in some key points challenged its legal basis and validity. They both submitted
to the draft directive initially adopted by the Committee on that Council and Parliament had legally erred in adopting
Civil Liberties, Justice and Home Affairs.12 the directive pursuant to then Article 95 of the former EC
Treaty (now Article 114 of the Treaty on the Functioning of
3.2.2. Scope of the directive the European Union, hereinafter the “TFEU”) which dealt
The data retention directive constituted an exception to the with the ex-first pillar legal basis. Ireland and Slovakia
general principle of confidentiality of electronic communi- further submitted that the main or predominant purpose of
cations and to the general obligation to erase data which are the directive was to combat crime and to fight against
no longer needed set out in the e-privacy directive. The terrorism and that the purpose of data retention was the
scope of the data retention directive covered the retention prevention, investigation, detection and prosecution of
of telecommunications metadata which was necessary to serious crime. The Council and Parliament should conse-
identify the subscriber or user but only provided an quently have adopted a framework decision on the legal
abstraction of the real communication. Article 5(1) of the basis of then title VI of the Treaty on the EU which dealt
directive provided for an exhaustive list of both traffic and with the ex-third pillar legislative procedure as proposed
location data which had to be retained. This provision inter alia by Ireland and Slovakia.
defined them as including inter alia data on the source, date, The Grand Chamber dismissed the action and found that
time, duration and recipient of a communication as well as the directive generally dealt with the functioning of the inter-
location of the communication device. It also included data nal market and specifically aimed at ensuring that harmonised
on unsuccessful call attempts. requirements of data retention apply to communication ser-
Article 5(2) of the directive did not permit the retention of vice providers in Member States. The directive was thus
content data of communications. For instance, the subject line correctly based on the former first pillar. The Grand Chamber
or header of an e-mail message, information consulted using stated that the scope of the action related solely to the choice of
an electronic communications network such as the destina- legal basis and not to any possible infringement of funda-
tion IP address and the URL of an Internet site, the list of all mental rights arising from interference with the exercise of the
recipients of e-mail messages in copy (“cc” mode) at the right to privacy contained in the directive.15
destination mail server and the port number allocated to users
by the Internet service provider13 were excluded from the 3.2.4. Content of the directive
scope of the directive. Articles 1(1) and 4 of the directive mentioned key phrases
such as “serious crime” and “competent national author-
3.2.3. Challenge to the legal basis of the directive ities” without harmonizing them. These two provisions
The directive “ranks among the most controversial pieces of cross-referred to national laws of Member States which
counter-terrorism legislation the EU has ever adopted and were given discretion in defining them. The absence of
fierce debate as to its legitimacy and effectiveness has raged consistent definitions in all Member States provided legal
since the earliest stages of its drafting to the present day.”14 uncertainty.
Ireland, joined by Slovakia, requested the annulment of the Article 4 of the directive emphasised that national rules
directive by the Court of Justice. The two Member States should be in accordance with the requirements of necessity and
proportionality which are particularly provided for in the Euro-
11
European Parliament legislative resolution on the proposal pean Convention on Human Rights. Article 6 of the directive
for a directive of the European Parliament and of the Council on allowed the retention of both traffic and location data for a
the retention of data processed in connection with the provision period of six months to two years for law enforcement purposes.
of public electronic communication services and amending
Directive 2002/58/EC (COM(2005)0438 - C6-0293/2005 - 2005/ 3.2.5. Enactment of the directive in Member States
0182(COD)), published in the Official Journal of the European Union
Commenting that the directive has always been highly
C 286 E of 23 November 2006, p. 264 to 273; Position of the Eu-
controversial in many Member States would be an under-
ropean Parliament adopted at first reading on 14 December 2005
with a view to the adoption of Directive 2006/…/EC of the Eu- statement. First, national laws enacting the directive have
ropean Parliament and of the Council on the retention of data been the subject of several legal challenges before domestic
generated or processed in connection with the provision of courts.16 Five high courts of Member States (Bulgarian Su-
publicly available electronic communications services or of preme Administrative Court in 2008,17 Romanian Constitu-
public communications networks and amending Directive 2002/
58/EC, 14 December 2005, 2005/0182(COD), P6_TC1-COD(2005)
0182.
12
Report on the proposal for a directive of the European
15
Parliament and of the Council on the retention of data processed Case C-301/06 Ireland v. Parliament and Council [2009] ECR I-593
in connection with the provision of public electronic communi- paras 57, 72, 73, 82 to 85 and 91. See Christopher Docksey, “The
cation services and amending Directive 2002/58/EC (2005/ European Court of Justice and the decade of surveillance”, Data
0182(COD)), 28 November 2005, PE 364.679v02-00, A6-0365/2005. Protection Anno 2014: How to Restore Trust?, Hielke Hijmans and
13
Report 01/2010 on the second joint enforcement action, WP Herke Kranenborg (eds), Intersentia, Cambridge d Antwerp d
172 of 13 July 2010, p. 9. Portland, 2014, p. 107 and 108.
14 16
Chris Jones and Ben Hayes (Statewatch), The EU Data Reten- Opinion in Joined Cases C-293/12 and C-594/12 Digital Rights
tion Directive: a case study in the legitimacy and effectiveness of Ireland and Seitlinger and Others [2014], footnote 102.
17
EU counter-terrorism policy, Securing Europe through Counter- Varhoven administrativen sad, decision No. 13627 of 11
Terrorism: Impact, Legitimacy and Effectiveness, 2013, p. 4. December 2008.
c o m p u t e r l a w & s e c u r i t y r e v i e w 3 0 ( 2 0 1 4 ) 7 3 6 e7 4 6 739
tional Court in 2009,18 German Constitutional Court in 2010,19 an action requesting that the Court of Justice impose a penalty
Cypriot Supreme Court also in 201120 and Czech Constitu- payment of V 315,036.54 per day under Article 260(3) of the
tional Court in both 2011 and 2012)21 found that domestic laws TFEU.29
or some provisions of such laws which enacted the directive
infringed upon constitutional rights. 3.2.6. Criticisms of both the Article 29 Working Party and the
Second, the implementation of the directive has been slow. EDPS
The Court of Justice declared that Ireland,22 Greece,23 Austria24 The Article 29 Working Party heavily criticised the imple-
and Sweden25 had all failed to fulfil their obligations under the mentation of the directive in national laws and its imple-
directive because they had not enacted it within the pre- mentation in the procedures of national communication
scribed period. In addition, the Court of Justice ordered Swe- service providers as a breach of privacy rights. It shrewdly
den to pay a lump sum of V 3,000,000 to the Commission for requested that “safeguards be introduced at least with regard
delaying implementation of the directive.26 Sweden complied to purpose specification, access limitation, data minimisation,
with the order of the court and paid this amount to the prohibition on data mining, judicial/independent scrutiny of
Commission. authorised access, ban on the use by providers of the data that
Third, the enactment of the directive has been uneven.27 is retained solely for public order purposes under the DR
The Commission launched a procedure against Germany for Directive e which led to the request for system separation and
failing to fulfil its obligation to implement the directive, pur- the definition of minimum standards for the security mea-
suant to Article 258 of the TFEU.28 On 11 July 2012, it brought sures to be taken by providers.”30
Peter Hustinx, the EDPS, characterised the directive as
18
Curtea Constitucionala , decision No. 1.258 of 8 October 2009 “without doubt the most privacy invasive instrument ever
available at both http://www.ccr.ro/files/products/D1258_091.pdf adopted by the EU in terms of scale and the number of people
and http://www.legi-internet.ro/en/jurisprudenta-it-romania/ it affects”.31 The EDPS issued an opinion reiterating that “[t]he
decizii-it/romanian-constitutional-court-decision-regarding- retention of telecommunications data clearly constitutes an
data-retention.html. See Adrian Bannon, “Romania retrenches on
interference with the right to privacy of the persons con-
data retention” (2010), International Review of Law, Computers and
Technology, Volume 24, Issue 2, p. 145 to 152; Cian C. Murphy, cerned as laid down by Article 8 of the European Convention of
Common Market Law Review, 2010, Volume 47, Issue 3, p. 933 to 941. Human Rights [ … ] and Article 7 of the EU Charter of Funda-
19
Bundesverfassungsgericht, 2 March 2010, 1 BvR 256/08, 1 BvR mental Rights.”32
263/08 and 1 BvR 586/08, available in German at http://www.
bundesverfassungsgericht.de/entscheidungen/rs20100302_
1bvr025608.html, para 1e345. See Anna-Bettina Kaiser, “German
Federal Constitutional Court: German data retention provisions 4. Analysis of the opinion of the Advocate
unconstitutional in their present form; Decision of 2 March 2010, General
NJW 2010, p. 833”, European Constitutional Law Review, 2010, Vol-
ume 6, Issue 3, p. 503 to 517; Katja de Vries et al., “The German The Advocate General proposed that the directive as a whole
Constitutional Court Judgment on Data Retention: Proportionality was incompatible with Article 52(1) of the Charter. He also
Overrides Unlimited Surveillance (Doesn't It?)”, Computers, Privacy
proposed that Article 6 of the directive was incompatible with
and Data Protection: an Element of Choice, Serge Gutwirth et al. (eds),
Springer, Dordrecht, 2011, p. 3 to 24, available at http://works.
both Articles 7 and 52(1) of the Charter.
bepress.com/cgi/viewcontent.cgi?article ¼ 1052&context ¼ serge_ First, the Advocate General mentioned that the directive
gutwirth; Dominik Hanf, “Vers une pre cision de la Euro- pursued a legitimate objective, i.e. ensuring the availability of
parechtsfreundlichkeit de la loi fondamentale: l’apport de l’arre ^t the collected and retained data for the purpose of the inves-
‘retention des donne es’ et de la decision Honeywell du BVerfG”, tigation, detection and prosecution of serious crime.33
Cahiers de droit europeen, 2010, Volume 46, No. 3-4, p. 519 to 549. Second, the Advocate General recognised that data protection
20
Anotato Dikastirio tis Kypriakis Dimokratias, decision of 1
is subject to an “autonomous regime”34 since specific EU sec-
February 2011 on civil requests 65/2009, 78/2009, 82/2009 and 15/
2010-22/2010. See Christiana Markou, “The Cyprus and other EU ondary legislation governs it. He viewed protection of personal
court rulings on data retention: the Directive as a privacy bomb”, data as a right which applies to the “personal sphere” rather than
Computer Law and Security Review, 2012, Volume 28, Issue 4, p. 468
29
to 475. Case C-329/12 Commission v. Germany.
21 30
Ústavnı́ Sound, decision of 22 March 2011, translation by the Report 01/2010 on the second joint enforcement action, WP
court available in English and published at http://www.usoud.cz/ 172 of 13 July 2010, p. 4.
31
en/decisions/?tx_ttnews[tt_news]¼ Speech about “The moment of truth for the Data Retention
40&cHash¼bbaa1c5b1a7d6704af6370fdfce5d34c. See Pavel Molek, Directive” of 3 December 2010 published and available on the
“Czech Constitutional Court”, European Constitutional Law Review, Internet site of the EDPS at https://secure.edps.europa.eu/
2012, Volume 8, Issue 2, p. 338 to 353; decision of 4 January 2012. EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/
22
Case C-202/09, Commission v. Ireland [2009], ECR I-00203*. Publications/Speeches/2010/10-12-03_Data_retention_speech_
23
Case C-211/09, Commission v. Greece [2009], ECR I-00204*. PH_EN.pdf, p. 1.
24 32
Case C-189/09 Commission v. Austria [2010], ECR 2010 I-00099. Opinion of the European Data Protection Supervisor on the
25
Case C-185/09 Commission v. Sweden [2010], ECR I-00014*. Evaluation report from the Commission to the Council and the
26
Case C-270/11 Commission v. Sweden [2013], ECR I-0000. European Parliament on the Data Retention Directive (Directive
27
Report from the Commission to the Council and the European 2006/24/EC), 31 May 2011, para 6.
33
Parliament, Evaluation report on the Data Retention Directive Opinion in Joined Cases C-293/12 and C-594/12 Digital Rights
(Directive 2006/24/EC), COM(2011) 225 final, 18 April 2011. Ireland and Seitlinger and Others [2014], para 136.
28 34
http://ec.europa.eu/eu_law/eulaw/decisions/dec_20110616. Opinion in Joined Cases C-293/12 and C-594/12 Digital Rights
htm. Ireland and Seitlinger and Others [2014], para 55.
740 c o m p u t e r l a w & s e c u r i t y r e v i e w 3 0 ( 2 0 1 4 ) 7 3 6 e7 4 6
the “private sphere”, unlike the right to respect for private life. should be divulged or processed.”43 It “implies an increased
The Advocate General distinguished between “data that are participation of the citizens in the processing of their personal
personal as such [ … ] to which the structure and guarantees of information and an advanced empowerment of the citizens
[the right to protection of personal data] are best suited”35 and that can be realised via the introduction and strengthening of
“data which are in a sense more personal”.36 He submitted that the importance of his consent.”44 The reference by the Advo-
use of “special” personal data may “make it possible to create cate General to this right shows the influence of the German
both a faithful and exhaustive map of a large portion of a person's legal system on EU personal data protection law.45
conduct strictly forming part of his private life; or even a com-
plete and accurate picture of his private identity”.37
Whilst the two rights under Articles 7 and 8 of the Charter 5. Analysis of the judgment of the Grand
should be clearly distinguished, there is however no legal Chamber dated 8 April 2014
basis for the distinction drawn by the Advocate General be-
tween these categories of personal data. Personal data pro- The reasoning of the Grand Chamber resembles that of the
tection law equally applies to all personal data including Advocate General. Holding its office of protecting funda-
telecommunications metadata. mental rights and referring quasi exclusively to the Charter of
Third, the Advocate General submitted that Article 7 of the Fundamental Rights, the Grand Chamber turns out to be a
Charter applied to both the collection and retention of data resolute guarantor of individual rights. To a question of
whilst Article 8 of the Charter applied to their subsequent use. principle, it provided a reply of the same nature.
Since the directive did not deal with the latter, the Advocate
General submitted that it was necessary to assess the legal 5.1. Relevant provisions of the Charter
validity of the directive “primarily from the perspective of
interference with the right to privacy.”38 The Court first narrowed the numerous questions referred by
Fourth, the directive should have defined safeguards which the Irish and Austrian courts down to a single overarching
must govern access to retained data and their use in light of issue, i.e. whether the directive was legally valid in light of
the serious interference with private life.39 The Advocate Articles 7, 8 and 11 of the Charter. It noted that the data “may
General took the opportunity to outline a non-exhaustive list allow very precise conclusions to be drawn concerning the
of safeguards. private lives”46 of individuals, thereby recognising the dangers
Fifth, the Advocate General considered that the directive posed by aggregated telecommunications metadata. Where
was incompatible with the principle of proportionality to the the personal data in question enable a precise intrusion in
extent that it required Member States to ensure that the data private life, the protection of personal data thus attracts the
were retained for a period the upper limit of which was set at protection of privacy. The Court then conducted its consid-
two years. The Advocate General has not found any sufficient erations in three parts.
justification for not limiting the retention period of data to be First, the Court examined the relevance of the three above-
established by Member States to less than a year.40 mentioned provisions with regard to the legal validity of the
Last, the Advocate General referred to “the right to infor- directive. Although the Court recognised that data retention
mational self-determination”41 of the individual. The German may have a chilling effect on individual freedom of expres-
Constitutional Court recognised this new constitutional right sion,47 it selected not to examine the legal validity of the
(informationelles Selbstbestimmungsrecht) in the population directive in light of Article 11 of the Charter. This effect
census decision of 1983.42 This German constitutional consequently remains merely potential.
construct guarantees “the authority of the individual in prin- The Court followed the European Court of Human Rights in
ciple to decide for himself whether or not his personal data considering that “[t]he retention of data for the purpose of
possible access to them by the competent national authorities
35 [ … ] directly and specifically affects private life”.48 It therefore
Opinion in Joined Cases C-293/12 and C-594/12 Digital Rights
Ireland and Seitlinger and Others [2014], para 64. found that the directive must be considered in light of Article 7
36
Opinion in Joined Cases C-293/12 and C-594/12 Digital Rights of the Charter.
Ireland and Seitlinger and Others [2014], para 65.
37 43
Opinion in Joined Cases C-293/12 and C-594/12 Digital Rights Eleni Kosta, Consent in European Data Protection Law, Martinus
Ireland and Seitlinger and Others [2014], para 74. Nijhoff Publishers, Leiden-Boston, 2013, p. 134.
38 44
Opinion in Joined Cases C-293/12 and C-594/12 Digital Rights Eleni Kosta, Consent in European Data Protection Law, Martinus
Ireland and Seitlinger and Others [2014], paras 55 to 67. Nijhoff Publishers, Leiden-Boston, 2013, p. 108.
39 45
Opinion in Joined Cases C-293/12 and C-594/12 Digital Rights See the decision of the Czech Constitutional Court dated 22
Ireland and Seitlinger and Others [2014], para 113. March 2011 finding that the Czech law which enacted the direc-
40
Opinion in Joined Cases C-293/12 and C-594/12 Digital Rights tive infringed upon the right to informational self-determination,
Ireland and Seitlinger and Others [2014], para 149. translation by the court available in English and published at
41
Opinion in Joined Cases C-293/12 and C-594/12 Digital Rights http://www.usoud.cz/en/decisions/?tx_ttnews[tt_news]¼
Ireland and Seitlinger and Others [2014], para 57 in fine. 40&cHash¼bbaa1c5b1a7d6704af6370fdfce5d34c.
42
Bundesverfassungsgericht, 65,1 vom 15.12.1983 (Volksza €hlungs- 46
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Urteil), Human Rights Law Journal, 1984, 5, p. 94 to 116. See Gerrit Seitlinger and Others [2014], para 27.
Hornung and Christoph Schnabel, “Data Protection in Germany I: 47
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
The population census decision and the right to informational Seitlinger and Others [2014], para 28.
48
self-determination”, Computer Law and Security Review, 2009, Vol- Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
ume 25, Issue 1, p. 84 to 88. Seitlinger and Others [2014], para 29.
c o m p u t e r l a w & s e c u r i t y r e v i e w 3 0 ( 2 0 1 4 ) 7 3 6 e7 4 6 741
The Court also considered that the mere retention of com- personal data were justified. It reiterated that Article 52(1) of
munications metadata constitutes the processing of personal the Charter provides that three requirements must be met
data within the meaning of Article 8 of the Charter. The re- to justify limitations to fundamental rights, i.e. limitations
quirements for the protection of personal data set out in this must be provided for by law; respect the essence of the
provision must therefore be met.49 These two findings differ rights; and limitations must be genuinely necessary to meet
from the opinion of the Advocate General on this specific objectives of general interest, subject to the principle of
issue.50 proportionality. The Court held that the essence of the
The Grand Chamber applied a similar reasoning to the fundamental right to privacy was respected since the
European Court of Human Rights by first establishing an directive did not permit the acquisition of content data.58
interference (5.2) before considering whether the interference This finding is questionable at best because a structural
is justified (5.3) since the two fundamental rights to respect for analysis of telecommunications metadata precisely permits
private life and protection of personal data relied upon are not the acquisition of in-depth knowledge about data subjects,
absolute. thereby adversely affecting the essence of the fundamental
right to privacy as the Court itself somehow contradictorily
5.2. Interference with the fundamental rights to respect found.59 As the Office of the United Nations High Commis-
for private life and protection of personal data sioner for Human Rights observed, the “aggregation of in-
formation commonly referred to as ‘metadata’ may give an
Second, the Court considered whether there was an interfer- insight into an individual's behaviour, social relationships,
ence with the rights laid down in Articles 7 and 8 of the private preferences and identity that go beyond even that
Charter. It found that the directive required the retention of conveyed by accessing the content of a private communi-
the listed telecommunications metadata but also allowed cation.”60 The Court also held that the essence of the right
competent national authorities to access the data.51 The Court to protection of personal data was respected since the
noted that the directive derogated from the system of pro- directive required Member States to ensure that “appro-
tection provided for in both the data protection directive and priate technical and organisational measures are adopted
the e-privacy directive.52 It held that the obligations to retain against accidental or unlawful destruction, accidental loss
data imposed by the data retention directive constituted an or alteration of data”.61
interference with the right to respect for private life53 as did
the access of competent authorities to that data.54 The Court 5.4. Objective of general interest
also held that the directive interfered with the right to pro-
tection of personal data for the simple reason that “it provides When considering whether the interference satisfied an
for the processing of personal data.”55 Following again the objective of general interest, the Court drew a distinction
opinion of the Advocate General, it stated that these in- between the aim and material objective of the directive. It
terferences were both wide-ranging and particularly serious.56 noted that the directive aimed at harmonising provisions of
The Court evocatively considered that “the fact that data are Member States about obligations on data retention whilst
retained and subsequently used without the subscriber or the Court found that the material objective of the directive
registered user being informed is likely to generate in the was “to ensure that the data are available for the purpose of
minds of the persons concerned the feeling that their private the investigation, detection and prosecution of serious
lives are the subject of constant surveillance.”57 crime, as defined by each Member State in its national law.
The material objective of that directive is, therefore, to
contribute to the fight against serious crime and thus, ulti-
5.3. Justification of the interference
mately, to public security.”62 The Court interestingly noted
that “Article 6 of the Charter lays down the right of any
Third, the Court considered whether the interferences with
person not only to liberty, but also to security.”63 It therefore
the rights to respect for private life and protection of
held that the directive “genuinely satisfies an objective of
49
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and general interest”64 and proceeded to examine the propor-
Seitlinger and Others [2014], paras 29 and 30. tionality of the directive.
50
Opinion in Joined Cases C-293/12 and C-594/12 Digital Rights
58
Ireland and Seitlinger and Others [2014], paras 55 to 67. Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
51
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others [2014], para 39.
59
Seitlinger and Others [2014], para 32. Ibidem, para 27. Regarding the essence of the fundamental
52
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and right to private and family life, see Case C-400/10 J. McB. v. L.E.
Seitlinger and Others [2014], para 32. [2010], ECR I-8965, paras 55 and 57.
53 60
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Report on the right to privacy in the digital age, A/HRC/27/37,
Seitlinger and Others [2014], para 34. 30 June 2014, p. 7.
54 61
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 35. Seitlinger and Others [2014], para 40.
55 62
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 36. Seitlinger and Others [2014], para 41.
56 63
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 37. Seitlinger and Others [2014], para 42 in fine.
57 64
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 37. Seitlinger and Others [2014], para 44.
742 c o m p u t e r l a w & s e c u r i t y r e v i e w 3 0 ( 2 0 1 4 ) 7 3 6 e7 4 6
rejected the “submission that the rules in question conflict of protection of personal data and thus justifies the applica-
with the requirements of the protection of fundamental rights bility of Article 8 of the Charter. It does however not demon-
in the Community legal order”.82 The Charter which applies to strate any interference with the fundamental right to the
EU organisations pursuant to Article 51(1) thereof subse- protection of personal data. This shortcoming of the judgment
quently entered into force on 1 December 2009. The judgment does not imply that the finding of the Grand Chamber is le-
of the Grand Chamber which is based on the Charter thus gally erroneous but simply shows the weakness of its
reflects its deep impact on the case law of the Court.83 reasoning on this specific point.
Even more importantly, the Court added that the “directive The implications of the ruling of invalidity and the
does not require the data in question to be retained within the adequate controls on geographical safeguards of the judg-
European Union”. As a result, “an independent authority” ment need to be clarified.
cannot control compliance with applicable provisions of data
protection and requirements of data security in the EU
“explicitly required by Article 8(3) of the Charter”. The Court 6.1. Effects of the ruling of invalidity
characterised this control as “an essential component of the
protection of individuals with regard to the processing of 6.1.1. Scope
personal data”.84 The legal risks for privacy thus outweighed The finding of invalidity deals with the whole directive. The
the potential use of intelligence. general and radical nature of the ruling is unprecedented. The
The Grand Chamber ruled that the directive was invalid. It Grand Chamber has already invalidated two provisions of a
did not follow the opinion of the Advocate General who, out of Council regulation which breached the fundamental right to
concern for pragmatism, for overriding considerations of legal protection of personal data provided for in Article 8 of the
certainty85 and the fact that Member States had generally Charter.88 In addition, the Grand Chamber has already ruled
exercised their powers with moderation with respect to the that a specific provision of a directive was invalid. For instance,
maximum period of data retention, had proposed “to suspend it invalidated Article 5(2) of Council directive 2004/113/EC of 13
the effects of the finding that Directive 2006/24 is invalid December 2004 implementing the principle of equal treatment
pending adoption by the European Union legislature of the between men and women in the access to and supply of good
measures necessary to remedy the invalidity found to exist”.86 and services with effect from 21 December 2012 because it was
incompatible with Article 21 on non-discrimination and Article
23 on equality between men and women of the Charter.89 As a
6. Comments result of the entire invalidation of the directive in this case, no
applicable directive currently in force mandates the retention
The finding of the Court that the directive interfered with the of telecommunications metadata.
right to protection of personal data since “it provides for the
processing of personal data”87 is simplistic and unpersuasive. 6.1.2. Temporal effects of the judgment
The latter fact shows that the directive falls within the scope Since the Court did not limit the temporal effect of its ruling,
the finding of invalidity takes effect ex tunc, i.e. from the date on
82
Case 5/88 Wachauf v. Bundesamt für Erna €hrung und For- which the directive entered into force, as clarified by a mere
stwirthschaft [1989], ECR 02609, paras 22 and 23. footnote of the press release published by the Court.90 Article
83
See 2013 Report on the Application of the EU Charter of 16 of the directive provided that it “shall enter into force on the
Fundamental Rights, COM(2014) 224 final, 14 April 2014.
84 twentieth day following that of its publication in the Official
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 68.
Journal of the European Union.” The directive was published on 13
85
See Case 13/61 Bosch v. van Rijn [1962], in which the Court April 2006. It therefore entered into force on 3 May 2006. The
established the notion of legal certainty as a general principle of ruling of invalidity thus takes effect from this date.
EU law (p. 52). See also Case 48/69 Imperial Chemical Industries Ltd v.
Commission [1972], ECR 619, para 49; Case C-63/93 Duff and Others 6.1.3. National legislation
[1996], ECR I-569, para 20; Case C-199/03 Ireland v. Commission Digital Rights Ireland, the government of the province of Car-
[2005], para 69; Case F-125/10 Mendes v. Commission [2013], para 71
inthia and Austrian citizens challenged the validity of national
finding that the principle of legal certainty requires that legal
rules be clear and precise and aims to ensure that situations and legislations which enacted the directive before domestic
legal relationships governed by EU law remain foreseeable. courts. The latter referred the legal validity of the underlying
Regarding legal certainty, see Paul Craig, EU Administrative Law, directive to a preliminary ruling of the Court of Justice. The
Oxford University Press, New York, Second Edition, 2012, p. 549 to ruling of the Grand Chamber about the invalidity of the
556; Takis Tridimas, The General Principles of EU Law, Oxford Uni- directive ex tunc raises in turn interesting questions about the
versity Press, New York, Second Edition, 2007, section 6.1, p. 242
status of all national laws which enacted the directive.
to 251; Jürgen Schwarze, European Administrative Law, Sweet &
The judgment of the Grand Chamber legally binds both the
Maxwell, London, 2010, p. 870 to 873 and 938 to 1172; Leonard
Besselink et al. (eds), The Eclipse of the Legality Principle in the Eu- referring Constitutional Court of Austria and the High Court of
ropean Union, Kluwer Law International, Alphen aan den Rijn, Ireland, pursuant to Article 91(1) of the Rules of Procedure of the
2011.
86 88
Opinion in Joined Cases C-293/12 and C-594/12 Digital Rights Joined Cases C-92/09 and C-93/09 Volker and Markus Scheke
Ireland and Seitlinger and Others [2014], para 158. See also ibidem, [2010], ECR I-11063.
89
paras 156 and 157. Case C-236/09 Test-Achats and Others v. Council [2011], ECR
87
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and I-00773, para 32.
90
Seitlinger and Others [2014], para 36. Press release No 54/14 of 8 April 2014, footnote 2.
744 c o m p u t e r l a w & s e c u r i t y r e v i e w 3 0 ( 2 0 1 4 ) 7 3 6 e7 4 6
Court of Justice. By decision of 27 June 2014,91 the Constitu- justify an obstruction of a fundamental freedom guaranteed by
tional Court of Austria invalidated the domestic data retention the Treaty must be regarded as “implementing Union law”
law. The Court ruled that it was unconstitutional since it within the meaning of Article 51(1) of the Charter.96 Domestic
infringed upon the fundamental right to data protection as well courts may therefore invalidate national laws for breaches of
as Article 8 of the European Convention on Human Rights the Charter as the Court of Justice invalidated the directive. For
which deals with the right to respect of private life. The instance, the Constitutional Court of Slovenia abrogated eight
reasoning of the Austrian Constitutional Court is thus in line provisions of the domestic law on retention of data as dispro-
with that of the Grand Chamber. Similarly to the latter, the portionate by judgment of 3 July 2014 following the judgment of
Court also ruled that although regulations such as the data the Grand Chamber.97 It instructed operators of electronic
retention law could be used to fight serious crime, they must communications to delete retained data immediately after the
comply with data protection requirements and the European date when the judgment is published in the Official Gazette.
Convention of Human Rights. In this case, the Court found that Alternatively, governments of Member States may pro-actively
the challenged data retention provisions excessively interfere examine their national legislation in light of the judgment of
with and infringe upon the fundamental right to the protection the Grand Chamber98 and accordingly make appropriate de-
of personal data. The referring High Court of Ireland must now cisions including amendments thereto. For instance, the
also apply the judgment of the Grand Chamber to the on-going British Parliament passed on 17 July 2014 the controversial Data
legal proceedings about the national law before it. Retention and Investigatory Powers Bill99 which provides for
Regarding Sweden, the Commission will reimburse to its emergency powers to ensure that police and security services
government the sum of V 3,000,00092 that it paid for delaying can continue to access phone and internet records. Accompa-
implementation of the directive, pursuant to the order of the nying the new powers are provisions to “increase transparency
Court of Justice.93 and oversight” including the creation of a new Privacy and Civil
On 8 April 2014, the Commission quickly published Liberties Oversight Board to scrutinise the impact of the law. In
frequently asked questions about the directive, stating that any event, this situation creates a sustained period of legal
“[n]ational legislation needs to be amended only with regard to uncertainty about the impact of the judgment on national laws
aspects that become contrary to EU law after a judgment by the of Member States which enacted the directive.
European Court of Justice. Furthermore, a finding of invalidity Last, Germany which has not adopted any national law to
of the Directive does not cancel the ability for Member States enact the directive no longer bears the obligation to do so. In
under the e-Privacy Directive (2002/58/EC) to oblige retention of addition, the Commission no longer had any legal basis to
data.”94 The legal service of Parliament similarly considered continue the action brought against Germany for failing to
that the judicial invalidation of the directive “in principle did fulfil its obligation to enact the directive and requesting the
not affect national legislation.”95 These opinions are legally Court of Justice to impose the penalty payment of V 315,036.54
correct. The Grand Chamber did not invalidate national laws per day.100 It accordingly stated that it would terminate this
enacting the directive since it was not seized of the matter and procedure.101 The Commission withdrew its action except for
does not have the jurisdiction to rule on their legal validity, the costs and the President of the Court of Justice ordered the
pursuant to Article 267 of the TFEU. National laws remain valid case to be removed from the register by order of 5 June 2014,102
and applicable. Obligations to retain telecommunications pursuant to Article 148 of the Rules of Procedure of the Court
metadata stand on these legal bases despite the invalidation of of Justice. All Member States may however adopt and apply
the directive by the Grand Chamber. This situation is legally specific legislative measures, pursuant to Article 15(1) of the e-
clumsy since domestic laws were precisely adopted pursuant privacy directive on the exceptional retention of both traffic
to the now invalidated directive. Depending on their content, and location data for a limited period.
national legislation enacting the directive may be legally chal-
lenged before national courts for breaches of the fundamental 6.2. Adequate controls on geographical safeguards:
rights to respect for private life and protection of personal data, retention and storage of personal data within the EU
applying the criteria laid down by the Grand Chamber in this
case. Regarding the scope of the Charter, the Court of Justice The Court criticised both Council and Parliament for failing to
ruled in the Pfleger judgment of 30 April 2014 that it applies to impose an obligation to retain telecommunications metadata
national derogations from EU law. Importantly, the use by
96
Member States of fundamental rights provided for by EU law to Case C-390/12, paras 31 to 36.
97
Judgment U-I-65/13-19. See the press release of the Informa-
tion Commissioner of 11 July 2014 available at https://www.ip-rs.
91
Verfassungsgerichtshof, decision No. G 47/2012, the press si/index.php?id¼272&tx_ttnews%5btt_news%
release is available in German only at: http://www.vfgh.gv.at/ 5d¼1256&cHash¼2885f4a56e6ff9d8abc6f94da098f461.
98
cms/vfgh-site/attachments/5/0/0/CH0003/CMS1403853653944/ For instance, see press release, ministry of justice of
presseinformation_verkuendung_vorratsdaten.pdf. Luxembourg, 8 April 2014, announcing that a detailed analysis of
92
Plenary session of Parliament, debates of 16 April 2014, dec- possible implications for the domestic law will be undertaken,
larations of the Commissioner for Home Affairs. available at http://www.gouvernement.lu/3641093/08-cjue.
93 99
Case C-270/11 Commission v. Sweden [2013] ECR I-0000. Available at https://www.gov.uk/government/uploads/
94
Available at http://europa.eu/rapid/press-release_MEMO-14- system/uploads/attachment_data/file/328939/draft-drip-bill.pdf.
100
269_en.htm. Case C-329/12 Commission v. Germany.
95 101
Summary of the meeting of the European Parliament Com- Plenary session of Parliament, debates of 16 April 2014, dec-
mittee on Civil Liberties, Justice and Home Affairs, held in Brus- larations of the Commissioner for Home Affairs.
102
sels on 10 April 2014, document 8940/14, 11 April 2014, p. 5. Case C-329/12 Commission v. Germany [2014].
c o m p u t e r l a w & s e c u r i t y r e v i e w 3 0 ( 2 0 1 4 ) 7 3 6 e7 4 6 745
within the EU. It emphasised the need to store retained data “consideration might be given by national governments and
within the EU to ensure oversight by an independent EU au- European Union institutions to further investigate the concept
thority about compliance with applicable provisions on pro- of a European Governmental cloud as a supra national virtual
tection of personal data and requirements of data security, in space where a consistent and harmonised set of rules could be
accordance with Article 8(3) of the Charter. The Court found applied. [ … ] Transferring personal data to a European cloud
that data storage facilities must be subject to “control, carried provider, sovereignly governed by European data protection
out on the basis of EU law” by “an independent authority”.103 It law, could bring great data protection advantages to cus-
thus made clear that personal data of European data subjects tomers [ … ] as well as legal certainty.”105
must remain and be held and managed in the EU under EU
laws and safeguards.
These findings indicate the position of the Court towards
7. Concluding remarks
international transfers of personal data. It is consistent with
the restrictions inserted by Parliament in Article 36 of the draft
The judgment of the Grand Chamber shows that personal data
proposal for a directive on the protection of personal data in
protection law can adapt to the challenges provided by the
the area of law enforcement to tighten up transfers of per-
evolutions of telecommunication technology. It also shows
sonal data to third states which are not members of the EU.104
the increasing legal importance and weight of the Charter in
Regarding cloud computing, the implications of these
the case law of the Court of Justice106 including that on per-
findings for EU data controllers are that retained personal data
sonal data protection law, computer law and cloud
may only be stored where necessary safeguards such as the
computing.107 The Grand Chamber has played the role of an
control carried out by an independent data protection au-
EU Constitutional Court108 which has applied and interpreted
thority on the basis of EU law are in place. The findings of the
Articles 7, 8 and 11 of the Charter as well as checked and
Grand Chamber are consistent with the opinion of the Article
controlled the compliance of the directive with its two pro-
29 Data Protection Working Party which stated that
visions about fundamental rights to respect for private life and
protection of personal data. The judges thus appeared as
103
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and resolute defenders of individual rights on the basis of the
Seitlinger and Others [2014], para 68. Charter in the area of personal data protection, which is of
104
Texts adopted at the sitting of Wednesday 12 March 2014, part
acute public interest.
I, PE 531.357.
105
Article 29 Data Protection Working Party, Opinion 05/2012 on
The EU legislature should however learn lessons from this
Cloud Computing, 1 July 2012, p. 23 and 24. This opinion is taken from debacle which may now have a snowball effect on national
the recommendation of the European Network and Information legislation of Member States. The Council and Parliament both
Security Agency (ENISA), Security & Resilience in Governmental adopted a directive which seriously interfered with two
Clouds, January 2011, p. 9. See also ENISA, Cloud Computing. Bene- fundamental rights. One and a half months before the dates of
fits, risks and recommendations for information security, November the European elections, this situation specifically poses
2009; Opinion of the European Data Protection Supervisor on the
intriguing questions on the exact role played by Parliament
Commission's Communication on “Unleashing the potential of
Cloud Computing in Europe”, 16 November 2012; Information Com- about their protection.109 The directive remained in force
missioner's Office, Guidance on the use of cloud computing, 2012. See nearly eight years before the Grand Chamber finally invali-
also Paolo Balboni, “Contracting with the cloud: analyzing the EU dated it. Had an Irish advocacy group, a provincial govern-
position”, Data Protection Law & Policy, 2012, Volume 9, Issue 10; Paolo ment and Austrian residents not taken the initiative to
Balboni and Enrico Pelino, “Law Enforcement Agencies' Activities in challenge the legal validity of national laws enacting the
the Cloud Environment: a European Legal Perspective”, Information &
directive and had the two domestic courts not requested a
Communications Technology Law, Volume 22, Issue 2, 2013, p. 165 to
preliminary ruling of the Court of Justice, the Grand Chamber
190; Paolo Balboni, Security and Privacy in Cloud Computing: The
European Regulatory Approach. Executive Action Report, No. 335, would not have been seized of the matter and had the op-
The Conference Board, October 2010; W. Kuan Hon et al., “Could portunity to invalidate the directive. The latter would there-
Accountability: The Likely Impact of the Proposed EU Data Protection fore remain in force. Ireland and Slovakia regrettably could
Regulation”, Queen Mary School of Law Legal Studies Research Paper No. not submit to the Grand Chamber that the directive infringed
172/2014, Tilburg Law School Research Paper No. 07/2014, available at upon fundamental rights provided for in two provisions of the
http://papers.ssrn.com/sol3/papers.cfm?abstract_id¼2405971#;
Charter in 2006110 since they brought the action for annulment
Simon Bradshaw et al., “Contracts for Clouds: Comparison and
Analysis of the Terms and Conditions of Cloud Computing Services”,
three years before the date when the Charter entered into
Queen Mary University of London, School of Law Legal Studies Research force on 1 December 2009. The Grand Chamber could not raise
Paper No. 63/2010, 1 September 2010, available at http://papers.ssrn. this plea ex officio in light of the traditional case law of the
com/sol3/papers.cfm?abstract_id¼1662374. Regarding B2B cloud
computing, see Paolo Balboni, “Data Protection and Data Security 106
See Xavier Tracol, “The new rules of procedure on the review
Issues Related to Cloud Computing in the EU”, Norbert Pohlmann procedure and the application of general principles in EU civil
et al. (eds), ISSE 2010 Securing Electronic Business Processes, Vieweg, service law and litigation: Strack”, Common Market Law Review,
Wiesbaden, 2011, p. 163 to 172, available at https://archive.org/ Volume 51, No. 3, June 2014, p. 993 to 1014.
107
details/ISSE_2010_Securing_Electronic_Business_Processes. See Case C-131/12 Google Spain and Google [2014], para 81.
108
Regarding B2C cloud computing, see Yves Poullet et al., Cloud See Case C-131/12 Google Spain and Google [2014], para 81.
109
computing and its implications on data protection, Council of See the debates during the plenary session of Parliament on
Europe, 5 March 2010, available at http://www.coe.int/t/dghl/ 16 April 2014.
110
cooperation/economiccrime/cybercrime/Documents/Reports- Case C-301/06 Ireland v. Parliament and Council [2009] ECR I-593,
Presentations/2079_reps_IF10_yvespoullet1b.pdf. para 57.
746 c o m p u t e r l a w & s e c u r i t y r e v i e w 3 0 ( 2 0 1 4 ) 7 3 6 e7 4 6
Court of Justice on this issue.111 As a result, all data subjects of sonal data with the manifest intent to ensure a high level of
the EU were unfortunately left in a state of legal uncertainty protection of this fundamental right for data subjects.
on a matter of fundamental rights which led to additional Furthermore, this judgment shows the impact of personal
litigation to resolve the matter four years later. data protection law on criminal justice. It may be considered
In addition, the judgment in this case shows the growing by supreme courts of non-Member States such as the US Su-
impact of preliminary rulings rendered by the Grand Chamber preme Court if they are seized of the lawfulness of retaining
on the development of EU personal data protection law. In just metadata in the context of law enforcement.114
over a month, it rendered another ground-breaking judgment Last, the new Commission will have to determine whether
on the legal responsibility of an Internet search engine oper- it intends to propose the adoption of a new data retention
ator for the processing of personal data contained on Web- directive. If it does, the proposal will need to take account and
sites112 as well as a judgment on the independence of national address the findings contained in the judgment of the Grand
supervisory authorities.113 In all three judgments, the Grand Chamber.
Chamber adopted a strict approach to the protection of per-
111
Fernando Castillo de la Torre, “Le releve d’office par la juri-
diction communautaire”, Cahiers de droit europeen, 2005, No. 3-4, p.
d’office devant le juge com-
395 to 463; Bo Vesterdof, “Le releve
munautaire”, Une communaute de droit, Festschrift für Gil Carlos
Rodriguez Iglesias, Ninon Colneric et al. (eds), Berliner
Wissenschafts-Verlag, Berlin, 2003, p. 551 to 568.
112 114
Case C-131/12 Google Spain and Google [2014]. Regarding searches and privacy, see the recent case of Riley v.
113
Case C-288/12 Commission v. Hungary [2014]. California, US Supreme Court, 25 June 2014.
L 291/40 EN Official Journal of the European Union 7.11.2009
III
(Acts adopted under the EU Treaty)
THE COUNCIL OF THE EUROPEAN UNION, (5) On 19 February 2009 the General Secretariat of the
Council notified the United States of America of the
designations pursuant to Articles 2(3) and 10(2) of the
Agreement on extradition and pursuant to Articles 4(3)
Having regard to the Treaty on European Union, and in
and 8(2)(b) of the Agreement on mutual legal assistance,
particular Articles 24 and 38 thereof,
as well as of limitations invoked under Article 4(4) of the
Agreement on mutual legal assistance,
Whereas:
(1) Following the authorisation given by the Council on HAS DECIDED AS FOLLOWS:
26 April 2002 to the Presidency, assisted by the
Commission, to enter into negotiations with the United
States of America, two Agreements on international
cooperation in criminal matters, one on extradition and
one on mutual legal assistance, have been negotiated
with the United States of America. Article 1
The Agreement on extradition between the European Union
and the United States of America and the Agreement on
(2) In accordance with Council Decision 2003/516/EC of mutual legal assistance between the European Union and the
6 June 2003 (1), the Agreement on extradition between United States of America are hereby approved on behalf of the
the European Union and the United States of America (2) European Union.
and the Agreement on mutual legal assistance between
the European Union and the United States of America (3)
have been signed on behalf of the European Union on
25 June 2003.
Article 2
(3) The Agreements should now be approved. The President of the Council is hereby authorised to designate
the person empowered, on behalf of the European Union, to
exchange the instruments of approval provided for in Article 22
(4) The Agreements provide in their Article 3(2) that written of the Agreement on extradition between the European Union
instruments be exchanged between the USA and the and the United States of America and in Article 18 of the
Member States of the Union on the application of Agreement on mutual legal assistance between the European
bilateral treaties. Article 3(3) of the Agreement on Union and the United States of America, in order to express
mutual legal assistance provides a similar obligation for the consent of the European Union to be bound.
those Member States that do not have a bilateral mutual
legal assistance treaty with the United States. These
written instruments have been exchanged between all
Member States and the United States of America.
Article 3
(1) OJ L 181, 19.7.2003, p. 25.
(2) OJ L 181, 19.7.2003, p. 27. This Decision shall be published in the Official Journal of the
(3) OJ L 181, 19.7.2003, p. 34. European Union.
7.11.2009 EN Official Journal of the European Union L 291/41
II
(Acts whose publication is not obligatory)
COUNCIL
COUNCIL DECISION
of 6 June 2003
concerning the signature of the Agreements between the European Union and the United States of
America on extradition and mutual legal assistance in criminal matters
(2003/516/EC)
THE COUNCIL OF THE EUROPEAN UNION, needed, through revision of the Agreements. The
Union states that Article 10 does not constitute a
precedent for negotiations with third states.’
Having regard to the Treaty on European Union, and in parti-
cular Articles 24 and 38 thereof,
(5) The Agreements foresee in their Article 3(2) that written
instruments be exchanged between the United States of
Whereas: America and the Member States of the Union on the
application of bilateral treaties. Article 3(3) of the Agree-
ment on mutual legal assistance provides a similar obli-
(1) The Member States of the European Union cooperate in gation for those Member States that do not have a bilat-
criminal matters with the United States of America on eral mutual legal assistance treaty with the United States.
the basis of bilateral agreements, conventions, treaties, With a view to the drawing up of such written instru-
national law and arrangements. ments the Member States should coordinate their action
within the Council,
(2) The European Union is determined to improve this
cooperation in order to be able to combat, in particular,
transnational crime and terrorism in a more effective
way.
HAS DECIDED AS FOLLOWS:
(4) The Agreements should be signed on behalf of the 2. The text of the Agreements and the accompanying Expla-
European Union, subject to their subsequent conclusion. natory Notes, the latter recording an understanding between
The European Union will, at the time of the signature the European Union and the United States of America, are
make the following declaration: annexed to this Decision.
In case of extension of the territorial application of the Agree- Done at Luxembourg, 6 June 2003.
ments in accordance with Article 20(1)(b), second indent, of
the Agreement on Extradition or Article 16(1)(b), second For the Council
indent, of the Agreement on Mutual Legal Assistance, the
Council shall decide by unanimity on behalf of the European The President
Union. M. CHRISOCHOÏDIS
L 138/14 EN Official Journal of the European Union 4.6.2009
III
(Acts adopted under the EU Treaty)
THE COUNCIL OF THE EUROPEAN UNION, (4) In order to ensure continuous and effective contribution
from the Member States to the achievement by Eurojust
of its objectives, the national member should be required
to have his regular place of work at the seat of Eurojust.
Having regard to the Treaty on European Union, and in
particular Articles 31(2) and 34(2)(c) thereof,
(5) It is necessary to define a common basis of powers
which every national member should have in his
Having regard to the initiative of the Kingdom of Belgium, the capacity as a competent national authority acting in
Czech Republic, the Republic of Estonia, the Kingdom of Spain, accordance with national law. Some of these powers
the French Republic, the Italian Republic, the Grand Duchy of should be granted to the national member for urgent
Luxembourg, the Kingdom of the Netherlands, the Republic of cases where it is not possible for him to identify or to
Austria, the Republic of Poland, the Portuguese Republic, the contact the competent national authority in a timely
Republic of Slovenia, the Slovak Republic and the Kingdom of manner. It is understood that these powers will not
Sweden, have to be exercised in so far as it is possible to
identify and to contact the competent authority.
Having regard to the Opinion of the European Parliament (1), (6) This Decision does not affect the manner in which the
Member States organise their internal judicial system or
administrative procedures for the designation of the
national member and the setting up of the internal
Whereas: working of the national desks at Eurojust.
(1) Eurojust was set up by Council Decision (7) The setting up of an On-Call Coordination (OCC) within
2002/187/JHA (2) as a body of the European Union Eurojust is necessary to make Eurojust available around
with legal personality to stimulate and to improve coor the clock and to enable it to intervene in urgent cases. It
dination and cooperation between competent judicial should be the responsibility of each Member State to
authorities of the Member States. ensure that their representatives in the OCC are able to
act on a 24-hour/7-day basis.
(2) On the basis of an assessment of the experience gained (8) Member States should ensure that competent national
by Eurojust, a further enhancement of its operational authorities respond without undue delay to requests
effectiveness is needed by taking account of that made under this Decision, even if competent national
experience. authorities refuse to comply with requests made by the
national member.
(10) Eurojust national coordination systems should be set up traffic data and location data and the related data
in the Member States to coordinate the work carried out necessary to identify the subscriber or user of a
by the national correspondents for Eurojust, the national publicly available electronic communications service;
correspondent for Eurojust for terrorism matters, the this should not include data revealing the content of
national correspondent for the European Judicial the communication. It is not intended that Eurojust
Network and up to three other contact points of the carry out an automated comparison of DNA profiles or
European Judicial Network, as well as representatives in fingerprints.
the Networks for Joint Investigation Teams, War Crimes,
Asset Recovery and Corruption.
(15) Eurojust should be given the opportunity to extend the
deadlines for storage of personal data in order to achieve
its objectives. Such decisions should be taken following
(11) The Eurojust national coordination system should ensure careful consideration of particular needs. Any extension
that the Case Management System receives information of deadlines for processing personal data, where prose
related to the Member State concerned in an efficient and cution is statute barred in all Member States concerned,
reliable manner. However, the Eurojust national coordi should be decided only where there is a specific need to
nation system should not have to be responsible for provide assistance under this Decision.
actually transmitting information to Eurojust. Member
States should decide on the best channel to be used for
the transmission of information to Eurojust. (16) The Rules on the Joint Supervisory Body should facilitate
its functioning.
(12) In order to enable the Eurojust national coordination (17) With a view to increasing the operational effectiveness of
system to fulfil its tasks, a connection to the Case Eurojust, transmission of information to Eurojust should
Management System should be ensured. The connection be improved by providing clear and limited obligations
to the Case Management System should be made taking for national authorities.
due account of national information technology systems.
Access to the Case Management System at national level
should be based on the central role played by the (18) Eurojust should implement priorities set by the Council,
national member who is responsible for the opening in particular those set on the basis of the Organised
and management of temporary work files. Crime Threat Assessment (OCTA), as referred to in the
Hague Programme (2).
(13) Council Framework Decision 2008/977/JHA of (19) Eurojust is to maintain privileged relations with the
27 November 2008 on the protection of personal data European Judicial Network based on consultation and
processed in the framework of police and judicial coop complementarity. This Decision should help clarify the
eration in criminal matters (1) is applicable to the respective roles of Eurojust and the European Judicial
processing by the Member States of the personal data Network and their mutual relations, while maintaining
transferred between the Member States and Eurojust. the specificity of the European Judicial Network.
The relevant set of data protection provisions of
Decision 2002/187/JHA will not be affected by
Framework Decision 2008/977/JHA and contains
specific provisions on the protection of personal data (20) Nothing in this Decision should be construed to affect
regulating these matters in more detail because of the the autonomy of the secretariats of the networks
particular nature, functions and competences of Eurojust. mentioned in this Decision when they discharge their
function as Eurojust staff in accordance with the Staff
Regulations of Officials of the European Communities
laid down by Regulation (EEC, Euratom, ECSC) No
259/68 of the Council (3).
(14) Eurojust should be authorised to process certain personal
data on persons who, under the national legislation of
the Member States concerned, are suspected of having (21) It is also necessary to strengthen Eurojust’s capacity to
committed or having taken part in a criminal offence work with external partners, such as third States, the
in respect of which Eurojust is competent, or who European Police Office (Europol), the European Anti-
have been convicted of such an offence. The list of Fraud Office (OLAF), the Council’s Joint Situation
such personal data should include telephone numbers, Centre and the European Agency for the Management
e-mail addresses, vehicle registration data, DNA profiles of Operational Cooperation at the External Borders of
established from the non-coding part of DNA, photo the Member States of the European Union (Frontex).
graphs and fingerprints. The list should also include
(2) OJ C 53, 3.3.2005, p. 1.
(1) OJ L 350, 30.12.2008, p. 60. (3) OJ L 56, 4.3.1968, p. 1.
L 138/16 EN Official Journal of the European Union 4.6.2009
(22) Provision should be made for Eurojust to post liaison agreement of the College, have their regular place of
magistrates to third States in order to achieve objectives work at Eurojust.
similar to those assigned to liaison magistrates seconded
by the Member States on the basis of Council Joint
Action 96/277/JHA of 22 April 1996 concerning a 3. The national member shall have a position which
framework for the exchange of liaison magistrates to grants him the powers referred to in this Decision in
improve judicial cooperation between the Member order to be able to fulfil his tasks.
States of the European Union (1).
(a) the national member shall be required to have his (a) point (a) shall be replaced by the following:
regular place of work at the seat of Eurojust;
(b) each national member shall be assisted by one deputy (2) At the time of adoption of this Decision, the competence of Europol
and by another person as an assistant. The deputy and is set out in Article 2(1) of the Convention of 26 July 1995 on the
the assistant may have their regular place of work at establishment of a European Police Office (Europol Convention) (OJ
Eurojust. More deputies or assistants may assist the C 316, 27.11.1995, p. 2), as amended by the 2003 Protocol (OJ C
national member and may, if necessary and with the 2, 6.1.2004, p. 1), and in the Annex thereto. However, once the
Council Decision establishing the European Police Office (Europol)
enters into force, the competence of Eurojust will be as set out in
(1) OJ L 105, 27.4.1996, p. 1. Article 4(1) of that Decision and in the Annex thereto.
4.6.2009 EN Official Journal of the European Union L 138/17
(c) in point (c), the words ‘in points (a) and (b)’ shall be (ii) accept that one of them may be in a better
replaced by ‘in point (a)’; position to undertake an investigation or to
prosecute specific acts;
‘Article 5a
(iv) set up a joint investigation team in keeping
On-Call Coordination with the relevant cooperation instruments;
1. In order to fulfil its tasks in urgent cases, Eurojust
shall put in place an On-Call Coordination (OCC) able to
receive and process at all times requests referred to it. The (v) provide it with any information that is
OCC shall be contactable, through a single OCC contact necessary for it to carry out its tasks;
point at Eurojust, on a 24-hour/7-day basis.
‘Article 8
Follow up to requests and opinions of Eurojust 8. the following Articles shall be inserted:
If the competent authorities of the Member States
concerned decide not to comply with a request referred
to in Article 6(1)(a) or Article 7(1)(a) or decide not to ‘Article 9a
follow a written opinion referred to in Article 7(2) and Powers of the national member granted to him at
(3), they shall inform Eurojust without undue delay of national level
their decision and of the reasons for it. Where it is not
possible to give the reasons for refusing to comply with a 1. When a national member exercises the powers
request because to do so would harm essential national referred to in Articles 9b, 9c and 9d, he does so in his
security interests or would jeopardise the safety of indi capacity as a competent national authority acting in
viduals, the competent authorities of the Member States accordance with national law and subject to the conditions
may cite operational reasons. laid down in this Article and Articles 9b to 9e. In the
performance of his tasks the national member shall,
where appropriate, make it known whenever he is acting
in accordance with the powers granted to national
Article 9 members under this Article and Articles 9b, 9c and 9d.
National members
1. The length of a national member’s term of office shall 2. Each Member State shall define the nature and extent
be at least four years. The Member State of origin may of the powers it grants its national member as regards
renew the term of office. The national member shall not judicial cooperation in respect of that Member State.
be removed before the end of a term without informing the However, each Member State shall grant its national
Council before the removal and indicating to it the reason member at least the powers described in Article 9b and,
therefor. Where a national member is President or Vice- subject to Article 9e, the powers described in Articles 9c
President of Eurojust, his term of office as a member and 9d, which would be available to him as a judge,
shall at least be such that he can fulfil his function as prosecutor or police officer, whichever is applicable, at
President or Vice-President for the full elected term. national level.
Article 9b Article 9d
Ordinary powers Powers exercised in urgent cases
1. National members, in their capacity as competent In their capacity as competent national authorities, national
national authorities, shall be entitled to receive, transmit, members shall, in urgent cases and in so far as it is not
facilitate, follow up and provide supplementary information possible for them to identify or to contact the competent
in relation to the execution of requests for, and decisions national authority in a timely manner, be entitled:
on, judicial cooperation, including regarding instruments
giving effect to the principle of mutual recognition.
When powers referred to in this paragraph are exercised, (a) to authorise and to coordinate controlled deliveries in
the competent national authority shall be informed their Member State;
promptly.
Article 9c
Article 9e
Powers exercised in agreement with a competent
national authority Requests from national members where powers
cannot be exercised
1. National members may, in their capacity as
competent national authorities, in agreement with a 1. The national member, in his capacity as a competent
competent national authority, or at its request and on a national authority, shall be at least competent to submit a
case-by-case basis, exercise the following powers: proposal to the authority competent for the carrying out of
powers referred to in Articles 9c and 9d when granting
such powers to the national member is contrary to:
or
(b) in paragraph 3, the words ‘in accordance with (a) ensuring that the Case Management System referred to
Article 7(a)’ shall be replaced by ‘in accordance with in Article 16 receives information related to the
Article 7(1)(a), (2) and (3)’; Member State concerned in an efficient and reliable
manner;
6. In order to meet the objectives referred to in 20 September 2005 on the exchange of information and
paragraph 5, persons referred to in paragraph 1 and cooperation concerning terrorist offences (*).
paragraph 2(a), (b) and (c) shall, and persons referred to
in paragraph 2(d) may, be connected to the Case
Management System in accordance with this Article and 5. Member States shall ensure that national members are
Articles 16, 16a, 16b and 18 as well as with the Rules informed of the setting up of a joint investigation team,
of Procedure of Eurojust. The connection to the Case whether it is set up under Article 13 of the Convention on
Management System shall be at the charge of the general Mutual Assistance in Criminal Matters between the Member
budget of the European Union. States of the European Union or under Framework
Decision 2002/465/JHA, and of the results of the work
of such teams.
7. Nothing in this Article shall be construed to affect 6. Member States shall ensure that their national
direct contacts between competent judicial authorities as member is informed without undue delay of any case in
provided for in instruments on judicial cooperation, such which at least three Member States are directly involved
as Article 6 of the Convention on Mutual Assistance in and for which requests for or decisions on judicial cooper
Criminal Matters between the Member States of the ation, including regarding instruments giving effect to the
European Union. Relations between the national member principle of mutual recognition, have been transmitted to at
and national correspondents shall not preclude direct least two Member States and
contacts between the national member and his competent
authorities.
(a) the offence involved is punishable in the requesting or
issuing Member State by a custodial sentence or a
___________ detention order for a maximum period of at least five
(*) OJ L 167, 26.6.2002, p. 1. or six years, to be decided by the Member State
(**) OJ L 332, 18.12.2007, p. 103. concerned, and is included in the following list:
(***) OJ L 301, 12.11.2008, p. 38.’;
(i) trafficking in human beings;
11. Article 13 shall be replaced by the following:
(ii) sexual exploitation of children and child porno
graphy;
‘Article 13
(iii) drug trafficking;
Exchanges of information with the Member States and
between national members
(iv) trafficking in firearms, their parts and components
1. The competent authorities of the Member States shall and ammunition;
exchange with Eurojust any information necessary for the
performance of its tasks in accordance with Articles 4 and
5 as well as with the rules on data protection set out in this (v) corruption;
Decision. This shall at least include the information referred
to in paragraphs 5, 6 and 7. (vi) fraud affecting the financial interests of the
European Communities;
(c) there are indications that the case may have a serious
4. This Article shall be without prejudice to other obli cross-border dimension or repercussions at European
gations regarding the transmission of information to Union level or that it might affect Member States
Eurojust, including Council Decision 2005/671/JHA of other than those directly involved.
L 138/22 EN Official Journal of the European Union 4.6.2009
7. Member States shall ensure that their national 12. the following Article shall be inserted:
member is informed of:
‘Article 13a
(a) cases where conflicts of jurisdiction have arisen or are Information provided by Eurojust to competent
likely to arise; national authorities
1. Eurojust shall provide competent national authorities
with information and feedback on the results of the
processing of information, including the existence of links
(b) controlled deliveries affecting at least three States, at with cases already stored in the Case Management System.
least two of which are Member States;
(b) jeopardising the safety of individuals. 14. Article 15(1) shall be amended as follows:
10. Information transmitted to Eurojust pursuant to (b) the following points shall be added:
paragraphs 5, 6 and 7 shall at least include, where
available, the types of information contained in the list
provided for in the Annex.
‘(l) telephone numbers, e-mail addresses and data
referred to in Article 2(2)(a) of Directive
2006/24/EC of the European Parliament and of
the Council of 15 March 2006 on the retention
11. Information referred to in this Article shall be trans
of data generated or processed in connection with
mitted to Eurojust in a structured way.
the provision of publicly available electronic
communications services or of public communi
cations networks (*);
12. By 4 June 2014 (*), the Commission shall establish,
on the basis of information transmitted by Eurojust, a
report on the implementation of this Article, accompanied (m) vehicle registration data;
by any proposal it may deem appropriate, including with a
view to considering an amendment of paragraphs 5, 6 and
7 and the Annex. (n) DNA profiles established from the non-coding part
of DNA, photographs and fingerprints.
___________ ___________
(*) OJ L 253, 29.9.2005, p. 22.’; (*) OJ L 105, 13.4.2006, p. 54.’;
4.6.2009 EN Official Journal of the European Union L 138/23
15. Article 16 shall be replaced by the following: 16. the following Articles shall be inserted:
(a) the index, unless the national member who has decided
to introduce the data in the index expressly denied such
4. The index shall contain references to temporary work access;
files processed within the framework of Eurojust and may
contain no personal data other than those referred to in
Article 15(1)(a) to (i), (k) and (m) and in Article 15(2).
(b) temporary work files opened or managed by the
national member of their Member State;
5. In the performance of their duties in accordance with
this Decision, the national members of Eurojust may
process data on the individual cases on which they are (c) temporary work files opened or managed by national
working in a temporary work file. They shall allow the members of other Member States and to which the
Data Protection Officer to have access to the work file. national member of their Member States has received
The Data Protection Officer shall be informed by the access unless the national member who opened or
national member concerned of the opening of each new manages the temporary work file expressly denied
temporary work file that contains personal data. such access.
3. Each Member State shall decide, after consultation ‘(aa) the date on which the person was acquitted
with its national member, on the extent of access to the and the decision became final;’
index which is granted in that Member State to persons
referred to in Article 12(2) in so far as they are connected
to the Case Management System in accordance with (iii) point (b) shall be replaced by the following:
Article 12(6). Member States shall notify Eurojust and the
General Secretariat of the Council of their decision
regarding the implementation of this paragraph so that ‘(b) three years after the date on which the judicial
the latter can inform the other Member States. decision of the last of the Member States
concerned by the investigation or prosecutions
became final;’
However, persons referred to in Article 12(2), in so far as
they are connected to the Case Management System in
accordance with Article 12(6), shall at least have access (iv) in point (c), the words ‘, unless there is an obli
to the index to the extent necessary to access the gation to provide Eurojust with this information in
temporary work files to which they have been granted accordance with Article 13(6) and (7) or with
access in accordance with paragraph 2 of this Article. instruments referred to in Article 13(4)’ shall be
added after the word ‘prosecutions’;
(a) in paragraph 1, the words ‘take instructions from no- (b) paragraph 3 shall be amended as follows:
one’ shall be replaced by ‘act independently’;
(i) in points (a) and (b) the words ‘in paragraph 2’ shall
(b) in paragraphs 3 and 4, the words ‘the Officer’ shall be be replaced by ‘in paragraph 2(a), (b), (c) and (d)’;
replaced by ‘the Data Protection Officer’;
(ii) in point (b) the following sentence shall be added:
18. Article 18 shall be replaced by the following:
‘However, once prosecution is statute barred in all
‘Article 18 Member States concerned as referred to in
paragraph 2(a), data may only be stored if they
Authorised access to personal data are necessary in order for Eurojust to provide
Only national members, their deputies and their assistants assistance in accordance with this Decision.’;
referred to in Article 2(2), persons referred to in
Article 12(2) in so far as they are connected to the Case
Management System in accordance with Article 12(6) and 21. Article 23 shall be amended as follows:
authorised Eurojust staff may, for the purpose of achieving
Eurojust’s objectives and within the limits provided for in (a) paragraph 1 shall be amended as follows:
Articles 16, 16a and 16b, have access to personal data
processed by Eurojust.’;
(i) in the first subparagraph, the words ‘in Articles 14
to 22’ shall be replaced by ‘in Articles 14 to 22,
19. in Article 19(4)(b), the words ‘which Eurojust is assisting’
26, 26a and 27’;
shall be deleted;
(iii) in the third subparagraph, second sentence, the (b) in paragraph 4, the words ‘Article 9(1)’ shall be
words ‘eighteen months’ shall be replaced by replaced by ‘Article 2(4)’.
‘three years’;
3. The network set up by Decision 2008/852/JHA may including personal data, to such entities, in so far as this
request that Eurojust provide a secretariat to the network. If is necessary for the legitimate performance of the recipient’s
such request is made, paragraph 2 shall apply.’; tasks and in accordance with the rules on data protection
provided in this Decision.
(d) the Council, in particular its Joint Situation Centre. ‘Article 26a
Relations with third States and organisations
1. In so far as is required for the performance of its
Eurojust shall also establish and maintain cooperative
tasks, Eurojust may establish and maintain cooperative
relations with the European Judicial Training Network.
relations with the following entities:
2. Eurojust may conclude agreements with the entities 9. However, even if the conditions referred to in
referred to in paragraph 1. Such agreements may, in paragraph 7 are not fulfilled, a national member may,
particular, concern the exchange of information, including acting in his capacity as a competent national authority
personal data, and the secondment of liaison officers or and in conformity with the provisions of his own
liaison magistrates to Eurojust. Such agreements may only national law, by way of exception and with the sole aim
be concluded after consultation by Eurojust with the Joint of taking urgent measures to counter imminent serious
Supervisory Body concerning the provisions on data danger threatening a person or public security, carry out
protection and after the approval by the Council, acting an exchange of information involving personal data. The
by qualified majority. Eurojust shall inform the Council of national member shall be responsible for the legality of
any plans it has for entering into any such negotiations and authorising the communication. The national member
the Council may draw any conclusions it deems appro shall keep a record of communications of data and of
priate. the grounds for such communications. The communication
of data shall be authorised only if the recipient gives an
undertaking that the data will be used only for the purpose
3. Agreements referred to in paragraph 2 containing for which they were communicated.’
provisions on the exchange of personal data may only be
concluded if the entity concerned is subject to the Council
of Europe Convention of 28 January 1981 or after an 26. Article 27 shall be replaced by the following:
assessment confirming the existence of an adequate level
of data protection ensured by that entity.
‘Article 27
4. Agreements referred to in paragraph 2 shall include Transmission of data
provisions on the monitoring of their implementation,
including implementation of the rules on data protection. 1. Before Eurojust exchanges any information with the
entities referred to in Article 26a, the national member of
the Member State which submitted the information shall
5. Prior to the entry into force of the agreements give his consent to the transfer of that information. In
referred to in paragraph 2, Eurojust may directly receive appropriate cases the national member shall consult the
information, including personal data in so far as this is competent authorities of the Member States.
necessary for the legitimate performance of its tasks.
7. Eurojust may, under the conditions laid down in 27. the following Articles shall be inserted:
Article 27(1), transmit personal data to the entities
referred to in paragraph 1, where:
‘Article 27a
(a) this is necessary in individual cases for the purposes of Liaison magistrates posted to third States
preventing or combating criminal offences for which
Eurojust is competent; and 1. For the purpose of facilitating judicial cooperation
with third States in cases in which Eurojust is providing
assistance in accordance with this Decision, the College
(b) Eurojust has concluded an agreement as referred to in may post liaison magistrates to a third State, subject to
paragraph 2 with the entity concerned which has an agreement as referred to in Article 26a with that third
entered into force and which permits the transmission State. Before negotiations are entered into with a third
of such data. State, the Council, acting by qualified majority, shall give
its approval. Eurojust shall inform the Council of any plans
it has for entering into any such negotiations and the
8. Any subsequent failure, or substantial likelihood of Council may draw any conclusions it deems appropriate.
failure, on the part of the entities referred to in
paragraph 1 to meet the conditions referred to in
paragraph 3, shall immediately be communicated by 2. The liaison magistrate referred to in paragraph 1 is
Eurojust to the Joint Supervisory Body and the Member required to have experience of working with Eurojust and
States concerned. The Joint Supervisory Body may adequate knowledge of judicial cooperation and how
prevent the further exchange of personal data with the Eurojust operates. The posting of a liaison magistrate on
relevant entities until it is satisfied that adequate remedies behalf of Eurojust shall be subject to the prior consent of
have been provided. the magistrate and of his Member State.
L 138/28 EN Official Journal of the European Union 4.6.2009
3. Where the liaison magistrate posted by Eurojust is and require execution in a third State, are made, Eurojust
selected among national members, deputies or assistants: may also, with the agreement of the Member States
concerned, facilitate judicial cooperation with that third
State.
(i) he shall be replaced in his function as a national
member, deputy or assistant, by the Member State;
Article 27b
Requests for judicial cooperation to and from third 4. The injured party shall have the right to demand that
States Eurojust refrain from taking, or cease, any action.
1. Eurojust may, with the agreement of the Member
States concerned, coordinate the execution of requests for
judicial cooperation issued by a third State where these
requests are part of the same investigation and require 5. The national courts of the Member States competent
execution in at least two Member States. Requests to deal with disputes involving Eurojust’s liability as
referred to in this paragraph may also be transmitted to referred to in this Article shall be determined by
Eurojust by a competent national authority. reference to Council Regulation (EC) No 44/2001 of
22 December 2000 on jurisdiction and the recognition
and enforcement of judgments in civil and commercial
matters (**).
2. In case of urgency and in accordance with Article 5a,
the OCC may receive and process requests referred to in
paragraph 1 of this Article and issued by a third State ___________
which has concluded a cooperation agreement with
Eurojust. (*) OJ L 56, 4.3.1968, p. 1.
(**) OJ L 12, 16.1.2001, p. 1.’;
3. Without prejudice to Article 3(2), where requests for 28. in the second sentence of Article 28(2), the words ‘acting
judicial cooperation, which relate to the same investigation by qualified majority,’ shall be inserted after ‘the Council’;
4.6.2009 EN Official Journal of the European Union L 138/29
29. Article 29 shall be amended as follows: ‘Informing the European Parliament, the Council and
the Commission’;
(a) in paragraph 1:
(b) the following paragraph shall be added:
‘The Commission shall be entitled to participate in 32. Article 33 shall be replaced by the following:
the selection process and to sit on the selection
board.’;
‘Article 33
(b) in paragraph 2, the second sentence shall be replaced Finance
by the following:
1. The salaries and emoluments of the national
members, deputies and assistants referred to in
Article 2(2) shall be borne by their Member State of origin.
‘It may be extended once without a need for a call for
applications, provided that the College so decides by a
three-fourths majority and appoints the Administrative
Director with the same majority.’; 2. Where national members, deputies and assistants act
within the framework of Eurojust’s tasks, the relevant
expenditure related to these activities shall be regarded as
(c) in paragraph 5, the following sentence shall be added: operational expenditure within the meaning of
Article 41(3) of the Treaty.’;
30. Article 30 shall be amended as follows: (b) the following sentence shall be added:
(a) in paragraph 2:
‘The European Judicial Network and networks referred
to in Article 25a(2) shall be informed on the parts
related to the activities of their secretariats in due
(i) in the fourth sentence, the words ‘who may also time before the forwarding of the estimate to the
assist the national member’ shall be added; Commission.’;
(b) paragraph 3 shall be replaced by the following: evaluation of the implementation of this Decision as well
as of the activities carried out by Eurojust.
‘3. Eurojust shall send the report on the budgetary
and financial management for the financial year to the 2. Each evaluation shall assess the impact of this
European Parliament and the Council by 31 March of Decision, Eurojust’s performance in terms of achieving
the following year.’; the objectives referred to in this Decision as well as the
effectiveness and efficiency of Eurojust. The College shall
(c) in paragraph 10, the words ‘30 April’ shall be replaced issue specific terms of reference in consultation with the
by ‘15 May’; Commission.
‘Article 41
2. The Commission shall at regular intervals examine the
Reporting implementation by the Member States of Decision
2002/187/JHA as amended and shall submit a report thereon
1. Member States shall notify Eurojust and the General
to the European Parliament and to the Council together with, if
Secretariat of the Council of the designation of national
appropriate, necessary proposals to improve judicial cooper
members, deputies, assistants as well as persons referred
ation and the functioning of Eurojust. This shall in particular
to in Article 12(1) and (2) and of any change to this
apply to Eurojust’s capacities to support Member States in
designation. The General Secretariat of the Council shall
fighting terrorism.
keep an updated list of these persons and shall make
their names and contact details available to all Member
States and to the Commission. Article 3
Taking of effect
2. The definitive appointment of a national member can
not take effect before the day on which the General Secre This Decision shall take effect on the day of its publication in
tariat of the Council receives the official notifications the Official Journal of the European Union.
referred to in paragraph 1 and Article 9a(3).’;
ANNEX
‘ANNEX
List referred to in Article 13(10) setting out the minimum types of information to be transmitted, where
available, to Eurojust pursuant to Article 13(5), (6) and (7)
(e) details of the leader of the team for each participating Member State;
(a) data which identify the person, group or entity that is the object of a criminal investigation or prosecution;
(d) data related to the requests for, or decisions on, judicial cooperation including regarding instruments giving effect
to the principle of mutual recognition, which are issued, including:
(v) whether or not the request has been executed, and if not on what grounds.
(b) data which identify the person, group or entity that is the object of a criminal investigation or prosecution;
(b) data which identify the person, group or entity that is the object of a criminal investigation or prosecution;
L 138/32 EN Official Journal of the European Union 4.6.2009
(d) type of offence in connection with which the controlled delivery is carried out.
ScienceDirect
w w w. c o m p s e c o n l i n e . c o m / p u b l i c a t i o n s / p r o d c l a w. h t m
Comment
Xavier Tracol *
Senior Legal Officer, Data Protection Service, EUROJUST, The Hague, The Netherlands
A B S T R A C T
Keywords: The Grand Chamber ruled that Commission decision 2000/520 on “safe harbour” was invalid
European Court of Justice since Article 1 thereof failed to comply with the requirements laid down in Article 25(6) of
Maximillian Schrems v Data Protection Directive 95/46 read in the light of the Charter; the Commission had exceeded the power
Commissioner which was conferred upon it in the same provision in adopting Article 3 of the decision;
Facebook and Articles 1 and 3 and the decision of the Commission in its entirety were accordingly
Directive 95/46/EC of 24 October invalid. The Grand Chamber made critical observations about the safe harbour framework.
1995 The legal effects of this ruling should be clarified. In addition, the findings of the Grand
Commission decision 2000/520/EC Chamber on the powers of national data protection authorities and on transfers of per-
of 26 July 2000 sonal data to the US have far-reaching legal implications for organisations in both the US
“Safe harbour” and the EU.1
National data protection authorities © 2016 Xavier Tracol. Published by Elsevier Ltd. All rights reserved.
Adequate level of protection
Requirements and derogations
Content of communications
Legal validity
Articles 7, 8, 11 and 47 of the
Charter of Fundamental Rights
“Umbrella agreement”
“One might say that the old world was ending, and the new
beginning.” 1. Introduction
François-René, viscount of Chateaubriand, Mémoires d’Outre- In the ground-breaking judgment in the Maximillian Schrems v
Tombe, Book XLII: Chapter 18, 1848 Data Protection Commissioner case which led to diverse
The views expressed herein are those of the author in his personal capacity and do in no way reflect those of EUROJUST or the EU in
general.
* P.O. Box 16183, 2500 BD The Hague, The Netherlands.
E-mail address: xtracol@eurojust.europa.eu.
1
In the specific context of this commentary, the term “EU” also covers Member States of the European Economic Area (hereinafter the
“EEA”), which include the 28 Member States of the EU as well as Iceland, Liechtenstein and Norway.
http://dx.doi.org/10.1016/j.clsr.2016.01.011
0267-3649/© 2016 Xavier Tracol. Published by Elsevier Ltd. All rights reserved.
346 computer law & security review 32 (2016) 345–362
comments,2 the Grand Chamber invalidated the decision of the Any question relating to the adequacy of the protection of that
Commission in which it declared that the implementation of data in the US had to be settled in accordance with that de-
the “safe harbour” framework ensured an adequate level of pro- cision which prevented him from examining the problem raised
tection in the US. The Grand Chamber found that the decision by the complaint.The Commissioner considered himself legally
of the Commission infringed upon the directive read in the light barred from investigating the complaint. This finding of legal
of the Charter of Fundamental Rights and that the Commis- impediment triggered the whole court case.
sion infringed upon the authority granted to it by the EU Max Schrems challenged the decision of the Commis-
legislature. sioner before the High Court of Ireland. He submitted that the
The Court sat in the Grand Chamber of fifteen judges, which decision was unlawful and that the disclosures made by Edward
includes both the President and the Vice-President of the Court Snowden demonstrated that there was no effective data pro-
as well as three Presidents of Chambers of five Judges, pursu- tection regime in the US. Although Max Schrems has not directly
ant to Article 16(2) and (3) of the Statute of the Court and Article challenged the legal validity of the Commission decision, he
27 of the Rules of Procedure of the Court. The fact that the Grand objected in reality to the terms of the safe harbour regime itself.
Chamber is composed of senior Judges of the Court shows the By judgment of 18 June 2014,3 Judge Gerard Hogan of the
importance of the case. High Court considered that the data protection rights of ordi-
Judge Rapporteur Thomas von Danwitz was also Judge Rap- nary citizens “have been seriously compromised by mass and
porteur in the case of Digital Rights Ireland. largely unsupervised surveillance programmes.”4 He found that
it was “irrelevant that Mr. Schrems cannot show that his own
personal data was accessed in this fashion by the NSA, since
what matters is the essential inviolability of the personal data
2. Procedural background of the case itself.”5 Judge Hogan also considered that “the essential ques-
tion [. . .was] whether, as a matter of European Union law, the
The background of the case originates from a complaint lodged Commissioner [was. . .] absolutely bound by that finding of the
on 25 June 2013 by Maximillian (Max) Schrems as an EU Face- European Commission as manifested in the 2000 Decision in
book user since 2008 with the Irish Data Protection relation to the adequacy of data protection in the law and prac-
Commissioner which is the Irish Data Protection Authority tice of the United States having in particular to the subsequent
(hereinafter “DPA”). Max Schrems complained that some or all entry into force of Article 8 of the Charter, the provisions of Article
of the data that he provided to Facebook were transferred by 25(6) of the 1995 Directive notwithstanding.”6 The judge con-
Facebook’s Irish subsidiary to servers located in the US where sequently referred the case to the Court of Justice for a
it was processed and kept. In light of the disclosures made by preliminary ruling. He asked the Court of Justice whether the
Edward Snowden in 2013 about the activities of the US intel- decision of the Commission had the effect of preventing a na-
ligence services in general, and the National Security Agency tional supervisory authority from investigating a complaint
(hereinafter the “NSA”) in particular, he submitted that the law which alleged that the third country did not ensure an ad-
and practices of the US did not offer sufficient protection of equate level of protection and, where appropriate, from
the personal data transferred to this country and kept there suspending the contested transfer of personal data. Judge Hogan
against surveillance by public authorities. Max Schrems has specifically requested an interpretation but not a ruling on the
however not formally challenged the legal validity of the Com- legal validity of the Commission decision.
mission decision. On 24 March 2015, the Grand Chamber held an oral hearing
By a letter of 25 July 2013, the then Commissioner, Billy in which the Commission made submissions defending the
Hawkes, refused to investigate the complaint and rejected it legal validity of its own decision.7 Parliament and the Euro-
on the ground that there was “no evidence of a contravention pean Data Protection Supervisor (hereinafter the “EDPS”), that
in this case” and “no evidence – and you have not asserted – the Grand Chamber invited for the second time in a prelimi-
that your personal data has been disclosed to the US authori- nary procedure8 to appear in the case, also made submissions.9
ties.”The Commissioner considered that Max Schrems had not
shown that data that he had placed on Facebook Ireland had
3
been compromised when it was thereafter transferred and stored Ireland, High Court, Maximillian Schrems v Data Protection Com-
in the US, and that he consequently suffered some particularised missioner [2014] IEHC 310, available at http://www.courts.ie/
harm. By a letter of 26 July 2013, the Commissioner added that Judgments.nsf/0/481F4670D038F43380257CFB004BB125
4
Ireland, High Court, Maximillian Schrems v Data Protection Com-
“the ‘Safe Harbour’ agreement stands as a formal decision of
missioner [2014] IEHC 310, para 8.
the EU Commission [. . .] under Article 25(6) of the Data Pro- 5
Ireland, High Court, Maximillian Schrems v Data Protection Com-
tection Directive 95/46/EC that the agreement provides adequate missioner [2014] IEHC 310, para 75. See also ibidem, para 42.
protection for personal data transferred from the EU to the USA.” 6
Ireland, High Court, Maximillian Schrems v Data Protection Com-
The agreement includes principles on the protection of per- missioner [2014] IEHC 310, para 70.
7
sonal data that US undertakings may voluntarily subscribe to. Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 224.
8
The first time was in the case of Digital Rights Ireland, see Xavier
2
Sarah Cadiot and Laura De Boel, “Safe Harbor invalid: What to Tracol, “Legislative genesis and judicial death of a directive: the Eu-
expect after the ruling ?”, Privacy Laws & Business – International Report, ropean Court of Justice invalidated the data retention directive (2006/
Issue 137, October 2015, p. 1, 3 and 4; Sylvie Peyrou, “La Cour de 24/EC), thereby creating a sustained period of legal uncertainty about
justice de l’Union européenne, à l’avant-garde de la défense des the validity of national laws which enacted it”, Computer Law and
droits numériques”, Journal de droit européen, 2015, p. 395 to 398. Security Review, Volume 30, Issue 6, December 2014, p. 737.
computer law & security review 32 (2016) 345–362 347
Unlike Digital Rights Ireland, which participated in the pro- self-certify with the US Department of Commerce their “ad-
ceedings as amicus curiæ, Facebook and the US government did herence to the Principles implemented in accordance with the
not request to intervene and to make direct submissions to FAQs” and bore the legal obligation to renew the self-certification
the Grand Chamber. annually.
Under Article 3(1) of the Commission decision, the na-
tional supervisory authorities may “[w]ithout prejudice to their
powers to take action to ensure compliance with national pro-
visions adopted pursuant to provisions other than Article 25”
3. Relevant law
of the directive “[. . .] suspend data flows to an organisation that
3.1. Directive 95/46/EC has self-certified its adherence” to the principles under re-
strictive conditions establishing a high threshold for
The relevant provisions of the applicable directive clearly dis- intervention.
tinguish between transfers of personal data to third countries, The safe harbour was unusual to the extent that it pro-
i.e. countries outside of the EU, which ensure an adequate level vided for a voluntary system based on self-regulation, trust and
of protection (Article 25) and to third countries, which have not public disclosure by private organisations and on their will-
been found to ensure an adequate level of protection (Article ingness to comply with its principles. The safe harbour
26). Personal data of EU data subjects can only be transferred attempted at bridging cultural and legal differences between
from the EU to countries with an adequate level of protec- the EU where the protection of personal data is a fundamen-
tion, pursuant to Article 25(1) of the directive. Pursuant to Article tal right and the US where it is mainly considered in terms of
25(6) of the directive, the Commission may find that a country consumer protection leaving room for trade-offs.
ensures an adequate level of protection by reason of its do-
mestic law or of the international commitments that it has
entered into for the protection of the private lives and basic 3.2.1. Scope of the privacy principles
freedom and rights of individuals. Only 11 countries satisfy this The second paragraph of Annex I to the Commission deci-
requirement, i.e. Andorra, Argentina, Canada, Faroe Islands, sion provided that the safe harbour principles were “intended
Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzer- for use solely by US organisations receiving personal data from
land and Uruguay.10 Recital 57 of the directive specifies that the European Union for the purpose of qualifying for the safe
transfers of personal data to third countries where an ad- harbour and the presumption of ‘adequacy’ it creates”. The prin-
equate level of protection has not been established in a decision ciples legally bound private organisations and not US public
of the Commission pursuant to Article 25(6) of the directive authorities.
are prohibited. These third countries include the US. Annex I to the decision of the Commission however pro-
vided that adherence to the privacy principles may be limited
“to the extent necessary to meet national security, public in-
3.2. Safe harbour terest, or law enforcement requirements”. Regarding the limits
to which the safe harbour principles’ applicability is subject,
The EU and the US negotiated and established a framework – Part B of Annex IV to the decision of the Commission stated
the “safe harbour” – to transfer personal data from the EU to that “[c]learly, where US law imposes a conflicting obligation,
organisations established in the US. On 26 July 2000, the Com- US organisations whether in the safe harbour or not must
mission adopted executive decision 2000/52011 based on Article comply with the law”.
25(6) of the directive in which it declared that the implemen- On 26 September 2013, 3246 private organisations, such as
tation of the safe harbour framework ensured an adequate level Apple Inc., Microsoft Corp., Google Inc., Yahoo! Inc., Adobe,
of protection. The unilateral decision of the Commission then Weight Watchers and pharmaceutical giant Merck, but also
entered into force, thereby allowing transfers of personal data many small organisations,13 were safe harbour self-certified.14
from the EU to the US. Pursuant to the decision of the Commission, some EU
The US Department of Commerce issued seven privacy prin- organisations such as the Commission and the European
ciples set out in Annex I appended to the decision of the Central Bank transferred personal data collected for surveys
Commission and the FAQs in Annex II thereto.12 Pursuant to and pensions of former staff members to the US. 15 A
Article 1(3) of the Commission decision, organisations had to
9
EDPS Pleading before the Court of Justice. Case C-362/14, Schrems
13
v Data Protection Commissioner. Luxembourg, 24 March 2015, avail- Center for Strategic & International Studies, “The Safe Harbor:
able on the Internet site of the EDPS at: https://secure.edps Data Protection or Protectionism?” 10 June 2014, available at
.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/ http://csis.org/event/safe-harbor-data-protection-or-protectionism
14
Consultation/Court/2015/15-03-24_EDPS_Pleading_Schrems Case C-362/14 Maximillian Schrems v Data Protection Commis-
_vs_Data_Commissioner_EN.pdf sioner [2015] para 19. See Department of Commerce, U.S.–EU Safe
10
See http://ec.europa.eu/justice/data-protection/international- Harbor List, available at http://safeharbor.export.gov/list.aspx
15
transfers/adequacy/index_en.htm See EDPS, Position paper on the transfer of personal data to third
11
Available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri countries and international organisations by EU institutions and
=CELEX:32000D0520:EN:HTML bodies, 14 July 2014, available at https://secure.edps.europa.eu/
12
Case C-362/14 Maximillian Schrems v Data Protection Commis- EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/
sioner [2015] para 79. Papers/14-07-14_transfer_third_countries_EN.pdf
348 computer law & security review 32 (2016) 345–362
considerable quantity of personal data transferred from the EU suspension of the Commission decision and the promotion of
to the US on the basis of the Commission decision dealt with the wide use of encryption.24
human resources documents concerning the organisations’ own
European employees,16 social media or pay-roll information.
3.2.4. Two highly critical Communications of the Commission
In 2013, the Commission issued two Communications, which
3.2.2. Weak enforcement of the safe harbour identified a number of shortcomings. The Commission stated
FAQ 11 described the powers of the US Federal Trade Com- that “[t]he personal data of EU citizens sent to the US under
mission (hereinafter the “FTC”), which is a purely civil law the Safe Harbour may be accessed and further processed by
enforcement agency.17 Its powers were limited to commercial US authorities in a way incompatible with the grounds on which
disputes18 if organisations infringed upon the safe harbour or the data was originally collected in the EU and the purposes
falsely stated that they were certified. for which it was transferred to the US”25 and that “[a] major-
On 17 August 2015, the FTC stated that it had “brought more ity of the US internet companies that appear to be more directly
than two dozen cases alleging false claims regarding Safe concerned by [the surveillance] programmes are certified under
Harbor compliance.”19 Seven companies falsely claimed to hold the Safe Harbour scheme”.26
up-to-date certifications although they had not renewed The Commission noted a number of weaknesses in the ap-
them. plication of the decision. First, it stated that some certified US
Galexia, an Australian-based consulting company on Inter- companies did not comply with the principles referred to in
net law and privacy, however, conducted a research in which Article 1(1) of Decision 2000/520 (“the safe harbour prin-
it found 206 false claims of membership in 2008.20 On 7 October ciples”) and that improvements had to be made to that decision
2013, Christopher Connolly, a director at Galexia, informed the regarding “structural shortcomings related to transparency and
Committee on Civil Liberties, Justice and Home Affairs of Par- enforcement, the substantive Safe Harbour principles and the
liament that this figure had increased to 427.21 operation of the national security exception.”27 Second, the Com-
mission observed that “Safe Harbour also acts as a conduit for
the transfer of the personal data of EU citizens from the EU
3.2.3. Criticisms of Parliament to the US by companies required to surrender data to US in-
On 5 July 2000, Parliament expressed its reluctance in a reso- telligence agencies under the US intelligence collection
lution on the Draft Commission Decision on the adequacy of programmes.”28 The Commission concluded that whilst, “[g]iven
the protection provided by the Safe Harbour Privacy Prin- the weaknesses identified, the current implementation of Safe
ciples and related Frequently Asked Questions issued by the Harbour cannot be maintained, [. . .] its revocation would
US Department of Commerce.22 In its report filed on 8 January [however] adversely affect the interests of member compa-
2014, the Investigation Committee created by Parliament called nies in the EU and in the US.”29 Last, the Commission added
for the suspension by the Commission of the safe harbour that it would “engage with the US authorities to discuss the
decision.23 On 12 March 2014, Parliament adopted a compre- shortcomings identified”.30
hensive and very critical resolution in which it called for the
24
European Parliament resolution of 12 March 2014 on the US NSA
surveillance programme, surveillance bodies in various Member
States and their impact on EU citizens’ fundamental rights and on
16
Center for Strategic & International Studies, “The Safe Harbor: transatlantic cooperation in Justice and Home Affairs (2013/
Data Protection or Protectionism?” 10 June 2014, available at 2188(INI)), available at http://www.europarl.europa.eu/sides/
http://csis.org/event/safe-harbor-data-protection-or-protectionism getDoc.do?type=TA&language=EN&reference=P7-TA-2014-0230
17 25
Commissioner Julie Brill, “Transatlantic Privacy After Schrems: Communication from the Commission to the European Parlia-
Time for An Honest Conversation”, Keynote Address at the Am- ment and the Council, “Restoring Trust in EU-US data flows”,
sterdam Privacy Conference, 23 October 2015, available at https:// COM(2013) 846 final, 27 November 2013, available at http://eur-
www.ftc.gov/public-statements/2015/10/transatlantic-privacy-after- lex.europa.eu/resource.html?uri=cellar:4d874331-784a-11e3-b889-
schrems-time-honest-conversation, p. 8. 01aa75ed71a1.0001.01/DOC_1&format=PDF, section 2.
18 26
Case C-362/14 Maximillian Schrems v Data Protection Commis- Communication from the Commission to the European Parlia-
sioner [2015] para 89. ment and the Council, “Restoring Trust in EU-US data flows”,
19
Federal Trade Commission, “U.S.-EU Safe Harbor compliance: COM(2013) 846 final, 27 November 2013, section 2.
27
Don’t run aground”, Lesley Fair, 17 August 2015. Communication from the Commission to the European Parlia-
20
The US Safe Harbor – Fact or Fiction? (2008) available at http:// ment and the Council, “Restoring Trust in EU-US data flows”,
www.galexia.com/public/research/assets/safe_harbor_fact_or COM(2013) 846 final, 27 November 2013, section 3.2.
28
_fiction_2008/safe_harbor_fact_or_fiction.pdf, p. 4, 5, 8 and 17. Communication from the Commission to the European Parlia-
21
“Hundreds of US companies make false data protection claims”, ment and the Council, “Restoring Trust in EU-US data flows”,
EU Observer, available at https://euobserver.com/justice/121695 COM(2013) 846 final, 27 November 2013, section 3.2.
22 29
C5-0280/2000 – 2000/2144(COS) available at http:// Communication from the Commission to the European Parlia-
www.europarl.europa.eu/sides/getDoc.do?pubRef=-%2F%2FEP ment and the Council, “Restoring Trust in EU-US data flows”,
%2F%2FTEXT%2BTA%2BP5-TA-2000-0306%2B0%2BDOC%2BXML COM(2013) 846 final, 27 November 2013, section 3.2.
30
%2BV0%2F%2FEN&language=EN Communication from the Commission to the European Parlia-
23
Draft report on the US NSA surveillance programme, surveil- ment and the Council, “Restoring Trust in EU-US data flows”,
lance bodies in various Member States and their impact on EU COM(2013) 846 final, 27 November 2013, section 3.2. See also the
citizens’ fundamental rights and on transatlantic cooperation in related Memorandum “Restoring Trust in EU-US data flows – Fre-
Justice and Home Affairs, 2013/2188(INI), 8 January 2014. quently Asked Questions”, MEMO/13/1059, 27 November 2013.
computer law & security review 32 (2016) 345–362 349
The Commission noted that a significant number of self- agencies to data transferred to the US by Safe Harbour certi-
certified companies did not comply or did not fully comply with fied companies raises additional serious questions regarding
the Safe Harbour principles.31 In addition, the Commission the continuity of data protection rights of Europeans when their
stated that “all companies involved in the PRISM programme data is transferred to the US.”38
[a large-scale intelligence collection programme], and which The Commission made thirteen recommendations. The last
grant access to US authorities to data stored and processed in two dealt with access to data by US authorities, i.e. excep-
the US, appear to be Safe Harbour certified”32 and that “[t]his tions for national security, public interest or law enforcement
has made the Safe Harbour scheme one of the conduits through requirements.39 At the end of 2013, the Commission prompted
which access is given to US intelligence authorities to collect- negotiations with the US Department of Commerce to improve
ing personal data initially processed in the EU.”33 In that regard, the transparency and enforcement of the programme and
the Commission noted that “a number of legal bases under US enhance dispute resolution.
law allow large-scale collection and processing of personal data
that is stored or otherwise processed [by] companies based in 3.2.5. Additional recommendations of the Article 29 Working
the US” 34 and that the “large-scale nature of these pro- Party
grammes may result in data transferred under Safe Harbour The Article 29 Working Party is an independent influential EU
being accessed and further processed by US authorities beyond advisory body to the Commission, which is legally based on
what is strictly necessary and proportionate to the protec- Article 29 of the directive, hence its name. The Working Party
tion of national security as foreseen under the exception is composed of DPAs of all Member States and the EDPS who
provided in the Safe Harbour Decision.”35 was established on the basis of Regulation 45/2001 to monitor
In section 7.2 of this communication, headed “Limitations EU organisations. Although the opinions of the Working Party
and redress possibilities”, the Commission noted that “safe- do not legally bind EU courts,40 they provide helpful guidance
guards that are provided under US law are mostly available to on concepts such as controllers and processors.41 On 10 April
US citizens or legal residents” and that “[m]oreover, there are 2014, the Working Party made additional recommendations to
no opportunities for either EU or US data subjects to obtain the Commission about weaknesses in the safe harbour
access, rectification or erasure of data, or administrative or ju- framework.42
dicial redress with regard to collection and further processing
of their personal data taking place under the US surveillance
programmes”. The certified companies included “Web com-
panies such as Google, Facebook, Microsoft, Apple, Yahoo”,36 4. Analysis of the opinion of the Advocate
which had “hundreds of millions of clients in Europe”37 and General dated 23 September 2015
transferred personal data to the US for processing. The Com-
mission concluded that “the large-scale access by intelligence In a highly anticipated, detailed and controversial opinion, Ad-
vocate General Yves Bot who was Advocate General in the
challenge to the legal basis of the data retention directive43 went
31
Communication from the Commission to the European Parlia- further than simply suggesting replies to the two specific ques-
ment and the Council on the Functioning of the Safe Harbour from
tions posed by the High Court of Ireland in the request for a
the Perspective of EU Citizens and Companies Established in the
EU, COM(2013) 847 final, 27 November 2013, available at http://eur- preliminary ruling.44 Both questions were limited to the legally
lex.europa.eu/resource.html?uri=cellar:551c0723-784a-11e3-b889- binding nature of the Commission decision on DPAs and their
01aa75ed71a1.0001.01/DOC_1&format=PDF, sections 3 to 5 and 8. powers in relation to complaints under the decision of the Com-
32
Communication from the Commission to the European Parlia- mission. Although the request did not expressly refer the legal
ment and the Council on the Functioning of the Safe Harbour from validity of the Commission decision to the Court of Justice, the
the Perspective of EU Citizens and Companies Established in the
EU, COM(2013) 847 final, 27 November 2013, section 7.
33 38
Communication from the Commission to the European Parlia- Communication from the Commission to the European Parlia-
ment and the Council on the Functioning of the Safe Harbour from ment and the Council on the Functioning of the Safe Harbour from
the Perspective of EU Citizens and Companies Established in the the Perspective of EU Citizens and Companies Established in the
EU, COM(2013) 847 final, 27 November 2013, section 7. EU, COM(2013) 847 final, 27 November 2013, section 8.
34 39
Communication from the Commission to the European Parlia- Communication from the Commission to the European Parlia-
ment and the Council on the Functioning of the Safe Harbour from ment and the Council on the Functioning of the Safe Harbour from
the Perspective of EU Citizens and Companies Established in the the Perspective of EU Citizens and Companies Established in the
EU, COM(2013) 847 final, 27 November 2013, section 7.1. EU, COM(2013) 847 final, 27 November 2013, p. 19 in fine.
35 40
Communication from the Commission to the European Parlia- Opinion in Joined Cases C-141/12 and C-372/12, footnote 40.
41
ment and the Council on the Functioning of the Safe Harbour from Opinion 1/2010 of 16 February 2010 on the concepts of “con-
the Perspective of EU Citizens and Companies Established in the troller” and “processor”, available at http://ec.europa.eu/justice/
EU, COM(2013) 847 final, 27 November 2013, section 7.1. policies/privacy/docs/wpdocs/2010/wp169_en.pdf
36 42
Communication from the Commission to the European Parlia- Available at http://ec.europa.eu/justice/data-protection/article-
ment and the Council on the Functioning of the Safe Harbour from 29/documentation/other-document/files/2014/20140410_wp29
the Perspective of EU Citizens and Companies Established in the _to_ec_on_sh_recommendations.pdf
43
EU, COM(2013) 847 final, 27 November 2013, section 8. Case C-301/06 Ireland v Parliament and Council [2009] ECR I-593.
37 44
Communication from the Commission to the European Parlia- Reference for a preliminary ruling from High Court of Ireland
ment and the Council on the Functioning of the Safe Harbour from made on 25 July 2014 – Maximillian Schrems v Data Protection Com-
the Perspective of EU Citizens and Companies Established in the missioner (Case C-362/14), Official Journal of the European Union, 6
EU, COM(2013) 847 final, 27 November 2013, section 8. October 2014, C 351/5.
350 computer law & security review 32 (2016) 345–362
Advocate General considered that it should determine it because the circumstances of a case.54 He considered that “a third
both Max Schrems and the High Court of Ireland indirectly had country ensures an adequate level of protection only where”55
cast doubts on it.45 This reason was a weak basis on which to the Commission can “establish that that third country offers
justify examining the legal validity of a Commission deci- a level of protection that is essentially equivalent to that
sion. Even though Max Schrems did not request the invalidation afforded”56 by the directive. However, the latter does not provide
of such decision, Advocate General Bot proposed that the Grand for any test to define the practical meaning of “an adequate
Chamber should invalidate it. Advocate General Cruz Villalón level of protection”. The Advocate General accordingly inter-
had already made a similar submission about the invalidity preted the phrase “adequate level of protection” and set the
of the data retention directive in the case of Digital Rights bar quite high by contending that adequacy not only means
Ireland.46 equivalence in practice, but requires essential equivalence.
In addition, the Advocate General proposed that the Grand The Advocate General harshly criticised the safe harbour.
Chamber should find that DPAs may investigate a complaint He referred to “a mass and indiscriminate surveillance and in-
alleging that a third country does not ensure an adequate level terception” of personal data by the NSA57 and “the large-
of protection and suspend the transfer of personal data. The scale collection of the personal data of citizens of the Union,
Irish Commissioner would accordingly have been required to which is transferred under the safe harbour scheme”.58 Advo-
examine the complaint of Max Schrems.47 Advocate General cate General Bot submitted that the problem primarily arose
Bot relied on the case law of EU courts about the indepen- from the excessive use of derogations permitted under the de-
dence of DPAs, which legally characterises them as guardians cision of the Commission59 and the absence of any independent
of fundamental rights48 to support his submission that DPAs authority capable of verifying that the implementation of the
are totally independent even from the Commission.49 Conse- derogations from the safe harbour principles is limited to what
quently, if “on completion of its investigations, a national is strictly necessary.60 He analysed that since Facebook acted
supervisory authority considers that the contested transfer of in compliance with US law and the decision of the Commis-
data undermines the protection which citizens of the Union sion provided for disclosures in this case, “the question of the
must enjoy with regard to the processing of their data, it has compatibility of such derogations with primary EU law”61 was
the power to suspend the transfer of data in question, irre- in reality raised in this case. The Advocate General thus as-
spective of the general assessment made by the Commission sessed the legitimacy of US surveillance.
in its decision.”50 The Advocate General observed that Article Advocate General Bot considered that the “access enjoyed
25 of the directive provides that Member States or the Com- by the United States intelligence services to the transferred data
mission may alternatively find that a third country ensures an therefore also constitutes an interference with the fundamen-
adequate level of protection.51 A decision adopted by the Com- tal right to protection of personal data guaranteed in Article
mission pursuant to Article 25(6) of the directive can therefore 8 of the Charter, since such access constitutes a processing of
not eliminate or reduce the powers expressly granted to the that data.”62 The Advocate General also considered that “the
national supervisory authorities by Article 8(3) of the Charter interference thus identified is wide-ranging and must be con-
and Article 28 of the directive.52 sidered to be particularly serious, given the large number of
Where the legal validity of a Commission decision adopted users concerned and the quantities of data transferred. Those
pursuant to Article 25(6) of the directive is examined, account factors, associated with the secret nature of the United States
must be taken of the circumstances that have arisen after the authorities’ access to the personal data transferred to the un-
date when this decision was adopted.53 (French) Advocate dertakings established in the United States, make the interference
General Bot implicitly relied on the phrasing used in the case
law of the French Council of State about inferences drawn from
54
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 137: the Commission “confirms implic-
45
Opinion in Case C-362/14 Maximillian Schrems v Data Protection itly, but necessarily, the initial assessment.” See for instance Council
Commissioner [2015] paras 123 in fine, 124, 126 and 128. of State, Judgments No. 369808 of 21 September 2015, 366498 of 23
46
Opinion in Joined Cases C-293/12 and C-594/12 Digital Rights June 2014, 343705 of 21 October 2013, 343837 of 26 July 2011 and
Ireland and Seitlinger and Others [2014] Section VI. 305314 of 24 July 2009.
47 55
Opinion in Case C-362/14 Maximillian Schrems v Data Protection Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 39 in fine. Commissioner [2015] para 141.
48 56
Opinion in Case C-362/14 Maximillian Schrems v Data Protection Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 70. See Case C-518/07 Commission v Germany Commissioner [2015] para 141.
57
para 23, Case C-614/10 Commission v Austria para 52 and C-288/12 Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commission v Hungary para 53. Commissioner [2015] para 155.
49 58
Opinion in Case C-362/14 Maximillian Schrems v Data Protection Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 73. Commissioner [2015] para 158.
50 59
Opinion in Case C-362/14 Maximillian Schrems v Data Protection Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 81. Commissioner [2015] para 164.
51 60
Opinion in Case C-362/14 Maximillian Schrems v Data Protection Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 86. Commissioner [2015] para 208.
52 61
Opinion in Case C-362/14 Maximillian Schrems v Data Protection Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] paras 61, 93 and 116. Commissioner [2015] para 168.
53 62
Opinion in Case C-362/14 Maximillian Schrems v Data Protection Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] paras 134 and 135. Commissioner [2015] para 170 in fine.
computer law & security review 32 (2016) 345–362 351
extremely serious.”63 The characterisation of the interferences effectively monitored and controlled compliance with the re-
by the Advocate General as “extremely serious” therefore goes quirements for the protection and security of personal data
further than the “particularly serious interferences” with the provided for in Article 8(3) of the Charter.74 Procedures before
fundamental rights to privacy and to the protection of per- the FTC and the private dispute resolution mechanisms dealt
sonal data found by the Grand Chamber in its judgment with compliance by the US undertakings with the safe harbour
invalidating the data retention directive.64 principles and could not be applied in disputes on the legal-
The Advocate General further submitted that the US “in- ity of interference with fundamental rights, which resulted from
telligence services’ access to the data transferred seems to measures originating from the State.75 The Advocate General
extend to the content of the electronic communications, which considered that the reference in the fourth paragraph of Annex
would compromise the essence of the fundamental right to respect I “to limits to the application of the safe harbour principles
for privacy and the other rights enshrined in Article 7 of the ought to have been accompanied by the establishment of a
Charter. [. . .I]t could be considered that those limitations com- control mechanism operated by an independent authority
promise the essence of the fundamental right to protection of personal specialising in personal data protection.”76
data.”65 The fact that Advocate General Bot hedged is disap- Advocate General Bot roundly criticised the Commission and
pointing and even more incomprehensible since he later submitted that by “adopting Decision 2000/520 and then main-
considered that “the access which the United States intelli- taining it in force, the Commission therefore exceeded the limits
gence authorities may have to the personal data transferred imposed by compliance with the principle of proportionality
covers, in a generalised manner, all persons and all means of in the light of Articles 7, 8 and 52(1) of the Charter.”77 The as-
electronic communication and all the data transferred, includ- sessment is dynamic and continuous and the “Commission
ing the content of the communications, without any differentiation, ought to have suspended the application of Decision 2000/520.”78
limitation or exception according to the objective of general The Advocate General concluded that “[s]uch a failure to act
interest pursued.”66 The opinion is consistent with the judg- on the part of the Commission, which directly impairs the fun-
ment invalidating the data retention directive in which the damental rights protected by Articles 7, 8 and 47 of the Charter,
Grand Chamber found no infringement upon the fundamen- is to my mind an additional ground on which to declare De-
tal right to the respect of privacy because the data retention cision 2000/520 invalid in the context of the present reference
directive did “not permit the acquisition of knowledge of the for a preliminary ruling.”79 The harsh opinion of the Advo-
content of the electronic communications as such”.67 cate General thus sent a loud and clear message to the
As in the case of Digital Rights Ireland,68 the discretion of the Commission.
EU legislature was limited due to the importance of the rights
at stake and the extent of the interference with them.69 In ad-
dition, the Advocate General considered that the “mass,
indiscriminate surveillance is inherently disproportionate and
constitutes an unwarranted interference with the rights guar- 5. Challenges to the factual basis contained
anteed by Articles 7 and 8 of the Charter.”70 The approach of in the opinion of the Advocate General
Advocate General Bot is consistent with the judgment of the
Grand Chamber in the case of Digital Rights Ireland.71 Follow- That same day, the Director General of DIGITALEUROPE, John
ing the latter judgment which stressed the crucial importance Higgins, expressed his concern “about the potential disrup-
of guarantees for the protection of personal data,72 the US tion to international data flows if the Court follows today’s
system did not suffice.73 In particular, no independent authority Opinion”.80 On 28 September 2015, the US mission to the EU
issued a statement hoping that the judgment of the Grand
Chamber takes note of the “inaccuracies and far-reaching con-
63
Opinion in Case C-362/14 Maximillian Schrems v Data Protection sequences of the Advocate General’s opinion, as well as the
Commissioner [2015] para 171, emphasis added.
64
significant harm to the protection of individual rights and the
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014] paras 39 and 65.
65
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
74
Commissioner [2015] para 177, emphasis added. Opinion in Case C-362/14 Maximillian Schrems v Data Protection
66
Opinion in Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015] paras 72, 145 and 207 to 210.
75
Commissioner [2015] para 198, emphasis added. Opinion in Case C-362/14 Maximillian Schrems v Data Protection
67
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Commissioner [2015] paras 204 to 206.
76
Seitlinger and Others [2014] para 39. Opinion in Case C-362/14 Maximillian Schrems v Data Protection
68
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Commissioner [2015] para 209 in fine.
77
Seitlinger and Others [2014] paras 47 and 48. Opinion in Case C-362/14 Maximillian Schrems v Data Protection
69
Opinion in Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015] para 215.
78
Commissioner [2015] paras 187 and 189. Opinion in Case C-362/14 Maximillian Schrems v Data Protection
70
Opinion in Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015] para 226.
79
Commissioner [2015] para 200. Opinion in Case C-362/14 Maximillian Schrems v Data Protection
71
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Commissioner [2015] para 236.
80
Seitlinger and Others [2014] para 37. DIGITALEUROPE reaction to the Advocate General’s opinion in
72
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and the case Schrems Vs the Irish Data Protection Commissioner, available
Seitlinger and Others [2014] para 54. at http://www.digitaleurope.org/DesktopModules/Bring2mind/DMX/
73
Opinion in Case C-362/14 Maximillian Schrems v Data Protection Download.aspx?Command=Core_Download&EntryId=1015&PortalId
Commissioner [2015] paras 207 and 224. =0&TabId=353
352 computer law & security review 32 (2016) 345–362
free flow of information that would occur if it were to follow The Grand Chamber held that DPAs have the power over
the Advocate General’s opinion.”81 transfers of personal data from a Member State to a third
That same day, the Electronic Privacy Information Center country on the basis that transfers constitute processing carried
issued a statement in which it noted “the growing impor- out in the territory despite the wording of Article 28(1) and (6)
tance of Articles 7 and 8 of the Charter of Fundamental Rights” of the directive, which do not grant powers over processing in
and legal certainty as “a key element of trust that promotes a third country.87
trade and commerce.” On 29 September 2015, the American The Grand Chamber clarified that adequacy decisions
Chamber of Commerce to the EU also issued a reactive state- adopted by the Commission on the basis of Article 25(6) of the
ment. Last, Professor Peter Swire published a critical directive legally bind all Member States and their organs.88 The
commentary of the opinion.82 Grand Chamber found that until such time as the Court of
Justice declared the decision of the Commission invalid,
“Member States and their organs, which include their inde-
6. Analysis of the judgment of the Grand pendent supervisory authorities, admittedly cannot adopt
Chamber dated 6 October 2015 measures contrary to that decision, such as acts intended to
determine with binding effect that the third country covered
by it does not ensure an adequate level of protection.”89
The Grand Chamber largely affirmed in substance the opinion
The Court of Justice alone has ultimately the task of ex-
of Advocate General Bot delivered only a fortnight earlier. The
amining whether an EU act such as a decision of the
fact that the term of office of the President of the Court who
Commission is valid and the exclusive jurisdiction to declare
sat in the Grand Chamber ended the day after the date of the
it invalid for “guaranteeing legal certainty by ensuring that EU
judgment83 probably explains the unusual fast procedure.
law is applied uniformly”.90
The pithy reasoning of the Grand Chamber closely fol-
Regarding the role of DPAs in handling complaints of data
lowed the opinion of the Advocate General. The Grand Chamber
subjects on the protection of their personal data, the Grand
heavily relied on its own judgment rendered one and a half
Chamber found that an obligation to investigate rests on DPAs.
year earlier in Digital Rights Ireland.84 The latter extensively relied
The latter need to examine complaints with “complete
on the case law of the European Court of Human Rights (here-
independence”91 and “with all due diligence”92 to determine
inafter the “ECHR”) although the Grand Chamber did not cite
whether the processing operation complies with the require-
any case law of the ECHR in the Schrems judgment.
ments laid down in the directive. DPAs bear the legal obligation
to refuse a transfer of data to an unsafe country for the pro-
6.1. Applicable law, exclusive jurisdiction of the Court of tection of personal data even though an assessment performed
Justice and powers of national data protection authorities by the Commission may have led to a contrary decision. The
heavy burden on DPAs to investigate complaints of data sub-
The Grand Chamber highlighted the importance of reading all jects implies the ability to choose. In the inspired words of the
the provisions of the directive “in the light of the fundamen- Commissioner for Justice, Consumers and Gender Equality, Věra
tal rights guaranteed by the Charter”,85 notably the right to Jourová, “where the personal data travels, the protection has
respect for private life. The directive must accordingly be in- to travel with it.”93 There is however a tension if not an incon-
terpreted in line with the Charter. sistency between the complete independence of DPAs and the
Regarding the relationship between fundamental rights and ultimate purpose of guaranteeing legal certainty by ensuring
international agreements, the Charter must always be com- the uniform application of EU law. DPAs of the 28 Member States
plied with even in international agreements.86 The Commission may order the suspension of data flows from the EU to third
can accordingly not sign an international agreement, which countries if they consider erroneous an adequacy decision of
infringes upon the provisions of the Charter. The Grand the Commission that the Court of Justice has the exclusivity
Chamber thus applied fundamental rights to international to invalidate.
relations. In addition, Member States must provide for the possibil-
ity to bring a case before a domestic court which may in turn
81
“Safe Harbor Protects Privacy and Provides Trust in Data Flows
that Underpin Transatlantic Trade”, available at: http://useu
87
.usmission.gov/st-09282015.html Case C-362/14 Maximillian Schrems v Data Protection Commis-
82
“Don’t Strike Down the Safe Harbor Based on Inaccurate Views sioner [2015] paras 44 and 45.
88
About U.S. Intelligence Law, 5 October 2015, available at https:// Case C-362/14 Maximillian Schrems v Data Protection Commis-
iapp.org/news/a/dont-strike-down-the-safe-harbor-based-on- sioner [2015] para 51.
89
inaccurate-views-on-u-s-intelligence-law Case C-362/14 Maximillian Schrems v Data Protection Commis-
83
See Press Release No 121/15 of 8 October 2015, available at http:// sioner [2015] para 52.
90
curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/ Case C-362/14 Maximillian Schrems v Data Protection Commis-
cp150121en.pdf sioner [2015] para 61.
84 91
Case C-362/14 Maximillian Schrems v Data Protection Commis- Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] paras 58, 78 and 91 to 94. sioner [2015] paras 40 and 57.
85 92
Case C-362/14 Maximillian Schrems v Data Protection Commis- Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 38. See also ibidem, paras 64, 65, 66, 67, 73, 74, 78, sioner [2015] para 63 in fine.
93
98, 99, 104 and 107(1). Speech by Commissioner Jourová: The future of U.S.–EU data
86
Case C-362/14 Maximillian Schrems v Data Protection Commis- transfer arrangements at the Brookings Institution, Washington,
sioner [2015] paras 72 to 74 and 78. 16 November 2015.
computer law & security review 32 (2016) 345–362 353
trigger the exclusive jurisdiction of the Court of Justice by way accordingly determine whether they may sign agreements with
of a request for a preliminary ruling, pursuant to Article 267 them to exchange personal data. The standard set in the judg-
of the Treaty on the Functioning of the EU. If a DPA examines ment is however imprecise.
a complaint and finds it well founded, it has to bring the case The Grand Chamber interpreted Article 25(6) of the direc-
to a domestic court, which may request the Court of Justice tive as requiring that “the legal order of the third country [. . .]
for a preliminary ruling on the legal validity of the Commis- must ensure an adequate level of protection.”100 The Grand
sion adequacy decision. DPAs and domestic courts may however Chamber followed the opinion of Advocate General Bot101 and
not invalidate the adequacy decision of the Commission. The found that where the legal validity of a Commission decision
Court of Justice has exclusive jurisdiction to invalidate it. From adopted pursuant to Article 25(6) of the directive is exam-
the perspective of data subjects, the judicial architecture of ined, account must be taken of the circumstances which have
DPAs, domestic courts and the Court of Justice94 implies lengthy arisen after the date when this decision was adopted. It thus
procedures. provided for a continuous obligation to examine an ad-
equacy decision. The latter is a living document, which must
6.2. Adequate level of protection for transfers of personal
be periodically reviewed in light of developments in the third
data to third countries, adequacy decisions of the
country. The Grand Chamber thus criticised the passivity of the
Commission and consequences of the judgment on them
Commission. Article 41(3) of the Proposal for a General Data
Protection Regulation similarly provides for a systematic and
In reply to the specific question asked by the High Court of
periodic review of adequacy decisions.102
Ireland, the Grand Chamber interpreted Article 25(6) of the di-
As in the case of Digital Rights Ireland,103 the Grand Chamber
rective read in light of Articles 7, 8 and 47 of the Charter as
stated that the discretion of the Commission was reduced in
meaning that a decision adopted pursuant to that provision
view of the important role played by the protection of per-
by which the Commission finds that a third country ensures
sonal data in light of the fundamental right to respect for private
an adequate level of protection does not prevent a supervi-
life and the large number of persons whose fundamental rights
sory authority of a Member State, within the meaning of Article
are liable to be infringed where personal data are transferred
28 of that directive, from examining the complaint of a data
to a third country not ensuring an adequate level of
subject on the protection of his rights and freedoms about the
protection.104 This finding is similar to the opinion of the Ad-
processing of personal data relating to him which has been
vocate General105 to which the Grand Chamber did not refer.
transferred from a Member State to that third country when
The Commission is thus subject to a strict control of compli-
such data subject contends that the law and practices in force
ance with applicable fundamental rights.
in the third country do not ensure an adequate level.95
The Grand Chamber acknowledged that the directive does
not define the concept of “an adequate level of protection.”96
6.3. Legal invalidity of the Commission decision
It followed the opinion of Advocate General Bot97 and inter-
preted the phrase “adequate level of protection” “as requiring
The Grand Chamber considered that the request related “in
the third country in fact to ensure, by reason of its domestic
essence, to the validity” of the Commission decision106 and
law or its international commitments, a level of protection of
shared the opinion of Advocate General Bot about the doubts
fundamental rights and freedoms that is essentially equiva-
expressed by both Max Schrems and Judge Hogan of the Irish
lent to that guaranteed within the European Union by virtue
High Court on the legal validity of the Commission decision.107
of Directive 95/46 read in the light of the Charter.”98 In broad,
The Grand Chamber thus re-characterised the request for an
sweeping language, the Grand Chamber thus established a high
interpretation into a request for a ruling on the legal validity
standard of protection. The scope of this important finding is
of the Commission decision and went beyond the specific ques-
clearly limited to the directive. It does therefore not apply to
tion asked by Judge Hogan. In an implicit reply to the statement
EU organisations such as Eurojust99 and Europol which imple-
issued by the US mission to the EU on 28 September 2015 about
ment their own legal frameworks to assess whether third
the alleged inaccuracies contained in the opinion of Advocate
countries ensure an adequate level of data protection and
94
Case C-362/14 Maximillian Schrems v Data Protection Commis-
100
sioner [2015] paras 64 and 65. Case C-362/14 Maximillian Schrems v Data Protection Commis-
95
Case C-362/14 Maximillian Schrems v Data Protection Commis- sioner [2015] para 74. See also ibidem, para 71.
101
sioner [2015] para 66 in fine and disposition, para 1. Case C-362/14 Maximillian Schrems v Data Protection Commis-
96
Case C-362/14 Maximillian Schrems v Data Protection Commis- sioner [2015] paras 134 and 135.
102
sioner [2015] para 70. Inter-institutional File: 2012/0011 (COD), 17 December 2015.
97 103
Opinion in Case C-362/14 Maximillian Schrems v Data Protection Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Commissioner [2015] para 141. Seitlinger and Others [2014] paras 47 and 48.
98 104
Case C-362/14 Maximillian Schrems v Data Protection Commis- Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 73. sioner [2015] para 78.
99 105
Article 26a(3) of the Eurojust decision provides that agree- Opinion in Case C-362/14 Maximillian Schrems v Data Protection
ments “containing provisions on the exchange of personal data may Commissioner [2015] paras 187 and 189.
106
only be concluded if the entity concerned is subject to the Council Case C-362/14 Maximillian Schrems v Data Protection Commis-
of Europe Convention of 28 January 1981 or after an assessment sioner [2015] para 1.
107
confirming the existence of an adequate level of data protection Case C-362/14 Maximillian Schrems v Data Protection Commis-
ensured by that entity.” sioner [2015] para 67.
354 computer law & security review 32 (2016) 345–362
General Bot,108 the Grand Chamber heavily relied on the two existence of such interference.116 Reiterating this finding was
Communications of the Commission as evidence to establish important in light of the background of the case since the Irish
the facts of the judgment.109 The Grand Chamber could also Commissioner had refused to investigate the complaint of Max
have relied on the report of Pieter Omtzigt to the Committee Schrems and rejected it on the ground that no evidence was
on Legal Affairs and Human Rights of the Parliamentary As- available that his personal data had been disclosed to the US
sembly of the Council of Europe110 and on resolution 2045 (2015) authorities.
about mass surveillance of the Parliamentary Assembly of the In addition, the Grand Chamber noted that the decision of
Council of Europe. In the latter, the Assembly stated that mass the Commission did not contain any finding on “the exis-
surveillance practices by US intelligence services “endanger fun- tence, in the United States, of rules adopted by the State
damental human rights, including the rights to privacy [and] intended to limit any interference, with the fundamental rights
a fair trial” (para 4). of the persons whose data is transferred from the European
The Grand Chamber found that recourse by a third country Union to the United States, interference which the State en-
to a system based on self-certification, such as the Safe Harbour tities of that country would be authorised to engage in when
Privacy Principles, did not exclude an adequacy finding pur- they pursue legitimate objectives, such as national security.”117
suant to Article 25(6) of the directive and was acceptable, The Grand Chamber added that the decision of the Commis-
provided there were “effective detection and supervision sion did not “refer to the existence of effective legal protection
mechanisms”111 which made it possible in practice to iden- against interference of that kind.”118 It followed the opinion of
tify and sanction any infringement upon the applicable rules Advocate General Bot119 and found that the scope of proce-
for the protection of personal data. dures before the FTC and the private dispute resolution
Regarding the scope of the safe harbour principles, the Grand mechanisms was limited to compliance by the United States
Chamber critically found that they are “applicable solely to self- undertakings with the safe harbour principles”120 and could not
certified United States organisations receiving personal data be applied in disputes on the legality of interference with fun-
from the European Union, and United States public authori- damental rights, which resulted from measures originating from
ties are not required to comply with them. 112 The Grand the State. However, the Grand Chamber did not examine such
Chamber noted that the decision of the Commission laid down procedures and mechanisms in light of Article 8(3) of the
that “‘national security, public interest, or law enforcement re- Charter and regrettably, did not consider their compatibility
quirements’ have primacy over the safe harbour principles, with this provision unlike the Advocate General.121
primacy pursuant to which self-certified United States The Grand Chamber applied the test on the requirements
organisations receiving personal data from the European Union of proportionality and strict necessity122 that it had set out in
are bound to disregard those principles without limitation where its judgment in the case of Digital Rights Ireland by analogy to
they conflict with those requirements and therefore prove in- international transfers of personal data to assess whether the
compatible with them.”113 laws of third countries provide an adequate level of protec-
In light of the general nature of the derogation set out in tion. The Grand Chamber considered that the Commission had
the fourth paragraph of Annex I to the decision of the Com- found in its two Communications of 2013 that the US authori-
mission, the Grand Chamber found that such decision enabled ties could access “the personal data transferred from the
“interference, founded on national security and public inter- Member States to the United States and process it in a way
est requirements or on domestic legislation of the United States, incompatible, in particular, with the purposes for which it was
with the fundamental rights of the persons whose personal transferred, beyond what was strictly necessary and propor-
data is or could be transferred from the European Union to the tionate to the protection of national security.”123 The Grand
United States.”114 The Grand Chamber referred to its judg-
ment in the case of Digital Rights Ireland115 and reiterated that
116
whether the data subjects have suffered any adverse conse- Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 87. See Roman Zakharov v Russia, application no.
quence on account of an interference with the fundamental
47143/06, 4 December 2015 in which the Grand Chamber consid-
right to respect for private life was irrelevant to establish the ered that given that the domestic system did not afford an effective
remedy to the person who suspected that he or she was sub-
jected to secret surveillance, the very existence of the contested
108
“Safe Harbor Protects Privacy and Provides Trust in Data Flows legislation amounted in itself to an interference with Mr Zakharov’s
that Underpin Transatlantic Trade”, available at: http://useu rights under Article 8 of the European Convention.
117
.usmission.gov/st-09282015.html Case C-362/14 Maximillian Schrems v Data Protection Commis-
109
Case C-362/14 Maximillian Schrems v Data Protection Commis- sioner [2015] para 88.
118
sioner [2015] paras 14 to 16 and 20 to 25. Case C-362/14 Maximillian Schrems v Data Protection Commis-
110
Doc. 13734 of 18 March 2015. sioner [2015] para 89.
111 119
Case C-362/14 Maximillian Schrems v Data Protection Commis- Opinion in Case C-362/14 Maximillian Schrems v Data Protection
sioner [2015] para 81. Commissioner [2015] paras 204 to 206.
112 120
Case C-362/14 Maximillian Schrems v Data Protection Commis- Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 82 in fine. sioner [2015] para 89, emphasis added.
113 121
Case C-362/14 Maximillian Schrems v Data Protection Commis- Opinion in Case C-362/14 Maximillian Schrems v Data Protection
sioner [2015] para 86. Commissioner [2015] paras 205 and 209.
114 122
Case C-362/14 Maximillian Schrems v Data Protection Commis- See Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
sioner [2015] para 87. Seitlinger and Others [2014] paras 46, 52, 54, 61, 62, 64 and 65.
115 123
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Case C-362/14 Maximillian Schrems v Data Protection Commis-
Seitlinger and Others [2014] para 33. sioner [2015] para 90.
computer law & security review 32 (2016) 345–362 355
Chamber also considered that the Commission had “noted that between legal cultures of respect for private life in the EU and
the data subjects had no administrative or judicial means of the concept of privacy in the US.
redress enabling, in particular, the data relating to them to be Second, the Grand Chamber considered that “legislation not
accessed and, as the case may be, rectified or erased.”124 providing for any possibility for an individual to pursue legal
Regarding the level of protection of fundamental rights and remedies in order to have access to personal data relating to
freedoms which is guaranteed within the EU, EU legislation in- him, or to obtain the rectification or erasure of such data, does
volving interference with the fundamental rights guaranteed not respect the essence of the fundamental right to effective judi-
by Articles 7 and 8 of the Charter must “lay down clear and cial protection, as enshrined in Article 47 of the Charter.”132 These
precise rules governing the scope and application of a measure clear considerations of the Grand Chamber went further than
and imposing minimum safeguards, so that the persons whose the cautious ones of Advocate General Bot.133
personal data are concerned have sufficient guarantees en- The Grand Chamber did however not consider Article 8 of
abling their data to be effectively protected against the risk of the Charter. The reasons for this omission are unknown. This
abuse and against any unlawful access and use of that data.”125 omission is even more regrettable since Advocate General Bot
The Grand Chamber then reiterated the principles about the considered that the Commission had “exceeded the limits
legitimacy of surveillance measures that it had established in imposed by compliance with the principle of proportionality
this judgment. in the light of Articles 7, 8 and 52(1) of the Charter”134 by adopt-
First, the Grand Chamber found that “[l]egislation is not ing decision 2000/520 and then maintaining it in force and that
limited to what is strictly necessary where it authorises, on a the failure of the Commission to act directly impaired “the fun-
generalised basis, storage of all the personal data of all the damental rights protected by Articles 7, 8 and 47 of the
persons whose data has been transferred from the European Charter”.135 The Advocate General thus considered that the Com-
Union to the United States without any differentiation, limi- mission had failed in its legal obligations to comply with Article
tation or exception being made in the light of the objective 8 of the Charter. Although the judgment of the Grand Chamber
pursued and without an objective criterion being laid down by contains many references to personal data,136 it does not really
which to determine the limits of the access of the public au- consider the right to the protection of personal data as a dis-
thorities to the data, and of its subsequent use, for purposes tinct fundamental right.
that are specific, strictly restricted and capable of justifying the In Article 1 of its decision, the Commission merely exam-
inference, which both access to that data and its use entail. ined the safe harbour scheme. It did not find as it was required
In particular, legislation permitting the public authorities to to find that the US in fact ensures a level of protection of fun-
have access on a generalised basis to the content of electronic damental rights essentially equivalent to that guaranteed within
communications must be regarded as compromising the essence the EU under Article 25(6) of the directive read in light of the
of the fundamental right to respect for private life, as guaranteed Charter by reason of its domestic law or its international
by Article 7 of the Charter.”126 The tortuous phrase “access on commitments.137 The Grand Chamber thus moved the focus
a generalised basis to the content of electronic communica- from the assessment of the legitimacy of US surveillance in
tions” should be contrasted to the much more straightforward the opinion of Advocate General Bot138 to the analysis in its judg-
terminology of “generalised surveillance”,127 “mass, indiscrimi- ment of the compliance by the Commission decision with
nate surveillance”128 and “extremely serious interference”129 used Article 25(6) of the directive read in light of the Charter. The
by Advocate General Bot.130 Mass surveillance however inher- Grand Chamber did not assess the US legal system including
ently and intrinsically infringes upon Article 7 of the Charter, the national intelligence activities139 and examined neither the
regardless of the safeguards put in place to limit the abuse. US surveillance programmes nor the legal basis thereof. Im-
This finding is in line with the judgment of the Grand Chamber portantly, it did not find that the US lacked the protections
in the case of Digital Rights Ireland.131 The Grand Chamber thus required by applicable EU law either. As the newly elected
found that mass surveillance breaches this fundamental right
twice in one and a half year. The judgment shows differences 132
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 95, emphasis added.
133
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 177.
124 134
Case C-362/14 Maximillian Schrems v Data Protection Commis- Opinion in Case C-362/14 Maximillian Schrems v Data Protection
sioner [2015] para 90. Commissioner [2015] para 215.
125 135
Case C-362/14 Maximillian Schrems v Data Protection Commis- Opinion in Case C-362/14 Maximillian Schrems v Data Protection
sioner [2015] para 91. Commissioner [2015] para 236.
126 136
Case C-362/14 Maximillian Schrems v Data Protection Commis- Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] paras 93 and 94, emphasis added. sioner [2015] paras 1, 2, 3, 4, 6, 7, 8, 11 to 15, 22 to 24, 27 to 33, 36(1),
127
Opinion in Case C-362/14 Maximillian Schrems v Data Protection 37 to 42, 44 to 51, 53 to 59, 63, 65, 66, 68, 72, 73, 75, 78, 79, 81, 82,
Commissioner [2015] para 167. 86, 87, 90 to 93, 95 and 99.
128 137
Opinion in Case C-362/14 Maximillian Schrems v Data Protection Case C-362/14 Maximillian Schrems v Data Protection Commis-
Commissioner [2015] para 200. sioner [2015] paras 73, 74, 83, 96 and 97.
129 138
Opinion in Case C-362/14 Maximillian Schrems v Data Protection Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 171 in fine. Commissioner [2015] paras 155, 157, 167, 173, 200, 201, 211, 212 and
130
Opinion in Case C-362/14 Maximillian Schrems v Data Protection 223.
139
Commissioner [2015] paras 167 and 200. See Commissioner Jourová’s remarks on Safe Harbour EU Court
131
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and of Justice judgement before the Committee on Civil Liberties, Justice
Seitlinger and Others [2014] paras 57 to 61. and Home Affairs (Libe), Strasbourg, 26 October 2015.
356 computer law & security review 32 (2016) 345–362
President of the Court of Justice, Koen Lenaerts, who was sitting Transfers of personal data between the EU and the US can
in the Grand Chamber as then Vice-President of the Court thus no longer be carried out on the basis of the Commission
stated, the Grand Chamber was “not judging the US system decision. Transfers of personal data to the US will only be lawful
here; we are judging the requirements of EU law in terms of if the data exporter may rely on one of the alternative tools.
the conditions to transfer data to third countries, whatever they In the absence of an adequacy decision, the data exporter is
may be.”140 The Grand Chamber considered that the Commis- responsible for ensuring that the requirements to rely on one
sion did not address the central issue, i.e. whether the legal of these tools are fulfilled with regard to the transfer of per-
order of the third country ensures an adequate level of pro- sonal data under the control of DPAs.
tection. It thus maligned the Commission, which had not The scope of the judgment is limited to the decision of the
examined the applicable legal framework of data protection Commission on safe harbour. However, the 11 adequacy de-
in the US in its decision. The Commission however knew that cisions adopted about Andorra, Argentina, Canada, Faroe Islands,
the protection of personal data was problematic in the US since Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzer-
most of the reasons given by the Grand Chamber about the land and Uruguay145 all contain a restriction on the powers of
deficient protection in the US were based on the communi- DPAs, which is identical to Article 3 of the Commission deci-
cations of the Commission. The Grand Chamber criticised the sion that the Grand Chamber invalidated.
Commission both for having adopted the decision and for The Commission stated that it would draw the necessary
having failed to suspend it. The Grand Chamber thus ensured consequences from the judgment by “preparing a decision, to
the equal treatment of all third countries for the adequate level be adopted pursuant to the applicable comitology procedure,
of personal data protection and pointed out that the US is not replacing that provision in all existing adequacy decisions.”146
“more equal” than other third countries. Since Article 1 of the The Commission also stated that it would “engage in a regular
Commission decision failed to comply with Article 25(6) of the assessment of existing and future adequacy decisions, includ-
directive, the Grand Chamber found this provision invalid and ing through the periodic joint review of their functioning
considered that it did not even need to examine the content together with the competent authorities of the third country
of the safe harbour principles.141 The strongly worded find- in question.”147
ings of the Grand Chamber are based on reasons which are
particularly harsh for the Commission. In addition, the judg-
ment of the Grand Chamber drives a wedge into the EU–US
relation.
Last, the executive decision on safe harbour is an imple- 7. Comments
menting act. The Commission may only adopt its content to
the extent that the EU legislature has granted it the author- After the judgment on the data retention directive of 8 April
ity to do so. The EU legislature fell short of granting the 2014, the Grand Chamber invalidated for the second time an
Commission the authority to limit the powers of DPAs to at instrument that the Commission had spent years defending.
least investigate the complaints of data subjects. The EU leg- This bold judgment shows that the Grand Chamber scruti-
islature itself determined such powers in Article 28 of the nised the legal validity of EU acts in light of the Charter and
directive. The Grand Chamber accordingly held that the Com- took the fundamental rights to respect for privacy and effec-
mission did not have the authority to restrict the powers of tive judicial protection very seriously. It also scrutinised the
national supervisory authorities.142 The Commission thus acted way in which US law treats personal data that it receives from
ultra vires. The Grand Chamber further held that the Commis- the EU. The Grand Chamber took a strong stance in affirming
sion had exceeded the power that is conferred upon it in Article a robust level of data protection within the EU as set out in
25(6) of the directive read in light of the Charter in adopting its judgment in the case of Digital Rights Ireland and in estab-
Article 3 of the decision and that this provision was there- lishing a high standard in transfers of personal data to third
fore invalid.143 The Commission must accordingly comply with countries on the basis of both the directive and the Charter.
the authority granted to it and act according to such author- This judgment thus confirms the major role played by the
ity. The judgment of the Grand Chamber is a scathing call to Grand Chamber in the protection of personal data after its two
order for the Commission. The Grand Chamber concluded that famous judgments in the cases of Google Spain148 and Digital
the decision of the Commission was invalid in its entirety.144 Rights Ireland. These three judgments show the willingness of
140 145
Valentina Pop, “European Court Chief Defends Decision to Strike See http://ec.europa.eu/justice/data-protection/international-
Down Data-Transfer Agreement”, The Wall Street Journal, 13 October transfers/adequacy/index_en.htm
146
2015, available at http://www.wsj.com/articles/european-court- Communication from the Commission to the European Parlia-
chief-defends-decision-to-strike-down-data-transfer-agreement- ment and the Council on the Transfer of Personal Data from the
1444768419 EU to the United States of America under Directive 95/46/EC fol-
141
Case C-362/14 Maximillian Schrems v Data Protection Commis- lowing the Judgment by the Court of Justice in Case C-362/14
sioner [2015] para 98. (Schrems), COM(2015) 566 final, 6 November 2015, p. 15.
142 147
Case C-362/14 Maximillian Schrems v Data Protection Commis- Communication from the Commission to the European Parlia-
sioner [2015] para 103. ment and the Council on the Transfer of Personal Data from the
143
Case C-362/14 Maximillian Schrems v Data Protection Commis- EU to the United States of America under Directive 95/46/EC fol-
sioner [2015] para 104. lowing the Judgment by the Court of Justice in Case C-362/14
144
Case C-362/14 Maximillian Schrems v Data Protection Commis- (Schrems), COM(2015) 566 final, 6 November 2015, p. 15.
148
sioner [2015] paras 105 and 106 and disposition, para 2. Case C-131/12 Google Spain and Google [2014].
computer law & security review 32 (2016) 345–362 357
the Grand Chamber to behave as a Constitutional Court of the this issue.155 It could accordingly not exercise its discretion-
EU149 in charge of ensuring compliance with the Charter. ary power to suspend the effects of invalidity pending the
The Grand Chamber legally based its clear and persuasive adoption of a new decision by the Commission.156
findings on provisions of EU primary law such as Articles 7, 8 A preliminary ruling of the Court of Justice, which invali-
and 47 of the Charter and on the provisions of the directive dates an EU act such as the decision of the Commission legally
as well as examined compliance by the Commission with Ar- binds all the institutions of the EU and domestic courts of all
ticles 25(6) of the directive. The entry into force of the General Member States.157 The effects of the judgment are thus erga
Data Protection Regulation,150 which will replace the direc- omnes.
tive will therefore not impact on the judgment of the Grand
Chamber.
7.3. Distinction between content and metadata
personal data of Facebook’s European subscribers to the US consent.167 According to the Working Party, reliance on consent
should be suspended on the ground that the US does not ensure should be confined to cases where the worker has a genuine
an adequate level of protection of personal data. free choice and can subsequently withdraw the consent without
On 9 October 2015, the US Department of Commerce stated detriment.168 Regarding its scope, consent is consequently not
that it would “continue to administer the Safe Harbor program, generally regarded as freely given in an employment context.
including processing submissions for self-certification to the It can accordingly not provide a proper legal basis to transfer
Safe Harbor Framework.”162 personal data of employees to the US.
The judgment of the Grand Chamber does not focus on the Data subjects must be properly informed in advance that
practices of Facebook as the subject of this case. This issue of the personal data may be transferred outside the EU, to which
the judgment goes far beyond the case of Facebook and has third country and under which conditions (purpose, identity
major legal implications not only for Facebook, but also for other and details of the recipients). This information should include
US Internet companies such as Google, Apple, Microsoft and the specific risk that their personal data will be transferred to
Yahoo as well as many small companies.163 a third country, which lacks an adequate level of protection.169
The judgment of the Grand Chamber created a legal vacuum. As pointed out by the Working Party, withdrawal of consent
Processing operations of personal data, which were lawful before by the data subject should prevent any further processing of
the judgment of the Grand Chamber have become unlawful personal data as a matter of principle although it is not
since the date of the judgment. The US is in the same situa- retroactive.170 In light of these limits, the Working Party sug-
tion as other third countries without any adequacy decision. gested that consent is unlikely to provide data controllers with
an adequate long-term framework for repeated or even struc-
tural transfers.171
7.4.1. Overview of the available legal tools for transatlantic The Working Party recommended that transfers of per-
transfers of personal data under the directive in the absence of sonal data, which might be legally characterised as repeated,
an adequacy decision massive or structural should be carried out, where possible,
The 3246 companies that are safe harbour self-certified can use within a specific legal framework such as Standard Contrac-
alternative legal mechanisms for lawfully transferring per- tual Clauses (hereinafter “SCCs”) or Binding Corporate Rules
sonal data to the US under Article 26 of the directive. First, they (hereinafter “BCRs”).172 They may only be carried out on the basis
can legally rely on the exhaustive list of exceptions provided for of a derogation where recourse to SCCs or BCRs is impossible
in Article 26(1) of the directive. in practice and where the risks to data subjects are small such
The Article 29 Working Party considered that the interpre- as international money transfers.173
tation of Article 26(1) of the directive “must necessarily be Article 44(1)(a) of the Proposal for a General Data Protec-
strict”164 since this provision sets out exemptions from a general tion Regulation however provides that “[i]n the absence of an
principle and exceptions should not become the rule. The adequacy decision [. . .] or of appropriate safeguards [. . .] in-
Working Party has issued several non-legally binding guid- cluding binding corporate rules, a transfer or a set of transfers
ance documents on the application of Article 26(1) of the of personal data to a third country or an international
directive.165 They include best practices which are devised to organisation may take place only on condition that [. . .] the
assist the enforcement action of DPAs.166 data subject has explicitly consented to the proposed trans-
Derogations, such as unambiguous prior consent of the data fer, after having been informed of the possible risks of such
subject for the particular transfer or a particular category of transfers for the data subject due to the absence of an ad-
transfers, may be relied on in limited instances. Pursuant to equacy decision and appropriate safeguards”.174
Article 2(h) of the directive, consent must be freely given, spe-
cific and informed. According to the Article 29 Working Party,
167
the first requirement means that any “pressure” may invali- Opinion 8/2001 on the processing of personal data in the em-
ployment context, WP 28, 13 September 2001, p. 3, 23 and 26.
date the consent. This is particularly relevant to the employment 168
Working document on a common interpretation of Article 26(1)
context where the relationship of subordination and inher- of Directive 95/46/EC of 24 October 1995, WP 114, 25 November 2005,
ent dependency of employees calls into question reliance on p. 11.
169
Working Document: Transfers of personal data to third coun-
tries: Applying Articles 25 and 26 of the EU data protection directive,
162
Available at http://export.gov/safeharbor/ WP 12, 24 July 1998, p. 24.
163 170
Center for Strategic & International Studies, “The Safe Harbor: Opinion 15/2011 on the definition of consent, WP 187, 13 July
Data Protection or Protectionism?” 10 June 2014, available at 2011, p. 9.
171
http://csis.org/event/safe-harbor-data-protection-or-protectionism Working document on a common interpretation of Article 26(1)
164
Working Document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995, WP 114, 25 November 2005,
of Directive 95/46/EC of 24 October 1995, WP 114, 25 November 2005, p. 11; Working Document on surveillance of electronic communi-
p. 7. See also ibidem, p. 2 and 17. cations for intelligence and national security purposes, WP 228, 5
165
Working Document: Transfers of personal data to third coun- December 2014, p. 49.
172
tries: Applying Articles 25 and 26 of the EU data protection directive, Working document on a common interpretation of Article 26(1)
WP 12, 24 July 1998; Working document on a common interpreta- of Directive 95/46/EC of 24 October 1995, WP 114, 25 November 2005,
tion of Article 26(1) of Directive 95/46/EC of 24 October 1995, WP p. 9.
173
114, 25 November 2005. See Commission, Frequently Asked Questions Relating to Trans-
166
Working document on a common interpretation of Article 26(1) fers of Personal Data from the EU/EEA to Third Countries (FAQ D.1),
of Directive 95/46/EC of 24 October 1995, WP 114, 25 November 2005, p. 49.
174
p. 8 to 10. Interinstitutional File: 2012/0011 (COD), 17 December 2015.
computer law & security review 32 (2016) 345–362 359
Second, companies may legally rely on adequate safeguards Regarding their scope, these rules are enforceable in the EU.
provided for in Article 26(2) of the directive. The Commission pre- They therefore have implications for the rights of data sub-
pared model agreements or standard data protection clauses in jects since data subjects whose personal data is being processed
contracts between companies exchanging personal data.175 In by an entity of the group are entitled as third-party benefi-
accordance with Article 26(4) of the directive, the Commis- ciaries to enforce compliance with BCRs by lodging a complaint
sion has approved four sets of SCCs regarded as meeting the before a DPA and bringing an action before the Court of a
requirements provided for in Article 26(2) of the directive.176 Member State. In addition, BCRs must designate an entity
In Member States such as Belgium and Spain, SCCs need to within the EU which accepts liability for infringement upon
be notified to the DPA prior to the transfer of any personal data. the rules by any member of the group outside the EU which
In a few Member States such as Austria, France, Ireland, is legally bound by these rules. The Article 29 Working Party
Romania and Slovenia, the DPA needs to approve SCCs prior has established a standardised application form180 and a spe-
to use. In addition, DPAs have the power to examine these cific co-operation procedure between relevant DPAs,181 which
clauses in light of the requirements set out in the judgment includes the designation of a “lead authority” responsible for
of the Grand Chamber. Most contracts currently used by com- handling the approval procedure. Regarding transparency, com-
panies to transfer personal data are based on SCCs approved panies with approved BCRs are listed on the Internet site of
by the Commission.177 The problem of SCCs is however their the Commission.182 The specific terms of the rules that each
lack of enforcement. Companies may also rely on other legal company creates for itself are however not public except if
instruments such as ad hoc contractual arrangements to show that the company publishes them.183
they transfer personal data to the US with sufficient safe- The approval process for SCCs and BCRs can be both lengthy
guards within the meaning of Article 26(2) of the directive. DPAs and expensive, making them potentially unsuitable for all, but
need to approve such arrangements on a case-by-case basis, the largest companies.
pursuant to the same provision. SCCs and BCRs both provide that if the data importer has
Companies may also develop BCRs. The latter may be defined reasons to believe that the legislation that applies to the re-
as internal rules such as codes of conduct adopted by multi- cipient country may prevent it from fulfilling its legal obligations,
national companies for international transfers of personal it must promptly inform the data exporter in the EU. In such
data within the same corporate group from the EU to entities a situation, the exporter bears the onus to consider taking the
located in countries which do not provide an adequate level appropriate measures necessary to ensure the protection of
of protection. Regarding their purpose, multi-national compa- personal data.184 These may range from technical, organisational,
nies use them to adduce adequate safeguards for the protection business-model related or legal measures185 to the suspen-
of the privacy and fundamental rights and freedoms of indi- sion of personal data transfers and the termination of
viduals within the meaning of Article 26(2) of the directive contracts.
for all transfers of personal data protected under European
law. To that extent, BCRs ensure that all transfers made within
a corporate group benefit from an adequate level of protec- 7.4.2. Way forward
tion. BCRs thus present the advantage of preventing the risks SCCs, ad hoc contractual arrangements and BCRs should all
which result from transfers of personal data to third coun- provide for the implementation of strong and secure encryption
tries. DPAs need to approve BCRs.178 The Article 29 Working as a security practice which “aims to provide the confidenti-
Party has spelled out both the substantive and procedural ality of a communication channel between identified parties
requirements for BCRs based on EU data protection standards.179 (human beings, devices, or pieces of software/hardware) to avoid
175 180
See Article 29 Working Party, “Transfers of personal data to third Standard Application for Approval of Binding Corporate Rules
countries: Applying Articles 25 and 26 of the EU data protection for the Transfer of Personal Data, WP 133, 10 January 2007.
181
directive”, WP 12, 24 July 1998. Working Document Setting Forth a Co-Operation Procedure for
176
Communication from the Commission to the European Parlia- Issuing Common Opinions on Adequate Safeguards Resulting from
ment and the Council on the Transfer of Personal Data from the “Binding Corporate Rules”, WP 107, 14 April 2005.
182
EU to the United States of America under Directive 95/46/EC fol- List of companies for which the EU BCR procedure is closed,
lowing the Judgment by the Court of Justice in Case C-362/14 available at http://ec.europa.eu/justice/data-protection/international-
(Schrems), COM(2015) 566 final, 6 November 2015, p. 6. transfers/binding-corporate-rules/bcr_cooperation/index_en.htm
177 183
See Article 29 Working Party, “Working Document Setting Forth See for instance the BCRs of eBay Inc., available at http://
a Co-Operation Procedure for Issuing Common Opinions on ‘Con- www.ebayprivacycenter.com/sites/default/files/user_corporate
tractual clauses’ Considered as compliant with the EC Model Clause”, _rules_11-2-09_v1-01.pdf
184
WP 226, 26 November 2014, p. 2. See Clause 5 of the Annex to the Commission decision 2010/
178
See the overview on BCRs available at http://ec.europa.eu/ 87/EU and Article 29 Working Party, “Working Document setting up
justice/data-protection/international-transfers/binding-corporate- a framework for the structure of Binding Corporate Rules, WP 154,
rules/index_en.htm 24 June 2008, p. 8.
179 185
Working Document setting up a table with the elements and See guidance issued by the European Network and Informa-
principles to be found in Binding Corporate Rules, WP 153, 24 June tion Security Agency, available at https://resilience.enisa.europa.eu/
2008; Working Document on Frequently Asked Questions (FAQs) article-13/guideline-for-minimum-security-measures/Article
related to Binding Corporate Rules, WP 155, 24 June 2008. _13a_ENISA_Technical_Guideline_On_Security_Measures_v2_0.pdf
360 computer law & security review 32 (2016) 345–362
eavesdropping or unintended disclosure.”186 Strengthening en- possible. Organisations that rely on them should expect future
cryption of content as called for by Parliament in its resolution legal challenges.
of 12 March 2014187 to reduce the level of risk that US authori- In the short term, organisations may consider keeping per-
ties including the NSA may access the data “on a generalised sonal data in the EU and avoiding transfers to the US. Some
basis”188 may thus assist and be part of the equation even US companies offer cloud customers the option to store per-
though it somewhat goes against the current trend.189 sonal data in Europe so that it is not sent for storage elsewhere.192
DPAs must ultimately assess compliance with such require- For instance, Amazon announced on 6 November 2015 that it
ments on a case-by-case basis as part of the exercise of their would be building data centres in the UK in 2016.193 A few days
supervision and enforcement functions, encompassed in the later, the CEO of Microsoft, Satya Nadella, also announced that
context of the approval of contractual arrangements and BCRs Microsoft was opening data centres in the UK for the first time.
or on the basis of individual complaints. The new data centres will enable UK users of Microsoft’s cloud
The Grand Chamber however considered that legislation per- services, Azure and Office 365, to keep their data within Europe
mitting the public authorities to access on a generalised basis at all times.194 Companies that provide cloud services within
the content of electronic communications compromises “the the EU and rely on data centres in the US may invest in data
essence of the fundamental right to respect for private life, as centres within the EU provided they sign contracts with Eu-
guaranteed by Article 7 of the Charter”.190 The Grand Chamber ropean companies only. European based cloud providers that
also considered that “legislation not providing for any possi- ensure compliance with EU law could thus benefit from the
bility for an individual to pursue legal remedies in order to have situation. A note on surveillance requested by the Commit-
access to personal data relating to him, or to obtain the rec- tee on Civil Liberties, Justice and Home Affairs of Parliament
tification or erasure of such data, does not respect the essence has advocated the creation and proposed the development of
of the fundamental right to effective judicial protection, as en- a “European cloud”,195 which would require all data from Eu-
shrined in Article 47 of the Charter.”191 These considerations ropean data subjects to be stored or processed on servers within
apply to both Articles 25 and 26 of the directive. They accord- the EU to alleviate concerns of data security and data
ingly apply to alternative legal bases for transfers of personal sovereignty.
data to the US, which offer no greater protection against access In the longer term, the most satisfying solution would
by public authorities to such data than the now invalidated de- involve important changes to US legislation to offer adequate legally
cision of the Commission and no mechanism to override binding protection to the personal data of EU data subjects and
surveillance. Even if companies use the SCCs or BCRs as legal introduce effective judicial remedies for EU data subjects in
bases for transferring personal data to the US, there is accord- all sectors including national security. The effective and ad-
ingly no guarantee that intelligence services such as the NSA equate protection of personal data in the US is the core question
and law enforcement agencies of the US will not access such of this judgment. The latter thus represents a historical turn
data. There is therefore no logical reason why they would for transatlantic transfers of data. The message provided by
provide acceptable legal alternatives to the invalidated deci- the Grand Chamber to the US is to better control the NSA and
sion of the Commission. Organisations should accordingly to establish adequate safeguards. The question then becomes
evaluate legal risks and benefits of SCCs and BCRs and whether the US government will be willing to amend its ap-
re-evaluate their collection and transfer of personal data where plicable legal framework to meet all the requirements set by
the Grand Chamber in the findings of the judgment.
In the meantime, knowing the positions of DPAs provides
186
Article 29 Data Protection Working Party, Opinion 05/2014 on legal predictability for both data subjects and companies. The
Anonymisation Techniques, 10 April 2014, WP 216, p. 29. Regard- practical implication of the judgment is the need to ensure a
ing encryption, see Parliament resolution of 8 September 2015 on co-ordinated and uniform European approach in the frame-
“Human rights and technology: the impact of intrusion and sur- work of the Article 29 Working Party and legal clarity for
veillance systems on human rights in third countries” (2014/
companies.
2232(INI)), P8_TA-PROV(2015)0288, available at http://www
.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML
+TA+P8-TA-2015-0288+0+DOC+PDF+V0//EN
187
European Parliament resolution of 12 March 2014 on the US NSA
192
surveillance programme, surveillance bodies in various Member See Karlin Lillington, “Oracle keeps European data within its EU-
States and their impact on EU citizens’ fundamental rights and on based data centres”, Irish Times, 28 October 2015, available at http://
transatlantic cooperation in Justice and Home Affairs (2013/ www.irishtimes.com/business/technology/oracle-keeps-european-
2188(INI)), available at http://www.europarl.europa.eu/sides/ data-within-its-eu-based-data-centres-1.2408505?ot=example
getDoc.do?type=TA&language=EN&reference=P7-TA-2014-0230, paras .AjaxPageLayout.ot&mode=print
193
36, 93, 95, 97, 98, 101, 106, 107 and 109. Tim Anderson, “Amazon’s chomping at the Brits: UK to get AWS
188
Case C-362/14 Maximillian Schrems v Data Protection Commis- data center region”, The Register, 6 November 2015, available at
sioner [2015] para 94. http://www.theregister.co.uk/2015/11/06/aws_to_build_uk_data
189
See the official document of the Dutch government dated 4 _centers/
194
January 2016, Kabinetsstandpunt encryptie, available at http:// Leo Kelion, “Microsoft to open UK data centres”, BBC, 10 No-
www.tweedekamer.nl/kamerstukken/brieven_regering/detail?id vember 2015, available at http://www.bbc.com/news/technology-
=2016Z00009&did=2016D00015 34777373
190 195
Case C-362/14 Maximillian Schrems v Data Protection Commis- The US surveillance programmes and their impact on EU citi-
sioner [2015] para 94. zens’ fundamental rights, PE 474.405, 28 September 2013, available
191
Case C-362/14 Maximillian Schrems v Data Protection Commis- at http://www.europarl.europa.eu/meetdocs/2009_2014/documents/
sioner [2015] para 95. libe/dv/briefingnote_/briefingnote_en.pdf, Section 3.1, p. 28.
computer law & security review 32 (2016) 345–362 361
7.4.3. Statement of the Article 29 Working Party dated 16 Working Party and the Commission thus both stressed the need
October 2015 for uniform application of the judgment in the EU.
In a concise but important statement,196 the Working Party ac-
knowledged the legal uncertainty created by the judgment of 7.4.4. Position papers adopted by German DPAs
the Grand Chamber since transfers of personal data could no On 26 October 2015, the Conference of the German Data Pro-
longer be legally based on the decision of the Commission. The tection Authorities at both Federal and State Levels issued a
Working Party emphasised that “massive and indiscriminate joint position paper stressing that the judgment contains strict
surveillance is a key element of the Court’s analysis.” It reit- substantive requirements that the Commission and DPAs must
erated that “it has consistently stated that such surveillance all comply with.201 The paper indicates that German DPAs will
is incompatible with the EU legal framework and that exist- assess the lawfulness of personal data transfers based on al-
ing transfer tools are not the solution to this issue.” The Working ternative tools (SCCs, BCRs) and will no longer grant new
Party stated that “transfers to third countries where the powers authorisations for the use of these tools for transfers of per-
of state authorities to access information go beyond what is sonal data to the US. The Conference emphasised the limited
necessary in a democratic society will not be considered as safe validity of consent: consent may be a valid legal basis trans-
destinations for transfers.”197 The Working Party considered that ferring personal data of employees in exceptional cases only
companies may use SCCs and BCRs to legitimise transfers of and may not a valid legal basis for massive or routine transfers.
personal data to the US whilst it continues its assessment and In addition, DPAs for the Länder of Schleswig-Holstein202 and
without prejudice to the powers of DPAs to investigate par- Rheinland-Pfalz203 have both issued clear warnings that the al-
ticular cases. The Working Party set a deadline of three months ternative transfer tools are under legal scrutiny. They expressed
for the EU and the US to conclude negotiations and imple- doubts about the possibility to use transfer instruments such
ment a new safe harbour regime. as SCCs and BCRs for transatlantic data flows. In its position
However, the statement of the Working Party does not legally paper, the DPA of Schleswig-Holstein stated that a proper ap-
bind any DPA. In addition, the deadline set by the Working Party plication of the judgment meant that alternative methods of
has no legal basis. Last, the Working Party adopted inconsis- legitimising transfers were unsafe and questioning the ability
tent positions. It initially recommended that transfers of of companies to rely on SCCs to transfer personal data to the
personal data that might be legally characterised as re- US. Given the mass surveillance conducted by US intelli-
peated, massive or structural should be carried out, where gence agencies, data subjects cannot provide informed consent
possible, within a specific legal framework such as SCCs or to transfer their personal data to the US, which means that
BCRs.198 In a subsequent document, the Working Party however this legal basis may not be used to legally transfer personal
considered that SCCs and BCRs contain exceptions which “are data from the EU to the US either.204 Although the DPA of
restrictions to a fundamental right and [. . .] could not be a basis Schleswig–Holstein has not mentioned BCRs, its position implies
for massive, structural or repetitive transfers.”199 that they remain the only available mechanisms to lawfully
On 6 November 2015, the Commission issued an explana- transfer personal data to the US.
tory Communication, which provides guidance on the The position papers of German DPAs contradict the state-
implications of the judgment, an overview of alternative tools ment made by the Article 29 Working Party since the latter
to transfer personal data to the US, the conditions under which accepted SCCs and BCRs as legitimate at least for a transi-
they can be used and their limits.200 Most notably, the Com- tional period. This patchwork of contradicting positions by DPAs
mission joined the position of the Working Party that companies shows that the united European common front fell apart.
could still use alternative tools authorising data flows to law- A new period of legal uncertainty across the EU conse-
fully transfer personal data to the US. The Commission then quently started after the judgment of the Grand Chamber. The
explained each of these alternative tools in more detail. The legal risks include complaints made by data subjects to con-
trollers, DPAs and Courts as well as orders and injunctions of
DPAs and Courts to stop transfers. They also include differ-
ent interpretations of applicable standards on the protection
196
Available at http://ec.europa.eu/justice/data-protection/article- of personal data made by the 28 national DPAs and domestic
29/press-material/press-release/art29_press_material/2015/ fragmentation of EU personal data protection law when data
20151016_wp29_statement_on_schrems_judgement.pdf flow to the US originate from multiple Member States and
197
See Roman Zakharov v Russia, application no. 47143/06, 4 De- German Länder. Some DPAs may be more “US friendly” in both
cember 2015 in which the Grand Chamber found that the domestic
law was incapable of keeping the “interference” to what was “nec-
201
essary in a democratic society”. Available at https://www.datenschutz.hessen.de/ft-europa
198
Working document on a common interpretation of Article 26(1) .htm#entry4521
202
of Directive 95/46/EC of 24 October 1995, WP 114, 25 November 2005, Available at https://www.datenschutzzentrum.de/uploads/
p. 9. internationales/20151014_ULD-PositionPapier-on-CJEU_EN.pdf
199 203
Working Document on surveillance of electronic communica- Available at https://www.datenschutz.rlp.de/de/aktuell/2015/
tions for intelligence and national security purposes, WP 228, 5 images/20151026_Folgerungen_des_LfDI_RLP_zum_EuGH-Urteil
December 2014, executive summary. See also ibidem, p. 45. _Safe_Harbor.pdf
200 204
Communication from the Commission to the European Parlia- See also the Hamburg Commissioner for Data Protection and
ment and the Council on the Transfer of Personal Data from the Freedom of Information, Information on the Safe Harbor Ruling of
EU to the United States of America under Directive 95/46/EC fol- the Court of Justice, 5 November 215, available at https://
lowing the by the Court of Justice in Case C-362/14 (Schrems), www.datenschutz-hamburg.de/fileadmin/user_upload/documents/
COM(2015) 566 final, 6 November 2015. Information_on_the_Safe_Harbor_ruling_of_the_Court_of_Justice.pdf
362 computer law & security review 32 (2016) 345–362
their interpretation and enforcement whilst others may take enforceability of rights, EU citizens who do not reside in the
a stricter position and simply refuse to authorise data trans- US cannot currently obtain redress before US courts if their in-
fers from the EU to the US since they would infringe upon their correct or unlawfully processed personal data are transferred
domestic law. Last, the legal risks include forum shopping by to US law enforcement authorities unlike US citizens who may
international companies that would establish their European currently seek redress before European courts. Articles 18 and
seat in Member States where DPAs provide the most favourable 19 of the agreement provide for equal treatment of EU citi-
interpretation and enforcement of applicable standards on the zens who will enjoy the same reciprocal rights of redress as
protection of personal data. US citizens. They specifically provide that EU citizens will have
the right to seek judicial redress before US courts if the US au-
thorities have denied access or rectification, or unlawfully
8. Concluding remarks disclosed their personal data. The agreement will be signed and
formally concluded only after the US Congress adopts the US
Judicial Redress Act208 formally introduced on 18 March 2015.
The watershed judgment of the Grand Chamber originates from
If enacted, this bill would extend the core of the judicial redress
an initially isolated 27 year-old data subject who took the ini-
provisions of the US Privacy Act of 1974 to EU citizens who may
tiative to lodge a complaint to a national DPA, which refused
then sue the US government to access, amend or correct records
to investigate it. The data subject challenged this decision before
or to seek redress for unlawful disclosure. This bill does however
the High Court of Ireland and Judge Hogan referred the case
not deal with the collection and storage of personal data by
to the Court of Justice for a preliminary ruling in the exercise
US intelligence agencies. It does therefore not address all the
of his discretion. Credit must be given to both Max Schrems
considerations of the Grand Chamber. On 17 September 2015,
and Judge Hogan for their actions against an agreement in-
the Judiciary Committee of the US House of Representatives
volving 29 States. Such actions show the extraordinary
unanimously approved the Judicial Redress Act which was
asymmetrical power of individuals in the digital world. Con-
passed by the House itself on 20 October 2015. The Judiciary
versely, the Commission and the Irish Commissioner failed to
Committee of the US Senate also passed it on 28 January 2016.
protect fundamental rights to the respect of private life and
It however approved a controversial amendment proposed by
to an effective remedy.205
Senator John Cornyn which provides for two cumulative re-
Globalised relations need trust and in this case, trust was
quirements on the extension of US court legal redress to non-
breached. Mutual trust and public confidence between trans-
US citizens, i.e. (1) the other country must permit commercial
atlantic partners should now be restored. From a transatlantic
data transfers with the US and (2) the other country may not
perspective, Eurojust and the US signed an agreement on 6 No-
impede the national security interests of the US. The Com-
vember 2006.206 Articles 9 to 11 and 13 to 17 of this agreement
mission has already rejected the first requirement. On the basis
deal with the protection of personal data. Europol and the US
of a proposal by the Commission, Council will adopt a deci-
also signed a supplemental agreement on the exchange of per-
sion authorising the signature of the agreement after obtaining
sonal data and related information.207 In addition, the EU and
the approval of Parliament, which is required.
US authorities have now both approved the so called “Um-
The Commission has been negotiating a safer harbour agree-
brella Agreement” on the Protection of Personal Information
ment with the US for almost three years. The judgment has
Relating to the Prevention, Investigation, Detection, and Pros-
put pressure on negotiators to complete it. The agreement
ecution of Criminal Offenses which deals with law enforcement
should aim at creating a transatlantic data transfer mecha-
co-operation. Its scope includes all personal data of suspects,
nism which ensures compliance with the considerations of the
victims and witnesses such as names, addresses and crimi-
Grand Chamber, thereby protecting the privacy of EU data sub-
nal records exchanged between the EU and the US for the
jects and providing legal certainty to organisations, which need
purpose of prevention, detection, investigation and prosecu-
to transfer personal data to the US. In the longer term, an in-
tion of criminal offences including terrorism. The agreement
ternational solution such as a treaty would be welcome.
applies to personal information transferred between the com-
Last, the “elephant in the room” is the massive surveil-
petent authorities of the EU, its Member States and the US. The
lance in Member States of the EU209 and European double
scope of the agreement does however not cover access to per-
standards on surveillance laws and practices. The judgment
sonal data by national security authorities that the Grand
is in line with the approach in the case law of the ECHR. The
Chamber considered in the Schrems judgment and by the Central
latter may apply the reasoning of the Grand Chamber in its
Intelligence Agency, which is part of law enforcement. In ad-
own case law.210 The judgment may thus have ripple effects
dition, the legal framework that applies to the transfer of
on Member States.
personal data from national security authorities to law en-
forcement agencies is unclear. Regarding judicial redress and
208
HR 1428.
205 209
See Grand Chamber, Roman Zakharov v Russia, application no. See EU Agency for Fundamental Rights, Report on surveil-
47143/06, 4 December 2015. lance by intelligence services: fundamental rights safeguards and
206
Available at http://eurojust.europa.eu/doclibrary/Eurojust- remedies in the EU, November 2015, available at http://fra.europa.eu/
framework/agreements/Agreement%20Eurojust-USA%20(2006)/ sites/default/files/fra_uploads/fra-2015-surveillance-intelligence-
Eurojust-USA-2006-11-06-EN.pdf services_en.pdf
207 210
Available at https://www.europol.europa.eu/content/page/ See Szabó and Vissy v Hungary, application no. 37138/14, 12 January
external-cooperation-31 2016, paras 13 and 15.
L 181/34 EN Official Journal of the European Union 19.7.2003
AGREEMENT
on mutual legal assistance between the European Union and the United States of America
CONTENTS
Preamble
Article 2 Definitions
Article 3 Scope of application of this Agreement in relation to bilateral mutual legal assistance treaties
with Member States and in the absence thereof
Article 11 Consultations
Article 13 Non-derogation
Article 14 Future bilateral mutual legal assistance treaties with Member States
Article 17 Review
Explanatory Note
DESIRING further to facilitate cooperation between the European Union Member States and the United States of
America,
DESIRING to combat crime in a more effective way as a means of protecting their respective democratic societies and
common values,
HAVING DUE REGARD for rights of individuals and the rule of law,
MINDFUL of the guarantees under their respective legal systems which provide an accused person with the right to a fair
trial, including the right to adjudication by an impartial tribunal established pursuant to law,
Article 1 (d) Article 7 shall be applied to provide for the use of expe-
dited means of communication in addition to any authority
already provided under bilateral treaty provisions;
4. If the process described in paragraph 2(b) and 3(c) is not 3. Requests for assistance under this Article shall be trans-
completed by the date of accession, the provisions of this mitted between:
Agreement shall apply in the relations between the United
States of America and that new Member State as from the date
on which they have notified each other and the European (a) central authorities responsible for mutual legal assistance in
Union of the completion of their internal procedures for that Member States, or national authorities of Member States
purpose. responsible for investigation or prosecution of criminal
offences as designated pursuant to Article 15(2); and
1. (a) Upon request of the requesting State, the requested State (i) offences punishable under the laws of both the
shall, in accordance with the terms of this Article, requested and requesting States;
promptly ascertain if the banks located in its territory
possess information on whether an identified natural or (ii) offences punishable by a penalty involving depriva-
legal person suspected of or charged with a criminal tion of liberty or a detention order of a maximum
offence is the holder of a bank account or accounts. The period of at least four years in the requesting State
requested State shall promptly communicate the results and at least two years in the requested State; or
of its enquiries to the requesting State.
(iii) designated serious offences punishable under the
laws of both the requested and requesting States.
(b) The actions described in subparagraph (a) may also be
taken for the purpose of identifying:
(b) A State which limits its obligation pursuant to subpara-
(i) information regarding natural or legal persons
graph (a)(ii) or (iii) shall, at a minimum, enable identifi-
convicted of or otherwise involved in a criminal
cation of accounts associated with terrorist activity and
offence;
the laundering of proceeds generated from a compre-
(ii) information in the possession of non-bank financial hensive range of serious criminal activities, punishable
institutions; or under the laws of both the requesting and requested
States.
(iii) financial transactions unrelated to accounts.
2. A request for information described in paragraph 1 shall 5. Assistance may not be refused under this Article on
include: grounds of bank secrecy.
3. The competent authorities determined by the respective 6. This Article is without prejudice to application of provi-
States concerned shall communicate directly for the purposes sions of bilateral mutual legal assistance agreements between
of the establishment and operation of such team except that Member States and the United States of America that require or
where the exceptional complexity, broad scope, or other permit the use of video conferencing technology for purposes
circumstances involved are deemed to require more central other than those described in paragraph 1, including for
coordination as to some or all aspects, the States may agree purposes of identification of persons or objects, or taking of
upon other appropriate channels of communications to that investigative statements. Where not already provided for under
end. applicable treaty or law, a State may permit the use of video
conferencing technology in such instances.
2. (a) Requests for assistance under this Article shall be trans- (b) Generic restrictions with respect to the legal standards
mitted between the central authorities designated of the requesting State for processing personal data may
pursuant to the bilateral mutual legal assistance treaty in not be imposed by the requested State as a condition
force between the States concerned, or between such under subparagraph (a) to providing evidence or infor-
other authorities as may be agreed by the central autho- mation.
rities.
3. Where, following disclosure to the requesting State, the
(b) In the absence of a treaty, requests shall be transmitted requested State becomes aware of circumstances that may cause
between the United States Department of Justice and the it to seek an additional condition in a particular case, the
Ministry of Justice or, pursuant to Article 15(1), compar- requested State may consult with the requesting State to deter-
able Ministry of the Member State concerned responsible mine the extent to which the evidence and information can be
for transmission of mutual legal assistance requests, or protected.
between such other authorities as may be agreed by the
Department of Justice and such Ministry.
4. A requested State may apply the use limitation provision
of the applicable bilateral mutual legal assistance treaty in lieu
3. The Contracting Parties shall take measures to avoid the of this Article, where doing so will result in less restriction on
imposition of extraordinary burdens on requested States the use of information and evidence than provided for in this
through application of this Article. Where extraordinary Article.
burdens on a requested State nonetheless result, the
Contracting Parties shall immediately consult with a view to
facilitating the application of this Article, including the taking 5. Where a bilateral mutual legal assistance treaty in force
of such measures as may be required to reduce pending and between a Member State and the United States of America on
future burdens. the date of signature of this Agreement, permits limitation of
the obligation to provide assistance with respect to certain tax
offences, the Member State concerned may indicate, in its
exchange of written instruments with the United States of
America described in Article 3(2), that, with respect to such
Article 9 offences, it will continue to apply the use limitation provision
of that treaty.
Limitations on use to protect personal and other data
Review
Article 15
The Contracting Parties agree to carry out a common review of
this Agreement no later than five years after its entry into force.
Designations and notifications The review shall address in particular the practical implementa-
tion of the Agreement and may also include issues such as the
consequences of further development of the European Union
1. Where a Ministry other than the Ministry of Justice has relating to the subject matter of this Agreement.
been designated under Article 8(2)(b), the European Union shall
notify the United States of America of such designation prior
to the exchange of written instruments described in Article 3(3)
between the Member States and the United States of America.
Article 18
2. The Contracting Parties, on the basis of consultations
between them on which national authorities responsible for the
investigation and prosecution of offences to designate pursuant Entry into force and termination
to Article 4(3), shall notify each other of the national authori-
ties so designated prior to the exchange of written instruments
described in Article 3(2) and (3) between the Member States 1. This Agreement shall enter into force on the first day
and the United States of America. The European Union shall, following the third month after the date on which the
for Member States having no mutual legal assistance treaty with Contracting Parties have exchanged instruments indicating that
the United States of America, notify the United States of they have completed their internal procedures for this purpose.
America prior to such exchange of the identity of the central These instruments shall also indicate that the steps specified in
authorities under Article 4(3). Article 3(2) and (3) have been completed.
3. The Contracting Parties shall notify each other of any 2. Either Contracting Party may terminate this Agreement at
limitations invoked under Article 4(4) prior to the exchange of any time by giving written notice to the other Party, and such
written instruments described in Article 3(2) and (3) between termination shall be effective six months after the date of such
the Member States and the United States of America. notice.
L 181/40 EN Official Journal of the European Union 19.7.2003
Done at Washington D.C. on the twenty-fifth day of June in the year two thousand and three in duplicate
in the Danish, Dutch, English, Finnish, French, German, Greek, Italian, Portuguese, Spanish and Swedish
languages, each text being equally authentic.
Explanatory Note on the Agreement on Mutual Legal Assistance between the European Union and
the United States of America
This note reflects understandings regarding the application of certain provisions of the Agreement on
Mutual Legal Assistance between the European Union and the United States of America (hereinafter ‘the
Agreement’) agreed between the Contracting Parties.
On Article 8
With respect to the mutual legal assistance to administrative authorities under Article 8(1), the first
sentence of Article 8(1) imposes an obligation to afford mutual legal assistance to requesting United States
of America federal administrative authorities and to requesting national administrative authorities of
Member States. Under the second sentence of that paragraph mutual legal assistance may also be made
available to other, that is non-federal or local, administrative authorities. This provision however, is avail-
able at the discretion of the requested State.
The Contracting Parties agree that under the first sentence of Article 8(1) mutual legal assistance will be
made available to a requesting administrative authority that is, at the time of making the request,
conducting investigations or proceedings in contemplation of criminal prosecution or referral of the inves-
tigated conduct to the competent prosecuting authorities, within the terms of its statutory mandate, as
further described immediately below. The fact that, at the time of making the request referral for criminal
prosecution is being contemplated does not exclude that, other sanctions than criminal ones may be
pursued by that authority. Thus, mutual legal assistance obtained under Article 8(1) may lead the
requesting administrative authority to the conclusion that pursuance of criminal proceedings or criminal
referral would not be appropriate. These possible consequences do not affect the obligation upon the
Contracting Parties to provide assistance under this Article.
However, the requesting administrative authority may not use Article 8(1) to request assistance where
criminal prosecution or referral is not being contemplated, or for matters in which the conduct under
investigation is not subject to criminal sanction or referral under the laws of the requesting State.
The European Union recalls that the subject matter of the Agreement for its part falls under the provisions
on police and judicial cooperation in criminal matters set out in Title VI of the Treaty on European Union
and that the Agreement has been concluded within the scope of these provisions.
On Article 9
Article 9(2)(b) is meant to ensure that refusal of assistance on data protection grounds may be invoked
only in exceptional cases. Such a situation could arise if, upon balancing the important interests involved
in the particular case (on the one hand, public interests, including the sound administration of justice and,
on the other hand, privacy interests), furnishing the specific data sought by the requesting State would raise
difficulties so fundamental as to be considered by the requested State to fall within the essential interests
grounds for refusal. A broad, categorical, or systematic application of data protection principles by the
requested State to refuse cooperation is therefore precluded. Thus, the fact the requesting and requested
States have different systems of protecting the privacy of data (such as that the requesting State does not
have the equivalent of a specialised data protection authority) or have different means of protecting
personal data (such as that the requesting State uses means other than the process of deletion to protect
the privacy or the accuracy of the personal data received by law enforcement authorities), may as such not
be imposed as additional conditions under Article 9(2a).
On Article 14
Article 14 provides that the Agreement shall not preclude the conclusion, after its entry into force, of bilat-
eral agreements on mutual legal assistance between a Member State and the United States of America
consistent with the Agreement.
L 181/42 EN Official Journal of the European Union 19.7.2003
Should any measures set forth in the Agreement create an operational difficulty for the United States of
America and one or more Member States, such difficulty should in the first place be resolved, if possible,
through consultations between the Member State or Member States concerned and the United States of
America, or, if appropriate, through the consultation procedures set out in the Agreement. Where it is not
possible to address such operational difficulty through consultations alone, it would be consistent with the
Agreement for future bilateral agreements between a Member State and the United States of America to
provide an operationally feasible alternative mechanism that would satisfy the objectives of the specific
provision with respect to which the difficulty has arisen.
8.9.2017 CURIA - Documents
Provisional text
Opinion 1/15
(Request for an opinion — Admissibility — Draft agreement between Canada and the European Union on the
transfer and processing of Passenger Name Record data — ‘Passenger Name Record ()’ data — Compatibility of the
draft agreement with Article 16 TFEU and Articles 7 and 8 and Article 52(1) of the Charter of Fundamental Rights of
the European Union — Legal basis)
Table of contents
I – Introduction
II – Legal framework
VI – The appropriate legal basis for the act concluding the agreement envisaged (second question)
A – Analysis of the arguments of the Parliament and the other interested parties
B – Assessment
(b) The need to base the act concluding the agreement envisaged on the first subparagraph of Article 16(2)
TFEU
VII – The compatibility of the agreement envisaged with the provisions of the FEU Treaty and the Charter (first
question)
A – Analysis of the Parliament’s request and observations and also of the observations of the other interested parties
B – Assessment
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=&… 1/46
8.9.2017 CURIA - Documents
1. Preliminary observations
2. The existence of an interference with the rights guaranteed by Articles 7 and 8 of the Charter
3. The justification for the interference with the rights guaranteed by Articles 7 and 8 of the Charter
(a) An interference ‘provided for by law’, within the meaning of Article 52(1) of the Charter
i) General considerations
ii) The ability of the interference to achieve the ‘public security’ objective pursued by the agreement
envisaged
– The sufficiently precise nature of the purpose for which PNR data processing is authorised
– Identification of the competent authority responsible for processing the PNR data
VIII – Conclusion
I – Introduction
1. In application of Article 218(11) TFEU, the European Parliament has requested the Court to deliver an opinion
on the agreement envisaged between Canada and the European Union on the transfer and processing of Passenger
Name Record data (‘the agreement envisaged’), in order to enable it to answer the Council of the European Union’s
request, of July 2014, that the Parliament should approve the proposal for a decision on the conclusion of the
agreement envisaged. (2)
2. Schematically, the agreement envisaged provides that Passenger Name Record data (‘PNR data’), which is
collected from passengers for the purpose of reserving flights between Canada and the European Union, is to be
transferred to the Canadian competent authorities and then processed and used by those authorities in order to prevent
and detect terrorist offences and other serious transnational criminal offences, while providing a number of
guarantees in relation to privacy and the protection of passengers’ personal data.
3. The request for an opinion, which concerns both the compatibility of the agreement envisaged with primary
EU law and the appropriate legal basis for the Council decision concluding the agreement envisaged, is worded as
follows:
‘Is the [agreement envisaged] compatible with the provisions of the Treaties (Article 16 TFEU) and the Charter of
Fundamental Rights of the European Union (Articles 7, 8 and Article 52(1)) as regards the right of individuals to
protection of personal data?
Do Articles 82(1)(d) and 87(2)(a) TFEU constitute the appropriate legal basis for the act of the Council concluding
the [agreement envisaged] or must that act be based on Article 16 TFEU?’
4. Irrespective of its content, the Court’s answer to that request will necessarily have implications for the
Agreements already in force between the European Union and Australia (3) and the European Union and the United
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=&… 2/46
8.9.2017 CURIA - Documents
States of America, (4) and also on the future Passenger Name Record system, put in place within the Union itself,
which was recently approved by the Parliament, although the present proceedings were still pending. (5)
5. The present request for an opinion requires an examination of questions which are both unprecedented and
delicate.
6. From the aspect of determining the appropriate legal basis for the act concluding the agreement envisaged, this
request must lead the Court, in particular, to examine for the first time the scope of Article 16(2) TFEU, which was
introduced following the adoption of the Treaty of Lisbon, and also the way in which that article interacts with the
Treaty provisions on the area of freedom, security and justice (‘the AFSJ’). In that regard, as I shall show in this
Opinion, (6) the objectives pursued by and the content of the agreement envisaged are interdependent and the act
concluding that agreement must therefore in my view be based on both Article 16 TFEU and Article 87(2)(a) TFEU.
7. This is also the first time that the Court will be required to rule on the compatibility of a draft international
agreement with the fundamental rights enshrined in the Charter of Fundamental Rights of the European Union (‘the
Charter’), and more particularly with those relating to respect for private and family life, guaranteed by Article 7, and
the protection of personal data, guaranteed by Article 8. The examination of that question will thus undoubtedly
benefit from the valuable guidance to be derived from the judgments of 8 April 2014, Digital Rights Ireland and
Others (C‑293/12 and C‑594/12, EU:C:2014:238), and of 6 October 2015, Schrems (C‑362/14, EU:C:2015:650). As
will be more fully explained, I consider that it is indeed appropriate to follow the route outlined by those judgments
and to subject the agreement envisaged to a strict review of compliance with the requirements laid down in Articles 7
and 8 and Article 52(1) of the Charter. Nonetheless, it must be borne in mind that the draft agreement referred to the
Court is the outcome of international negotiations with a third country, which, in the absence of a satisfactory
agreement, may well decline to conclude the agreement envisaged and prefer, as it does now, to apply its system
unilaterally to air carriers established in the EU which provide flights to Canada.
8. That does not mean that the Court must lower the degree of vigilance which it has shown in relation to respect
for the fundamental rights protected in EU law. It is necessary that, at a time when modern technology allows the
public authorities, in the name of combating terrorism and serious transnational crime, to develop extremely
sophisticated methods of monitoring the private life of individuals and analysing their personal data, the Court should
ensure that the proposed measures, even when they take the form of international agreements envisaged, reflect a fair
balance between the legitimate desire to maintain public security and the equally fundamental right for everyone to be
able to enjoy a high level of protection of his private life and his own data.
9. As my subsequent observations will illustrate, it cannot be denied that the contracting parties have attempted,
sometimes insufficiently, to strike a balance between those two objectives inseparably pursued by the agreement
envisaged. To my mind, that effort must be acknowledged. However, without calling in question either the object of
or the need for the agreement envisaged, I consider, as this Opinion will demonstrate, that in order to be compatible
with Articles 7 and 8 and Article 52(1) of the Charter, the agreement envisaged will have to be brought up to date
and/or some of its present terms will have to be deleted so that it does not exceed what is strictly necessary in order to
achieve its security objective.
II – Legal framework
‘1. Everyone has the right to the protection of personal data concerning them.
2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall
lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union
institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the
scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be
subject to the control of independent authorities.
…’
11. Article 82 TFEU, in Chapter 4, entitled ‘Judicial cooperation in criminal matters’, of Title V of Part Three of
that Treaty, provides:
‘1. Judicial cooperation in criminal matters in the Union shall be based on the principle of mutual recognition of
judgments and judicial decisions and shall include the approximation of the laws and regulations of the Member
States in the areas referred to in paragraph 2 …
The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall adopt
measures to:
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=&… 3/46
8.9.2017 CURIA - Documents
(d) facilitate cooperation between judicial or equivalent authorities of the Member States in relation to proceedings
in criminal matters and the enforcement of decisions.
…’
12. Article 87 TFEU, which is part of Chapter 5, entitled ‘Police cooperation’, of Title V of Part Three of that
Treaty, provides as follows:
‘1. The Union shall establish police cooperation involving all the Member States’ competent authorities, including
police, customs and other specialised law enforcement services in relation to the prevention, detection and
investigation of criminal offences.
2. For the purposes of paragraph 1, the European Parliament and the Council, acting in accordance with the
ordinary legislative procedure, may establish measures concerning:
(a) the collection, storage, processing, analysis and exchange of relevant information;
…’
‘Everyone has the right to respect for his or her private and family life, home and communications.’
‘1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person
concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been
collected concerning him or her, and the right to have it rectified.
15. Article 52 of the Charter, entitled ‘Scope and interpretation of rights and principles’, provides as follows:
‘1. Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by
law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may
be made only if they are necessary and genuinely meet objectives of general interest recognised by the or the need to
protect the rights and freedoms of others.
…’
16. Protocol (No 21) on the position of the United Kingdom and Ireland in respect of the area of freedom, security
and justice provides as follows, in Articles 1, 3 and 6a:
‘Article 1
Subject to Article 3, the United Kingdom and Ireland shall not take part in the adoption by the Council of proposed
measures pursuant to Title V of Part Three of the [TFEU]. The unanimity of the members of the Council, with the
exception of the representatives of the governments of the and , shall be necessary for decisions of the Council which
must be adopted unanimously.
For the purposes of this Article, a qualified majority shall be defined in accordance with Article 238(3) [TFEU].
Article 3
1. The United Kingdom or Ireland may notify the President of the Council in writing, within three months after a
proposal or initiative has been presented to the Council pursuant to Title V of Part Three of the [TFEU], that it wishes
to take part in the adoption and application of any such proposed measure, whereupon that State shall be entitled to
do so.
Article 6a
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=&… 4/46
8.9.2017 CURIA - Documents
The United Kingdom and Ireland shall not be bound by the rules laid down on the basis of Article 16 [TFEU] which
relate to the processing of personal data by the Member States when carrying out activities which fall within the
scope of Chapter 4 or Chapter 5 of Title V of Part Three of that Treaty where the United Kingdom and Ireland are not
bound by the rules governing the forms of judicial cooperation in criminal matters or police cooperation which
require compliance with the provisions laid down on the basis of Article 16.’
17. Protocol (No 22) on the position of Denmark provides as follows, in Articles 1, 2 and 2a:
‘Article 1
shall not take part in the adoption by the Council of proposed measures pursuant to Title V of Part Three of the
[TFEU]. The unanimity of the members of the Council, with the exception of the representative of the government of
, shall be necessary for the decisions of the Council which must be adopted unanimously.
For the purposes of this Article, a qualified majority shall be defined in accordance with Article 238(3) of the
[TFEU].
Article 2
None of the provisions of Title V of Part Three of the [TFEU], no measure adopted pursuant to that Title, no
provision of any international agreement concluded by the Union pursuant to that Title, and no decision of the Court
of Justice of the European Union interpreting any such provision or measure or any measure amended or amendable
pursuant to that Title shall be binding upon or applicable in Denmark; and no such provision, measure or decision
shall in any way affect the Community or Union acquis nor form part of Union law as they apply to Denmark. …
Article 2a
Article 2 of this Protocol shall also apply in respect of those rules laid down on the basis of Article 16 [TFEU] which
relate to the processing of personal data by the Member States when carrying out activities which fall within the
scope of Chapter 4 or Chapter 5 of Title V of Part Three of that Treaty.’
18. On 18 July 2005, the Council approved the Agreement between the European Community and the Government
of Canada on the processing of Advance Passenger Information and Passenger Name Record data (‘the 2006
Agreement’). (7)
19. In accordance with the preamble thereto, the 2006 Agreement was concluded having regard to the Government
of Canada requirement of air carriers carrying persons to Canada to provide Advance Passenger Information and
Passenger Name Record data (‘API/ data’) to the Canadian competent authorities, to the extent that it is collected and
contained in carriers’ automated reservation systems and departure control systems.
20. According to Article 1 of the 2006 Agreement, the purpose of that agreement was ‘to ensure that / data of
persons on eligible journeys is provided in full respect of fundamental rights and freedoms, in particular the right to
privacy’. The competent authority for Canada was, in accordance with Annex I to the 2006 Agreement, ‘the Canada
Border Services Agency ()’.
21. In the light of that commitment, the European Commission, acting on the basis of Article 25(2) of Directive
95/46/EC, (8) adopted Decision 2006/253/EC, (9) Article 1 of which provided that the was to be considered to ensure
an adequate level of protection for data transferred from the European Community concerning flights bound for
Canada. As Decision 2006/253 expired in September 2009 (10) and the duration of the 2006 Agreement was linked to
the duration of that decision, (11) that agreement therefore also expired in September 2009.
22. On 5 May 2010, the Parliament adopted a Resolution on the launch of negotiations for Passenger Name
Record (PNR) data agreements with the United States, Australia and Canada. (12) In that resolution, the Parliament
called for a coherent approach on the use of data for law enforcement and security purposes, establishing a single set
of principles to serve as a basis for agreements with third countries. To that end, it invited the Commission to present
a proposal for such a single model and a draft mandate for negotiations with third countries, while setting out the
minimum requirements to be met. (13)
23. On 21 September 2010, the Commission adopted three proposals aimed at authorising the initiation of
negotiations with the , and . (14) Subsequently, agreements were signed and concluded with the and , with the
approval of the Parliament. (15) Those agreements entered into force in 2012.
24. Following the close of the negotiations with Canada, the Commission, on 19 July 2013, adopted proposals for
Council decisions relating to the signature and conclusion of the agreement envisaged.
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=&… 5/46
8.9.2017 CURIA - Documents
25. The European Data Protection Supervisor (‘the EDPS’) delivered his opinion on those proposals on
30 September 2013. (16) In that opinion, the EDPS raised a number of questions concerning the necessity and
proportionality of schemes and of bulk transfers of data to third countries, cast doubt on the choice of the substantive
legal basis and made various observations and proposals concerning the various provisions of the agreement
envisaged.
26. On 5 December 2013, the Council adopted a decision on the signature of the agreement envisaged, which had
not been amended following the opinion of the EDPS. The agreement envisaged was signed on 25 June 2014, subject
to its conclusion at a later date.
27. By letter dated 7 July 2014, the Council sought the Parliament’s approval of the draft decision relating to the
conclusion, on behalf of the Union, of the agreement envisaged. That draft decisions refers, as legal bases, to
Article 82(1)(d) TFEU and Article 87(2)(a) TFEU read in conjunction with Article 218(6)(a)(v) TFEU.
28. On 25 November 2014, the Parliament decided to request the Court to provide the present opinion, submitting
the questions set out in paragraph 3 of this Opinion.
29. Following the submission of the request by the Parliament, written observations were lodged by the Bulgarian
and Estonian Governments, Ireland, the Spanish, French and United Kingdom Governments and by the Council and
the Commission.
30. The Court put a number of questions to be answered in writing, concerning, in particular, certain practical and
factual aspects of the processing of the data, the legal basis for the agreement envisaged, the scope ratione territoriae
of that agreement and the compatibility of its terms with the provisions of the FEU Treaty and the Charter, in the light
of the guidance to be derived from the case-law, especially the judgments of 8 April 2014, Digital Rights Ireland and
Others (C‑293/12 and C‑594/12, EU:C:2014:238), and of 6 October 2015, Schrems (C‑362/14, EU:C:2015:650).
Furthermore, in application of the second paragraph of Article 24 of the Statute of the Court of Justice of the
European Union, the Court requested the EDPS to answer those questions. The EDPS, and also Ireland, the Spanish,
French and United Kingdom Governments, the Parliament, the Council and the Commission, answered the questions
put to them within the prescribed period.
31. The representatives of the Estonian Government, Ireland, the Spanish, French and United Kingdom
Governments, those of the Parliament, the Council and the Commission, and the representative of the EDPS
presented oral argument at the hearing on 5 April 2016.
32. While the Bulgarian and Estonian Governments and the Commission share the Parliament’s view that the
request for an opinion is admissible in its entirety, the French Government and the Council question the admissibility
of the second question in the Parliament’s request, which deals with the appropriate legal basis for the Council
decision concluding the agreement envisaged.
33. In essence, the French Government and the Council claim that that question does not relate to either the power
of the European Union to conclude the agreement envisaged or the allocation of powers between the Union and the
Member States. In addition, they maintain that the possible incorrect application of Articles 82 and 87 TFEU would
have no impact on the procedure to be followed in adopting the Council act concluding the agreement envisaged, as
both the application of Article 16 TFEU and the application of Articles 82 and 87 TFEU require compliance with the
ordinary legislative procedure, in particular the approval of the Parliament, pursuant to Article 218(6)(a)(v) TFEU.
34. I suggest that the Court should declare the request for an opinion admissible in its entirety.
35. Generally, it should first of all be borne in mind that, in accordance with Article 218(11) TFEU and the case-
law of the Court, the opinion of the Court may be sought as to whether an ‘agreement envisaged’ (17) is compatible
with the substantive rules of the Treaties or with those which determine the extent of the powers of the European
Union and its institutions, including questions relating to the allocation of powers between the EU and the Member
States to conclude a specific agreement with third States, (18) as confirmed by Article 196(2) of the Rules of
Procedure of the Court of Justice.
36. There can thus be no doubt — as, moreover, all the interested parties acknowledge — that in so far as the
request for an opinion relates to the compatibility of the agreement envisaged with the substantive provisions of EU
primary law, including the provisions of the Charter, which have the same value as the Treaties, it is admissible. (19)
37. I consider that that is also the case of the second question, relating to the determination of the appropriate legal
basis for the act whereby the Council concludes the agreement envisaged.
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=&… 6/46
8.9.2017 CURIA - Documents
38. Admittedly, as the French Government and the Council have claimed, none of the interested parties has any
doubt that, in this instance, the European Union has the power to approve the agreement envisaged, nor is that
question the subject matter of the request for an opinion.
39. However, it should be noted that, when examining previous requests for opinions, the Court has already agreed
to answer the question of the appropriate legal basis for the act concluding the proposed agreements at issue. (20)
That position was based, in essence, on two essential considerations, which are closely linked.
40. The choice of the appropriate legal basis for the act concluding an international agreement has ‘constitutional
significance’ (21) since the Union has conferred powers only and must therefore be able to tie the international
agreements which are deemed to come within its legal order to a Treaty provision which empowers it to approve
those acts. The use of an incorrect legal basis is therefore apt to invalidate the act concluding the agreement and thus
to vitiate the European Union’s consent to be bound by that agreement. (22)
41. Furthermore, failure to take the opportunity to examine the choice of the appropriate legal basis for the act
concluding a draft agreement in the procedure for submitting a prior request to the Court might ultimately lead to
complications, both at EU level and in the international legal order, if the act concluding the agreement should
subsequently be declared invalid because of the error in the legal basis. In fact, the preventive procedure laid down in
Article 218(11) TFEU is specifically designed to ensure that such complications cannot arise, in the interest of the
contracting parties. (23)
42. Although they do not deny the existence of that case-law, the French Government and the Council maintain, in
essence, that none of the legal complications to which the Court has referred in its previous opinions could arise in
the present case. Thus, according to those interested parties, in the present case, the choice of Article 16 TFEU as the
substantive legal basis for the agreement envisaged, as defended by the Parliament in its request for an opinion,
would not affect the allocation of powers between the Union and the Member States, nor would it lead to a ‘different
legislative procedure’ from that followed by the Council and the Commission in the present case, within the meaning
of those opinions.
44. It should be pointed out that the situations to which the Court referred in paragraph 5 of Opinion 2/00 of
6 December 2001 (EU:C:2001:664), and paragraph 110 of Opinion 1/08 of 30 November 2009 (EU:C:2009:739),
respectively, are merely examples of situations in which the use of an incorrect legal basis is liable to vitiate the
European Union’s consent to be bound by the agreement to which it has subscribed or to entail legal difficulties at
internal level or in the Union’s external relations. The two situations referred to in those paragraphs of the two
opinions — namely the situation in which the EU has committed itself although the Treaty does not confer on it
sufficient power to ratify an agreement in its entirety, which calls for an examination of the allocation of powers
between the European Union and the Member States, and the situation in which the appropriate legal basis for the act
concluding the agreement provides for a different legislative procedure from that actually followed by the
institutions — were introduced by the expression ‘that is so in particular where’. Other situations giving rise to legal
difficulties at internal EU level or in the context of international relations cannot therefore be precluded.
45. Next, it must not be forgotten that the opinion procedure is of a non-contentious and preventive nature, (24)
which to my mind justifies a certain flexibility on the part of the Court when it examines the admissibility of a
question relating to the appropriate legal basis for the act concluding an agreement envisaged.
46. Thus, at the admissibility stage, I consider that the Court must simply ask whether, if it declines to answer the
question referred to it, there will be a serious risk that the act concluding the agreement may subsequently be declared
invalid, on the same ground as that raised in the request for an opinion, resulting in a situation giving rise to
difficulties at internal EU level or in the context of external relations that the opinion procedure could have prevented.
47. In the present case, I am convinced that such a risk cannot be precluded.
48. In fact, as I shall examine later in the present Opinion, the grounds which the Parliament puts forward in
support of the argument that Article 16 TFEU constitutes the appropriate substantive legal basis for the act
concluding the agreement envisaged are very serious, to such an extent that I consider them to be well founded in
part.
49. Consequently, failure to answer that argument in the present procedure would be apt to lead the Parliament to
challenge the validity of the act concluding the agreement or, as the case may be, to lead a national court hearing an
action brought by an individual harmed by the transfer of his data to the Canadian competent authority to request the
Court to give a preliminary ruling on the validity of the agreement and the act concluding it.
50. Furthermore, to my mind the French Government and the Council are wrong to play down the consequences of
a declaration that the act concluding the agreement envisaged is invalid if it should eventually transpire that,
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=&… 7/46
8.9.2017 CURIA - Documents
following an action for annulment or a request for a preliminary ruling on validity, that act ought to have been
adopted, as the Parliament maintains, on the sole legal basis of Article 16 TFEU.
51. In fact — and I shall return to this point later —, and as suggested in certain written observations, if Article 16
TFEU were taken as the sole legal basis of the act concluding the agreement envisaged, that would alter the status of
the Kingdom of Denmark, Ireland and the United Kingdom of Great Britain and Northern Ireland, as those Member
States would then be directly and automatically bound by the agreement, contrary to Article 29 of the agreement
envisaged. As regards the Kingdom of Denmark, in particular, any international commitment that it might have
concluded with Canada, alongside the agreement envisaged, would then be unlawful, since that Member State would
no longer have the necessary power to give such a commitment.
52. It therefore seems to me that, all things considered, by analogy with the Court’s observation in paragraph 47 of
Opinion 1/13 of 14 October 2014 (EU:C:2014:2303), it is particularly appropriate that the Court should answer the
second question in the present request for an opinion in order, in particular, to forestall the legal complications that
might be caused by situations in which a Member State enters into international commitments without the requisite
authorisation when, under EU law, it would no longer have the necessary power to enter into or give effect to such a
commitment.
53. I therefore propose that the Court should declare that the second question raised by the Parliament in its
request for an opinion is admissible.
54. Furthermore, as that question relates to the procedural validity of the act concluding the agreement and
requires an analysis of the objectives and the content of the agreement envisaged, I suggest that it should be dealt
with before the question relating to the compatibility of the agreement with the provisions of the FEU Treaty and the
rights enshrined in the Charter.
VI – The appropriate legal basis for the act concluding the agreement envisaged (second question)
A– Analysis of the arguments of the Parliament and the other interested parties
55. The Parliament and all the interested parties who have lodged observations are agreed that, in accordance with
the case-law of the Court, the choice of the legal basis must be founded on objective criteria amenable to judicial
review, and those objective criteria include the purpose and the content of the act at issue.
56. The Parliament emphasises that the agreement envisaged has two purposes, which are set out in Article 1
thereof. However, the main purpose of the agreement envisaged is to ensure the protection of personal data. In the
Parliament’s submission, the agreement envisaged has an effect analogous to an ‘adequacy decision’ and its aim is to
replace Commission Decision 2006/253, adopted under Article 25(6) of Directive 95/46, in which the Commission
established, in the context of the 2006 Agreement, the adequate level of protection of the data transferred to the
CBSA. In addition, the agreement envisaged does not seek to create an obligation for air carriers to transfer data to
the Canadian or European police authorities, which makes it difficult to justify the choice of Article 82(1)(d) and
Article 87(2)(a) TFEU as the substantive legal bases. According to the case-law, those findings justify, in the
Parliament’s view, that the agreement envisaged should be founded on the legal basis corresponding to the main
purpose of the agreement envisaged, namely, in this instance, Article 16 TFEU. The content of the agreement
envisaged confirms that assessment. The Parliament states, last, that Article 16 TFEU permits the adoption of rules
on the protection of personal data in all fields of EU law, including the ‘AFSJ’.
57. In answer to a question put at the hearing before the Court, the Parliament stated that, in the event that the
Court should consider that the agreement envisaged pursues inseparable purposes, it had no objection to the act
concluding the agreement envisaged being based on Article 16, Article 82(1)(d) and Article 87(2)(a) TFEU.
58. With the exception of the Spanish Government and the EDPS and also, in the context of an alternative
observation, the French Government, the other interested parties maintain that the purpose of the agreement
envisaged is to combat terrorism and serious transnational crime, while data protection constitutes, in essence, only
an instrument whereby that purpose may be achieved. In that regard, the Commission observes that, in the judgment
of 30 May 2006, Parliament v Council and Commission (C‑317/04 and C‑318/04, EU:C:2006:346, paragraph 56), the
Court held that the transfer of data to the United States constituted processing operations concerning public security
and the activities of the Member States in areas of criminal law. The choice of the legal basis for the act concluding
the agreement envisaged should be made in accordance with that reasoning.
59. The great majority of those interested parties further submit that, if data protection were to be considered to
constitute an objective of the agreement envisaged, that objective would be merely incidental to the main purpose and
would therefore have no consequence on the actual choice of the legal basis for the act concluding the agreement. In
that regard, the Council and the Commission submit that acts having as their purpose the implementation of sectoral
policies requiring the processing of personal data should be based on the legal basis corresponding to the policy
concerned and not on Article 16 TFEU.
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=&… 8/46
8.9.2017 CURIA - Documents
60. As for the possibility of combining Article 16, Article 82(1)(d) and Article 87(2)(a) TFEU as the substantive
legal bases of the act concluding the agreement envisaged, the French Government maintains, in the alternative, in its
written observations, that such a combination is perfectly conceivable. On the other hand, and the Council maintain
the opposite. At the hearing before the Court, the Council submitted that the voting procedure within the Council, as
defined in Protocols (No 21) and (No 22), would preclude such a hypothesis.
B – Assessment
61. According to settled case-law, the choice of the legal basis for a European Union measure, including the
measure adopted for the purpose of concluding an international agreement, must rest on objective factors amenable to
judicial review, which include the purpose and the content of that measure. If examination of the EU measure reveals
that it pursues a twofold purpose or that it has a twofold component, and if one of those is identifiable as the main or
predominant purpose or component, whereas the other is merely incidental, the act must be based on a single legal
basis, namely, that required by the main or predominant purpose or component. (25)
62. However, the Court accepts, ‘by way of exception’, that an act may be founded on various legal bases
corresponding to the number of the objectives or components of that act where those objectives or components are
inseparably linked, without one being incidental in relation to the other. (26) In such a case, the Court further
ascertains whether recourse to more than one legal basis might be precluded on the ground that the procedures laid
down for the different legal bases are mutually incompatible. (27)
63. It is in the light of that case-law that it must be determined whether, having regard to the purpose and the
content of the agreement envisaged, the act concluding that agreement should be based exclusively on Article 82(1)
(d) and Article 87(2)(a) TFEU, as substantive legal bases, as the Council’s draft decision indicates and as most of the
interested parties maintain, or whether it should be based on Article 16 TFEU, whether exclusively or read in
conjunction with those two articles. (28)
64. On the latter point, I would make clear that, contrary to the Council’s contention in its written observations, the
Court is in my view perfectly entitled, in the light of the non-contentious and preventive nature of the opinion
procedure, to examine the second question submitted by the Parliament from the angle of the combination of
substantive legal bases, even though the wording of that question does not envisage it. Furthermore, the interested
parties had the opportunity, both during the written procedure and at the hearing, to express their views on that point.
65. That is all the more important because the examination of the purpose and the content of the agreement
envisaged must in my view lead to the finding that the agreement pursues two objectives and has two components,
although, overall, neither those two objectives nor those different components can be ranked and separated. To my
mind, that justifies the act concluding the agreement envisaged taking as its substantive legal bases Article 16 and
Article 87(2)(a) TFEU, which means that the procedures referred to in those two articles may co-exist.
66. It is apparent from the second paragraph of the preamble to the agreement envisaged that the contracting
parties recognise ‘the importance of preventing, combating, repressing and eliminating terrorism and terrorist-related
offences, as well as other serious transnational crime, while preserving fundamental rights and freedoms, in particular
rights to privacy and data protection’, while the fourth paragraph further states that the use of data is a critically
important instrument to pursue those goals.
67. The simultaneous pursuit of the objective of combating terrorism and other serious transnational crime and
respecting private life and the protection of personal data is confirmed by the fifth and sixth paragraphs of the
preamble, which emphasise, respectively, the contracting parties’ desire to ‘safeguard public security’ and the
recognition that they ‘share common values with respect to data protection and privacy’.
68. Likewise, it is expressly stated in the 15th paragraph of the preamble that Canada has given a commitment that
its competent authority will process ‘PNR data for the purpose of preventing, detecting, investigating and prosecuting
terrorist offences and serious transnational crime in strict compliance with safeguards on privacy and the protection of
personal data, as set out in [the agreement envisaged]’.
69. The agreement envisaged is therefore intended to allow Canada to process the data of passengers carried by
airlines flying between the European Union and Canada, for the purpose of combating terrorism and other serious
transnational crime while safeguarding the right to respect for privacy and the right to protection of personal data
under the conditions laid down in the agreement envisaged itself.
70. The need to reconcile those two objectives is confirmed out by Article 1 of the agreement envisaged, which
states that the contracting parties are to set out the conditions for the transfer and use of data ‘to ensure the security
and safety of the public and prescribe the means by which the data is protected’.
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=&… 9/46
8.9.2017 CURIA - Documents
71. It is also clear on examining the content of the agreement envisaged that the means of combating terrorism and
other serious transnational crime by the transfer and processing of data is authorised only if the data in question
benefits from an adequate level of protection.
72. Thus, in the words of Article 3(1) of the agreement envisaged, Canada is to ensure that the Canadian
competent authority processes data received ‘strictly for the purpose of preventing, detecting, investigating or
prosecuting terrorist offences or serious transnational crime’, while making clear that that processing must be carried
out ‘pursuant to this Agreement’. That means, in particular, that, in application of Article 5 of the agreement
envisaged, ‘subject to compliance with [that agreement], the Canadian Competent Authority is deemed to provide an
adequate level of protection, within the meaning of relevant European Union data protection law’.
73. Likewise, in the context of the retention of data and the gradual depersonalisation of that data by masking,
provided for in Article 16 of the agreement envisaged, paragraph 4 of that article authorises the subsequent
unmasking of that data by the Canadian authorities only where, ‘on the basis of available information, it is necessary
to carry out investigations under the scope of Article 3’ of the agreement envisaged.
74. In addition, Articles 18(1) and 19(1) of the agreement envisaged authorise the subsequent disclosure of the
data to other Canadian government authorities or to government authorities in third countries only in strictly limited
circumstances, including where the authorities in question perform ‘functions [which] are directly related to the scope
of Article 3 [of the agreement envisaged]’ and where those authorities afford ‘protection equivalent to the safeguards
described in [the agreement envisaged]’.
75. However, although the need to reconcile the two objectives is not affected, some of the terms of the agreement
envisaged are more concerned with the aim of combating terrorism and serious transnational crime while others are
more concerned with the aim of safeguarding adequate protection of personal data.
76. Thus, as specifically regards the first objective, under Article 6(2) of the agreement envisaged Canada is
required to share, in specific cases, and at the request of the European Police Office (Europol), the European Union
Judicial Cooperation Unit (Eurojust), within the scope of their respective mandates, or the police or a judicial
authority of a Member State of the European Union, data or analytical information containing data obtained under the
agreement envisaged ‘to prevent, detect, investigate, or prosecute within the European Union a terrorist offence or
serious transnational crime’. Under Article 23(2) of the agreement envisaged, moreover, it is provided that the
contracting parties are to cooperate to pursue the coherence of their respective data processing regimes ‘in a manner
that further enhances the security of citizens of Canada, the European Union and elsewhere’.
77. As for the terms relating rather to the guarantees afforded by the agreement envisaged concerning data
protection, the agreement lays down a number of rules relating to data security and integrity (Article 9 of the
agreement envisaged), access, correction and annotation of data for individuals (Articles 12 and 13 of the agreement
envisaged), oversight of data processing and administrative and judicial redress for the persons concerned
(Articles 10 and 14 of the agreement envisaged).
78. In the light of the aim and the content of the agreement envisaged, that agreement therefore pursues two
objectives and has two essential components, as, in fact, most of the interested parties have acknowledged or at least
conceded.
79. Contrary to what the interested parties assert in support of opposing arguments, it is indeed difficult, in my
view, to determine which of those two objectives prevails over the other.
80. In fact, as the description of the aim and the content of the agreement envisaged tends to show, those two
objectives must be pursued simultaneously and in fact appear to be inseparable. As I have emphasised, the transfer to
and processing of data by the Canadian competent authority for the purposes set out in Article 3 of the agreement
envisaged are authorised only where those operations are accompanied by adequate protection of the data, within the
meaning of European Union data protection law, in accordance with Article 5 of the agreement envisaged. In other
words, if such protection is not ensured, the transfer of the data provided for in the agreement envisaged cannot be
lawfully effected. In addition, the guarantees laid down in the agreement envisaged in terms of protection of personal
data are necessary only because the data must be transferred to the Canadian competent authority under the Canadian
legislation and the terms of the agreement envisaged. As illustrated by a number of provisions of the agreement
envisaged, such as Articles 16, 18 and 19 thereof, the agreement envisaged is therefore designed to reconcile the
security objective with the objective of protecting the fundamental rights of the individuals concerned, particularly
the right to protection of their personal data.
81. All in all, I consider that those two objectives and those two components of the agreement envisaged are
inseparably linked and that neither of them is secondary and indirect by reference to the other.
82. That assessment cannot be undermined by the Commission’s argument, based on paragraph 56 of the judgment
of 30 May 2006, Parliament v Council and Commission (C‑317/04 and C‑318/04, EU:C:2006:346), that the Court
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 10/46
8.9.2017 CURIA - Documents
has held that the transfer of data to the United States constituted processing operations concerning public security and
the activities of the Member States in areas of criminal law.
83. First of all, the present opinion procedure has as its subject matter the agreement envisaged with Canada and
not the first agreement concluded with the United States in 2004 and the Commission adequacy decision adopted in
that year, to which the actions for annulment brought by the Parliament related.
84. Next, and more fundamentally, the Commission is taking out of context the finding made by the Court in
paragraph 56 of the judgment of 30 May 2006, Parliament v Council and Commission (C‑317/04 and C‑318/04,
EU:C:2006:346), which, it must be recalled, was delivered well before the adoption of the Treaty of Lisbon.
85. The Court was asked by the Parliament to determine, in particular, whether the Commission was authorised to
adopt an adequacy decision, based on Article 25 of Directive 95/46 on the adequate protection of personal data
contained in the Passenger Name Record of air passengers transferred to the United States, when Article 3(2) of that
directive expressly excluded from its scope processing operations concerning, in particular, public security and the
activities of the State in areas of criminal law. The Court logically replied in the negative. In fact, the processing of
the data in the context of the agreement with the United States could not be associated with the supply of services, but
fell within a framework established by the public authorities that related to public security, which did not come within
the scope of Directive 95/46. (29)
86. That finding does not mean that the Court made a definitive ruling on the object of agreements, including, for
the purpose of the argument, the object of the agreement envisaged or, a fortiori, that it definitively held that the
exclusive, principal or predominant objective of those agreements is to combat terrorism or serious transnational
crime, as the Commission wrongly implies.
87. Nor, clearly, does the finding of the Court in the judgment of 30 May 2006, Parliament v Council and
Commission (C‑317/04 and C‑318/04, EU:C:2006:346) mean that, in ruling on the scope ratione materiae of
Directive 95/46, the Court on the same occasion defined in advance the limits of the scope ratione materiae of
Article 16 TFEU.
88. In support of the argument that the security objective of the agreement envisaged is predominant and therefore
justifies the legal basis chosen, the Commission also attempts to draw an analogy between the present case and the
case giving rise to the judgment of 6 May 2014, Commission v Parliament and Council (C‑43/12, EU:C:2014:298).
89. In that case, which concerned the determination of the appropriate legal basis for Directive 2011/82/EU of the
European Parliament and of the Council of 25 October 2011 facilitating the cross-border exchange of information on
road safety related traffic offences, (30) the Court, after establishing that the predominant objective of that directive
was to improve road safety (and therefore transport safety), held that the information exchange system set up by the
directive provides ‘the means of pursuing [that] objective’. (31) The directive should therefore have been adopted not
on the basis of Article 87(2) TFEU (Police Cooperation) but on the basis of Article 91(1)(c) TFEU, under the title on
transport policy.
90. While I am prepared to accept that there is a partial analogy between the two situations, that does not alter the
conclusion that the agreement envisaged has two objectives and has two inseparable components. Thus, the fact that
the transfer of data to the Canadian competent authority may constitute the means whereby the contracting parties
pursue the public security objective of the agreement envisaged does not alter the finding that the object of the
agreement envisaged, as stated, in particular, in Article 1 of that agreement, is twofold. Moreover, the specific feature
of the agreement envisaged, which distinguishes it from Directive 2011/82, relates to the fact that the maximum
efficiency sought by the means consisting in the transfer of data in order to achieve the aims set out in Article 3 of the
agreement envisaged, must be weighed against the guarantees afforded to the protection of personal data laid down in
that agreement, which form part of the second objective pursued by that agreement.
91. Also lacking in conviction are the Parliament’s arguments in support of its position that the ‘centre of gravity’
of the agreement envisaged is predominantly situated in the guarantees which its terms afford to passengers in
relation to the protection of their data, which, it claims, means that the decision concluding that act should be based
exclusively on Article 16 TFEU.
92. It is incorrect to claim that the agreement envisaged lays down no obligation for the airlines to transfer the data
to the Canadian competent authority so that the data can be processed according to the purposes listed in Article 3 of
the agreement envisaged. It is true, as the Parliament remarked in its written observations, that Article 4(1) of the
agreement envisaged states that the Union is to ensure only that air carriers ‘are not prevented’ from transferring data
to the Canadian competent authority. However, it follows from the interpretation of that article, entitled ‘Ensuring
data is provided’, in conjunction with that of Articles 5, (32) 20 (33) and 21 (34) of the agreement envisaged, as,
moreover, the Parliament acknowledged in answer to a written question put by the Court, that air carriers are entitled
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 11/46
8.9.2017 CURIA - Documents
and in practice required to provide the Canadian competent authority systematically with access to the data for the
purposes defined in Article 3 of the agreement envisaged.
93. Furthermore, the object of the agreement envisaged cannot principally be treated as equivalent to an adequacy
decision, comparable to the decision which the Commission had adopted under the 2006 Agreement. (35) As already
stated, both the aim and the content of the agreement envisaged show, on the contrary, that that agreement is intended
to reconcile the two objectives which it pursues and that those objectives are inseparably linked.
94. What consequence, therefore, does that assertion have for the determination of the legal basis of the act
concluding the agreement envisaged?
95. As already stated, it is common ground that the draft Council decision concluding the agreement envisaged is
based on Article 82(1)(d) and Article 87(2)(a) TFEU, both of which come under Title V of Part Three of the FEU
Treaty, on the ‘Area of Freedom, Security and Justice’ (‘the AFSJ’).
96. In the light of the two objectives and the two inseparable components of the agreement envisaged described
above, those substantive legal bases seem to me to be relevant, at least in part, but insufficient. I consider it
appropriate and possible, having regard to the case-law, to base the act concluding the agreement envisaged on the
first subparagraph of Article 16(2) TFEU.
97. As for the first point, namely the relevance of Article 82(1)(d) and Article 87(2)(a) TFEU, it must first of all be
agreed that the construction of an AFSJ requires that the Union be able to exercise its external powers.
98. Except in the case of readmission agreements, provided for in Article 79(3) TFEU, relating to immigration
policy and not relevant in the present case, the EU has not been explicitly granted any general external powers in
relation to the AFSJ. However, Article 216(1) TFEU permits the Union to conclude international agreements,
including in the area of police and/or judicial cooperation in criminal matters, in particular where the conclusion of
such agreements is necessary in order to achieve one of the objectives referred to in the Treaties.
99. None of the interested parties questions that possibility. To my mind, however, the Court cannot merely rely on
that fact, but should devote argument to that question in the opinion which it is called upon to deliver.
100. If it is to be accepted that the Union has external powers in the sphere of the AFSJ, the exercise of those powers
in the sphere of police and judicial cooperation in criminal matters must be firmly fixed in the objectives pursued by
the AFSJ.
101. Those objectives are set out in Article 3(2) TEU and Article 67 TFEU. The first of those provisions states that
‘the Union shall offer its citizens an [AFSJ] without internal frontiers, in which the free movement of persons is
ensured in conjunction with appropriate measures with respect to external border controls … and the prevention and
combating of crime’. Article 67 TFEU, which opens Chapter 1 of Title V of Part Three of the FEU Treaty, provides,
in paragraph 3, that the Union ‘shall endeavour to ensure a high level of security through measures to prevent and
combat crime, racism and xenophobia, and through measures for coordination and cooperation between police and
judicial authorities and other competent authorities …’.
102. As Advocate General Bot correctly argued in his Opinion in Parliament v Council (C‑658/11, EU:C:2014:41,
points 111 and 112), the external dimension of the AFSJ is functional and instrumental having regard to the objectives
set out in those provisions. Accordingly, while the construction of the AFSJ may require external action on the part of
the Union, an agreement must, if it is to be able to be regarded as falling within the AFSJ, have a close link with
freedom, security and justice within the union, that is to say, a direct link between the purpose of safeguarding the
internal security of the Union and the police and/or judicial cooperation which is developed outside the Union. (36)
103. In a different context, but long the same lines, the Court, interpreting Article 87(2) TFEU in the light of
Article 67 TFEU, stated that, in order for an act of the Union, having regard to its purpose and its content, to be able
to be based on the first of those articles, it must be directly linked to the objectives set out in Article 67 TFEU. (37)
105. In the first place, that agreement applies to the transfer, processing and use of data for the purposes of public
security and the activities of the State in areas of criminal law, (38) that is to say, more particularly, the prevention,
detection, investigation and prosecution of terrorist offences and serious transnational crime. According to Article 1
of the agreement envisaged, that agreement is intended to ‘ensure the security and safety of the public’, which clearly
means the security and safety of citizens of the Union, in particular those flying between Canada and the European
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 12/46
8.9.2017 CURIA - Documents
Union. (39) Furthermore, under Article 6(2) of the agreement envisaged Canada is required, at the request of, among
others, the police or a judicial authority of a Member State of the Union, to share, in specific cases, data or analytical
information containing data obtained under the agreement envisaged in order to prevent or detect ‘within the
European Union’ a terrorist offence or serious transnational crime.
106. In the second place, although the collection and initial transfer of the data are carried out by the air carriers, the
terms of the agreement envisaged constitute a legal framework established by the public authorities for criminal
purposes. (40) As already stated, the agreement envisaged thus establishes rules on access to data and/or analytical
information containing data by the Canadian competent authorities and also the subsequent sharing of such data with,
among others, the competent police and judicial authorities of the Union and its Member States and also with those of
third countries, in particular for the purposes set out in Article 3 of the agreement envisaged. Furthermore, as was
clear from the discussion before the Court, the five-year retention period for the data laid down in Article 16(1) and
(5) of the agreement envisaged was set with a view to enabling and facilitating investigations, prosecutions and
judicial proceedings relating, in particular, to international serious crime networks. In the light of the very open
wording of Article 16(5) of the agreement envisaged, those investigations and prosecutions are perfectly capable of
including those carried out by the police and judicial authorities of the Member States of the Union. Such rules fall, in
principle, within the sphere covered by police and judicial cooperation in criminal matters. (41)
107. I conclude, first, that in so far as it relates to measures which the Parliament and the Council may establish in
connection with ‘the collection, storage, processing, analysis and exchange of relevant information’ for the purposes
of police cooperation ‘in relation to the prevention, detection and investigation of criminal offences’ provided for in
Article 87(1) TFEU, Article 87(2)(a) TFEU constitutes an appropriate legal basis for the act concluding the
agreement envisaged. I would add, for all practical purposes, that that cooperation and those exchanges do not
necessarily have to be between authorities who are specifically defined, in national law, as police services in the strict
sense. Article 87(1) TFEU associates with police cooperation, in a particularly broad manner, ‘all the Member States’
competent authorities, including police, customs and other … law enforcement services’, (42) an expression which
perfectly authorises, in the context of the external dimension of the AFSJ, cooperation with the in order to safeguard
the internal security of the Union.
108. As regards, second, the ‘judicial cooperation in criminal matters’ aspect of the agreement envisaged, in spite of
the matters to which attention was drawn in paragraphs 105 and 106 of this Opinion, I confess to having some
hesitation in considering that the agreement envisaged may constitute a measure which contributes directly to
‘facilitat[ing] cooperation between judicial or equivalent authorities of the Member States in relation to proceedings
in criminal matters and the enforcement of decisions’, within the meaning of Article 82(1)(d) TFEU. As the United
Kingdom Government acknowledged in its reply to one of the written questions put by the Court, it is only in certain
cases that the agreement envisaged might promote such cooperation between Member States’ judicial authorities.
Such cooperation depends, however, on a number of parameters, both factual and legal, which are outside the terms
of the agreement envisaged. Cooperation between the judicial authorities of the Member States therefore appears to
be only an indirect consequence of the framework established by the agreement envisaged. Admittedly, the fact that
Article 6 of the agreement envisaged places an obligation not only on the Canadian competent authority but, more
generally, on ‘Canada’ to share data or analytical information with the judicial authorities of the Member States may
be understood as also imposing such an obligation on the judicial authorities of that third State. On the assumption
that that interpretation is correct and that an exchange of data between the judicial authorities may be envisaged, the
fact nonetheless remains that, as currently drafted, the agreement envisaged does not really seem to contribute to
facilitating cooperation between the judicial or equivalent authorities of the Member States. To my mind, it is only if
the Court were to adopt a more generous interpretation of Article 82(1)(d) TFEU, together, where appropriate, with
Article 67(3) TFEU, which provides that the Union is to ‘endeavour to ensure a high level of security … through
measures for coordination and cooperation between police and judicial authorities and other competent authorities’,
or if the contracting parties were to amend the terms of the agreement envisaged in such a way that the judicial
dimension of the agreement envisaged were taken more directly into account, that Article 82(1)(d) TFEU might
genuinely constitute an additional legal basis for the act concluding that agreement.
109. I would add that the conclusion that Article 82(1)(d) TFEU cannot properly serve as a basis for the act
concluding the agreement envisaged is not affected by the fact, to which certain of the interested parties refer, that the
Council decisions concluding the Agreements with Australia and the United States are based on that provision, read
in conjunction with Article 87(2)(a) TFEU. (43) In fact, it is settled case-law that, in a review of the legal basis for the
act concluding the agreement envisaged in the present case, the legal basis used for the adoption of other Union
measures that might display similar characteristics is irrelevant. (44)
110. In those circumstances, having regard to way in which the agreement envisaged is currently drafted, I am of the
view that Article 87(2)(a) TFEU constitutes an appropriate legal basis for the act concluding the agreement
envisaged.
111. Accordingly, that substantive legal basis, properly set out in the draft act concluding the agreement envisaged,
seems to me to be insufficient to enable the Union to conclude that agreement.
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 13/46
8.9.2017 CURIA - Documents
(b) The need to base the act concluding the agreement envisaged on the first subparagraph of Article 16(2) TFEU
112. As the Parliament correctly maintained in its request, Article 87(2)(a) TFEU and, generally, Title V of Part Three
of the FEU Treaty on the AFSJ do not provide for the adoption of rules in the area of personal data protection.
113. As I have shown above, one of the two essential objectives of the agreement envisaged, as stated in Article 1, is
specifically to ‘prescribe the means by which the [] data’ of passengers flying between Canada and the European
Union ‘is protected’. As already pointed out, the content of the agreement envisaged supports that objective, in
particular the terms in the chapter on ‘Safeguards applicable to the processing of data’, consisting of Articles 7 to 21
of the agreement envisaged.
114. In that context, action taken by the Union must necessarily be based, in my view, on the first subparagraph of
Article 16(2) TFEU, which, it will be recalled, confers on the Parliament and the Council the task of laying down the
rules relating to the protection of individuals with regard to the processing of personal data by, inter alia, the Member
States when carrying out activities which fall within the scope of application of EU law and the rules relating to the
free movement of such data. Three main principles underlie that approach.
115. First of all, in line with the reasoning developed above in relation to the external dimension of the AFSJ, the
European Union must be considered, in accordance with Article 216(1) TFEU, to be authorised to conclude an
international agreement with a third country with the object of laying down rules relating to the protection of personal
data where it is necessary to do so in order to achieve one of the objectives referred to in the Treaties, in this instance
the objectives of Article 16 TFEU. That applies to the agreement envisaged, one of the essential purposes of which
consists, in essence, in prescribing the means of safeguarding the protection of the data of passengers flying between
and the European Union. To my mind, moreover, there is no doubt that the terms of the agreement envisaged must be
characterised as ‘rules’ relating to the protection of the data of natural persons, within the meaning of the first
subparagraph of Article 16(2) TFEU, and intended to bind the contracting parties.
116. Next, and unlike the situation of the former Article 286 EC, the first subparagraph of Article 16(2) TFEU, which
is part of Title II of Part One of that Treaty, entitled ‘Provisions having general application’, is intended to constitute
the legal basis for all rules adopted at EU level relating to the protection of individuals with regard to the processing
of their personal data, including the rules coming within the framework of the adoption of measures relating to the
provisions of the FEU Treaty on police and judicial cooperation in criminal matters. As stated in paragraph 2 of that
article, only the rules relating to the protection of personal data adopted in the context of the common foreign and
security policy must be based on Article 39 TEU. That interpretation of the first subparagraph of Article 16(2) TFEU
is confirmed by the omission of any reference to the possible adoption of provisions relating to the protection of
personal data on the basis of Article 87(2)(a) TFEU. It should be borne in mind that, before the entry into force of the
Treaty of Lisbon, Article 30(1)(b) TEU provided, on the contrary, that common action in the field of police
cooperation could cover, inter alia, the processing, analysis and exchange of relevant information, ‘subject to
appropriate provisions on the protection of personal data’, which, moreover, authorised the Council to adopt
Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the
framework of police and judicial cooperation in criminal matters. (45) Furthermore — and I shall return to this point
later — it must be emphasised that the provisions of Protocols (No 21) and (No 22) did indeed envisage the situation
in which rules based on the first subparagraph of Article 16(2) TFEU might be adopted in the context of the exercise
of activities which fall within the chapters of the FEU Treaty on police and judicial cooperation in criminal matters.
117. It follows, and in order to dispel any doubt as to the ambiguity of the position defended by the Commission in its
written observations, that Article 16 TFEU, on the one hand, and Articles 87(2)(a) and 82(1)(d) TFEU, on the other,
cannot maintain relationships of a ‘lex generalis — lex specialis’ hierarchical type. As the abovementioned protocols
illustrate, the High Contracting Parties envisaged the possibility that a Union act might be based on those three
articles at the same time, precisely because those provisions have different and separate scopes.
118. Last, as the Parliament, the Commission and the EDPS, in particular, maintained in their replies to a written
question put by the Court, the relevance of Article 16 TFEU as a legal basis for the act concluding the agreement
envisaged cannot be put in doubt because the protective measures which can be adopted under that article relate to the
processing of data by authorities of the Member States and not, as in this instance, to the transfer of data previously
obtained by private entities (the air carriers) to a third country.
119. In fact, to paraphrase Advocate General Léger, the obligation by which an air carrier is bound under Articles 4,
5, 20 and 21 of the agreement envisaged, when read together, is not ‘fundamentally different from a direct exchange
of data between public authorities’. (46) Furthermore, as the Court has confirmed that the definition of ‘data
processing’, within the meaning of Directive 95/46, covers the transfer of personal data by a private operator from a
Member State to a third country, (47) to put a strictly literal interpretation on the new legal basis constituted by the
first subparagraph of Article 16(2) TFEU would be tantamount to splitting up the system for the protection of
personal data. Such an interpretation would run counter to the intention of the High Contracting Parties to create, in
principle, a single legal basis expressly authorising the EU to adopt rules relating to the protection of the personal
data of natural persons. It would therefore represent a step backwards from the preceding scheme based on the Treaty
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 14/46
8.9.2017 CURIA - Documents
provisions relating to the internal market, which would be difficult to explain. That strictly literal interpretation of
Article 16 TFEU would thus have the consequence of depriving that provision of a large part of its practical effect.
120. Consequently, in the light of the objectives and the components of the agreement envisaged, which are
inseparably linked, the act concluding that agreement must in my view be based on the first subparagraph of
Article 16(2) TFEU and Article 87(2)(a) TFEU as its substantive legal bases.
121. In accordance with the case-law, when multiple legal bases are used when adopting an act of the Union the
procedures referred to in the different legal bases in question must be compatible. (48)
122. In this instance, both the first subparagraph of Article 16(2) and Article 87(2)(a) TFEU provide that, when
adopting the measures envisaged by those two articles, the Parliament and the Council are to act in accordance with
the ordinary legislative procedure. The same applies, moreover, in the case of the measures based on Article 82(1)(d)
TFEU should the Court consider that that article constituted an appropriate substantive legal basis for the act
concluding the agreement envisaged.
123. Accordingly, the procedures specifically referred to in those articles are compatible, within the meaning of the
case-law. They therefore do not preclude the Court accepting a plurality of legal bases for the act concluding the
agreement envisaged.
124. The Council, supported by Ireland, claimed, however, that it is necessary to go further than that finding and to
examine the detailed rules governing the participation of the Kingdom of Denmark, Ireland and the United Kingdom,
within the Council, as provided for in the provisions of Protocols (No 21) and No 22) respectively. According to
those interested parties, those detailed rules preclude the joint application, as substantive legal bases, of Article 16
TFEU and Article 87(2)(a) TFEU. More specifically, the Council explained at the hearing before the Court, not
without some contradictions and inconsistencies, (49) that the provisions of those protocols distinguish the question
of the non-binding nature of the rules established on the basis of Article 16 TFEU concerning the processing of
personal data in the exercise of activities in connection with police and judicial cooperation in criminal matters from
the question of the participation of those three Member States in the vote in the Council when the Council is called
upon to adopt such rules. In the Council’s submission, it follows that, while those three Member States would not
participate in the adoption of measures falling within the scope of police and judicial cooperation in criminal matters,
except where Ireland and the United Kingdom have decided to exercise their right to ‘opt in’, they would still
participate in the adoption of the rules which took Article 16 TFEU as their basis, in spite of the fact that, under those
protocols, those measures would not be binding on those Member States.
125. That argument merits a certain amount of attention, even though, ultimately, I consider that it should be rejected.
126. It will be recalled that the Court has already held that the two protocols in question are not capable of having
‘any effect whatsoever on the question of the correct legal basis’ for the adoption of an EU measure. (50) Thus,
according to that case-law, if, following the analysis of the objective and the content of the agreement envisaged, and
contrary to what I have argued above, the act concluding that agreement had to be based exclusively on the first
subparagraph of Article 16(2) TFEU, the two protocols in question, in spite of the wording of Article 29 of the
agreement envisaged, could not ‘neutralise’ that situation. In other words, the three Member States in question would
have to participate in the act concluding the agreement envisaged and be bound by it.
127. The application of that case-law in a situation in which there are two competing legal bases, which lay down the
same adoption procedure (the ordinary legislative procedure and vote by a qualified majority within the Council), but
which would affect in a different way the participation, within the Council, of the three Member States concerned in
the adoption of the act in question, is more delicate.
128. Since it is a question here of determining the appropriate legal basis for a specific act, namely the act concluding
the agreement envisaged, that question does not need to be resolved so far as Ireland and the United Kingdom are
concerned. In fact, it is common ground that, in accordance with Article 3 of Protocol (No 21), those two Member
States have notified their intention to be bound by the agreement envisaged and will, consequently, participate in the
adoption of the act concluding that agreement. No argument of a procedural nature relating to those two Member
States therefore precludes the act concluding the agreement envisaged being based jointly on the first subparagraph of
Article 16(2) and Article 87(2)(a) TFEU.
129. As for the Kingdom of Denmark’s position, it should be borne in mind that, in accordance with Article 2a of
Protocol (No 22), Article 2 of that protocol, which provides, in particular, that no measure or international agreement
adopted pursuant to Title V of Part Three of the FEU Treaty is to be binding upon the Kingdom of Denmark, also
applies with respect to the rules laid down on the legal basis of Article 16 TFEU which relate to the processing of
personal data by the Member States when carrying out activities which fall within the scope of Chapter 4 or Chapter
V of Part Three of that Treaty, namely activities which fall within the scope of police and judicial cooperation in
criminal matters.
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 15/46
8.9.2017 CURIA - Documents
130. The Kingdom of Denmark will therefore not be bound by the terms of the agreement envisaged. However, the
Council maintains that, in referring only to Article 2 of Protocol (No 22) and not to Article 1, which states that the
Kingdom of Denmark is not to take part in the adoption by the Council of proposed measures pursuant to Title V of
Part Three of the FEU Treaty, Article 2a of that protocol implies, conversely, that the Kingdom of Denmark would
participate in the adoption of the act concluding the agreement envisaged if that act were to be based on Article 16
TFEU.
131. That line of reasoning fails to convince me or, at least, does not have the consequences which the Council
ascribes to it as regards the choice of the legal basis for the act concluding the agreement envisaged.
132. In fact, I do not think that it was the intention of the High Contracting Parties to allow the Kingdom of Denmark
not to be bound by an act having as its legal basis both Article 16 TFEU and one of the provisions of the FEU Treaty
relating to police and judicial cooperation in criminal matters, but to participate in the adoption of that act, with the
inherent risk that the Kingdom of Denmark might join a group of Member States opposed to the actual adoption of
that act, and thereby prevent a qualified majority from being formed within the Council. That seems to me to be
contrary to the object of Protocol (No 22), which is to seek a balance between the need to manage the Kingdom of
Denmark’s specific position and the need to allow the other Member States (including, where appropriate, Ireland and
the United Kingdom) to pursue their cooperation within the sphere of the AFSJ.
133. The objection might be raised, admittedly, that, according to the preamble to Protocol (No 22), the High
Contracting Parties note that the Kingdom of Denmark will not prevent the other Member States from further
developing their cooperation with respect to measures not binding on that Member State. Thus, according to that
argument, although it would be authorised to take part in the adoption of acts falling under Article 2a of that protocol
which are not binding on it, the Kingdom of Denmark has undertaken never to oppose their adoption.
134. If that were the correct interpretation of the relevant provisions of Protocol (No 22), the consequence would be
that the act concluding the agreement envisaged could not be based on Article 16 TFEU in conjunction with
Article 87(2)(a) TFEU, on the ground of an alleged incompatibility between the procedures leading to the adoption of
that act, for the simple reason that the Kingdom of Denmark would participate in a purely formal sense in the
adoption of that act. Consequently, that purely formal participation by the Kingdom of Denmark in the adoption of
the act concluding the agreement envisaged would ‘neutralise’ the objective analysis of the legal basis for that act, an
analysis which, it will be recalled, is based on an examination of the purposes and the components of that agreement.
That consequence would clearly run counter to the case-law according to which it is not the procedure that defines the
legal basis for an act, but the legal basis for an act that determines the procedure to be followed when adopting it. (51)
In my view, that case-law applies a fortiori where the procedure that it was claimed had to be followed would entail,
within the Council, a purely formal participation by the Kingdom of Denmark in the adoption of an act in respect of
which that Member State will not in any way be bound.
135. In the light of the all of the foregoing considerations, I propose that the Court should answer the second question
submitted by the Parliament by stating that the act concluding the agreement envisaged, in the light of the objectives
and the components of that agreement, which are inseparably linked, without some of them being incidental by
comparison with the others, must be based on the first subparagraph of Article 16(2) TFEU and Article 87(2)(a)
TFEU, read in conjunction with Article 218(6)(a)(v) TFEU. (52)
VII – The compatibility of the agreement envisaged with the provisions of the FEU Treaty and the Charter
(first question)
A– Analysis of the Parliament’s request and observations and also of the observations of the other interested
parties
136. The Parliament maintains that, in the light, in particular, of the Court’s case-law, there is legal uncertainty as to
whether the agreement envisaged is compatible with Article 16 TFEU and Articles 7 and 8 and Article 52(1) of the
Charter.
137. In the Parliament’s submission, it is clear that the collection, transfer, analysis, retention and subsequent transfer
of data provided for in the agreement envisaged constitute different forms of ‘processing’ and different forms of
interference with the fundamental rights guaranteed in Articles 7 and 8 of the Charter. In its various forms, that
interference is far-reaching and particularly serious. (53)
138. The Parliament emphasises that, in accordance with Article 52(1) of the Charter, such an interference could be
justified only if it is ‘provided for by law’ and is necessary and proportionate to an objective of general interest
recognised by the Union.
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 16/46
8.9.2017 CURIA - Documents
139. As for the first point, the Parliament asks, in essence, whether an international agreement constitutes a ‘law’
within the meaning of that provision and whether it may place limitations on the exercise of the rights guaranteed by
Articles 7 and 8 of the Charter. It observes that, according to the case-law of the European Court of Human Rights
(‘ECtHR’) on the expression ‘provided for by law’ in Article 8 of the European Convention for the Protection of
Human Rights and Fundamental Freedoms, signed in Rome on 4 November 1950 (‘ECHR’), any interference should
have a basis ‘in domestic law’. Because the Treaty of Lisbon profoundly changed the Union legal order by
introducing the concept of ‘legislative act’, the expression ‘provided for by law’ coincides, in EU law, with the
concept of ‘legislative act’. In the Parliament’s view, an international agreement does not meet that description.
140. As regards the second point, namely the necessity for the interference, the Parliament maintains that it is for the
Council and the Commission to demonstrate, on the basis of objective factors, that the conclusion of the agreement
envisaged is actually necessary within the meaning of Article 52(1) of the Charter. In its submission, it appears that
such factors are absent.
141. Last, as for the third point, concerning the proportionality of the interference provided for in the agreement
envisaged, the Parliament maintains that the discretion of the EU legislature is reduced, with the consequence that it
is appropriate to carry out a strict review of the requirements laid down in the Charter, including the context in which
an international agreement is concluded. In that regard, the agreement envisaged comes within the category of
‘generalised “strategic monitoring”‘, within the meaning of the case-law of the ECtHR, (54) and the reasoning
followed by the Court in the judgment of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12,
EU:C:2014:238) is also applicable in the present case.
142. First, in the Parliament’s view, the agreement envisaged concerns, generally, persons travelling to Canada,
without there being any connection between the persons concerned, their data and a threat to public security.
143. Second, the Parliament is uncertain as to whether the agreement envisaged lays down objective criteria that
make it possible to restrict the Canadian authorities’ access to the data and the subsequent use of that data for the
purposes of preventing, detecting or prosecuting criminal offences which might themselves be regarded as
sufficiently serious. However, the criteria listed in the draft agreement are vague. Thus, the Parliament observes that
the agreement envisaged does not define the ‘Canadian competent authority’ with access to the data and Article 3(2)
of the agreement envisaged refers, with respect to the expression ‘serious crime’, to the Canadian legislation without
any limits recognised by EU law and without any identification of the offences covered by that expression. Likewise,
Article 3(5) of the agreement envisaged allows the data to be processed by ‘Canada’ in areas other than criminal law
and might allow the transfer of data by ‘the Canadian Competent Authority’ to other Canadian authorities, or even to
individuals. Furthermore, Article 16(2) of the agreement envisaged does not specify the number of persons with
access to the data, while access to that data by the Canadian authorities is not subject to any prior control by a court or
by an independent administrative authority.
144. Third, the Parliament asks the Court to declare that the five-year period for the retention of the data laid down in
Article 16(5) of the agreement envisaged is not justified. That period is not based on objective criteria and no
justification has been provided. That period, moreover, was extended by reference to the period provided for under
the 2006 Agreement, and no explanation was provided.
145. Fourth, the Parliament submits that the agreement envisaged does not require that the data be retained within the
Union. Thus, control of compliance with the requirements of protection and security, by an independent authority,
expressly required by Article 8(3) of the Charter and Article 16(2) TFEU, is not fully guaranteed. In that context,
there are serious doubts as to whether the measures to be taken by the Canadian authorities satisfy the essential
requirements of those articles. In particular, Article 10 of the agreement envisaged does not guarantee control by an
independent Canadian authority and does not specify to the requisite legal standard the powers, including the power
to undertake a review in advance, which that authority has in order to verify whether those powers are ‘adequate’
within the meaning of EU law.
146. In answer to the written questions put by the Court, the Parliament stated, in particular, that the guidance to be
derived from the judgment of 6 October 2015, Schrems (C‑362/14, EU:C:2015:650) apply mutatis mutandis to the
assessment of the compatibility of the agreement envisaged. It further states that actual compliance with the
substantive and procedural conditions relating to initial access to the personal data should also apply to the
subsequent transfer of that data and to access to it by other Canadian authorities or the authorities of third States. In
its submission, that is not the case of the conditions laid down in Articles 18 and 19 of the agreement envisaged.
Furthermore, in the Parliament’s view, the wording of Article 14(2) of the agreement envisaged is ambiguous.
147. As regards the other interested parties, while, in essence, the EDPS, in his replies to the written questions put by
the Court and his oral observations, shares the doubts and concerns expressed by the Parliament, the governments
which have participated in the present proceedings and the Council and the Commission maintain that the agreement
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 17/46
8.9.2017 CURIA - Documents
envisaged is compatible with Article 16 TFEU and Articles 7 and 8 and Article 52(1) of the Charter. Their
observations relate essentially to the interference represented by the rules laid down in the agreement envisaged with
the fundamental right of persons to the protection of their personal data and to compliance with the criteria laid down
in Article 52(1) of the Charter (an interference ‘provided for by law’, with the aim of meeting an objective of general
interest recognised by the Union and which is necessary and proportionate in order to meet that objective).
148. In the first place, the Estonian and French Governments expressly acknowledge that the terms of the agreement
envisaged constitute an interference with the fundamental right to protection of personal data, guaranteed by Article 8
of the Charter. The French Government states, however, that the obligation placed on air carriers to transfer the data
does not constitute such an interference since it is provided for not by the agreement envisaged but by the Canadian
legislation. The Court cannot be requested to deliver an opinion on the compatibility of the legislation of a third State
with the Treaties. In addition, the French Government maintains that the interferences contained in the agreement
envisaged are less far-reaching than those at the origin of the case giving rise to the judgment of 8 April 2014, Digital
Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238). Thus, in the French Government’s submission,
less data would be transferred and fewer persons would be concerned by the agreement envisaged than by the
directive at issue in that judgment. In addition, the data does not allow very precise conclusions concerning the
private life of passengers to be drawn. Last, the agreement envisaged imposes, in Article 11, an obligation of
transparency, and it cannot therefore be concluded that the collection of the data and its subsequent use is apt to give
rise in the minds of the persons concerned to the feeling that their private life is under constant surveillance.
149. In the second place, as regards the question of the legal source of such an interference, the Estonian
Government, Ireland, the French and United Kingdom Governments and the Council and the Commission maintain
that that interference meets the condition of being ‘provided for by law’ within the meaning of Article 52(1) of the
Charter.
150. In the third place, as regards the objective pursued by that interference, the Bulgarian and Estonian
Governments, Ireland, the Spanish and French Governments and the Council and the Commission claim that the
transfer and subsequent use of the data is aimed in particular at combating terrorism and thus meets an objective of
general interest.
151. In the fourth place, as regards the necessity for such an interference, the French and United Kingdom
Governments and the Council and the Commission maintain, first of all, that there is an increasing demand from third
countries which consider that the transfer of data is necessary for public security purposes. The Commission accepts
that there are no precise statistics indicating the contribution which data makes to the prevention and detection of
crime and terrorism, and to the investigation and prosecution of offences of those types. However, the essential use of
the data is confirmed by information from third countries and from Member States which already use such data for
law enforcement purposes. The experience acquired in those countries shows that the use of data has enabled
significant progress to be made in combating drug trafficking, people trafficking and terrorism and leads to a better
understanding of the composition and functioning of terrorist networks and other criminal networks. The United
Kingdom Government and the Commission further observe that the information supplied by the shows that the data
has made a decisive contribution to the ability to locate and identify persons potentially suspected of being involved
in terrorist acts or serious transnational crime.
152. In the fifth place, as regards the proportionality of the interference at issue, the Estonian Government, the
Council and the Commission refer, first, to the requirements arising from the case-law of the Court, in particular those
referred to in the judgment of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12,
EU:C:2014:238). In particular, the Estonian Government is of the view that the guidance that can be derived from
that judgment concerning the extent of the discretion of the legislature and of the judicial control of the limits of that
discretion is applicable in the present case. , on the other hand, claims that it is necessary to take account of the
international and negotiated nature of the act at issue, while the French Government maintains that the discretion of
the EU legislature cannot be excessively restricted, having regard to the fact that the interference at issue in the
present case is not particularly serious. The United Kingdom Government maintains that public security and safety by
their nature raise questions in respect of which the legislature must be recognised as having a ‘reasonable margin of
discretion’ in order to determine whether a measure is manifestly inappropriate. The agreement envisaged cannot be
characterised as a ‘general surveillance mechanism’, but relates rather to normal border control procedures.
153. Second, the Bulgarian and Estonian Governments, Ireland and the Spanish, French and United Kingdom
Governments, and the Council and the Commission maintain that the agreement envisaged complies with the
principle of proportionality. The United Kingdom Government claims, first of all, that in the absence of the
agreement envisaged, measures taken in relation to passengers arriving from the European Union would be at risk of
being less targeted and more intrusive. The data allows ‘persons of interest’ travelling to particular events or places to
be targeted more effectively, thus reducing security checks and delays for other passengers. Next, those governments
and those institutions are, in essence, of the view that the agreement envisaged can be distinguished from the directive
at the origin of the case of Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238). In particular,
unlike that directive, the agreement envisaged contains strict rules on the conditions for access to and the use of the
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 18/46
8.9.2017 CURIA - Documents
data and rules on data security and monitoring by an independent authority. In addition, the agreement envisaged
makes provision for control of compliance with those rules, for the persons concerned to be informed about the
transfer and processing of their data, a procedure for access to and correction of the data and also for administrative
and judicial remedies in order to ensure that those rights are guaranteed.
154. As regards the Parliament’s argument that the agreement envisaged requires no connection between the data and
a threat to public security, the Estonian, French and United Kingdom Governments and the Commission claim, in
essence, that the use of the data is designed to identify persons hitherto unknown to the competent services as
presenting a potential risk to security, while persons known to present such a risk can be identified on the basis of
advance passenger information (). The objective of prevention could thus not be achieved if only the data of persons
already suspected were transferred.
155. Third, according to those interested parties, the criticisms made by the Parliament and by the EDPS concerning
the redaction and omissions from the agreement envisaged should also be rejected.
156. Thus, according to the Council and the Commission, the fact that Article 3(3) of the agreement envisaged refers
to Canadian law does not permit the conclusion that it is too vague. It is difficult to include in an international
agreement a definition of an act that might be characterised as ‘serious crime’, which is provided for only in EU law.
Likewise, as regards Article 3(5)(b) of the agreement envisaged, the Council and the Commission observe that that
provision reflects the obligation which the Canadian Constitution imposes on all Canadian public authorities to
comply with a court order. In addition, the possibility of access to the data would, in such a case, have been examined
by the judicial authority in the light of the criteria of necessity and proportionality and the reasons would be set out in
the order of the court.
157. In addition, as regards the limits concerning the authorities and individuals having access to the data, the Council
and the Commission maintain that the failure to identify the Canadian competent authority in the agreement
envisaged is a procedural issue which has no impact on the principle of proportionality. In any event, the Canadian
competent authority, within the meaning of Article 2(d) of the agreement envisaged, was notified to the Commission
in June 2014. That authority is the , which alone is authorised to receive and process the data. The ‘limited number of
officials specifically authorised’ in that respect referred to in Article 16(2) of the agreement envisaged means that the
officials concerned must be officials of the and that they must be authorised to process the data. Additional guarantees
are set out in Article 9(2)(a) and (b), (4) and (5) of the agreement envisaged.
158. Furthermore, as regards the absence of prior control of access to the data, the Commission observes that the very
object of the agreement envisaged is to permit the data to be transferred to the for the purpose of access to that data
and that such prior control would alter that object. adds that such prior control is not necessary, since the agreement
envisaged provides that the number of persons authorised to access the data and use it is to be limited to what is
strictly necessary and lays down a range of additional guarantees in Articles 11 to 14, 16, 18 and 20.
159. In addition, as regards the question of the retention of the data, Ireland first of all observed that, in the light of
the fact that, in accordance with Article 5 of the agreement envisaged, the Canadian competent authority is to be
deemed to provide an adequate level of protection of the PNR data, and that there is surveillance by an independent
authority, there is no need, unlike in the situation applicable to the directive at the origin of the judgment in Digital
Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238), for the data to be kept within the European
Union. Next, according to the Council and the Commission, the five-year retention period laid down in Article 16 of
the agreement envisaged does not go beyond what is strictly necessary in the light of the public security objective
pursued and cannot therefore be evaluated in the abstract. The period of three and a half years laid down in the 2006
Agreement significantly prevented the Canadian authorities from using the data effectively in order to detect cases
presenting a high risk of terrorism or organised crime since the relevant investigations take time. Furthermore, in the
Council’s submission, the period during which the data is to be retained was fixed by reference to the average
duration of criminal investigations, the average lifetime of serious crime networks and the fact that terrorist cells may
be dormant for a number of years. The Estonian Government, Ireland and the French Government add that, given the
complexity and difficulty of investigations of offences involving terrorism and serious transnational crime, the period
that elapses between the time of travel and the time when the law enforcement authorities need to have access to the
data in order to detect, investigate and prosecute such offences may sometimes be several years. In their respective
replies to the written questions put by the Court, the Spanish and French Governments also provide a number of
specific examples in which the process of checking and cross-checking information has taken around five years and
for which the data was or might have been of great use. The Estonian Government, Ireland and the French
Government and the Council and the Commission, also maintain, in essence, that Article 16 of the agreement
envisaged contains strict rules on the masking (or depersonalisation) and unmasking of the data, which are aimed at
providing more protection for the personal data of airline passengers.
160. Last, as regards the control of compliance with the rules on data protection by an independent authority, required
by Article 8(3) of the Charter and Article 16(2) TFEU, the Council and the Commission maintain that the fact that the
agreement envisaged does not identify the Canadian competent authority does not undermine the adequacy of the
measures to be taken by Canada. The identity of the competent authorities for the purposes of Articles 10 and 14 of
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 19/46
8.9.2017 CURIA - Documents
the agreement envisaged has been communicated to the Commission. The authorities in question are the Privacy
Commissioner of and the Recourse Directorate. Those authorities satisfy the condition of independence enabling
them to carry out their tasks without any outside influence, even though the Recourse Directorate is an ‘authority
created by administrative means’, within the meaning of Articles 10 and 14 of the agreement envisaged. The
Recourse Directorate is, in accordance with the explanations provided by the Canadian authorities, an independent
authority responsible for examining complaints and administrative appeals lodged by aliens not residing in .
Furthermore, the Commission submits that the decisions of that authority may be challenged before the Privacy
Commissioner of through a person residing in .
161. In the sixth place, in their replies to the written questions put by the Court and at the hearing, the United
Kingdom Government, the Council and the Commission provided information about the 19 categories of data in the
annex to the agreement envisaged. In particular, according to the Commission, only the 17th heading, ‘General
remarks including Other Supplementary Information (), Special Service Information (SSI) and Special Service
Request (SSR) information’, contains sensitive information, within the meaning of the agreement envisaged. That
data is transferred only on a voluntary basis, since it is liable to be disclosed only in connection with the booking of
additional services requested by the passenger and, according to the United Kingdom Government, can be consulted
only in exceptional circumstances, according to the terms of the agreement envisaged. In addition, the French
Government stated that the guidance to be derived from the judgment of 6 October 2015, Schrems (C‑362/14,
EU:C:2015:650) is not applicable to the examination of the compatibility of the agreement envisaged with the
Treaties, while Ireland maintains that that judgment provides important guidance as to the adequacy of the level of
protection which a third country must satisfy. As for the Council and the Commission, they share the opinion that
only paragraphs 91 to 93 and 95 of that judgment, which concern the interpretation of the Charter, are applicable in
the context of the examination of the compatibility of the agreement envisaged. On the other hand, those institutions
take the view that the examination of the agreement envisaged should lead to a different conclusion from that reached
by the Court in that judgment. Finally, as regards the subsequent disclosure provided for in Articles 18 and 19 of the
agreement envisaged, Ireland, the Council and the Commission recall that that disclosure is subject to strict
conditions and to compliance with the purposes laid down in Article 3 of the agreement envisaged. Furthermore, the
Commission emphasises that Article 19 of the agreement envisaged should be read in the light of the relevant
Canadian legislation.
B – Assessment
1. Preliminary observations
162. Before I address the central issue of the first question in the Parliament’s request for an opinion, three
preliminary observations must in my view be made regarding the scope of the examination that must be carried out.
163. First of all, as is clear from their observations, the interested parties referred on a number of occasions during the
proceedings to Canadian legislation and practice, in particular in order to explain, or even to supplement, certain
terms of the agreement envisaged. It is clear that, in order to examine the compatibility with an agreement envisaged
with primary EU law in the context of the procedure laid down in Article 218(11) TFEU, the Court cannot express a
view on the legislation or the practice of a third country. The Court’s examination can relate only to the terms of the
agreement envisaged as they were submitted to it.
164. However understandable and logical that substantive limit on judicial review in the context of the opinion
procedure may be, it nonetheless raises certain difficulties. Thus, while it is common ground that the agreement
envisaged must, in particular, provide the Canadian authorities with a legal framework that allows them, on the basis
of the analysis of the data, to apply methods relating to the identification of passengers who have not hitherto been
known to the law enforcement services, on the basis of patterns of behaviour of ‘concern’ or presenting an
‘interest’, (55) none of the terms of the agreement envisaged deals with the establishment of those methods, of the
right of each ‘targeted’ passenger to be informed of the methods used and to be assured that such ‘targeting’ methods
are subject to administrative and/or judicial control, as those questions all seem to be entirely within the discretion of
the Canadian authorities. (56) To my mind, it is permissible to ask whether, having regard to compliance with
Articles 7 and 8 of the Charter, those questions and those guarantees should not be regulated by the terms of the
agreement envisaged themselves. That example shows that one of the difficulties of the present case relates to the fact
that it entails ascertaining, in the light, in particular, of the right to protection of personal data, not merely what the
agreement envisaged makes provision for but also, and above all, what it has failed to make provision for.
165. Next, it is important to observe that the Parliament’s request for an opinion merely referred to certain terms of
the agreement envisaged which in its view indicate, in some cases more clearly and more strongly than in others, that
the agreement envisaged is incompatible with Article 16 TFEU and Articles 7 and 8 and Article 52(1) of the Charter.
Given the preventive purpose and the non-contentious nature of the opinion procedure, the Court cannot be required
to comply with such a delimitation of the request, whether deliberate or not. That position has already been perfectly
illustrated by Opinion 1/00 of 18 April 2002 (EU:C:2002:231, paragraph 1), in which the Court incorporated in its
examination of the compatibility of an agreement envisaged several rules in that agreement which were not expressly
stated to be the subject matter of the request for an opinion submitted by the Commission, and Opinion 1/08 of
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 20/46
8.9.2017 CURIA - Documents
30 November 2009 (EU:C:2009:739, paragraphs 96 to 105), in which the Court rejected the suggestion of the
institution requesting the opinion that it should confine its examination to certain parts of the draft agreement at issue
forming the subject matter of the request for an opinion.
166. In the present procedure, I consider it appropriate that the Court should include in its examination the
compatibility of terms of the agreement envisaged, such as Articles 18 and 19, which were not specifically mentioned
by the Parliament in its request for an opinion, but which deserve the Court’s attention. I would add that the
Parliament and the other interested parties have had the opportunity to comment on those articles, either in their
replies to the written questions put by the Court or at the hearing before the Court.
167. Last, in the light of the discussions before the Court, I consider it useful to point out that, under Article 218(11)
TFEU, the only provisions by reference to which the compatibility of the agreement envisaged may be examined are
the provisions of EU primary law, that is to say, in this instance, the Treaties and the rights set out in the Charter, (57)
to the exclusion of secondary law. In that regard, there is nothing to prevent the Court from including in its
examination of the substantive validity of the agreement envisaged provisions of primary law which are not
mentioned in the question submitted by the Parliament, such as Article 47 of the Charter, should it prove necessary to
do so for the purposes of the opinion procedure and if the interested parties have had the opportunity to submit their
comments on those provisions. That is indeed the case as regards respect for the effective judicial remedy guaranteed
by Article 47 of the Charter.
168. Those observations having been made, the following developments will essentially focus on the criteria for the
application of Articles 7 and 8 and Article 52(1) of the Charter. Although that is not fundamentally disputed, I shall
examine whether the terms of the agreement envisaged constitute an interference with the fundamental rights to
privacy and the protection of personal data and whether that interference may be justified. It is clearly the
examination of the justification for the interference, and in particular its proportionality, that proves to be
controversial.
2. The existence of an interference with the rights guaranteed by Articles 7 and 8 of the Charter
169. Without there being any need to examinee individually and exhaustively the 19 categories of data set out in the
annex to the agreement envisaged, it is common ground that they deal, inter alia, with the passenger’s identity,
nationality and address, all contact information (address of residence, email address, telephone number) available
about the passenger who made the reservation, available payment information, including, where appropriate, the
number of the credit card used to reserve the flight, information relating to luggage, passenger travel habits and habits
relating to additional services requested by the passengers concerning any health problems, including mobility, or
their dietary requirements during the flight, which might provide information concerning, in particular, the health of
one or more passengers, their ethnic origin or their religious beliefs.
170. That data, taken as a whole, touches on the area of the privacy, indeed intimacy, of persons and indisputably
relates to one or more ‘identified or identifiable individual or individuals’. (58) There can therefore be no doubt, in
the light of the Court’s case-law, that the systematic transfer of data to the Canadian public authorities, access to that
data and the use of that data and its retention for a period of five years by those public authorities and also, where
relevant, its subsequent transfer to other public authorities, including those of third countries, under the terms of the
agreement envisaged, are operations which fall within the scope of the fundamental right to respect for private and
family life guaranteed by Article 7 of the Charter and to the ‘closely connected’ (59) but nonetheless distinct right to
protection of personal data guaranteed by Article 8(1) of the Charter and constitute an interference with those
fundamental rights.
171. In fact, the Court has already held, with regard to Article 8 of the ECHR, on which Articles 7 and 8 of the
Charter are based, (60) that the communication of personal data to third parties, in that particular case a public
authority, constitutes an interference within the meaning of that article (61) and that the obligation to retain that data,
required by the public authorities, and subsequent access of the competent national authorities to data relating to a
person’s private life also constitutes in itself an interference with the rights guaranteed by Article 7 of the Charter
. (62) Likewise, an EU act prescribing any form of processing of personal data constitutes an interference with the
fundamental right, laid down in Article 8 of the Charter, to protection of such data. (63) That assessment applies,
mutatis mutandis, with regard to an EU act in the form of an international agreement concluded by the , such as the
agreement envisaged, which is designed, in particular, to enable one or more public authorities of a third country to
process and retain the personal data of air passengers. The lawfulness of such an act depends on its respect for the
fundamental rights protected in the EU legal order, (64) especially those guaranteed by Articles 7 and 8 of the
Charter.
172. The fact, put forward by the United Kingdom Government, that the persons affected by the agreement
envisaged, or at least most of them, will not suffer any inconvenience as a result of that interference is irrelevant for
the purposes of establishing the existence of such an interference. (65)
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 21/46
8.9.2017 CURIA - Documents
173. At the same time, it is irrelevant that the information communicated, or at least most of it, may well not be
sensitive. (66)
174. Moreover, I note that the contracting parties are fully aware of the interference constituted by the
communication, use, retention and subsequent transfer of the data provided for in the agreement envisaged, since, as
expressly stated in the preamble to that agreement, it is specifically because of that interference that the agreement
envisaged attempts to reconcile the requirements relating to public security and respect for the fundamental rights to
protection of private life and of personal data.
175. It is true that the contracting parties’ attempt to reconcile those elements is liable to reduce the intensity or the
gravity of the interference which the agreement envisaged entails in the fundamental rights guaranteed by Articles 7
and 8 of the Charter.
176. The fact nonetheless remains that the interference constituted by the agreement envisaged is of a considerable
size and a not insignificant gravity. It systematically affects all passengers flying between Canada and the Union, that
is to say, several tens of millions of persons a year. (67) Furthermore, as most of the interested parties have
confirmed, no one can fail to be aware that the transfer of voluminous quantities of personal data of air passengers,
which includes sensitive data, requiring, by definition, automated processing, and the retention of that data for a
period of five years, is intended to permit a comparison, which will be retroactive where appropriate, of that data with
pre-established patterns of behaviour that is ‘at risk’ or ‘of concern’, in connection with terrorist activities and/or
serious transnational crime, in order to identify persons not hitherto known to the police or not suspected. Those
characteristics, apparently inherent in the scheme put in place by the agreement envisaged, are capable of giving the
unfortunate impression that all the passengers concerned are transformed into potential suspects. (68)
177. I should add, however, that, unlike the Parliament, I do not consider that that conclusion should extend to the
collection of the data by the air carriers.
178. In fact, the agreement envisaged does not govern the collection of such data, but is based on the presumption of
law and of fact that the air carriers gather the data in any event for their own commercial use. It cannot be denied,
admittedly, that certain terms of the agreement envisaged refer to the collection of the data. Thus, Article 4(2) states
that is not to require an air carrier to provide elements of data which are not already collected or held by the air
carrier. Likewise, Article 11 of the agreement envisaged requires Canada to ensure that the Canadian Competent
Authority makes available on its website, inter alia, ‘the reason for the collection of data’, while the contracting
parties are also to work with, in particular, the air travel sector to promote transparency, by providing information to
passengers, ‘preferably at the time of booking’ flights, about ‘the reasons for data collection’. While such an
obligation to act in a transparent manner could in my view appropriately be reinforced if passengers were
systematically informed individually about the reasons for data collection at the time of booking flights, the fact
nonetheless remains that the agreement envisaged does not regulate the collection operation properly so called any
more than the procedures for collecting the data, which all come within the competence of the air carriers, which, in
that regard, must act in compliance with the relevant national provisions and with EU law.
179. The collection of the data therefore does not constitute a processing of personal data entailing an interference
with the fundamental rights guaranteed by Articles 7 and 8 of the Charter that results from the agreement envisaged
itself. In the light of the limited power of the Court in the context of the opinion procedure, that operation will
therefore not form the subject matter of the following developments.
180. Independently of that observation relating to data collection, the fact nonetheless remains that, for the reasons
stated in paragraphs 169 to 175 of this Opinion, the agreement envisaged entails, in my view, a serious interference
with the fundamental rights guaranteed by Articles 7 and 8 of the Charter. In order to be authorised, that interference
must be justified.
3. The justification for the interference with the rights guaranteed by Articles 7 and 8 of the Charter
181. Neither the right to respect for private and family life nor the right to protection of personal data is an absolute
prerogative.
182. Thus, Article 52(1) of the Charter accepts that limitations may be placed on the exercise of rights such as those
enshrined in Article 7 and Article 8(1) of the Charter, provided that those limitations are provided for by law, that
they respect the essence of those rights and that, subject to the principle of proportionality, they are necessary and
genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms
of others.
183. Furthermore, Article 8(2) of the Charter permits the processing of personal data ‘for specified purposes and on
the basis of the consent of the person concerned or some other legitimate basis laid down by law’.
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 22/46
8.9.2017 CURIA - Documents
184. It should be noted at the outset with regard to one of the conditions set out in Article 8(2) of the Charter that the
agreement envisaged does not seek to base the processing of the data communicated to the Canadian competent
authority on the consent of the air passengers. (69) In the light of the obligation placed on air carriers to communicate
the categories of data set out in the annex to the agreement envisaged, those passengers cannot object to that data
being transferred if they wish to travel by air to Canada. In addition, the fact, referred to at the hearing before the
Court, that certain data, containing, where appropriate, sensitive information, may be communicated to the air carrier
only where the passenger requires specific services does not mean that that passenger consented to that data being
processed by the Canadian competent authority for the purposes of Article 3 of the agreement envisaged.
185. In addition, it has not been maintained before the Court, nor is it apparent to me, that the interference contained
in the agreement envisaged is of such a kind as to harm the ‘essence’, within the meaning of Article 52(1) of the
Charter, fundamental right enshrined in Article 7 and Article 8(1) of the Charter.
186. In fact, the nature of the data forming the subject matter of the agreement envisaged does not permit any precise
conclusions to be drawn as regards the essence of the private life of the persons concerned. The data in question
continues to be limited to the pattern of air travel between Canada and the Union. In addition, the agreement
envisaged lays down, in Articles 8, 16, 18 and 19, a series of guarantees relating to the masking and gradual
depersonalisation of the data which has been communicated to, used by and retained by the Canadian authorities and,
where appropriate, subsequently transferred, the essential object of which is to preserve private life.
187. Furthermore, as regards the essence of the protection of personal data, it should be observed that, under Article 9
of the agreement envisaged, Canada is required, in particular, to ‘ensure compliance verification and the protection,
security, confidentiality and integrity of the data’, and also to implement ‘regulatory, procedural or technical measures
to protect data against accidental, unlawful or unauthorised access, processing or loss’. In addition, any breach of data
security must be amenable to effective and dissuasive corrective measures which might include sanctions.
188. It is therefore necessary to ascertain whether the other conditions of justification provided for in Article 8(2) of
the Charter and those laid down in Article 52(1) thereof, which, moreover, overlap in part, are satisfied.
189. I shall not dwell unnecessarily on two of those conditions, namely the condition that the interference must (a) be
‘provided for by law’ and (b) meet objectives of general interest (or have a ‘legitimate basis’, according to the
expression used in Article 8(2) of the Charter), which to my mind are manifestly satisfied. On the other hand, I shall
examine more fully (c) the question of the proportionality of the interference.
(a) An interference ‘provided for by law’, within the meaning of Article 52(1) of the Charter
190. As for the first point, the essentially formal doubts expressed by the Parliament as to the ‘lawful’ origin of the
interference can clearly be dispelled. According to the case-law of the ECtHR, the expression ‘provided for by law’ in
Article 8(2) of the ECHR means, in particular, that the measure in question has a basis in domestic law (70) and must
be understood in its substantive and not its formal sense. (71) The ECtHR thus accepts that unwritten rules satisfy
that condition. (72) In addition, the ECtHR has already held that an international treaty, incorporated into national
domestic law, also satisfies that requirement. (73)
191. Like the ECtHR, the Court confirms the substantive and not the formal meaning of the expression ‘provided for
by law’ in Article 52(1) of the Charter. Thus, the Court has considered that that condition was satisfied in the case of
limitations placed on the rights guaranteed by Articles 7 and 8 of the Charter by provisions of EU regulations,
adopted by the Commission (74) and by the Council, (75) respectively, and therefore without the Parliament having
been involved as ‘co-legislature’ in the adoption of those measures.
192. In this instance, it is common ground that the act concluding the agreement envisaged can be adopted by the
Council only if, pursuant to Article 218(6)(a)(v) TFEU, the agreement envisaged is first approved by the Parliament,
since it covers fields, namely those of police cooperation and the retention of personal data, to which the ordinary
legislative procedure applies. When those procedures have been completed, pursuant to Article 216(2) TFEU the
agreement will be an integral part of the EU legal order and will prevail over acts of secondary law. (76) It follows, in
my view that the interference resulting from the agreement envisaged is indeed ‘provided for by law’, within the
meaning of Article 52(1) of the Charter.
193. Still on that point, I would add, although it has not been discussed between the interested parties in the present
proceedings, that, generally, the agreement envisaged also seems to me to satisfy the second aspect covered by the
expression ‘provided for by law’ within the meaning of Article 8 of the ECHR, as interpreted by the ECtHR, namely
that of the ‘quality of the law’. According to the case-law of the ECtHR, that expression requires, in essence, that the
measure in question be accessible and sufficiently foreseeable, or, in other words, that its terms be sufficiently clear to
give an adequate indication as to the circumstances in which and the conditions on which it allows the authorities to
resort to measures affecting their rights under the ECHR. (77) In fact, once it has been concluded, the agreement
envisaged will be published in full in the Official Journal of the European Union, which clearly satisfies the
‘accessibility’ criterion. As for the ‘foreseeability’ criterion, apart from what are admittedly the rather numerous
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 23/46
8.9.2017 CURIA - Documents
specific considerations relating to the scope and the degree of precision and clarity of a number of terms of the
agreement envisaged, which will be set out below, (78) I also consider that, overall, the agreement envisaged is
drafted in sufficiently clear terms to enable all those concerned to understand, to the requisite standard, the
circumstances in which and the conditions on which the data are transferred to the Canadian authorities, processed,
retained and possibly subsequently disclosed by those authorities, and to regulate their conduct accordingly.
Furthermore, Article 11 of the agreement envisaged lays down a number of additional measures to be adopted by the
contracting parties in order to provide the public with information concerning, in particular, the reasons for collecting
the PNR data and the use and disclosure of those data.
194. To my mind, the interference resulting from the agreement envisaged undoubtedly meets an objective of general
interest, within the meaning of Article 52(1) of the Charter, namely the objective of combating terrorism and serious
(transnational) crime, to ensure public security, as is made clear, in particular, in the preamble to and Articles 1 and 3
of the agreement envisaged. None of the interested parties has questioned the legitimacy of the pursuit of such an
objective by the agreement envisaged. In a slightly different form, the ‘general interest’ nature of that objective for
the purposes of the application of Article 52(1) of the Charter has already been recognised by the Court in its case-
law. (79)
195. It is therefore necessary at this stage to ascertain whether the interference with the rights guaranteed by Article 7
and Article 8(1) of the Charter is proportionate to the legitimate objective pursued.
i) General considerations
196. It has consistently been held that the principle of proportionality requires that acts of the EU institutions be
appropriate for attaining the legitimate objectives pursued by the legislation at issue and do not exceed the limits of
what is appropriate and necessary in order to achieve those objectives. (80)
197. In that regard, the interested parties first of all discussed the extent to which compliance with those conditions is
amenable to judicial review. While the Parliament, the Estonian Government and the EDPS support the need for a
strict review of compliance with those conditions, as the Court acknowledged in the judgments of 8 April 2014,
Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238), and of 6 October 2015, Schrems
(C‑362/14, EU:C:2015:650), Ireland and the French and United Kingdom Governments defend, in essence, the view
that the Court should limit the scope of its review and allow a broader discretion to the institutions when they adopt
an act forming part of the context of international relations and having regard to the limited nature of the interference
which that act entails.
199. Admittedly, I am prepared to accept that the scope of the institutions’ discretion may differ according to whether
what is envisaged is the adoption of an act of secondary Union law or the conclusion of an international agreement
entailing, by definition, negotiations with one or more third countries. It is clear that, in the particular context of the
data communicated to third countries for processing, it is undoubtedly more appropriate to conclude an international
agreement that affords air passengers, citizens of the Union, sufficient protection of their private life and personal
data, corresponding as much as possible to the requirements of Union law, rather than to leave each of those third
countries entirely free to apply its own national legislation unilaterally as it sees fit.
200. Although those considerations are worth bearing in mind, the Court cannot decline to carry out a strict review of
compliance with the requirements resulting from the principle of proportionality and more particularly from the
adequacy of the level of protection of the fundamental rights guaranteed in the Union when Canada processes and
uses the data pursuant to the agreement envisaged.
201. In fact, the need to ensure a strict review of that type is supported by the important role which the protection of
personal data plays in the light of the fundamental right to respect for private life and, moreover, by the extent and
seriousness of the interference with that right, (81) which may include the large number of persons whose
fundamental rights are liable to be infringed where personal data is transferred to a third country. (82) As I have
already stated, the interference constituted by the agreement envisaged with the rights guaranteed by Articles 7 and 8
of the Charter seems to be of a considerable size and a not insignificant seriousness.
202. By the same token, it follows from the judgment of 6 October 2015, Schrems (C‑362/14, EU:C:2015:650,
paragraphs 72 and 78), that the institutions’ discretion as to the adequacy of the level of protection ensured by a third
country to which personal data is transferred is reduced, which entails a strict review of whether the high level of the
protection of personal data provided for in EU law continues to be applied.
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 24/46
8.9.2017 CURIA - Documents
203. Although, as I have already indicated, the agreement envisaged cannot be reduced to a decision finding that the
Canadian competent authority guarantees an adequate level of protection, Article 5 of the agreement envisaged does
indeed provide that, subject to compliance with the terms of that agreement, the Canadian Competent Authority is to
be deemed to provide an adequate level of protection, within the meaning of relevant Union data protection law, for
the processing and use of data. The contracting parties’ intention is indeed to ensure that the high level of personal
data protection achieved in the Union may be guaranteed when the data is transferred to Canada. In the light of that
intention, I see no reason why the Court should not carry out a strict review of compliance with the principle of
proportionality.
204. Indeed, as the Court acknowledged in paragraph 74 of the judgment of 6 October 2015, Schrems(C‑362/14,
EU:C:2015:650), I concede that the means to which Canada may have recourse for the purpose of ensuring an
adequate level of protection may differ from those employed within the Union. The fact nonetheless remains that, as
the Court also made clear in the same paragraph of that judgment, those means must nevertheless prove, in practice,
effective in order to ensure protection ‘essentially equivalent’ to that guaranteed within the Union. In that regard, the
Court’s review of whether the level of protection resulting from the terms of the agreement envisaged is ‘essentially
equivalent’ to that guaranteed by Union law cannot be limited.
ii) The ability of the interference to achieve the ‘public security’ objective pursued by the agreement envisaged
205. That point having been clarified, I do not believe that there are any real obstacles to recognising that the
interference constituted by the agreement envisaged is capable of attaining the objective of public security, in
particular the objective of combating terrorism and serious transnational crime, pursued by that agreement. As the
United Kingdom Government and the Commission, in particular, have claimed, the transfer of data for analysis and
retention provides the Canadian authorities with additional opportunities to identify passengers, hitherto not known
and not suspected, who might have connections with other persons and/or passengers involved in a terrorist network
or participating in serious transnational criminal activities. As illustrated by the statistics communicated by the United
Kingdom Government and the Commission concerning the Canadian authorities’ past practice, that data constitutes a
valuable tool for criminal investigations, (83) which is also of such a kind as to favour, notably in the light of the
police cooperation established by the agreement envisaged, the prevention and detection of a terrorist offence or a
serious transnational criminal act within the Union.
206. Although the Kingdom of Denmark’s non-participation is liable to reduce the ability of the measures laid down
in the agreement envisaged to help to strengthen security within the Union, it does not in itself appear to be capable of
rendering the interference inappropriate for attaining the public security objective pursued by that agreement. In fact,
all air carriers providing flights to Canada are required to communicate to the Canadian competent authority the data
which they collect (84) and, moreover, the Canadian competent authority is authorised, under Article 19 of the
agreement envisaged, and subject to compliance with strict conditions, to disclose the data outside Canada, on a case-
by-case basis, to public authorities whose functions are directly related to the purpose stated in Article 3 of that
agreement. (85)
207. As to the strict necessity for the interference consisting in the agreement envisaged, its assessment must in my
view entail ascertaining whether the contracting parties have struck a ‘fair balance’ between the objective of
combating terrorism and serious transnational crime and the objective of protecting personal data and respecting the
private life of the persons concerned. (86)
208. Such a fair balance must, in my view, be capable of being reflected in the terms of the agreement envisaged.
Those terms must thus establish clear and precise rules governing the scope and the application of a measure
providing for an interference with the rights guaranteed by Articles 7 and 8 of the Charter and impose a minimum of
requirements, so that the persons concerned have sufficient guarantees that their data will be afforded effective
protection against the risks of abuse and also against any unlawful access to and any unlawful use of that data. (87)
The terms of the agreement envisaged must also consist of the measures least harmful to the rights recognised by
Articles 7 and 8 of the Charter, while making an effective contribution to the public security objective pursued by the
agreement envisaged. (88) That means that it is not sufficient to imagine, in the abstract, the existence of alternative
measures that would be less intrusive in the fundamental rights at issue. Those alternative measures must also be
sufficiently effective, (89) that is to say, their effectiveness must, in my view, be comparable with those provided for
in the agreement envisaged, in order to attain the public security objective pursued by that agreement.
209. In that regard, the interested parties have discussed both the strict necessity for agreements in general and for
certain terms of the agreement envisaged. As those two aspects are in my view intrinsically linked, I consider that
they should be addressed when I examine the different parts of the agreement envisaged.
210. I shall therefore concentrate on the following eight points, which were specifically raised in the request for an
opinion or which were discussed between the interested parties during the proceedings before the Court, namely the
categories of data covered by the agreement envisaged, the sufficiently precise nature of the purpose for which the
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 25/46
8.9.2017 CURIA - Documents
processing of data is authorised, the identification of the competent authority responsible for the processing of data,
the automated processing of data, access to the data, the retention of the data, the subsequent transfer of the data, and,
last, measures of surveillance and judicial review provided for in the agreement envisaged.
211. As already stated, the agreement envisaged provides for the transfer to the Canadian competent authority of 19
categories of data collected by air carriers for flight reservation purposes and listed in the annex to that agreement.
212. Before the Court, the interested parties submitted observations on both the significance of some of those
categories, on the fact that they may be duplicated with the data gathered by the Canadian authorities for border
control purposes or, since 15 March 2016, in order to issue an electronic travel authorisation (‘eTA’), and on the
identification of data apt to contain sensitive data. In that regard, during the proceedings before the Court, the
Commission asserted that only heading 17 in the annex to the agreement envisaged, entitled ‘General remarks
including Other Supplementary Information (), Special Service Information (SSI) and Special Service Request (SSR)
information’, is apt to contain sensitive data, within the meaning of the agreement envisaged. In addition, it emerged
from the discussion before the Court that the information in heading 17 was transferred only when the person
reserving a flight requested certain on-board services, such as assistance, possibly connected to health or mobility
problems or special dietary requirements, which may provide information about the health or reveal the ethnic origin
and religious beliefs of that person or passengers travelling with him.
213. It is common ground that the 19 categories of data the transfer of which to the Canadian competent authority is
provided for in the agreement envisaged correspond to the categories which appear in the airlines’ reservation
systems. Those categories also correspond to the data elements listed in Appendix 1 to the Guidelines on Passenger
Name Record Data adopted by the International Civil Aviation Organisation (ICAO) and published in 2010. (90) The
elements in those categories are therefore perfectly known to operators active in the air sector. Those elements
concern, in fact, all the information necessary to book a flight, whether they relate to the booking methods or payment
methods used, the itinerary chosen or any on-board services requested.
214. Furthermore, as Ireland, the United Kingdom Government and the Commission emphasised, the data, taken as a
whole, contains additional information by comparison with the data gathered for border control purposes by the
Canadian immigration authorities. The advance passenger information (), of a biographical nature and relating to the
flight taken, which is gathered by the air carriers, is mainly intended to facilitate and speed up passenger identity
checks at the border by making it possible, where appropriate, to prevent persons prohibited from residence from
boarding or subjecting certain passengers already identified to enhanced checks at the border. (91) Likewise, in
Canada the new eVA requirement is intended to preserve Canada’s immigration programme since each person
wishing to visit Canada by air who is not required to have a visa is required to obtain, on the basis of biographical
information and information relating to admission to and stay in Canada, by electronic means, prior travel
authorisation valid for a maximum of five years. (92) However, data of that type does not reveal information about
the booking methods, payment methods used and travel habits, the cross-checking of which can be useful for the
purposes of combating terrorism and other serious transnational criminal activities. Independently of the methods
used to process that data, the and the data required for the issue of an eVA are therefore not sufficient to attain with
comparable effectiveness the public security objective pursued by the agreement envisaged.
215. It is the case that those categories of data are transferred to the Canadian authorities for all travellers flying
between Canada and the Union even though there is no indication that their conduct may have a connection with
terrorism or serious transnational crime.
216. However, as the interested parties have explained, the actual interest of schemes, whether they are adopted
unilaterally or form the subject matter of an international agreement, is specifically to guarantee the bulk transfer of
data that will allow the competent authorities to identify, with the assistance of automated processing and scenario
tools or predetermined assessment criteria, individuals not known to the law enforcement services who may
nonetheless present an ‘interest’ or a risk to public security and who are therefore liable to be subjected subsequently
to more thorough individual checks.
217. Accordingly, I have serious doubts as to whether the wording of certain categories of data in the annex to the
agreement envisaged is sufficiently clear and precise. Some of those categories are formulated in a very, indeed
excessively, open manner, without a reasonably informed person being able to determine either the nature or the
scope of the personal data which those categories might contain. I am thinking, in that regard, especially, of heading
5, on ‘Available frequent flyer and benefit information (free tickets, upgrades, etc.)’; heading 7, entitled ‘all available
contact information (including originator information)’; and heading 17, which has already been mentioned, on
‘General remarks’. The explanations provided by the Commission in its responses to the written questions put by the
Court did not enable those doubts to be dispelled. In particular, as regards heading 7, the Commission acknowledged
that that heading referred, in a non-exhaustive manner, to ‘all details connected with the booking, including, in
particular, the postal or email address and telephone number of the traveller, the person or agency that booked the
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 26/46
8.9.2017 CURIA - Documents
flight’. Likewise, as regards heading 17, the Commission stated that it covers all ‘supplementary information apart
from that listed elsewhere in the annex to the agreement envisaged’.
218. The agreement does indeed lay down certain guarantees with the aim of ensuring that the data transmitted does
not go beyond the list of elements set out in the annex to the agreement envisaged in the possession of the air carriers.
It is apparent from Article 4(3) of the agreement envisaged that no other data must be communicated to the Canadian
competent authority, since Canada is required to delete upon receipt any data transferred to it if it is not listed in the
annex to the agreement envisaged. Thus, although, in accordance with what is stated under heading 8 of that annex,
available payment/billing information must be transferred to the Canadian competent authority, it cannot include
information relating to the payment methods for other services not directly connected with the flight, such as vehicle
rental on arrival.
219. However, in the light of the very, indeed excessively, open nature of certain headings, it is particularly difficult
to understand what data is to be regarded as not having to be transferred to and therefore as having to be deleted by ,
in application of Article 4(3) of the agreement envisaged. Furthermore, it is likely that an air carrier will choose, on
the ground that it will be easier and less expensive to do so, to transfer all the data which it has previously collected,
whether or not it is among the headings listed in the annex to the agreement envisaged.
220. I therefore consider that, in order to ensure the legal security of persons whose personal data is transferred and
processed under the agreement envisaged and the need to establish clear and precise rules governing the scope ratione
materiae of that agreement, the categories of data in the annex to the agreement envisaged should be drafted in a more
concise and more precise manner, without any discretion being left to either the air carriers or the Canadian
competent authorities as regards the actual scope of those categories.
221. Last, I consider that the agreement envisaged goes beyond what is strictly necessary by including in its scope the
transfer of data that is apt to contain sensitive data, which in material terms allows information about the health or
ethnic origin or religious beliefs of the passenger concerned and and/or of those travelling with him to be disclosed.
222. In that regard, it is apparent from the material submitted to the Court that the data apt to contain such sensitive
data will be communicated only on an optional basis, that is to say, only where a passenger requests an additional on-
board service. However, it seems obvious to me that a person who has not yet been ‘identified’ but is collaborating or
participating in an international terrorist or serious crime network will as a matter of prudence avoid requesting such
services which are apt in particular to provide information about his ethnic background or his religious beliefs. The
modern investigative methods employed by the Canadian competent authorities, consisting, according to the
explanations provided to the Court, in cross-checking the data with scenarios or profile types of persons at risk and
which might be based on such sensitive data, since the agreement envisaged does not prohibit it, will in fact allow
only the sensitive data of persons who have legitimately requested one of those on-board assistance services, and on
whom no suspicion lies or in all likelihood will lie, to be processed. The risk of stigmatising a large number of
individuals who are not suspected of any offence which the use of such sensitive data entails strikes me as
particularly worrying and prompts me to propose that the Court should exclude data of that type from the scope of the
agreement envisaged. In addition, I must observe that Article 8 of the Agreement concluded with Australia precludes
any processing of sensitive data. That suggests, in the absence of a fuller explanation in the agreement envisaged of
why the processing of sensitive data is strictly necessary, that the objective of combating terrorism and serious
international crime could be attained just as effectively without such data even being transferred to .
223. I would add that the guarantees offered by Article 8 of the agreement envisaged, on the ‘Use of sensitive data’,
seem to me to be insufficient to justify taking a different approach from that consisting in proposing that sensitive
data be excluded from the scope of the agreement envisaged.
224. In fact, in spite of the measures laid down in Article 8(1) to (4) of the agreement envisaged, Article 8(5) in fine
authorises ‘Canada’ (and not just the Canadian competent authority) to retain the sensitive data in accordance with
Article 16(5) of the agreement envisaged. It follows from that provision that the data may be retained for up to five
years where it is ‘required for any specific action, review, investigation, enforcement action, judicial proceeding,
prosecution, or enforcement of penalties, until concluded’. Article 16(5) of the agreement envisaged, moreover,
makes no reference to the purposes stated in Article 3 of that agreement, unlike the point immediately preceding it. It
follows that sensitive data of a Union citizen who has taken a flight to Canada is liable to be retained for five years
(and, where appropriate, unmasked and analysed during that period) by any Canadian public authority, for any
‘action’ or ‘investigation’ or ‘judicial proceeding’, without being in any way connected to the objective pursued by
the agreement envisaged, for example, as the Parliament has pointed out, in the event of proceedings related to
contract law or family law. The possibility that such a situation will arise prompts the conclusion that on this point the
contracting parties have not struck a fair balance between the objectives pursued by the agreement envisaged.
225. In the light of those considerations, I consider that the categories of data listed in the annex to the agreement
envisaged should be worded more clearly and more precisely and that, in any event, sensitive data should be excluded
from the scope of the agreement envisaged. It follows that the use of sensitive data provided for in Article 8 of the
agreement envisaged is in my view incompatible with Articles 7 and 8 and Article 52(1) of the Charter.
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 27/46
8.9.2017 CURIA - Documents
– The sufficiently precise nature of the purpose for which data processing is authorised
226. As already stated, Article 3(1) of the agreement envisaged provides that the Canadian competent authority is to
process data received pursuant to that agreement strictly for the purpose of preventing, detecting, investigating or
prosecuting terrorist offences or serious transnational crime.
227. Article 3(2)(a) of the agreement envisaged provides a precise definition of ‘terrorist offence’, while Article 3(3)
defines ‘serious transnational crime’ as meaning ‘any offence punishable in Canada by a maximum deprivation of
liberty of at least four years or a more serious penalty and as they are defined by the Canadian law, if the crime is
transnational in nature’. The conditions on which a crime is to be regarded as transnational in nature are also set out
in Article 3(3)(a) to (e) of the agreement envisaged.
228. Article 3(5) of the agreement envisaged confers on Canada the right to process data, on a case-by-case basis, in
order to ensure the oversight or accountability of the public administration (Article 3(5)(a)) or to comply with the
subpoena or warrant issued, or an order made, by a court (Article 3(5)(b)).
229. In its request, the Parliament accepts that Article 3 of the agreement envisaged offers certain objective criteria,
but considers that the reference in paragraph 3 to the legislation of a third country and the possibility of further
treatment afforded by paragraph 5 give rise to uncertainty as to whether the agreement is limited to what is strictly
necessary.
231. First of all, I consider that, unlike the position concerning the measure at issue in Digital Rights Ireland and
Others (C‑293/12 and C‑594/12, EU:C:2014:238), Article 3 of the agreement envisaged lays down objective criteria
in relation to the nature and degree of seriousness of the offences in respect of which the Canadian authorities would
be entitled to process the data. Thus, a terrorist offence is directly defined in Article 3(2) of the agreement envisaged
and the definition also covers the activities defined as constituting such an offence in applicable international
conventions and protocols relating to terrorism. The nature and seriousness of an offence constituting ‘serious
transnational crime’ are also clear from Article 3(3) of the agreement envisaged, since such an offence involves more
than one country and is punishable in Canada by a maximum deprivation of liberty of at least four years. The
definition clearly does not cover minor offences or those the seriousness of which might vary, as was the case in the
act at the origin of the judgment of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12,
EU:C:2014:238), according to the domestic law of a number of States, which therefore meant that it was impossible
to consider that the interference with the fundamental rights guaranteed by Articles 7 and 8 of the Charter was limited
to what was strictly necessary.
232. However, I accept that the reference to Canadian domestic law does not allow the specific offences that may be
covered by Article 3(3) of the agreement envisaged, if, in addition, they are transnational in nature, to be identified.
233. In that regard, the Commission communicated to the Court a document sent by the Canadian authorities setting
out a non-exhaustive list of offences coming within the definition laid down in Article 3(3) of the agreement
envisaged which, according to those authorities, represent the great majority of offences that may come within that
definition.
234. That list clearly shows the gravity of the infringements concerned, which relate to trafficking of weapons,
ammunition, explosives and humans, the distribution or possession of child pornography, the laundering of the
proceeds of crime, counterfeiting, forgery, murder, kidnapping, sabotage, hostage-taking or aircraft-hijacking.
235. Nonetheless, in order to limit to what is strictly necessary the offences that may entitle the relevant authorities to
process data and ensure the legal security of passengers whose data is transferred to the Canadian authorities, I
consider that the offences coming within the definition in Article 3(3) of the agreement envisaged should be listed
exhaustively, for example, in an annex to the agreement envisaged itself.
236. In addition, I share the Parliament’s concerns about the wording of Article 3(5)(b) of the agreement envisaged,
which extends the purposes for which the processing of the data is authorised. According to that article, the
processing of data is ‘also’ permitted, on a case-by-case basis, in order to comply with the subpoena or warrant
issued, or an order made, by a court, although it is not stated that that court must be acting in the context of the
purposes of the agreement envisaged. That article therefore appears to allow the processing of data for purposes
unconnected with those pursued by the agreement envisaged and/or possibly in connection with conduct or offences
not coming within the scope of that agreement.
237. In the light of those considerations, I consider that, in order to be limited to what is strictly necessary and to
ensure the legal security of passengers, in particular citizens of the Union, the agreement envisaged must be
accompanied by an exhaustive list of the offences coming within the definition of ‘serious transnational crime’,
provided for in Article 3(3) of that agreement. Furthermore, in its current form, Article 3(5) of the agreement
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 28/46
8.9.2017 CURIA - Documents
envisaged is incompatible with Articles 7 and 8 and Article 52(1) of the Charter, in that it allows the possibilities of
processing data to be extended beyond what is strictly necessary, independently of the stated purposes of the
agreement envisaged.
238. It is common ground that the data transferred under the agreement envisaged concerns all travellers flying
between Canada and the Union, even where there is no suggestion that the conduct of those travellers might be
connected with terrorism or serious transnational crime. The transfer of that data to the Canadian competent authority,
its automated processing and then its retention therefore apply without any distinction based on the possible risk that
certain categories of travellers might present.
239. In the judgment of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238), it
was quite specifically the undifferentiated and general nature of the retention of the data of any person using
electronic communications in the Union, irrespective of the objective pursued by Directive 2006/24/EC of the
European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in
connection with the provision of publicly available electronic communications services or of public communications
networks and amending Directive 2002/58/EC, (93) of combating serious offences that was held by the Court to go
beyond what was strictly necessary.
240. Although the interference constituted by the agreement envisaged is less extensive than that provided for in
Directive 2006/24, and is also less intrusive into the daily life of everyone, its undifferentiated and generalised nature
raises questions.
241. However, as I have already observed in paragraph 216 of this Opinion, the actual interest of schemes is
specifically to guarantee the bulk transfer of data that will allow the competent authorities to identify, with the
assistance of automated processing and scenario tools or predetermined assessment criteria, individuals hitherto
unknown to the law enforcement services who may nonetheless present an ‘interest’ or a risk to public security and
who are therefore liable to be subjected subsequently to more thorough individual checks. Those checks must also be
capable of being carried out over a certain period after the passengers in question have travelled.
242. In addition, unlike the persons whose data was subject to the processing provided for in Directive 2006/24, all
those coming under the agreement envisaged voluntarily take a means of international transport to or from a third
country, a means of transport which is itself, repeatedly, unfortunately, an vehicle or a victim of terrorism or serious
transnational crime, which requires the adoption of measures ensuring a high level of security for all passengers.
243. It is indeed possible to imagine a data transfer and processing scheme that distinguished passengers according to,
for example, geographic areas of origin (when they stop over in the Union) or according to passengers’ age, minors,
for example, prima facie representing a lesser risk for public security. However, in so far as they were considered not
to involve prohibited discrimination, such measures, once they became known, might well entail the circumvention of
the terms of the agreement envisaged, which would in any event be prejudicial to the effective attainment of one of its
objectives.
244. As already indicated, however, it is not sufficient to imagine in the abstract alternative measures that would be
less restrictive of individuals’ fundamental rights. To my mind, those measures must also present guarantees of
effectiveness comparable with those the implementation of which is envisaged with the aim of combating terrorism
and serious transnational crime. No other measure which, while limiting the number of persons whose data is
automatically processed by the Canadian competent authority, would be capable of attaining with comparable
effectiveness the public security aim pursued by the contracting parties has been brought to the Court’s attention in
the context of the present proceedings.
245. On balance, it therefore seems to me that, generally, the scope ratione personae of the agreement envisaged
cannot be limited further without harming the very object of the regimes.
246. According to Article 5 of the agreement envisaged, only ‘the Canadian Competent Authority’ is to be deemed to
provide an adequate level of protection for the processing and use of data, subject to compliance with the agreement
envisaged.
247. As the Parliament has observed, the identity of that authority is not mentioned in the agreement envisaged. There
can be no doubt, however, in the light of the 2006 Agreement, as confirmed in the letter from the Mission of Canada
to the European Union dated 25 June 2014, notified to the Commission pursuant to Article 30(2)(a) of the agreement
envisaged and communicated to the Court in the context of the present proceedings, that the authority in question is
the CBSA.
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 29/46
8.9.2017 CURIA - Documents
248. More than the identity of that authority, it is what is frequently the lack of precision of the terms of the
agreement envisaged that, from the aspect of compliance with the principle of proportionality, raises doubts as to the
authorities liable to process the data.
249. Several terms of the agreement envisaged refer generically to ‘Canada’ and not to ‘the Canadian Competent
Authority’, which, nonetheless, is the only authority deemed to provide an adequate level of protection for the
processing and use of data, in application of the agreement envisaged. That applies to Article 3(5) of the agreement
envisaged, which, moreover, as I have examined above, (94) extends the purposes for which the data may be
processed, Article 8 of the agreement envisaged, Article 12(3) of the agreement envisaged, on disclosure to any
person, and Article 16 of the agreement envisaged, on the retention of the data. (95)
250. Contrary to the Commission’s submissions at the hearing, the replacement of the expression ‘the Canadian
Competent Authority’ by the generic term ‘Canada’ casts doubt on the number of authorities authorised to process the
data, a fortiori when Article 18 of the agreement envisaged authorises the Canadian competent authority, provided
that the conditions set out in that article are met, to disclose the data to other government authorities in Canada. (96)
251. The terms of the agreement envisaged therefore do not seem to me to be sufficiently clear and precise as regards
the identification of the authority responsible for processing the data in such a way as to ensure the protection and
security of the data.
252. It is apparent from the observations submitted to the Court that the main added value of the processing of the
data is the comparison of the data received with scenarios or predetermined risk assessment criteria or databases
which, with the assistance of automated processing, makes it possible to identify ‘targets’ who can subsequently be
subjected to more thorough checks. In practice, according to the data communicated by the to the Commission and
the United Kingdom Government and communicated to the Court by those interested parties, the application of those
techniques allowed around 9 500 ‘targets’ to be identified by the automated processing of data out of the 28 million
passengers who flew between Canada and the Union between April 2014 and March 2015.
253. However, none of the terms of the agreement envisaged relates specifically to either those databases or those
scenarios or assessment criteria, which would therefore continue to be determined and used at the entire discretion of
the Canadian authorities.
254. Admittedly, the agreement envisaged specifies that Canada is to ensure that the safeguards applicable to the
processing of data apply to all passengers on an equal basis without unlawful discrimination (Article 7 of the
agreement envisaged) and that it is not to take any decisions significantly adversely affecting a passenger solely on
the basis of automated processing of PNR data (Article 15 of the agreement envisaged).
255. I am nonetheless convinced that, in the light of the fair balance between the two objectives pursued by the
agreement envisaged and the considerable practical importance of that aspect, a comparison of the data with those
scenarios or those predetermined assessment criteria is liable to lead, as certain of the interested parties have
acknowledged, to false positive ‘targets’ being identified, the agreement envisaged should contain a number of
principles and explicit rules concerning both the scenarios or the predetermined assessment criteria and the databases
with which the data is compared.
256. The precise framing and determination of the scenarios and the predetermined assessment criteria must to a large
extent make it possible to arrive at results targeting individuals who might be under a ‘reasonable suspicion’ of
participating in terrorism or serious transnational crime. (97)
257. It is not strictly necessary for the Court to indicate the principles that should govern the determination of those
scenarios and assessment criteria or the databases with which the data is compared.
258. For my part, I consider that the agreement envisaged should at least expressly state that neither the scenarios or
the predetermined assessment criteria nor the databases used can be based on an individual’s racial or ethnic origin,
his political opinions, his religion or philosophical beliefs, his membership of a trade union, his health or his sexual
orientation. Furthermore, the criteria, scenarios and databases should be expressly confined to the purposes and
offences defined in Article 3 of the agreement envisaged.
259. Furthermore, the agreement envisaged should in my view state more clearly than Article 15 of the agreement
envisaged does at present that, where the comparison of data with the predetermined criteria and scenarios leads to a
positive result, that result must be examined by non-automated means. That guarantee could reduce the number of
persons who might subsequently be subjected to a more thorough physical check.
260. In addition, in order to be limited to what is strictly necessary, those relevant criteria, scenarios and databases,
and their reconsideration, should in my view be the subject of a check by the independent public authority referred to
in the agreement envisaged, namely the Privacy Commissioner of Canada, (98) and be the subject of a report on their
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 30/46
8.9.2017 CURIA - Documents
implementation, communicated to the competent institutions and bodies of the Union, pursuant to Article 26 of the
agreement envisaged, which governs the joint review and evaluation of the implementation of that agreement.
261. Consequently, I consider that, in failing to establish explicit principles and rules relating to the establishment and
use of the predetermined scenarios and criteria and also the databases with which the data is compared by automated
processing, the contracting parties have not struck a fair balance between the two objectives pursued by the
agreement envisaged.
262. When the passengers whose data has been subject to automated processing and who present a profile
corresponding to predetermined scenarios or criteria are identified, it is apparent from the explanations provided to
the Court that officials access those passengers’ data in order to determine whether they should be subjected to a
more thorough check. In practice, according to the information submitted by the United Kingdom Government and
the Commission, among the 9 500 ‘targets’ identified between April 2014 and March 2015, 1 765 persons were
subjected to thorough checks for reasons connected with national public security or for reasons connected with a
serious transnational criminal offence. Of those persons, 178 were arrested for a serious transnational criminal
offence, connected in particular with drug trafficking.
263. In the judgment of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238,
paragraphs 62 and 66), the Court observed that Directive 2006/24 did not lay down any objective criterion by which
to determine the limits of the number of persons authorised to access the personal data in question and did not make
access to that data dependent on a prior review carried out by a court or an independent administrative body.
Furthermore, the directive did not lay down any rules against the risk of abuse and against any unlawful access to or
use of that data.
264. Conversely, it should be observed that the terms of the agreement envisaged satisfy those requirements in part.
265. As already observed, under Article 9(1) and (2) of the agreement envisaged Canada is required to implement
regulatory, procedural or technical measures to protect data against accidental, unlawful or unauthorised access,
processing or loss and to ensure, in particular, the protection, security, confidentiality and integrity of the data, by
applying in particular encryption procedures and holding data in a secure physical environment that is protected with
access controls.
266. Furthermore, both Article 9(2)(b) and Article 16(2) of the agreement envisaged provide that is to restrict access
to data to a limited number of officials specifically authorised by . As regards the retention of the data, Article 16(4)
of the agreement envisaged also states that data depersonalised by masking can be unmasked only if it is necessary to
carry out investigations under the scope of Article 3 of the agreement envisaged and, depending on the length of time
during which the data concerned is retained, either by a limited number of specifically authorised officials or only
with prior permission by the Head of the Canadian Competent Authority or a senior official specifically mandated by
the Head.
267. However, like Directive 2006/24, the agreement envisaged does not specify the objective criteria on the basis of
which the officials with access to the data are to be determined and whether those officials are all in the service of the
CBSA. That information seems to be all the more important because the group of officials having access to that data
in the context of Article 9(2) of the agreement envisaged is, it would appear, wider than the group, described as
‘limited’, who may have access to data retained for more than 30 days in the context of the application of
Article 16(2) of that agreement. The criteria on which the two groups of officials authorised to access the data may be
distinguished is not, however, apparent from the terms of the agreement envisaged and are therefore left to Canada’s
entire discretion. That freedom does not in my view satisfy the requirement laid down in the judgment of 8 April
2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238), referred to in paragraph 263 of
this Opinion.
268. Likewise, it should be observed that the agreement envisaged does not provide that access to the data is to be
subject to prior control by an independent authority, such as the Privacy Commissioner of Canada, (99) or by a court
whose decision might limit access to or use of the data and which would deal with the matter following a reasoned
request from the .
269. However, the appropriate balance that must be struck between the effective pursuit of the fight against terrorism
and serious transnational crime and respect for a high level of protection of the personal data of the passengers
concerned does not necessarily require that a prior control of access to the data must be envisaged.
270. In fact, without its even being necessary to ascertain whether such a prior control would in practice be
conceivable and sufficiently effective, given in particular the quantity of data to be examined and the resources
available to the independent control authorities, I observe that, in the context of respect for Article 8 of the ECHR by
the public authorities who have put in place measures for the interception and surveillance of private
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 31/46
8.9.2017 CURIA - Documents
communications, the ECtHR has accepted that, save in exceptional circumstances relating in particular to the
confidentiality of journalists’ sources of information or communications between lawyers and their clients, an ex ante
control of those measures by an independent body or a judge is not an absolute requirement, provided that extensive
post factum judicial oversight of those measures is guaranteed. (100)
271. In that regard, independently of the doubts prompted by the allocation of the CBSA’s surveillance and oversight
powers between the ‘independent public authority’ and the ‘authority created by administrative means that exercises
its functions in an impartial manner and that has a proven record of autonomy’, to which I shall return later, (101) it
must be pointed out that Article 14(2) of the agreement envisaged provides that Canada is to ensure that any
individual who is of the view that their rights have been infringed by a decision or action in relation to their data may
seek effective judicial redress in accordance with Canadian law by way, inter alia, of judicial review. There can be no
doubt, having regard to the wording of Article 14(1) of the agreement envisaged and the explanations provided by the
interested parties, that that remedy is available against any decision relating to access to the data of the persons
concerned, irrespective of their nationality, their domicile or their presence in Canada. In the context of the present
procedure of preventive examination of the compatibility of the terms of the agreement envisaged with Articles 7 and
8 of the Charter, the guarantee of such a remedy, the effectiveness of which has not been called in question by any of
the interested parties, seems to me to satisfy the condition required by those provisions, read in the light of the
interpretation of Article 8 of the ECHR by the ECtHR.
272. Consequently, I consider that the fact that the agreement envisaged has failed to provide that access by the
authorised officials of the to the data is subject to prior control by an independent administrative authority or by a
court is not incompatible with Articles 7 and 8 and Article 52(1) of the Charter, in so far as — as is the case — the
agreement envisaged requires that Canada guarantee that every person concerned will be entitled to an effective post
factum judicial review of the decisions or actions relating to access to his data.
273. On the other hand, I consider that, in order to be limited to what is strictly necessary, the agreement envisaged
must make quite clear that only officials of the are to be authorised to have access to the data and must lay down
objective criteria enabling the number of such officials to be known, having regard to the different situations provided
for in Articles 9 and 16 of the agreement envisaged.
274. Before the Court, the interested parties discussed at length the consequences that flow from the judgment of
8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238), as regards the strict
necessity for the system of data retention provided for in Article 16 of the agreement envisaged.
275. In that judgment, the Court took issue with the EU legislature for not having required that the data in question be
retained within the Union, with the consequence that the control, explicitly required by Article 8(3) of the Charter, by
an independent authority of compliance with the requirements of protection and security of the data was not fully
ensured. (102)
276. Furthermore, as regards the data retention period of a maximum of two years laid down in Directive 2006/24,
the Court took issue with the fact that the directive did not distinguish between the categories of data on the basis of
their usefulness for the purposes of the objective pursued or according to the persons concerned and that the retention
period was not determined on the basis of objective criteria. (103)
277. As regards the first point, it is clear that the data coming within the terms of the agreement envisaged will not be
kept within the Union. That in itself is not sufficient, however, to render invalid the retention system provided for in
Article 16 of the agreement envisaged, unless the agreement does not fully ensure a review of the requirements of
protection and security by an independent authority. However, as I shall examine below, while the contracting parties’
intention is indeed to observe in full the requirement laid down in Article 8(3) of the Charter, Article 10(1) of the
agreement envisaged is couched in terms that are too ambiguous to ensure, in all circumstances, the existence of such
a review. (104)
278. As for the duration of the data retention period, it is apparent from Article 16(1) of the agreement envisaged that
the maximum duration of that period is five years from the date that the data is received, (105) and that at the end of
that period Canada is required, pursuant to Article 16(6) of the agreement envisaged, to destroy the data.
279. It is common ground that the retention period has been extended by one and a half years by comparison with the
period provided for in the 2006 Agreement. Furthermore, apart from the explanations and examples provided by
certain interested parties during the proceedings before the Court, which are essentially linked to the average lifetime
of international serious crime networks and to the duration and complexity of investigations of those networks, the
agreement envisaged does not indicate the objective reasons that led the contracting parties to increase the data
retention period to a maximum of five years.
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 32/46
8.9.2017 CURIA - Documents
280. To my mind those objective reasons must be stated in the agreement envisaged, thus ensuring at the outset that
that period is necessary for the objectives pursued by the agreement envisaged. To be quite clear on this point, that
consideration also applies with respect to Article 16(5) of the agreement envisaged, the scope of which, as I have
already observed in connection with the sensitive data that must be excluded from the scope of that agreement,
should, as regards the retention of the other data for a maximum period of five years, be confined to the purpose
described in Article 3 of the agreement envisaged. (106)
281. It must therefore be stated that the contracting parties have not shown that it is necessary to retain all the data for
a maximum period of five years.
282. The Court might, in the context of these proceedings, confine itself to that assessment, and would therefore not
be required to ascertain whether the five-year retention period for all data for all air passengers travelling between
Canada and the Union exceeds what is strictly necessary to attain the security purpose of the agreement envisaged.
283. In case the Court should nonetheless consider it appropriate to devote some argument to that point, I shall permit
myself to make the following comments.
284. First of all, as regards the amount of data retained, it is permissible in my view to ask whether, after several
years, there is justification for retaining certain categories of data, since the Canadian competent authority has or may
have at its disposal, by means of unmasking, in accordance with the conditions laid down in Article 16(3) of the
agreement envisaged, the data revealing the essential information relating to the identity of the passenger or
passengers on , the date of travel, the payment methods used, all available information, the travel itinerary, details of
the travel agency or travel agent and baggage information. In particular, I wonder whether frequent flyer and benefit
information (heading 5 in the annex to the agreement envisaged), information about the check-in status of the
passenger (heading 13 in the annex), ticketing or ticket price information (heading 14 in the annex) and code sharing
information (heading 11 in the annex) which, according to the Commission, provide information only about the actual
carrier prove, after being retained for some years, to be information having genuine added value by comparison with
the other data which is also retained and which may be unmasked, with the aim of combating terrorism and serious
transnational crime.
285. Next, in addition to the doubts that may be raised about the strict necessity of the retention period of all the data
provided for in the agreement envisaged, the guarantees afforded by Article 16(3) of that agreement, concerning
‘depersonalisation’ by masking, seem to me to be insufficient in any event to ensure the protection and security of the
personal details of the passengers concerned.
286. Admittedly, that article does indeed provide that the names of all passengers are to be masked 30 days after they
are received. It also states that the data in categories 6, 7, 17 and 18, listed in the annex to the agreement
envisaged, (107) is to be masked two years after it is received if, in the case of the last two categories, it is capable of
identifying a natural person.
287. It is precisely the exhaustive nature of that list that seems worrying. In fact, other headings in the annex to the
agreement envisaged are also capable of directly identifying a natural person but do not appear on the list in
Article 16(3) of the agreement envisaged. I am thinking mainly of the available frequent flyer and benefit information
(heading 5 in the annex) and all available payment/billing information (heading 8), which includes, in particular,
details of the payment method or methods used.
288. I therefore consider that, by omitting to ensure the ‘depersonalisation’ by masking of all the data on the basis of
which a passenger may be directly identified, the contracting parties have not struck a fair balance between the
objectives pursued by the agreement envisaged.
289. Last, as regards the rules and procedures applicable to the unmasking of the data, it should be borne in mind that
Article 16(4) of the agreement envisaged states that such an operation can be carried out only if on the basis of
available information it is necessary to carry out investigations under the scope of Article 3 of the agreement
envisaged either, up to two years from initial receipt of the data, by a limited number of specifically authorised
officials or, between two years and five years after receipt, only with prior permission by the Head of the Canadian
Competent Authority or a senior official specifically mandated by the Head.
290. Subject to the observations made above in relation to the objective criteria on which the officials authorised to
access the data may be determined (108) and to those made below in relation to the oversight of the Canadian
competent authority by an independent public authority, (109) I consider that Article 16(4) of the agreement
envisaged does not in itself go beyond what is strictly necessary.
291. Articles 12, 18 and 19 of the agreement envisaged relate directly to the disclosure of the data.
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 33/46
8.9.2017 CURIA - Documents
292. Article 12 of the agreement envisaged, entitled ‘Access for individuals’, appears at first sight not to call for
criticism, since it seeks to ensure that everyone has access to his own data.
293. Paragraph 3 of that article seems to me, however, to extend the possibilities of access to the data and information
extracted from it to anyone, without any specific guarantees being laid down. Article 12(3) of the agreement
envisaged authorises Canada to ‘make any disclosure of information subject to reasonable legal requirements and
limitations …, with due regard for the legitimate interests of the individual concerned’. However, neither the
recipients of that ‘information’ nor the use to which it is put is defined in the agreement envisaged. It is therefore
quite possible that that information may be communicated to any natural or legal person, such as a bank, for example,
provided that considers that the disclosure of such information does not exceed ‘reasonable’ legal requirements,
which, moreover, are not defined in the agreement envisaged.
294. Having regard in particular to the particularly vague nature of its wording and to the particularly broad terms in
which it is couched, Article 12(3) of the agreement envisaged therefore seems to me to go beyond what is strictly
necessary to attain the public security objective pursued by the agreement envisaged.
295. As for Articles 18 and 19 of the agreement envisaged, they relate respectively to disclosure of data by the
Canadian competent authority to other government authorities in Canada and to other government authorities of
countries other than Member States of the Union.
296. Like the Parliament, I consider that, in so far as the ‘adequate level of protection’, deemed to satisfy the level
guaranteed in EU law, concerns only compliance by the Canadian competent authority with the terms of the
agreement envisaged, the contracting parties must ensure that that level of protection cannot be circumvented by
personal data being transferred to other Canadian government authorities or to third countries. (110)
297. It cannot be denied that Articles 18 and 19 of the agreement envisaged make the subsequent transfer of data or
the analytical information containing data subject to strict cumulative conditions, four of which are identical. Thus,
that data and that information are communicated only if the government authorities in question have functions
directly related to the scope of Article 3 of the agreement envisaged, on a case-by-case basis and on condition that the
circumstances of the particular case render disclosure necessary for the purposes stated in Article 3. In addition, it is
made clear that only the minimum data or analytical information necessary is to be disclosed. (111)
298. However, the guarantees afforded by those two terms of the agreement envisaged differ from the other
conditions.
299. First of all, while, according to Article 18 of the agreement envisaged, the other Canadian government
authorities to whom the data is disclosed must afford ‘protection equivalent to the safeguards described in [the
agreement envisaged]’, Article 19(1)(e) states that the Canadian Competent Authority must be ‘satisfied’ that the
foreign authority receiving the data applies either standards to protect the data that are equivalent to those set out in
the agreement envisaged, in accordance with agreements and arrangements that incorporate those standards, or the
standards to protect the data that it has agreed with the Union.
300. In both situations, it is common ground that it is solely for the Canadian competent authority, namely the , to
ascertain the adequacy of the protection afforded by the public authority receiving the data. Neither the CBSA’s
examination nor any decision on disclosure of the data is subject to ex ante control by an independent authority or a
judge. Nor does the agreement envisaged provide that the intention to transfer the data of a national of a Member
State of the Union is at least to be notified to the competent authorities of the Member State in question and/or to the
Commission before disclosure actually takes place. Article 18 of the agreement envisaged is silent as to the latter
possibility, while Article 19(2) thereof provides only that the competent authorities of the Member State in question
are to be informed ‘at the earliest appropriate opportunity’.
301. In fact, the additional guarantees referred to in the preceding paragraph should in my view be afforded.
302. A mere post factum review of the disclosure of the data will not make it possible either to counterbalance an
incorrect assessment of the level of protection afforded by a recipient public authority or to restore the privacy and
confidentiality of the data when it has been transferred to and used by the recipient public authority. (112) That is
particularly true in the case of the disclosure of data to a third country, where its subsequent use will even be outside
the post factum competence and review of the Canadian authorities and courts.
303. Furthermore, if the Commission and the competent authorities of the Member State of which the individual
whose data is to be transferred is a national are given prior notification, it will be possible to ensure that the
examination of the ‘equivalent level of protection’ has indeed been carried out. In addition, from a different aspect,
such prior information, in so far as the transfer of data in application of Articles 18 and 19 of the agreement envisaged
will be able to be effected only in duly reasoned cases and specific circumstances and therefore in situations in which
it may be supposed that significant suspicion attaches to the person concerned, is in particular apt to contribute to
reinforcing cooperation between the competent authorities of Canada, the Union and its Member States, in keeping
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 34/46
8.9.2017 CURIA - Documents
with the objective of preventing and detecting terrorism and serious transnational crime pursued by the agreement
envisaged.
304. Next, it should be observed that under Article 18(1)(f) of the agreement envisaged the receiving Canadian
government authority is prohibited from subsequently disclosing the data to another entity unless the disclosure is
authorised by the respecting the conditions laid down in that paragraph. Conversely, Article 19 of the agreement
envisaged does not require the to be satisfied, before the data is transferred, that the receiving public authority of a
third country cannot itself subsequently disclose that data to another entity, as the case may be, of another third
country.
305. As the risk that such a situation, which would have the effect of circumventing the level of protection of personal
data afforded by EU law, may arise has not been excluded, it must be stated that Article 19 of the agreement
envisaged authorises unwarranted interferences with the fundamental rights guaranteed by Articles 7 and 8 of the
Charter. (113)
306. Control by an independent authority, which is required by both Article 8(3) of the Charter and the second
subparagraph of Article 16(2) TFEU, is an essential element of respect for the protection of individuals with regard to
the processing of personal data in the Union. (114)
307. It is clear from the terms of the agreement envisaged that the contracting parties are aware of that requirement,
although, and I shall return to this point, the agreement envisaged does not fully satisfy it.
308. With the objective of ensuring that the level of protection afforded by the Canadian competent authority, where it
processes and uses data, is, according to Article 5 of the agreement envisaged, ‘adequate … within the meaning of
relevant EU data protection law’, that authority must, in particular, comply with the measures provided for in
Article 10 of the agreement envisaged, that is to say, control by an ‘overseeing authority’. That authority must have
‘effective powers to investigate compliance with the rules related to the collection, use, disclosure, retention, or
disposal of data’. Those powers also include the power to conduct compliance reviews, make recommendations to the
Canadian Competent Authority and refer violations of law related to the agreement envisaged for prosecution or
disciplinary action. Under Article 14(1) of the agreement envisaged, the overseeing authority is to receive, investigate
and respond to complaints lodged by individuals concerning their request for access to, correction of or annotation of
their data.
309. It follows that it is indeed the contracting parties’ intention to ensure that the processing of personal data by the
is subject to an effective mechanism for the detection and review of any violations of the rules of the agreement
envisaged affording protection of passengers’ privacy and personal data, in order to ensure a level of protection that is
intended to be ‘substantially equivalent’ to that which individuals would enjoy if their personal data were processed
and retained within the Union.
310. It follows that control by an independent authority, required in particular by Article 8(3) of the Charter, is fully
applicable in the present case.
311. In fact, the particular feature of the overseeing authority put in place in the agreement envisaged that attracts
criticism from the Parliament and the EDPS in respect of its complete independence is that it is bicephalous.
Article 10 of the agreement envisaged presents that authority as either an ‘independent public authority’ or an
‘authority created by administrative means that exercises its functions in an impartial manner and that has a proven
record of autonomy’.
312. The first of those authorities, as is clear from the letter of 25 June 2014 from the Mission of Canada to the
European Union (115) and the explanations provided by the Commission during the proceedings before the Court,
designates the Canadian Privacy Commissioner, whose status, mode of appointment, fixed term of office of seven
years, investigative powers, including the power to investigate matters on his own initiative, are laid down in the
Canadian Privacy Act 1985. (116) It should be pointed out that none of the interested parties has cast doubt on the
fact that the Canadian Privacy Commissioner, who reports exclusively to the Chambers of the Canadian Parliament,
enjoys independence and impartiality that allow him to perform his tasks without being subject to any external
influence or directions, in particular from the Executive. (117)
313. It is apparent from the explanations provided to the Court that, under the Privacy Act, the powers of the
Canadian Privacy Commissioner extend to complaints from any individual alleging a breach of the rules on privacy
and personal data protection by a federal public institution in Canada.
314. However, the alternative wording of Article 10(1) of the agreement envisaged gives the impression that the
processing of data by the might also be wholly assumed by the ‘authority created by administrative means that
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 35/46
8.9.2017 CURIA - Documents
exercises its functions in an impartial manner and that has a proven record of autonomy’, that is to say by the
Recourse Directorate of the , which was set up under the 2006 Agreement.
315. However, irrespective of the guarantees referred to in the letter of 25 June 2014 from the Mission of Canada to
the European Union, according to which the Recourse Directorate of the CBSA will receive no directions from the
other operational bodies of the latter, that directorate, like all the other bodies of the , continues to be directly
subordinate to the responsible Minister, from whom it may receive directions. (118) Since it is liable to be subject to
influence of, in particular, a political nature on the part of the authority to which it is responsible or more generally
the Executive, the Recourse Directorate of the cannot be regarded as an independent supervisory authority for the
purposes of Article 8(3) of the Charter.
316. Consequently, in so far as Article 10 of the agreement envisaged provides, in essence, that the supervisory
authority may be either the Canadian Privacy Commissioner or the Recourse Directorate of the , it does not constitute
a clear and precise rule systematically ensuring control by an independent authority, within the meaning of
Article 8(3) of the Charter, of respect for the private life and protection of the personal data of the individuals
concerned by the data processing provided for by the agreement envisaged. It is for the contracting parties to dispel
the ambiguity resulting from the drafting of Article 10(1) of that agreement and to ensure that control of compliance
with the fundamental rights guaranteed by Articles 7 and 8 of the Charter is entrusted to an independent supervisory
authority, within the meaning of Article 8(3) of the Charter.
317. As for Article 14(1) of the agreement envisaged, which concerns administrative redress, it is apparent from the
explanations provided by the Commission that, under the Canadian Privacy Act of 1985, the Canadian Privacy
Commissioner is not competent to hear requests for access, correction or annotation of PNR data from persons not
present in Canada, that is to say, requests submitted by those persons on the basis of Articles 12 and 13 of the
agreement envisaged.
318. According to the explanations provided the Commission, the investigation of requests for access, correction or
annotation, and the replies to those requests submitted by persons not present in Canada, as is undoubtedly the
position of most citizens of the Union, are within the remit of the Recourse Directorate of the CBSA.
319. In its observations, and in its replies to the questions put by the Court, the Commission stated that a person
whose request for access to his data, or for correction or annotation of that data, has been rejected by the Recourse
Directorate of the could, via an agent present in Canada, file a complaint with the Canadian Privacy Commissioner.
320. However, there is no reference in the agreement envisaged to the existence of that administrative appeal to the
Canadian Privacy Commissioner, nor is its existence apparent from any provision of Canadian law brought to the
knowledge of the Court. Provided that it is actually conceivable, I consider that the possibility of such an appeal
should be clearly indicated in the agreement envisaged, in such a way as to enable everyone to be aware of the scope
of the procedural rights recognised to him by that measure. If such a possibility does not in fact exist, the Canadian
Privacy Commissioner should in my view be able to assume directly the task of responding to any request for access,
correction or annotation submitted by an individual not present in Canada. If none of those options is provided for, no
independent supervisory authority would be competent to examine requests of that type, even though it is exclusively
such requests that will be submitted by citizens of the with regard to their own personal data. The possibility that such
a situation may arise means, in my view, that the contracting parties have not struck a fair balance between the
objectives pursued by the agreement envisaged.
321. In any event, Article 14(1) of the agreement envisaged should clearly state that requests for access, correction
and annotation submitted by passengers not present on Canadian territory may be brought, either directly or by means
of an administrative action, before an independent public authority.
322. On the other hand, and in the interest of completeness, it does not appear to me that the criticisms put forward by
the Parliament, namely that Article 14(2) of the agreement envisaged is liable to infringe Article 47 of the Charter, are
well founded.
323. Article 14(2) of the agreement envisaged provides that Canada is to ensure that any individual who is of the view
that their rights have been infringed by a decision or action in relation to their data may seek effective judicial redress
in accordance with Canadian law by way of judicial review, or such other remedy which may include compensation.
324. As the Council has claimed, that provision ensures that individuals, irrespective of their nationality, their
domicile or whether or not they are present in , are able to benefit from effective judicial protection, within the
meaning of Article 47 of the Charter. The fact that Article 14(2) of the agreement envisaged provides that the
‘effective judicial remedy’ may take the form not only of judicial review but also of an action for compensation
shows that Canada undertakes to ensure that all individuals concerned may pursue effective legal remedies.
325. I would add that it follows from Article 14(1) of the agreement envisaged that an authority which has rejected a
request for access, correction or annotation must inform the complainant of the procedure for initiating the legal
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 36/46
8.9.2017 CURIA - Documents
redress referred to paragraph 2 of that article, which ensures that adequate individual information is made available to
the citizens of the Union concerned.
326. Contrary to the Parliament’s suggestion, with reference to paragraph 95 of the judgment of 6 October 2015,
Schrems (C‑362/14, EU:C:2015:650), such a situation is not comparable to the situation that led the Court to find in
that case that there had been a failure to respect the essence of the fundamental right to effective judicial protection.
That case concerned the legislation of a third country which the Commission had regarded as ensuring an adequate
level of protection of fundamental rights but which, in the light of the information subsequently acquired, did not
provide for any possibility for an individual to pursue legal remedies in order to have access to his own personal data
or to obtain the rectification or erasure of such data.
327. The agreement envisaged, which constitutes an international commitment for , does indeed require to ensure that
such remedies are put in place and are effective. To that extent, and having regard to the preventive nature of the
opinion procedure, that fact is sufficient, in my view, to support the conclusion that Article 14(2) of the agreement
envisaged is compatible with Article 47 of the Charter. (119)
VIII – Conclusion
328. In the light of the foregoing, I propose that the Court reply to the Parliament’s request for an opinion along the
following lines:
1. The act of the Council concluding the agreement envisaged between Canada and the European Union on the
transfer and processing of Passenger Name Record () data, signed on 25 June 2014, must be based on the first
subparagraph of Article 16(2) TFEU and Article 87(2)(a) TFEU, read in conjunction with Article 218(6)(a)(v) TFEU.
2. The agreement envisaged is compatible with Article 16 TFEU and Articles 7 and 8 and Article 52(1) of the
Charter of Fundamental Rights of the European Union, provided that:
– the categories of Passenger Name Record (PNR) data of airline passengers listed in the annex to the agreement
envisaged are clearly and precisely worded and sensitive data, within the meaning of the agreement envisaged,
is excluded from the scope of that agreement;
– offences coming within the definition of serious transnational crime, provided for in Article 3(3) of the
agreement envisaged, are listed exhaustively in the agreement or in an annex thereto;
– the agreement envisaged identifies in a sufficiently clear and precise manner the authority responsible for
processing the Passenger Name Record data, in such a way as to ensure the protection and security of those
data;
– the agreement envisaged expressly specifies the principles and rules applicable to both the pre-established
scenarios or assessment criteria and the databases with which the Passenger Name Record data is compared in
the context of the automated processing of that data, in such a way that the number of ‘targeted’ persons can
be limited, to a large extent and in a non-discriminatory manner, to those who can be reasonably suspected of
participating in a terrorist offence or serious transnational crime;
– the agreement envisaged specifies that only the officials of the Canadian competent authority are to be
authorised to access the Passenger Name Record data and lays down objective criteria that enable the number
of those officials to be specified;
– the agreement envisaged indicates, stating the reasons, precisely why it is objectively necessary to retain all
Passenger Name Record data for a maximum period of five years;
– where the maximum five-year retention period for the Passenger Name Record data is considered necessary,
the agreement envisaged ensures that all the Passenger Name Record data that would enable an airline
passenger to be directly identified is ‘depersonalised’ by masking;
– the agreement envisaged makes the examination carried out by the Canadian competent authority relating to the
level of protection afforded by other Canadian public authorities and by those of third countries, and also any
decision to disclose Passenger Name Record data, on a case-by-case basis, to those authorities, subject to ex
ante control by an independent authority or a court;
– the intention to transfer Passenger Name Record data of a national of a Member State of the European Union to
another Canadian public authority or to a public authority of a third country is notified in advance to the
competent authorities of the Member State in question and/or to the European Commission before any
communication takes place;
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 37/46
8.9.2017 CURIA - Documents
– the agreement envisaged systematically ensures, by a clear and precise rule, control by an independent
authority, within the meaning of Article 8(3) of the Charter of Fundamental Rights of the European Union, of
respect for the private life and protection of the personal data of passengers whose Passenger Name Record
data is processed; and
– the agreement envisaged makes clear that requests for access, rectification and annotation made by passengers
not present on Canadian territory may be submitted, either directly or by means of an administrative appeal, to
an independent public authority.
3. The agreement envisaged is incompatible with Articles 7 and 8 and Article 52(1) of the Charter of Fundamental
Rights of the European Union in so far as:
– Article 3(5) of the agreement envisaged allows, beyond what is strictly necessary, the possibilities of processing
Passenger Name Record data to be extended, independently of the purpose, stated in Article 3 of that
agreement, of preventing and detecting terrorist offences and serious transnational crime;
– Article 8 of the agreement envisaged provides for the processing, use and retention by Canada of Passenger
Name Record data containing sensitive data;
– Article 12(3) of the agreement envisaged confers on Canada, beyond what is strictly necessary, the right to
make disclosure of information subject to reasonable legal requirements and limitations;
– Article 16(5) of the agreement envisaged authorises Canada to retain Passenger Name Record data for up to
five years for, in particular, any specific action, review, investigation or judicial proceedings, without a
requirement for any connection with the purpose, stated in Article 3 of that agreement, of preventing and
detecting terrorist offences and serious transnational crime; and
– Article 19 of the agreement envisaged allows Passenger Name Record data to be transferred to a public
authority in a third country without the Canadian competent authority, subject to control by an independent
authority, first being satisfied that the public authority in the third country in question to which the data is
transferred cannot itself subsequently communicate the data to another body, where relevant, in another third
country.
2 Proposal for a Council Decision on the conclusion of the Agreement between Canada and the European Union on the
transfer and processing of Passenger Name Record Data (COM(2013) 528 final).
3 See Council Decision 2012/381/EU of 13 December 2011 on the conclusion of the Agreement between the European
Union and Australia on the processing and transfer of Passenger Name Record () data by air carriers to the Australian
Customs and Border Protection Service (OJ 2012 L 186, p. 3).
4 See Council Decision 2012/472/EU of 26 April 2012 on the conclusion of the Agreement between the United States of
America and the European Union on the use and transfer of passenger name records to the United States Department of
Homeland Security (OJ 2012 L 215, p. 4).
5 See Position of the European Parliament adopted at first reading on 14 April 2016 with a view to the adoption of
Directive (EU) 2016/… of the European Parliament and of the Council on the use of passenger name record (Passenger
Name Record) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (EP-
PETC1-COD(2011) 0023).
6 See paragraphs 65 to 135 of this Opinion. It should be noted that, following the decision of the Court, this is also the
first time that the Court will have the benefit of an ‘Opinion’, presented and published before it delivers its opinion.
7 See Council Decision 2006/230/EC of 18 July 2005 on the conclusion of an Agreement between the European
Community and the Government of Canada on the processing of /Passenger Name Record data (OJ 2006 L 82, p. 14).
8 Directive of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with
regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 38/46
8.9.2017 CURIA - Documents
9 Commission Decision of 6 September 2005 on the adequate protection of personal data contained in the Passenger
Name Record of air passengers transferred to the Canada Border Services Agency (OJ 2006 L 91, p. 49).
10 Pursuant to Article 7, Decision 2006/523 expired three years and six months after the date of its notification. It could
have been extended in accordance with the procedure laid down in Article 31(2) of Directive 95/46, but was not.
12 OJ 2011 C 81 E, p. 70.
16 The full text of the Opinion of the EDPS in German, English and French is available at the following internet
address: https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2013/13-
09-30_Canada_EN.pdf.
17 Although that has not been disputed, I would make clear, for all purposes, that the subject matter of the request for an
opinion does indeed relate to an ‘agreement envisaged’, within the meaning of Article 218(11) TFEU, since although the
agreement at issue in the present case had already been signed by the Council when the matter was referred to the Court, it
has still not been concluded. See, to that effect, Opinion 3/94 of 13 December 1995 (EU:C:1995:436, paragraphs 18 and
19).
18 See, in particular, Opinion 1/75 of 11 November 1975 (EU:C:1975:145); Opinion 1/08 of 30 November 2009
(EU:C:2009:739, paragraphs 108 and 109); and Opinion 1/13 of 14 October 2014 (EU:C:2014:2303, paragraph 43).
19 Although it has not been disputed, I would add, for all practical purposes, that the Court has already held that the fact
that the measure authorising signature of the agreement has not been the subject of an action for annulment does not mean
that a request for an opinion raising the question whether an agreement envisaged is compatible with EU primary law is
inadmissible. See, to that effect, Opinion 2/00 of 6 December 2001 (EU:C:2001:664, paragraph 11).
20 See Opinion 2/00 du 6 December 2001 (EU:C:2001:664) and Opinion 1/08 of 30 November 2009 (EU:C:2009:739).
21 Opinion 2/00 of 6 December 2001 (EU:C:2001:664, paragraph 5) and Opinion 1/08 of 30 November 2009
(EU:C:2009:739, paragraph 110).
22 See, to that effect, Opinion 2/00 of 6 December 2001 (EU:C:2001:664, paragraph 5) and Opinion 1/08 of
30 November 2009 (EU:C:2009:739, paragraph 110).
23 See, to that effect, Opinion 2/00 of 6 December 2001 (EU:C:2001:664, paragraph 6).
25 See judgment of 11 June 2014, Commission v Council(C‑377/12, EU:C:2014:1903, paragraph 34 and the case-law
cited).
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 39/46
8.9.2017 CURIA - Documents
26 See, in particular, judgments of 6 November 2008, Parliament v Council(C‑155/07, EU:C:2008:605, paragraph 36);
of 19 July 2012, Parliament v Council(C‑130/10, EU:C:2012:472, paragraph 44); of 24 June 2014, Parliament v
Council(C‑658/11, EU:C:2014:2025, paragraph 43) and of 14 June 2016, Parliament v Council (C‑263/14, EU:C:2016:453,
paragraph 44). It should be noted that, on this point, the Court’s case-law does not seem entirely consistent, since some
judgments, rather strangely, merely mention the pursuit of a number of indissociably linked objectives, without reference to
the components of the act under examination. See, for example, judgments of 29 April 2004, Commission v
Council(C‑338/01, EU:C:2004:253, paragraph 56), and of 11 June 2014, Commission v Council(C‑377/12,
EU:C:2014:1903, paragraph 34).
28 The chosen procedural legal basis, namely Article 218(6)(a)(v) TFEU, requires that the Council may not adopt the
decision concluding an international agreement without having obtained the consent of the Parliament where that
agreement covers ‘fields to which … the ordinary legislative procedure applies’, does not form the subject matter of the
request submitted by the Parliament and is not the object of controversy between the interested parties. That provision
appears to be the appropriate procedural basis for the act concluding the agreement envisaged.
29 See judgment of 30 May 2006, Parliament v Council and Commission(C‑317/04 and (C‑318/04, EU:C:2006:346,
paragraphs 57 to 59).
30 OJ 2011 L 288, p. 1.
31 Judgment of 6 May 2014, Commission v Parliament and Council(C‑43/12, EU:C:2014:298, paragraph 42).
32 According to the second sentence in that article of the agreement envisaged, ‘an air carrier that provides data to
Canada under this Agreement is deemed to comply with European Union legal requirements for data transfer from the
European Union to Canada’.
33 Article 20 of the agreement envisaged states, in particular, that the contracting parties ‘shall ensure that air carriers
transfer data to the Canadian Competent Authority exclusively on the basis of the push method …’ (emphasis added).
34 Article 21(1) of the agreement envisaged, concerning the frequency of data transfer, states that ‘Canada shall ensure
that the Canadian Competent Authority requires an air carrier to transfer the data …’ (emphasis added).
36 See also, along similar lines, Opinion of Advocate General Kokott in Parliament v Council(C‑263/14,
EU:C:2015:729, point 67).
37 See judgment of 6 May 2014, Commission v Parliament and Council(C‑43/12, EU:C:2014:298, paragraphs 48 and
49).
38 See, by analogy, judgment of 30 May 2006, Parliament v Counciland Commission(C‑317/04 and C‑318/04,
EU:C:2006:346, paragraph 56).
39 Article 23(2) of the agreement envisaged confirms the importance ascribed to the security of citizens of the Union
when it states that the contracting parties are to cooperate to pursue the coherence of their respective data processing
regimes in a manner that ‘further enhances the security of citizens of Canada [and] the European Union’.
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 40/46
8.9.2017 CURIA - Documents
40 See, to that effect, by analogy, judgment of 30 May 2006, Parliament v Council and Commission(C‑317/04 and
C‑318/04, EU:C:2006:346, paragraph 59).
41 See, to that effect, judgment of 10 February 2009, Ireland v Parliament and Council(C‑301/06, EU:C:2009:68,
paragraph 83).
42 Emphasis added.
43 See the citations of Decision 2012/381 and Decision 2012/472, cited in footnotes 3 and 4, respectively, above.
44 See, in particular, judgments of 10 January 2006, Commission v Council(C‑94/03, EU:C:2006:2, paragraph 50); of
24 June 2014, Parliament v Council(C‑658/11, EU:C:2014:2025, paragraph 48); and of 18 December 2014, United
Kingdom v Council(C‑81/13, EU:C:2014:2449, paragraph 36).
46 See Opinion of Advocate General Léger in Joined Cases Parliament v Council and Commission(C‑317/04 and
C‑318/04, EU:C:2005:710, point 160).
47 See judgment of 6 October 2015, Schrems (C‑362/14, EU:C:2015:650, paragraphs 28 and 45 and the case-law cited).
49 Thus, at the hearing, in answer to a number of questions put by the Court, the Council’s representative acknowledged
that the three Member States concerned would not be able to vote on the adoption of an act by which they would not be
bound. It seems to me, moreover, to be inconsistent on the Council’s part to argue, as I have emphasised above, that the
second question in the request for an opinion is inadmissible on the ground that the choice of Article 16 TFEU as the
substantive legal basis for the act concluding the agreement envisaged, would have no impact, since the procedure for the
adoption of measures based on that provision is the same as those procedures laid down in Articles 82(1)(a) and 87(2)(d)
TFEU respectively, and to maintain, as regards the examination of the substance of that question, that those procedures are
incompatible.
50 See judgments of 22 October 2013, Commission v Council(C‑137/12, EU:C:2013:675, paragraph 73), and of
18 December 2014, United Kingdom v Council(C‑81/13, EU:C:2014:2449, paragraph 37).
53 In that regard, the Parliament draws a parallel with the approach taken in the judgment of 8 April 2014, Digital
Rights Ireland and Others(C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 37).
54 ECtHR, 1 July 2008, Liberty and others v. United Kingdom (CE:ECHR:2008:0701JUD005824300, paragraph 63).
55 These expressions being used, respectively, by Ireland and the United Kingdom Government in their replies to the
written question put by the Court.
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 41/46
8.9.2017 CURIA - Documents
56 Likewise, verification of the degree of independence of the ‘overseeing authority’ established by the agreement
envisaged requires that the Canadian legislation be taken into consideration: see points 311 to 316 below.
57 I would point out, by way of reminder, that in accordance with Article 6(1) TEU the Charter is to have ‘the same
legal value as the Treaties’.
58 See, on this criterion for the application of Articles 7 and 8 of the Charter, judgments of 9 November 2010, Volker
und Markus Schecke and Eifert(C‑92/09 and C‑93/09, EU:C:2010:662, paragraph 52); of 24 November 2011, Asociación
Nacional de Establecimientos Financieros de Crédito(C‑468/10 and C‑469/10, EU:C:2011:777, paragraph 42); and of
17 October 2013, Schwarz(C‑291/12, EU:C:2013:670, paragraph 26).
59 See, in particular, judgments of 9 November 2010 in Volker und Markus Schecke and Eifert(C‑92/09 and C‑93/09,
EU:C:2010:662, paragraph 47), and of 24 November 2011, Asociación Nacional de Establecimientos Financieros de
Crédito(C‑468/10 and C‑469/10, EU:C:2011:777, paragraph 41).
60 According to the Explanations relating to the Charter of Fundamental Rights (OJ 2007 C 303, p. 17), the rights
guaranteed in Article 7 of the Charter ‘correspond’ to those guaranteed by Article 8 of the ECHR, while Article 8 of the
Charter is ‘based’ on both Article 8 ECHR and Council of Europe Convention (No 108) of 28 January 1981 for the
Protection of Individuals with regard to Automatic Processing of Personal Data, which has been ratified by all the Member
States.
61 Judgment of 20 May 2003, Österreichischer Rundfunk and Others(C‑465/00, C‑138/01 and C‑139/01,
EU:C:2003:294, paragraph 74).
62 Judgment of 8 April 2014, Digital Rights Ireland and Others(C‑293/12 and C‑594/12, EU:C:2014:238, paragraphs 34
and 35).
63 Judgment of 8 April 2014, Digital Rights Ireland and Others(C‑293/12 and C‑594/12, EU:C:2014:238, paragraphs 29
and 36).
64 See, to that effect, judgment of 3 September 2008, Kadi and Al Barakaat International Foundation v Council and
Commission(C‑402/05 P and C‑415/05 P, EU:C:2008:461, paragraphs 284 and 285).
65 See, to that effect, judgments of 20 May 2003, Österreichischer Rundfunk and Others(C‑465/00, C‑138/01 and
C‑139/01, EU:C:2003:294, paragraph 75); of 8 April 2014, Digital Rights Ireland and Others(C‑293/12 and C‑594/12,
EU:C:2014:238, paragraph 33); and of 6 October 2015, Schrems(C‑362/14, EU:C:2015:650, paragraph 87).
66 See, to that effect, judgments of 20 May 2003, Österreichischer Rundfunk and Others(C‑465/00, C‑138/01 and
C‑139/01, EU:C:2003:294, paragraph 75); of 8 April 2014, Digital Rights Ireland and Others(C‑293/12 and C‑594/12,
EU:C:2014:238, paragraph 33); and of 6 October 2015, Schrems(C‑362/14, EU:C:2015:650, paragraph 87).
67 According to the information supplied to the Court, 28 million passengers took flights between Canada and the Union
between April 2014 and March 2015.
68 It should be noted that, in the judgment of 8 April 2014, Digital Rights Ireland and Others(C‑293/12 and C‑594/12,
EU:C:2014:238, paragraph 37), the Court considered that the impressions or sentiments generated in the minds of the
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 42/46
8.9.2017 CURIA - Documents
public affected by rules on the processing and retention of personal data assumed a certain importance in the assessment of
the gravity of the interference with the fundamental rights safeguarded by Articles 7 and 8(1) of the Charter.
69 As stated above, Article 11(1) of the agreement envisaged refers only to the information available on the Canadian
competent authority’s website, while paragraph 2 mentions only a rather vague obligation to work to promote transparency,
preferably at the time of booking, consisting in informing passengers of, in particular, the reasons for data collection and
use.
70 See, in particular, ECtHR, 24 April 1990, Kruslin v. France (CE:ECHR:1990:0424JUD001180185, paragraph 27),
and ECtHR, 1 July 2008, Liberty and others v. United Kingdom (CE:ECHR:2008:0701JUD005824300, paragraph 59).
71 See ECtHR, 1 December 2015, Brito Ferrinho Bexiga Villa-Nova v. Portugal (CE:ECHR:2015:1201JUD006943610,
paragraph 47).
72 See ECtHR, 2 August 1984, Malone v. United Kingdom (CE:ECHR:0802JUD000869179, paragraph 66).
73 See ECtHR, 6 July 2010, Neulinger and Shuruk v. Switzerland (CE:ECHR:2010:0706JUD004161507, paragraph 99),
and ECtHR, 12 June 2014, Fernández Martínez v. Spain (CE:ECHR:2014:0612JUD005603007, paragraph 118).
74 Judgment of 9 November 2010, Volker und Markus Schecke and Eifert(C‑92/09 and C‑93/09, EU:C:2010:662,
paragraph 66).
76 See, in particular, judgments of 3 June 2008, Intertanko and Others(C‑308/06, EU:C:2008:312, paragraph 42), and of
13 January 2015, Council and Others v Vereniging Milieudefensie and Stichting Stop Luchtverontreiniging
Utrecht(C‑401/12 P to C‑403/12 P, EU:C:2015:4, paragraph 52).
77 See in particular, to that effect, ECtHR, 12 June 2014, Fernández Martínez v. Spain
(CE:ECHR:2014:0612JUD005603007, paragraph 117 and the case-law cited).
79 See judgment of 8 April 2014, Digital Rights Ireland and Others(C‑293/12 and C‑594/12, EU:C:2014:238,
paragraph 42).
80 See, in particular, judgments of 9 November 2010, Volker und Markus Schecke and Eifert(C‑92/09 and C‑93/09,
EU:C:2010:662, paragraph 74), and of 8 April 2014, Digital Rights Ireland and Others(C‑293/12 and C‑594/12,
EU:C:2014:238, paragraph 46).
81 See judgment of 8 April 2014, Digital Rights Ireland and Others(C‑293/12 and C‑594/12, EU:C:2014:238,
paragraph 48).
83 See, by analogy, judgment of 8 April 2014, Digital Rights Ireland and Others(C‑293/12 and C‑594/12,
EU:C:2014:238, paragraph 49).
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 43/46
8.9.2017 CURIA - Documents
84 According to the interested parties, only Air Canada provides flights between Denmark and Canada.
85 As the Kingdom of Denmark is not participating in the agreement envisaged, it must therefore be regarded as a third
country for the purposes of that agreement, whose cooperation relationship between the Canadian competent authority and
its own authorities is governed by Article 19 of the agreement envisaged.
86 See, to that effect, by analogy, judgment of 9 November 2010, Volker und Markus Schecke and Eifert(C‑92/09 and
C‑93/09, EU:C:2010:662, paragraph 77).
87 See, to that effect, judgments of 8 April 2014, Digital Rights Ireland and Others(C‑293/12 and C‑594/12,
EU:C:2014:238, paragraph 54), and of 6 October 2015, Schrems(C‑362/14, EU:C:2015:650, paragraph 91).
88 See, to that effect, judgments of 9 November 2010, Volker und Markus Schecke and Eifert(C‑92/09 and C‑93/09,
EU:C:2010:662, paragraph 86), and of 17 October 2013, Schwarz(C‑291/12, EU:C:2013:670, paragraph 46).
89 See, to that effect, judgment of 17 October 2013, Schwarz(C‑291/12, EU:C:2013:670, paragraph 53).
90 See Document 9944, approved by the Secretary General of the ICAO and published under his authority. The English
version of this document is available at the following internet address: www.iata.org/iata/passenger-data-
toolkit/assets/doc_library/04-pnr/New Doc 9944 1st Edition .pdf.
91 See, in that regard, paragraph 3.8 of the Guidelines on Advance Passenger Information () drawn up in 2010 under the
aegis of the World Customs Organisation, the International Air Transport Association and the ICAO, available at the
following internet address:
http://www.icao.int/Security/FAL/Documents/2010%20%20Guidelines%20Final%20Version.ICAO.2011%20full%20x2.pdf.
In the Union, the collection of is governed by Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers
to communicate passenger data (OJ 2004 L 261, p. 24).
92 See, in particular, the information on the website of the Canadian Ministry of Citizenship and Immigration
(Citizenship and Immigration Canada): www.cic.gc.ca/english/visit/apply-who.asp.
95 I shall examine the last two provisions in greater detail below. See paragraphs 292 to 294 and 274 to 290,
respectively, of this Opinion.
96 See, on Article 18 of the agreement envisaged, paragraphs 295 to 304 of this Opinion.
97 In the context of the application of Article 8 of the ECHR, the ECtHR applies the ‘reasonable suspicion’ test, which
may justify the interception of an individual’s private communications for reasons linked with the protection of public
security. See, in that regard, ECtHR, 4 December 2015, Zakharov v. Russia (CE:ECHR:2015:1204JUD004714306,
paragraph 260).
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 44/46
8.9.2017 CURIA - Documents
100 See ECtHR, 12 January 2016, Szabó and Vissy v. Hungary (CE:ECHR:2016:0112JUD003713814, paragraph 77
and the case-law cited).
102 Judgment of 8 April 2014, Digital Rights Ireland and Others(C‑293/12 and C‑594/12, EU:C:2014:238,
paragraph 68).
103 Judgment of 8 April 2014, Digital Rights Ireland and Others(C‑293/12 and C‑594/12, EU:C:2014:238,
paragraphs 62 to 64).
105 It should be noted, however, that Article 16(5)(b) of the agreement envisaged provides that the retention may be
extended for ‘an additional two-year period only to ensure the accountability of or oversee public administration so that it
may be disclosed to the passenger should the passenger request it’. As such, that extension of the retention of the data,
which did not feature in the observations of the interested parties, does not appear to raise any particular problems, since it
is designed solely to protect the rights of passengers whose data has been processed.
107 Namely, respectively, ‘other names on , including number of travellers on PNR’; ‘all available contact information
(including originator information)’; ‘general remarks including other supplementary information (), special service
information (SSI) and special service request (SSR) information, to the extent that it contains any information capable of
identifying a natural person’; and ‘any advance passenger information () data collected for reservation purposes to the
extent that it contains any information capable of identifying a natural person’.
110 See, by analogy, judgment of 6 October 2015, Schrems(C‑362/14, EU:C:2015:650, paragraph 73).
111 See, respectively, Article 18(1)(a) to (d) and Article 19(1)(a) to (d) of the agreement envisaged. It follows from
Article 18(2) and Article 19(3) of the agreement envisaged that the safeguards laid down in those provisions are also to
apply to the transfer of analytical information containing data.
112 See, by analogy, ECtHR, 12 January 2016, Szabó and Vissy v. Hungary (CE:ECHR:2016:0112JUD003713814,
paragraph 77).
113 It should be pointed out, for all practical purposes, that Article 19(1)(h) of the Agreement concluded with Australia
states that data may be transferred on a case-by-case basis to a third country authority only where the Australian Customs
and Border Protection Service is satisfied that the receiving authority has agreed not to further transfer data.
114 See, to that effect, judgments of 16 October 2012, Commission v Austria(C‑614/10, EU:C:2012:631, paragraphs 36
and 37); of 8 April 2014, Commission v Hungary(C‑288/12, EU:C:2014:237, paragraphs 47 and 48); and of 6 October
2015, Schrems(C‑362/14, EU:C:2015:650, paragraph 68).
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 45/46
8.9.2017 CURIA - Documents
115 This letter constitutes, in accordance with Article 30(2)(b) of the agreement envisaged, the notification through
diplomatic channels of the identity of the two authorities referred to in Article 10 and Article 14(1) of that agreement.
116 L.R.C., 1985, ch. P-21. The consolidated version of that Act, up to date as at 16 March 2016, is available on the
website of the Department of Justice Canada: http://lois-laws.justice.gc.ca.
117 In the context of the application of Article 8 of the ECHR, the ECtHR emphasises the independence which the
supervisory body must enjoy vis-à-vis the Executive. See, as regards the monitoring of interceptions of private
communications, ECtHR, 4 December 2015, Zakharov v. Russia (CE:ECHR:2015:1204JUD004714306, paragraphs 278
and 279).
118 It is thus apparent from the provisions of the Canada Border Services Agency Act (S.S. 2005, c. 38) that the
Minister is responsible for the (section 6.1), that the President of the has the control and management of that agency ‘under
the direction of the Minister’ (section 8.1) and that the exercises the powers that relate to the border legislation conferred by
the Act ‘subject to any direction given by the Minister’ (section 12.1). No provision of the Act mentions the Appeals
Directorate or, a fortiori, confers on it a special status within the CBSA. The Act, up to date as at 16 March 2016, is
available on the website of the Department of Justice Canada: http://lois-laws.justice.gc.ca
119 I would add that, when the agreement envisaged has been concluded, Article 26 thereof provides for a joint review
of its implementation one year after its entry into force and at regular intervals thereafter, and in any event four years after
its entry into force. If the implementation of Article 14(2) of the agreement envisaged gives rise to difficulties, they could
therefore be evaluated by the contracting parties and, if necessary, resolved in application of Article 25(1) of that agreement
or, failing that, could lead the Union to suspend the application of the agreement, in accordance with the procedure laid
down in Article 25(2) of the agreement envisaged. Furthermore, when the agreement envisaged has been introduced into
the EU legal order, none of those procedures would in my view detract from the possibility for a national court of a
Member State, hearing a dispute relating to the application of that agreement, to submit a question to the Court for a
preliminary ruling on the validity of the decision concluding the agreement, in the light of Article 5 of the agreement
envisaged and the circumstances that have arisen after that decision, by analogy with the Court’s observation in
paragraph 77 of the judgment of 6 October 2015, Schrems(C‑362/14, EU:C:2015:650) concerning the examination of the
validity of an adequacy decision adopted by the Commission. The question as to the influence that the opinion of the Court
that will be delivered in the present case may have on the answer to be given to such a reference for a ruling on validity is
outside the scope of this Opinion.
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 46/46
24.5.2016 EN Official Journal of the European Union L 135/53
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 88 thereof,
Whereas:
(1) Europol was set up by Council Decision 2009/371/JHA (2) as an entity of the Union funded from the general
budget of the Union to support and strengthen action by competent authorities of the Member States and their
mutual cooperation in preventing and combating organised crime, terrorism and other forms of serious crime
affecting two or more Member States. Decision 2009/371/JHA replaced the Convention based on Article K.3 of
the Treaty on European Union, on the establishment of a European Police Office (Europol Convention) (3).
(2) Article 88 of the Treaty on the Functioning of the European Union (TFEU) provides for Europol to be governed
by a regulation to be adopted in accordance with the ordinary legislative procedure. It also requires the
establishment of procedures for the scrutiny of Europol's activities by the European Parliament, together with
national parliaments, subject to point (c) of Article 12 of the Treaty on European Union (TEU) and Article 9 of
Protocol No 1 on the role of National Parliaments in the European Union, annexed to the TEU and to the TFEU
(‘Protocol No 1’), in order to enhance the democratic legitimacy and accountability of Europol to the Union's
citizens. Therefore, Decision 2009/371/JHA should be replaced by a regulation laying down, inter alia, rules on
parliamentary scrutiny.
(3) The ‘Stockholm programme — An open and secure Europe serving and protecting citizens’ (4) calls for Europol
to evolve and become a hub for information exchange between the law enforcement authorities of the
Member States, a service provider and a platform for law enforcement services. On the basis of an assessment of
Europol's functioning, further enhancement of its operational effectiveness is needed to meet that objective.
(4) Large-scale criminal and terrorist networks pose a significant threat to the internal security of the Union and to
the safety and livelihood of its citizens. Available threat assessments show that criminal groups are becoming
increasingly poly-criminal and cross-border in their activities. National law enforcement authorities therefore need
to cooperate more closely with their counterparts in other Member States. In this context, it is necessary to equip
Europol to better support Member States in Union-wide crime prevention, analyses and investigations. This was
also confirmed in the evaluation of Decision 2009/371/JHA.
(1) Position of the European Parliament of 25 February 2014 (not yet published in the Official Journal) and position of the Council at first
reading of 10 March 2016 (not yet published in the Official Journal). Position of the European Parliament of 11 May 2016 (not yet
published in the Official Journal).
(2) Council Decision 2009/371/JHA of 6 April 2009 establishing the European Police Office (Europol) (OJ L 121, 15.5.2009, p. 37).
(3) OJ C 316, 27.11.1995, p. 1.
(4) OJ C 115, 4.5.2010, p. 1.
L 135/54 EN Official Journal of the European Union 24.5.2016
(5) This Regulation aims to amend and expand the provisions of Decision 2009/371/JHA and of Council
Decisions 2009/934/JHA (1), 2009/935/JHA (2), 2009/936/JHA (3) and 2009/968/JHA (4) implementing
Decision 2009/371/JHA. Since the amendments to be made are of a substantial number and nature, those
Decisions should, in the interests of clarity, be replaced in their entirety in relation to the Member States bound
by this Regulation. Europol as established by this Regulation should replace and assume the functions of Europol
as established by Decision 2009/371/JHA, which, as a consequence, should be repealed.
(6) As serious crime often occurs across internal borders, Europol should support and strengthen Member States'
actions and their cooperation in preventing and combating serious crime affecting two or more Member States.
Given that terrorism is one of the most significant threats to the security of the Union, Europol should assist
Member States in facing common challenges in this regard. As the Union law enforcement agency, Europol
should also support and strengthen actions and cooperation in tackling forms of crime that affect the interests of
the Union. Among the forms of crime with which Europol is competent to deal, organised crime will continue to
fall within the scope of Europol's main objectives, as, given its scale, significance and consequences, it also calls
for a common approach by the Member States. Europol should also offer support in preventing and combating
related criminal offences which are committed in order to procure the means of perpetrating acts in respect of
which Europol is competent or to facilitate or perpetrate such acts or to ensure the impunity of committing
them.
(7) Europol should provide strategic analyses and threat assessments to assist the Council and the Commission in
laying down strategic and operational priorities of the Union for fighting crime and in the operational implemen
tation of those priorities. Where the Commission so requests in accordance with Article 8 of Council Regulation
(EU) No 1053/2013 (5), Europol should also carry out risk analyses, including in respect of organised crime,
insofar as the risks concerned may undermine the application of the Schengen acquis by the Member States.
Moreover, at the request of the Council or the Commission where appropriate, Europol should provide strategic
analyses and threat assessments to contribute to the evaluation of states that are candidates for accession to the
Union.
(8) Attacks against information systems affecting Union bodies or two or more Member States are a growing menace
in the Union, in particular in view of their speed and impact and the difficulty in identifying their sources. When
considering requests by Europol to initiate an investigation into a serious attack of suspected criminal origin
against information systems affecting Union bodies or two or more Member States, Member States should
respond to Europol without delay, taking into account the fact that the rapidity of the response is a key factor in
successfully tackling computer crime.
(9) Given the importance of the inter-agency cooperation, Europol and Eurojust should ensure that necessary
arrangements are established to optimise their operational cooperation, taking due account of their respective
missions and mandates and of the interests of Member States. In particular, Europol and Eurojust should keep
each other informed of any activity involving the financing of joint investigation teams.
(10) When a joint investigation team is set up, the relevant agreement should determine the conditions relating to the
participation of the Europol staff in the team. Europol should keep a record of its participation in such joint
investigation teams targeting criminal activities falling within the scope of its objectives.
(11) Europol should be able to request Member States to initiate, conduct or coordinate criminal investigations in
specific cases where cross-border cooperation would add value. Europol should inform Eurojust of such requests.
(1) Council Decision 2009/934/JHA of 30 November 2009 adopting the implementing rules governing Europol's relations with partners,
including the exchange of personal data and classified information (OJ L 325, 11.12.2009, p. 6).
(2) Council Decision 2009/935/JHA of 30 November 2009 determining the list of third States and organisations with which Europol shall
conclude agreements (OJ L 325, 11.12.2009, p. 12).
(3) Council Decision 2009/936/JHA of 30 November 2009 adopting the implementing rules for Europol analysis work files (OJ L 325,
11.12.2009, p. 14).
(4) Council Decision 2009/968/JHA of 30 November 2009 adopting the rules on the confidentiality of Europol information (OJ L 332,
17.12.2009, p. 17).
(5) Council Regulation (EU) No 1053/2013 of 7 October 2013 establishing an evaluation and monitoring mechanism to verify the
application of the Schengen acquis and repealing the Decision of the Executive Committee of 16 September 1998 setting up a Standing
Committee on the evaluation and implementation of Schengen (OJ L 295, 6.11.2013, p. 27).
24.5.2016 EN Official Journal of the European Union L 135/55
(12) Europol should be a hub for information exchange in the Union. Information collected, stored, processed,
analysed and exchanged by Europol includes criminal intelligence which relates to information about crime or
criminal activities falling within the scope of Europol's objectives, obtained with a view to establishing whether
concrete criminal acts have been committed or may be committed in the future.
(13) In order to ensure Europol's effectiveness as a hub for information exchange, clear obligations should be laid
down requiring Member States to provide Europol with the data necessary for it to fulfil its objectives. While
implementing such obligations, Member States should pay particular attention to providing data relevant to the
fight against crimes considered to be strategic and operational priorities within relevant policy instruments of the
Union, in particular the priorities set by the Council in the framework of the EU Policy Cycle for organised and
serious international crime. Member States should also endeavour to provide Europol with a copy of bilateral and
multilateral exchanges of information with other Member States on crime falling within Europol's objectives.
When supplying Europol with the necessary information, Member States should also include information about
any alleged cyber attacks affecting Union bodies located in their territory. At the same time, Europol should
increase the level of its support to Member States, so as to enhance mutual cooperation and the sharing of
information. Europol should submit an annual report to the European Parliament, to the Council, to the
Commission and to national parliaments on the information provided by the individual Member States.
(14) To ensure effective cooperation between Europol and Member States, a national unit should be set up in each
Member State (the ‘national unit’). The national unit should be the liaison link between national competent
authorities and Europol, thereby having a coordinating role in respect of Member States' cooperation with
Europol, and thus helping to ensure that each Member State responds to Europol requests in a uniform way. To
ensure a continuous and effective exchange of information between Europol and the national units, and to
facilitate their cooperation, each national unit should designate at least one liaison officer to be attached to
Europol.
(15) Taking into account the decentralised structure of some Member States and the need to ensure rapid exchanges of
information, Europol should be allowed to cooperate directly with competent authorities in Member States,
subject to the conditions defined by Member States, while keeping the national units informed at the latter's
request.
(16) The establishment of joint investigation teams should be encouraged and Europol staff should be able to
participate in them. To ensure that such participation is possible in every Member State, Council Regulation
(Euratom, ECSC, EEC) No 549/69 (1) provides that Europol staff do not benefit from immunities while they are
participating in joint investigation teams.
(17) It is also necessary to improve the governance of Europol, by seeking efficiency gains and streamlining
procedures.
(18) The Commission and the Member States should be represented on the Management Board of Europol (the
‘Management Board’) to effectively supervise its work. The members and the alternate members of the
Management Board should be appointed taking into account their relevant managerial, administrative and
budgetary skills and knowledge of law enforcement cooperation. Alternate members should act as members in
the absence of the member.
(19) All parties represented on the Management Board should make efforts to limit the turnover of their represen
tatives, with a view to ensuring the continuity of the Management Board's work. All parties should aim to
achieve a balanced representation between men and women on the Management Board.
(20) The Management Board should be able to invite non-voting observers whose opinion may be relevant for the
discussion, including a representative designated by the Joint Parliamentary Scrutiny Group (JPSG).
(1) Regulation (Euratom, ECSC, EEC) No 549/69 of the Council of 25 March 1969 determining the categories of officials and other servants
of the European Communities to whom the provisions of Article 12, the second paragraph of Article 13 and Article 14 of the Protocol
on the Privileges and Immunities of the Communities apply (OJ L 74, 27.3.1969, p. 1).
L 135/56 EN Official Journal of the European Union 24.5.2016
(21) The Management Board should be given the necessary powers, in particular to set the budget, verify its
execution, and adopt the appropriate financial rules and planning documents, as well as adopt rules for the
prevention and management of conflicts of interest in respect of its members, establish transparent working
procedures for decision-making by the Executive Director of Europol, and adopt the annual activity report. It
should exercise the powers of appointing authority vis-à-vis staff of the agency, including the Executive Director.
(22) To ensure the efficient day-to-day functioning of Europol, the Executive Director should be its legal representative
and manager, acting independently in the performance of his or her duties and ensuring that Europol carries out
the tasks provided for by this Regulation. In particular, the Executive Director should be responsible for preparing
budgetary and planning documents submitted for the decision of the Management Board and for implementing
the multiannual programming and annual work programmes of Europol and other planning documents.
(23) For the purposes of preventing and combating crime falling within the scope of its objectives, it is necessary for
Europol to have the fullest and most up-to-date information possible. Therefore, Europol should be able to
process data provided to it by Member States, Union bodies, third countries, international organisations and,
under stringent conditions laid down by this Regulation, private parties, as well as data coming from publicly
available sources, in order to develop an understanding of criminal phenomena and trends, to gather information
about criminal networks, and to detect links between different criminal offences.
(24) To improve Europol's effectiveness in providing accurate crime analyses to the competent authorities of the
Member States, it should use new technologies to process data. Europol should be able to swiftly detect links
between investigations and common modi operandi across different criminal groups, to check cross-matches of
data and to have a clear overview of trends, while guaranteeing a high level of protection of personal data for
individuals. Therefore, Europol databases should be structured in such a way as to allow Europol to choose the
most efficient IT structure. Europol should also be able to act as a service provider, in particular by providing a
secure network for the exchange of data, such as the secure information exchange network application (SIENA),
aimed at facilitating the exchange of information between Member States, Europol, other Union bodies, third
countries and international organisations. In order to ensure a high level of data protection, the purpose of
processing operations and access rights as well as specific additional safeguards should be laid down. In
particular, the principles of necessity and proportionality should be observed with regard to the processing of
personal data.
(25) Europol should ensure that all personal data processed for operational analyses are allocated a specific purpose.
Nonetheless, in order for Europol to fulfil its mission, it should be allowed to process all personal data received
to identify links between multiple crime areas and investigations, and should not be limited to identifying
connections only within one crime area.
(26) To respect the ownership of data and the protection of personal data, Member States, Union bodies, third
countries and international organisations should be able to determine the purpose or purposes for which Europol
may process the data they provide and to restrict access rights. Purpose limitation is a fundamental principle of
personal data processing; in particular, it contributes to transparency, legal certainty and predictability and is
particularly of high importance in the area of law enforcement cooperation, where data subjects are usually
unaware when their personal data are being collected and processed and where the use of personal data may
have a very significant impact on the lives and freedoms of individuals.
(27) To ensure that data are accessed only by those needing access in order to perform their tasks, this Regulation
should lay down detailed rules on different degrees of right of access to data processed by Europol. Such rules
should be without prejudice to restrictions on access imposed by data providers, as the principle of ownership of
data should be respected. In order to increase efficiency in the prevention and combating of crimes falling within
the scope of Europol's objectives, Europol should notify Member States of information which concerns them.
(28) To enhance operational cooperation between the agencies, and particularly to establish links between data already
in the possession of the different agencies, Europol should enable Eurojust and the European Anti-Fraud Office
(OLAF) to have access, on the basis of a hit/no hit system, to data available at Europol. Europol and Eurojust
should be able to conclude a working arrangement ensuring, in a reciprocal manner within their respective
mandates, access to, and the possibility of searching, all information that has been provided for the purpose of
24.5.2016 EN Official Journal of the European Union L 135/57
cross-checking in accordance with specific safeguards and data protection guarantees provided for in this
Regulation. Any access to data available at Europol should, by technical means, be limited to information falling
within the respective mandates of those Union bodies.
(29) Europol should maintain cooperative relations with other Union bodies, authorities of third countries, internat
ional organisations and private parties, to the extent required for the accomplishment of its tasks.
(30) To ensure operational effectiveness, Europol should be able to exchange all relevant information, with the
exception of personal data, with other Union bodies, authorities of third countries and international organ
isations, to the extent necessary for the performance of its tasks. Since companies, firms, business associations,
non-governmental organisations and other private parties hold expertise and information of direct relevance to
the prevention and combating of serious crime and terrorism, Europol should also be able to exchange such
information with private parties. To prevent and combat cybercrime, as related to network and information
security incidents, Europol should, pursuant to the applicable legislative act of the Union laying down measures
to ensure a high common level of network and information security across the Union, cooperate and exchange
information, with the exception of personal data, with national authorities competent for the security of network
and information systems.
(31) Europol should be able to exchange relevant personal data with other Union bodies to the extent necessary for
the accomplishment of its or their tasks.
(32) Serious crime and terrorism often have links beyond the territory of the Union. Europol should therefore be able
to exchange personal data with authorities of third countries and with international organisations such as the In
ternational Criminal Police Organisation — Interpol to the extent necessary for the accomplishment of its tasks.
(33) All Member States are affiliated to Interpol. To fulfil its mission, Interpol receives, stores and circulates data to
assist competent law enforcement authorities to prevent and combat international crime. Therefore, it is
appropriate to strengthen cooperation between Europol and Interpol by promoting an efficient exchange of
personal data whilst ensuring respect for fundamental rights and freedoms regarding the automatic processing of
personal data. When personal data is transferred from Europol to Interpol, this Regulation, in particular the
provisions on international transfers, should apply.
(34) To guarantee purpose limitation, it is important to ensure that personal data can be transferred by Europol to
Union bodies, third countries and international organisations only if necessary for preventing and combating
crime that falls within Europol's objectives. To this end, it is necessary to ensure that, when personal data are
transferred, the recipient gives an undertaking that the data will be used by the recipient or transferred onward to
a competent authority of a third country solely for the purpose for which they were originally transferred.
Further onward transfer of the data should take place in compliance with this Regulation.
(35) Europol should be able to transfer personal data to an authority of a third country or an international
organisation on the basis of a Commission decision finding that the country or international organisation in
question ensures an adequate level of data protection (‘adequacy decision’), or, in the absence of an adequacy
decision, an international agreement concluded by the Union pursuant to Article 218 TFEU, or a cooperation
agreement allowing for the exchange of personal data concluded between Europol and the third country prior to
the entry into force of this Regulation. In light of Article 9 of Protocol No 36 on transitional provisions, annexed
to the TEU and to the TFEU, the legal effects of such agreements are to be preserved until those agreements are
repealed, annulled or amended in the implementation of the Treaties. Where appropriate and in accordance with
Regulation (EC) No 45/2001 of the European Parliament and of the Council (1), the Commission should be able
to consult the European Data Protection Supervisor (EDPS) before and during the negotiation of an international
agreement. Where the Management Board identifies an operational need for cooperation with a third country or
(1) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with
regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8,
12.1.2001, p. 1).
L 135/58 EN Official Journal of the European Union 24.5.2016
an international organisation, it should be able to suggest to the Council that the latter draw the attention of the
Commission to the need for an adequacy decision or for a recommendation for the opening of negotiations on
an international agreement as referred to above.
(36) Where a transfer of personal data cannot be based on an adequacy decision, an international agreement
concluded by the Union or an existing cooperation agreement, the Management Board, in agreement with the
EDPS, should be allowed to authorise a set of transfers, where specific conditions so require and provided that
adequate safeguards are ensured. The Executive Director should be allowed to authorise the transfer of data in
exceptional cases on a case-by-case basis, where such transfer is required, under specific strict conditions.
(37) Europol should be able to process personal data originating from private parties and private persons only if those
data are transferred to Europol by one of the following: a national unit in accordance with its national law; a
contact point in a third country or an international organisation with which there is established cooperation
through a cooperation agreement allowing for the exchange of personal data concluded in accordance with
Article 23 of Decision 2009/371/JHA prior to the entry into force of this Regulation; an authority of a third
country or an international organisation which is subject to an adequacy decision or with which the Union has
concluded an international agreement pursuant to Article 218 TFEU. However, in cases where Europol receives
personal data directly from private parties and the national unit, contact point or authority concerned cannot be
identified, Europol should be able to process those personal data solely for the purpose of identifying those
entities, and such data should be deleted unless those entities resubmit those personal data within four months
after the transfer takes place. Europol should ensure by technical means that, during that period, such data would
not be accessible for processing for any other purpose.
(38) Taking into account the exceptional and specific threat posed to the internal security of the Union by terrorism
and other forms of serious crime, especially when facilitated, promoted or committed using the internet, the
activities that Europol should undertake on the basis of this Regulation, stemming from its implementation of
the Council Conclusions of 12 March 2015 and the call by the European Council of 23 April 2015 in relation
especially to those priority areas, in particular the corresponding practice of direct exchanges of personal data
with private parties, should be evaluated by the Commission by 1 May 2019.
(39) Any information which has clearly been obtained in obvious violation of human rights should not be processed.
(40) Data protection rules at Europol should be strengthened and should draw on the principles underpinning
Regulation (EC) No 45/2001 to ensure a high level of protection of individuals with regard to the processing of
personal data. As Declaration No 21 on the protection of personal data in the fields of judicial cooperation in
criminal matters and police cooperation, attached to the TEU and the TFEU, recognises the specificity of personal
data processing in the law enforcement context, the data protection rules of Europol should be autonomous
while at the same time consistent with other relevant data protection instruments applicable in the area of police
cooperation in the Union. Those instruments include, in particular, Directive (EU) 2016/680 of the European
Parliament and of the Council (1), as well as the Convention for the Protection of Individuals with regard to
Automatic Processing of Personal Data of the Council of Europe and its Recommendation No R(87) 15 (2).
(41) Any processing of personal data by Europol should be lawful and fair in relation to the data subjects concerned.
The principle of fair processing requires transparency of processing allowing data subjects concerned to exercise
their rights under this Regulation. It should be possible nevertheless to refuse or restrict access to their personal
data if, with due regard to the interests of the data subjects concerned, such refusal or restriction constitutes a
necessary measure to enable Europol to fulfil its tasks properly, to protect security and public order or to prevent
crime, to guarantee that a national investigation will not be jeopardised or to protect the rights and freedoms of
third parties. To enhance transparency, Europol should make publicly available a document setting out in an
intelligible form the applicable provisions regarding the processing of personal data and the means available to
data subjects to exercise their rights. Europol should also publish on its website a list of adequacy decisions,
(1) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or
prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council
Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).
(2) Council of Europe Committee of Ministers Recommendation No R(87) 15 to the Member States on regulating the use of personal data in
the police sector, 17.9.1987.
24.5.2016 EN Official Journal of the European Union L 135/59
agreements and administrative arrangements relating to the transfer of personal data to third countries and inter
national organisations. Moreover, in order to increase Europol's transparency vis-à-vis Union citizens and its
accountability, Europol should publish on its website a list of its Management Board members and, where
appropriate, the summaries of the outcome of the meetings of the Management Board, while respecting data
protection requirements.
(42) As far as possible, personal data should be distinguished according to their degree of accuracy and reliability.
Facts should be distinguished from personal assessments, in order to ensure both the protection of individuals
and the quality and reliability of the information processed by Europol. In the case of information obtained from
publicly available sources, particularly sources on the internet, Europol should as far as possible assess the
accuracy of such information and the reliability of its source with particular diligence in order to address the
risks associated with the internet as regards the protection of personal data and privacy.
(43) Personal data relating to different categories of data subjects are processed in the area of law enforcement
cooperation. Europol should make distinctions between personal data in respect of different categories of data
subjects as clear as possible. Personal data concerning persons such as victims, witnesses and persons possessing
relevant information, as well as personal data concerning minors, should in particular be protected. Europol
should only process sensitive data if those data supplement other personal data already processed by Europol.
(44) In the light of the fundamental right to the protection of personal data, Europol should not store personal data
for longer than is necessary for the performance of its tasks. The need for continued storage of such data should
be reviewed no later than three years after the start of its initial processing.
(45) To guarantee the security of personal data, Europol and Member States should implement necessary technical and
organisational measures.
(46) Any data subject should have a right of access to personal data concerning him or her, a right to rectification if
those data are inaccurate, and a right to erasure or restriction if those data are no longer required. The costs
related to exercising the right of access to personal data should not represent a barrier to effectively exercising
that right. The rights of the data subject and the exercise thereof should not affect the obligations incumbent
upon Europol and should be subject to the restrictions laid down in this Regulation.
(47) The protection of the rights and freedoms of data subjects requires a clear attribution of the responsibilities
under this Regulation. In particular, Member States should be responsible for the accuracy of data, for keeping up
to date the data they have transferred to Europol and for the legality of such data transfers. Europol should be
responsible for the accuracy of data and for keeping up to date the data provided by other data suppliers or
resulting from Europol's own analyses. Europol should ensure that data are processed fairly and lawfully, and are
collected and processed for a specific purpose. Europol should also ensure that the data are adequate, relevant,
not excessive in relation to the purpose for which they are processed, stored no longer than is necessary for that
purpose, and processed in a manner that ensures appropriate security of personal data and confidentiality of data
processing.
(48) Europol should keep records of collection, alteration, access, disclosure, combination or erasure of personal data
for the purposes of verifying the lawfulness of the data processing, self-monitoring and ensuring proper data
integrity and security. Europol should be obliged to co-operate with the EDPS and to make logs or documentation
available upon request, so that they can be used for monitoring processing operations.
(49) Europol should designate a Data Protection Officer to assist it in monitoring compliance with this Regulation.
The Data Protection Officer should be in a position to perform his or her duties and tasks independently and
effectively, and should be provided with the necessary resources to do so.
L 135/60 EN Official Journal of the European Union 24.5.2016
(50) Independent, transparent, accountable and effective structures for supervision are essential for the protection of
individuals with regard to the processing of personal data as required by Article 8(3) of the Charter of
Fundamental Rights of the European Union. National authorities competent for the supervision of the processing
of personal data should monitor the lawfulness of personal data provided by Member States to Europol. The
EDPS should monitor the lawfulness of data processing carried out by Europol, exercising his or her functions
with complete independence. In this regard, the prior consultation mechanism is an important safeguard for new
types of processing operations. This should not apply to specific individual operational activities, such as
operational analysis projects, but to the use of new IT systems for the processing of personal data and any
substantial changes thereto.
(51) It is important to ensure strengthened and effective supervision of Europol and to guarantee that the EDPS can
make use of appropriate law enforcement data protection expertise when he or she assumes responsibility for
data protection supervision of Europol. The EDPS and national supervisory authorities should closely cooperate
with each other on specific issues requiring national involvement and should ensure the consistent application of
this Regulation throughout the Union.
(52) In order to facilitate the cooperation between the EDPS and the national supervisory authorities, but without
prejudice to the independence of the EDPS and his or her responsibility for data protection supervision of
Europol, they should regularly meet within the Cooperation Board, which, as an advisory body, should deliver
opinions, guidelines, recommendations and best practices on various issues requiring national involvement.
(53) As Europol also processes non-operational personal data, unrelated to criminal investigations, such as personal
data concerning staff of Europol, service providers or visitors, the processing of such data should be subject to
Regulation (EC) No 45/2001.
(54) The EDPS should hear and investigate complaints lodged by data subjects. The investigation following a
complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case.
The national supervisory authority should inform the data subject of the progress and the outcome of the
complaint within a reasonable period.
(55) Any individual should have the right to a judicial remedy against a decision of the EDPS concerning him or her.
(56) Europol should be subject to the general rules on contractual and non-contractual liability applicable to Union
institutions, agencies and bodies, save as regards the rules on liability for unlawful data processing.
(57) It may be unclear for the individual concerned whether damage suffered as a result of unlawful data processing is
a consequence of action by Europol or by a Member State. Europol and the Member State in which the event that
gave rise to the damage occurred should therefore be jointly and severally liable.
(58) While respecting the role of the European Parliament together with national parliaments in the scrutiny of
Europol's activities, it is necessary that Europol be a fully accountable and transparent internal organisation. To
that end, in light of Article 88 TFEU, procedures should be established for the scrutiny of Europol's activities by
the European Parliament together with national parliaments. Such procedures should be subject to point (c) of
Article 12 TEU and to Article 9 of Protocol No 1, providing that the European Parliament and national
parliaments are together to determine the organisation and promotion of effective and regular interparliamentary
cooperation within the Union. The procedures to be established for the scrutiny of Europol's activities should
take due account of the need to ensure that the European Parliament and the national parliaments stand on an
equal footing, as well as the need to safeguard the confidentiality of operational information. However, the way in
which national parliaments scrutinise their governments in relation to the activities of the Union is a matter for
the particular constitutional organisation and practice of each Member State.
(59) The Staff Regulations of Officials of the European Union (the ‘Staff Regulations’) and the Conditions of
Employment of Other Servants of the European Union (the ‘Conditions of Employment of Other Servants’) laid
down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (1) should apply to Europol staff. Europol should
be able to employ staff from the competent authorities of the Member States as temporary agents whose period
of service should be limited in order to maintain the principle of rotation, as the subsequent reintegration of such
staff members into the service of their competent authority facilitates close cooperation between Europol and the
competent authorities of the Member States. Member States should take any measure necessary to ensure that
staff engaged at Europol as temporary agents may, at the end of their term of service at Europol, return to the
national civil service to which they belong.
(60) Given the nature of the duties of Europol and the role of the Executive Director, the competent committee of the
European Parliament should be able to invite the Executive Director to appear before it prior to his or her
appointment, as well as prior to any extension of his or her term of office. The Executive Director should also
present the annual report to the European Parliament and to the Council. Furthermore, the European Parliament
and the Council should be able to invite the Executive Director to report on the performance of his or her duties.
(61) To guarantee the full autonomy and independence of Europol, it should be granted an autonomous budget, with
revenue coming essentially from a contribution from the general budget of the Union. The Union budgetary
procedure should be applicable as far as the Union contribution and any other subsidies chargeable to the general
budget of the Union are concerned. The auditing of accounts should be undertaken by the Court of Auditors.
(62) Commission Delegated Regulation (EU) No 1271/2013 (1) should apply to Europol.
(63) Given their specific legal and administrative powers and their technical competences in conducting cross-border
information-exchange activities, operations and investigations, including in joint investigation teams, and in
providing facilities for training, the competent authorities of the Member States should be able to receive grants
from Europol without a call for proposals in accordance with point (d) of Article 190(1) of Commission
Delegated Regulation (EU) No 1268/2012 (2).
(64) Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council (3) should apply to
Europol.
(65) Europol processes data that require particular protection as they include sensitive non-classified and EU classified
information. Europol should therefore draw up rules on the confidentiality and processing of such information.
The rules on the protection of EU classified information should be consistent with Council
Decision 2013/488/EU (4).
(67) The necessary provisions regarding accommodation for Europol in The Hague, where it has its headquarters, and
the specific rules applicable to all Europol's staff and members of their families should be laid down in a
headquarters agreement. Furthermore, the host Member State should provide the necessary conditions for the
smooth operation of Europol, including multilingual, European-oriented schooling and appropriate transport
connections, so as to attract high-quality human resources from as wide a geographical area as possible.
(68) Europol as established by this Regulation replaces and succeeds Europol as established by
Decision 2009/371/JHA. It should therefore be the legal successor of all its contracts, including employment
contracts, liabilities and properties acquired. International agreements concluded by Europol as established by
Decision 2009/371/JHA and agreements concluded by Europol as established by the Europol Convention
before 1 January 2010 should remain in force.
(1) Commission Delegated Regulation (EU) No 1271/2013 of 30 September 2013 on the framework financial regulation for the bodies
referred to in Article 208 of Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council (OJ L 328,
7.12.2013, p. 42).
(2) Commission Delegated Regulation (EU) No 1268/2012 of 29 October 2012 on the rules of application of Regulation (EU, Euratom)
No 966/2012 of the European Parliament and of the Council on the financial rules applicable to the general budget of the Union
(OJ L 362, 31.12.2012, p. 1).
(3) Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning investigations
conducted by the European Anti-Fraud Office (OLAF) and repealing Regulation (EC) No 1073/1999 of the European Parliament and of
the Council and Council Regulation (Euratom) No 1074/1999 (OJ L 248, 18.9.2013, p. 1).
(4) Council Decision 2013/488/EU of 23 September 2013 on the security rules for protecting EU classified information (OJ L 274,
15.10.2013, p. 1).
L 135/62 EN Official Journal of the European Union 24.5.2016
(69) To enable Europol to continue to fulfil the tasks of Europol as established by Decision 2009/371/JHA to the best
of its abilities, transitional measures should be laid down, in particular with regard to the Management Board, the
Executive Director and staff employed under a contract of indefinite duration as a local staff member concluded
by Europol as established by the Europol Convention, who should be offered the possibility of employment as a
member of the temporary or contract staff under the Conditions of Employment of Other Servants.
(70) The Council Act of 3 December 1998 (1) on Europol staff regulations has been repealed by Article 63 of
Decision 2009/371/JHA. However, it should continue to apply to staff employed by Europol before the entry into
force of Decision 2009/371/JHA. Therefore, transitional provisions should provide that contracts concluded in
accordance with those staff regulations are to remain governed by them.
(71) Since the objective of this Regulation, namely the establishment of an entity responsible for law enforcement
cooperation at Union level, cannot be sufficiently achieved by the Member States but can rather, by reason of the
scale and effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance
with the principle of subsidiarity as set out in Article 5 TEU. In accordance with the principle of proportionality
as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.
(72) In accordance with Article 3 and Article 4a(1) of Protocol No 21 on the position of the United Kingdom and
Ireland in respect of the area of freedom, security and justice, annexed to the TEU and to the TFEU, Ireland has
notified its wish to take part in the adoption and application of this Regulation.
(73) In accordance with Articles 1 and 2 and Article 4a(1) of Protocol No 21 on the position of the United Kingdom
and Ireland in respect of the area of freedom, security and justice, annexed to the TEU and the TFEU, and
without prejudice to Article 4 of that Protocol, the United Kingdom is not taking part in the adoption of this
Regulation and is not bound by it or subject to its application.
(74) In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the TEU and to
the TFEU, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its
application.
(75) The EDPS has been consulted and issued an opinion on 31 May 2013.
(76) This Regulation respects the fundamental rights and observes the principles recognised in particular by the
Charter of Fundamental Rights of the European Union, in particular the right to the protection of personal data
and the right to privacy as protected by Articles 8 and 7 of the Charter, as well as by Article 16 TFEU,
CHAPTER I
Article 1
1. A European Union Agency for Law Enforcement Cooperation (Europol) is hereby established with a view to
supporting cooperation among law enforcement authorities in the Union.
2. Europol as established by this Regulation shall replace and succeed Europol as established by
Decision 2009/371/JHA.
(1) Council Act of 3 December 1998 laying down the staff regulations applicable to Europol employees (OJ C 26, 30.1.1999, p. 23).
24.5.2016 EN Official Journal of the European Union L 135/63
Article 2
Definitions
(a) ‘the competent authorities of the Member States’ means all police authorities and other law enforcement services
existing in the Member States which are responsible under national law for preventing and combating criminal
offences. The competent authorities shall also comprise other public authorities existing in the Member States
which are responsible under national law for preventing and combating criminal offences in respect of which
Europol is competent;
(b) ‘strategic analysis’ means all methods and techniques by which information is collected, stored, processed and
assessed with the aim of supporting and developing a criminal policy that contributes to the efficient and effective
prevention of, and the fight against, crime;
(c) ‘operational analysis’ means all methods and techniques by which information is collected, stored, processed and
assessed with the aim of supporting criminal investigations;
(d) ‘Union bodies’ means institutions, bodies, missions, offices and agencies set up by, or on the basis of, the TEU and
the TFEU;
(e) ‘international organisation’ means an organisation and its subordinate bodies governed by public international law,
or any other body which is set up by, or on the basis of, an agreement between two or more countries;
(f) ‘private parties’ means entities and bodies established under the law of a Member State or third country, in
particular companies and firms, business associations, non-profit organisations and other legal persons that are not
covered by point (e);
(i) ‘data subject’ means an identified or identifiable natural person, an identifiable person being a person who can be
identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number,
location data or an online identifier or to one or more factors specific to the physical, physiological, genetic,
mental, economic, cultural or social identity of that person;
(j) ‘genetic data’ means all personal data relating to the genetic characteristics of an individual that have been inherited
or acquired, which give unique information about the physiology or the health of that individual, resulting in
particular from an analysis of a biological sample from the individual in question;
(k) ‘processing’ means any operation or set of operations which is performed upon personal data or sets of personal
data, whether or not by automated means, such as collection, recording, organisation, structuring, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making
available, alignment or combination, restriction, erasure or destruction;
(l) ‘recipient’ means a natural or legal person, public authority, agency or any other body to which data are disclosed,
whether a third party or not;
(m) ‘transfer of personal data’ means the communication of personal data, actively made available, between a limited
number of identified parties, with the knowledge or intention of the sender to give the recipient access to the
personal data;
(n) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
L 135/64 EN Official Journal of the European Union 24.5.2016
(o) ‘the data subject's consent’ means any freely given, specific, informed and unambiguous indication of his or her
wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to
personal data relating to him or her being processed;
(p) ‘administrative personal data’ means all personal data processed by Europol apart from those that are processed to
meet the objectives laid down in Article 3.
Article 3
Objectives
1. Europol shall support and strengthen action by the competent authorities of the Member States and their mutual
cooperation in preventing and combating serious crime affecting two or more Member States, terrorism and forms of
crime which affect a common interest covered by a Union policy, as listed in Annex I.
2. In addition to paragraph 1, Europol's objectives shall also cover related criminal offences. The following shall be
considered to be related criminal offences:
(a) criminal offences committed in order to procure the means of perpetrating acts in respect of which Europol is
competent;
(b) criminal offences committed in order to facilitate or perpetrate acts in respect of which Europol is competent;
(c) criminal offences committed in order to ensure the impunity of those committing acts in respect of which Europol
is competent.
Article 4
Tasks
1. Europol shall perform the following tasks in order to achieve the objectives set out in Article 3:
(a) collect, store, process, analyse and exchange information, including criminal intelligence;
(b) notify the Member States, via the national units established or designated pursuant to Article 7(2), without delay of
any information and connections between criminal offences concerning them;
(c) coordinate, organise and implement investigative and operational actions to support and strengthen actions by the
competent authorities of the Member States, that are carried out:
(ii) in the context of joint investigation teams in accordance with Article 5 and, where appropriate, in liaison with
Eurojust;
(d) participate in joint investigation teams, as well as propose that they be set up in accordance with Article 5;
(e) provide information and analytical support to Member States in connection with major international events;
(f) prepare threat assessments, strategic and operational analyses and general situation reports;
24.5.2016 EN Official Journal of the European Union L 135/65
(g) develop, share and promote specialist knowledge of crime prevention methods, investigative procedures and
technical and forensic methods, and provide advice to Member States;
(h) support Member States' cross-border information exchange activities, operations and investigations, as well as joint
investigation teams, including by providing operational, technical and financial support;
(i) provide specialised training and assist Member States in organising training, including with the provision of
financial support, within the scope of its objectives and in accordance with the staffing and budgetary resources at
its disposal in coordination with the European Union Agency for Law Enforcement Training (CEPOL);
(j) cooperate with the Union bodies established on the basis of Title V of the TFEU and with OLAF, in particular
through exchanges of information and by providing them with analytical support in the areas that fall within their
competence;
(k) provide information and support to EU crisis management structures and missions established on the basis of the
TEU, within the scope of Europol's objectives as set out in Article 3;
(l) develop Union centres of specialised expertise for combating certain types of crime falling within the scope of
Europol's objectives, in particular the European Cybercrime Centre;
(m) support Member States' actions in preventing and combating forms of crime listed in Annex I which are facilitated,
promoted or committed using the internet, including, in cooperation with Member States, the making of referrals of
internet content, by which such forms of crime are facilitated, promoted or committed, to the online service
providers concerned for their voluntary consideration of the compatibility of the referred internet content with their
own terms and conditions.
2. Europol shall provide strategic analyses and threat assessments to assist the Council and the Commission in laying
down strategic and operational priorities of the Union for fighting crime. Europol shall also assist in the operational
implementation of those priorities.
3. Europol shall provide strategic analyses and threat assessments to assist the efficient and effective use of the
resources available at national and Union level for operational activities and the support of those activities.
4. Europol shall act as the Central Office for combating euro counterfeiting in accordance with Council
Decision 2005/511/JHA (1). Europol shall also encourage the coordination of measures carried out to fight euro counter
feiting by the competent authorities of the Member States or in the context of joint investigation teams, where
appropriate in liaison with Union bodies and the authorities of third countries.
5. Europol shall not apply coercive measures in carrying out its tasks.
CHAPTER II
Article 5
1. Europol staff may participate in the activities of joint investigation teams dealing with crime falling within
Europol's objectives. The agreement setting up a joint investigation team shall determine the conditions relating to the
participation of the Europol staff in the team, and shall include information on the rules on liability.
(1) Council Decision 2005/511/JHA of 12 July 2005 on protecting the euro against counterfeiting, by designating Europol as the Central
Office for combating euro counterfeiting (OJ L 185, 16.7.2005, p. 35).
L 135/66 EN Official Journal of the European Union 24.5.2016
2. Europol staff may, within the limits of the laws of the Member States in which a joint investigation team is
operating, assist in all activities and exchanges of information with all members of the joint investigation team.
3. Europol staff participating in a joint investigation team may, in accordance with this Regulation, provide all
members of the team with necessary information processed by Europol for the purposes set out in Article 18(2).
Europol shall at the same time inform the national units of the Member States represented in the team, as well as those
of the Member States which provided the information.
4. Information obtained by Europol staff while part of the joint investigation team may, with the consent and under
the responsibility of the Member State which provided the information, be processed by Europol for the purposes set
out in Article 18(2), under the conditions laid down in this Regulation.
5. Where Europol has reason to believe that setting up a joint investigation team would add value to an investigation,
it may propose this to the Member States concerned and take measures to assist them in setting up the joint investi
gation team.
Article 6
1. In specific cases where Europol considers that a criminal investigation should be initiated into a crime falling
within the scope of its objectives, it shall request the competent authorities of the Member States concerned via the
national units to initiate, conduct or coordinate such a criminal investigation.
2. The national units shall inform Europol without delay of the decision of the competent authorities of the
Member States concerning any request made pursuant to paragraph 1.
3. If the competent authorities of a Member State decide not to accede to a request made by Europol pursuant to
paragraph 1, they shall inform Europol of the reasons for their decision without undue delay, preferably within one
month of receipt of the request. However, the reasons may be withheld if providing them would:
(a) be contrary to the essential interests of the security of the Member State concerned; or
4. Europol shall immediately inform Eurojust of any request made pursuant to paragraph 1 and of any decision of a
competent authority of a Member State pursuant to paragraph 2.
Article 7
1. The Member States and Europol shall cooperate with each other in the fulfilment of their respective tasks set out
in this Regulation.
2. Each Member State shall establish or designate a national unit, which shall be the liaison body between Europol
and the competent authorities of that Member State. Each Member State shall appoint an official as the head of its
national unit.
24.5.2016 EN Official Journal of the European Union L 135/67
3. Each Member State shall ensure that its national unit is competent under national law to fulfil the tasks assigned to
national units in this Regulation, and in particular that it has access to national law enforcement data and other relevant
data necessary for cooperation with Europol.
4. Each Member State shall determine the organisation and the staff of its national unit in accordance with its
national law.
5. In accordance with paragraph 2, the national unit shall be the liaison body between Europol and the competent
authorities of the Member States. However, subject to conditions determined by the Member States, including prior
involvement of the national unit, the Member States may allow direct contacts between their competent authorities and
Europol. The national unit shall at the same time receive from Europol any information exchanged in the course of
direct contacts between Europol and the competent authorities, unless the national unit indicates that it does not need
to receive such information.
6. Each Member State shall, via its national unit or, subject to paragraph 5, a competent authority, in particular:
(a) supply Europol with the information necessary for it to fulfil its objectives, including information relating to forms
of crime the prevention or combating of which is considered a priority by the Union;
(b) ensure effective communication and cooperation of all relevant competent authorities with Europol;
(d) in accordance with point (a) of Article 38(5), ensure compliance with national law when supplying information to
Europol.
7. Without prejudice to the discharge by Member States of their responsibilities with regard to the maintenance of
law and order and the safeguarding of internal security, Member States shall not in any particular case be obliged to
supply information in accordance with point (a) of paragraph 6 that would:
(a) be contrary to the essential interests of the security of the Member State concerned;
(c) disclose information relating to organisations or specific intelligence activities in the field of national security.
However, Member States shall supply information as soon as it ceases to fall within the scope of points (a), (b) or (c) of
the first subparagraph.
8. Member States shall ensure that their financial intelligence units established pursuant to Directive 2005/60/EC of
the European Parliament and of the Council (1) are allowed to cooperate with Europol via their national unit regarding
analyses, within the limits of their mandate and competence.
9. The heads of the national units shall meet on a regular basis, in particular to discuss and resolve problems that
occur in the context of their operational cooperation with Europol.
10. The costs incurred by national units in communications with Europol shall be borne by the Member States and,
with the exception of the costs of connection, shall not be charged to Europol.
11. Europol shall draw up an annual report on the information provided by each Member State pursuant to point (a)
of paragraph 6 on the basis of the quantitative and qualitative evaluation criteria defined by the Management Board. The
annual report shall be sent to the European Parliament, the Council, the Commission and national parliaments.
(1) Directive 2005/60/EC of the European Parliament and of the Council of 26 October 2005 on the prevention of the use of the financial
system for the purpose of money laundering and terrorist financing (OJ L 309, 25.11.2005, p. 15).
L 135/68 EN Official Journal of the European Union 24.5.2016
Article 8
Liaison officers
1. Each national unit shall designate at least one liaison officer to be attached to Europol. Except as otherwise laid
down in this Regulation, the liaison officers shall be subject to the national law of the designating Member State.
2. Liaison officers shall constitute the national liaison bureaux at Europol and shall be instructed by their national
units to represent the interests of the latter within Europol in accordance with the national law of the designating
Member State and the provisions applicable to the administration of Europol.
3. Liaison officers shall assist in the exchange of information between Europol and their Member States.
4. Liaison officers shall, in accordance with their national law, assist in the exchange of information between their
Member States and the liaison officers of other Member States, third countries and international organisations. Europol's
infrastructure may be used, in accordance with national law, for such bilateral exchanges also to cover crimes falling
outside the scope of the objectives of Europol. All such exchanges of information shall be in accordance with applicable
Union and national law.
5. The Management Board shall determine the rights and obligations of liaison officers in relation to Europol. Liaison
officers shall enjoy the privileges and immunities necessary for the performance of their tasks in accordance with
Article 63(2).
6. Europol shall ensure that liaison officers are fully informed of and associated with all of its activities, in so far as
necessary for the performance of their tasks.
7. Europol shall cover the costs of providing Member States with the necessary premises within the Europol building
and adequate support for liaison officers to perform their duties. All other costs that arise in connection with the
designation of liaison officers shall be borne by the designating Member State, including the costs of equipment for
liaison officers, unless the European Parliament and the Council decide otherwise on the recommendation of the
Management Board.
CHAPTER III
ORGANISATION OF EUROPOL
Article 9
(c) where appropriate, other advisory bodies established by the Management Board in accordance with point (s) of
Article 11(1).
24.5.2016 EN Official Journal of the European Union L 135/69
SECTION 1
Management Board
Article 10
1. The Management Board shall be composed of one representative from each Member State and one representative
of the Commission. Each representative shall have a voting right.
2. The members of the Management Board shall be appointed taking into account their knowledge of law
enforcement cooperation.
3. Each member of the Management Board shall have an alternate member who shall be appointed taking into
account the criterion set out in paragraph 2. The alternate member shall represent the member in his or her absence.
The principle of a balanced gender representation on the Management Board shall also be taken into account.
4. Without prejudice to the right of the Member States and of the Commission to terminate the mandate of their
respective member and alternate member, the membership of the Management Board shall be for a period of four years.
That term shall be extendable.
Article 11
(a) adopt each year, by a majority of two-thirds of its members and in accordance with Article 12, a document
containing Europol's multiannual programming and its annual work programme for the following year;
(b) adopt, by a majority of two-thirds of its members, the annual budget of Europol and exercise other functions in
respect of Europol's budget pursuant to Chapter X;
(c) adopt a consolidated annual activity report on Europol's activities and, by 1 July of the following year, send it to the
European Parliament, the Council, the Commission, the Court of Auditors and the national parliaments. The
consolidated annual activity report shall be made public;
(d) adopt the financial rules applicable to Europol in accordance with Article 61;
(e) adopt an internal anti-fraud strategy, proportionate to fraud risks, taking into account the costs and benefits of the
measures to be implemented;
(f) adopt rules for the prevention and management of conflicts of interest in respect of its members, including in
relation to their declaration of interests;
(g) in accordance with paragraph 2, exercise, with respect to the staff of Europol, the powers conferred by the Staff
Regulations on the appointing authority and by the Conditions of Employment of Other Servants on the authority
empowered to conclude a contract of employment of other servants (‘the appointing authority powers’);
(h) adopt appropriate implementing rules giving effect to the Staff Regulations and the Conditions of Employment of
Other Servants in accordance with Article 110 of the Staff Regulations;
L 135/70 EN Official Journal of the European Union 24.5.2016
(i) adopt internal rules regarding the procedure for the selection of the Executive Director, including rules on the
composition of the selection committee which ensure its independence and impartiality;
(j) propose to the Council a shortlist of candidates for the posts of Executive Director and Deputy Executive Directors
and, where relevant, propose to the Council that their terms of office be extended or that they be removed from
office in accordance with Articles 54 and 55;
(k) establish performance indicators and oversee the Executive Director's performance, including the implementation of
Management Board decisions;
(l) appoint a Data Protection Officer, who shall be functionally independent in the performance of his or her duties;
(m) appoint an accounting officer, who shall be subject to the Staff Regulations and the Conditions of Employment of
Other Servants and functionally independent in the performance of his or her duties;
(o) ensure adequate follow-up to findings and recommendations stemming from the internal or external audit reports
and evaluations, as well as from investigations of OLAF and the EDPS;
(p) define the evaluation criteria for the annual report in accordance with Article 7(11);
(q) adopt guidelines further specifying the procedures for the processing of information by Europol in accordance with
Article 18, after consulting the EDPS;
(r) decide upon the conclusion of working and administrative arrangements in accordance with Article 23(4) and
Article 25(1), respectively;
(s) decide, taking into consideration both business and financial requirements, upon the establishment of Europol's
internal structures, including Union centres of specialised expertise as referred to in point (l) of Article 4(1), upon a
proposal of the Executive Director;
(t) adopt its rules of procedure, including provisions concerning the tasks and the functioning of its secretariat;
2. If the Management Board considers it necessary for the performance of Europol's tasks, it may suggest to the
Council that it draw the attention of the Commission to the need for an adequacy decision as referred to in point (a) of
Article 25(1) or for a recommendation for a decision authorising the opening of negotiations with a view to the
conclusion of an international agreement as referred to in point (b) of Article 25(1).
3. The Management Board shall, in accordance with Article 110 of the Staff Regulations, adopt a decision based on
Article 2(1) of the Staff Regulations and on Article 6 of the Conditions of Employment of Other Servants delegating the
relevant appointing authority powers to the Executive Director and establishing the conditions under which such
delegation of powers may be suspended. The Executive Director shall be authorised to subdelegate those powers.
Where exceptional circumstances so require, the Management Board may, by way of a decision, temporarily suspend the
delegation of the appointing authority powers to the Executive Director and any subdelegation of such powers and
exercise them itself or delegate those powers to one of its members or to a staff member other than the Executive
Director.
Article 12
1. The Management Board shall, by 30 November each year, adopt a document containing Europol's multiannual
programming and annual work programme, based on a draft put forward by the Executive Director, taking into account
the opinion of the Commission and, as regards the multiannual programming, after having consulted the JPSG. The
Management Board shall forward that document to the Council, the Commission and the JPSG.
24.5.2016 EN Official Journal of the European Union L 135/71
2. The multiannual programming shall set out the overall strategic programming, including the objectives, expected
results and performance indicators. It shall also set out the resource planning, including the multiannual budget and
staff. It shall include the strategy for relations with third countries and international organisations.
The multiannual programming shall be implemented by means of annual work programmes and shall, where
appropriate, be updated following the outcome of external and internal evaluations. The conclusion of those evaluations
shall also be reflected, where appropriate, in the annual work programme for the following year.
3. The annual work programme shall comprise detailed objectives, expected results and performance indicators. It
shall also contain a description of the actions to be financed and an indication of the financial and human resources
allocated to each action, in accordance with the principles of activity-based budgeting and management. The annual
work programme shall be consistent with the multiannual programming. It shall clearly indicate tasks that have been
added, changed or deleted compared to the previous financial year.
4. Where, after adoption of an annual work programme, a new task is assigned to Europol, the Management Board
shall amend the annual work programme.
5. Any substantial amendment to the annual work programme shall be adopted by the same procedure as that
applicable to the adoption of the initial annual work programme. The Management Board may delegate to the Executive
Director the power to make non-substantial amendments to the annual work programme.
Article 13
1. The Management Board shall elect a Chairperson and a Deputy Chairperson from within the group of three
Member States that have jointly prepared the Council's 18-month programme. They shall serve for the 18-month period
corresponding to that Council programme. If, however, the Chairperson's or the Deputy Chairperson's membership of
the Management Board ends at any time during their term of office as Chairperson or Deputy Chairperson, their term of
office shall automatically expire at the same time.
2. The Chairperson and the Deputy Chairperson shall be elected by a majority of two-thirds of the members of the
Management Board.
3. Where the Chairperson is unable to carry out his or her duties, he or she shall automatically be replaced by the
Deputy Chairperson.
Article 14
2. The Executive Director shall take part in the deliberations of the Management Board.
3. The Management Board shall hold at least two ordinary meetings a year. In addition, it shall meet on the initiative
of its Chairperson, or at the request of the Commission or of at least one-third of its members.
4. The Management Board may invite any person whose opinion may be relevant for the discussion, including, where
appropriate, a representative of the JPSG, to attend its meeting as a non-voting observer.
L 135/72 EN Official Journal of the European Union 24.5.2016
5. The members and the alternate members of the Management Board may, subject to its rules of procedure, be
assisted at the meetings by advisers or experts.
Article 15
1. Without prejudice to points (a) and (b) of Article 11(1), Article 13(2), Article 50(2), Article 54(8) and Article 64,
the Management Board shall take decisions by a majority of its members.
2. Each member shall have one vote. In the absence of a voting member, his or her alternate shall be entitled to
exercise his or her right to vote.
4. The Management Board's rules of procedure shall establish more detailed voting arrangements, in particular the
circumstances in which a member may act on behalf of another member, and any quorum requirements, where
necessary.
SECTION 2
Executive Director
Article 16
1. The Executive Director shall manage Europol. He or she shall be accountable to the Management Board.
2. Without prejudice to the powers of the Commission or the Management Board, the Executive Director shall be
independent in the performance of his or her duties and shall neither seek nor take instructions from any government
or any other body.
3. The Council may invite the Executive Director to report on the performance of his or her duties.
5. The Executive Director shall be responsible for the implementation of the tasks assigned to Europol by this
Regulation, in particular:
(b) making proposals to the Management Board as regards the establishment of Europol's internal structures;
(d) preparing the draft multiannual programming and annual work programmes and submitting them to the
Management Board, after having consulted the Commission;
24.5.2016 EN Official Journal of the European Union L 135/73
(e) implementing the multiannual programming and the annual work programmes and reporting to the Management
Board on their implementation;
(f) preparing appropriate draft implementing rules to give effect to the Staff Regulations and the Conditions of
Employment of Other Servants in accordance with Article 110 of the Staff Regulations;
(g) preparing the draft consolidated annual report on Europol's activities and presenting it to the Management Board
for adoption;
(h) preparing an action plan following up conclusions of internal or external audit reports and evaluations, as well as
investigation reports and recommendations from investigations by OLAF and the EDPS, and reporting on progress
twice a year to the Commission and regularly to the Management Board;
(i) protecting the financial interests of the Union by applying measures to prevent fraud, corruption and any other
illegal activity and, without prejudice to the investigative competence of OLAF, by effective checks and, if irregular
ities are detected, by recovering amounts wrongly paid and, where appropriate, by effective, proportionate and
dissuasive administrative and financial penalties;
(j) preparing a draft internal anti-fraud strategy for Europol and presenting it to the Management Board for adoption;
(k) preparing draft internal rules for the prevention and management of conflicts of interest in respect of the members
of the Management Board and presenting those draft rules to the Management Board for adoption;
(m) preparing Europol's draft statement of estimates of revenue and expenditure and implementing its budget;
(n) supporting the Chairperson of the Management Board in preparing Management Board meetings;
(o) informing the Management Board on a regular basis regarding the implementation of Union strategic and
operational priorities for fighting crime;
CHAPTER IV
PROCESSING OF INFORMATION
Article 17
Sources of information
1. Europol shall only process information that has been provided to it:
(a) by Member States in accordance with their national law and Article 7;
(b) by Union bodies, third countries and international organisations in accordance with Chapter V;
2. Europol may directly retrieve and process information, including personal data, from publicly available sources,
including the internet and public data.
3. In so far as Europol is entitled under Union, international or national legal instruments to gain computerised
access to data from Union, international or national information systems, it may retrieve and process information,
including personal data, by such means if that is necessary for the performance of its tasks. The applicable provisions of
such Union, international or national legal instruments shall govern access to, and the use of, that information by
Europol, in so far as they provide for stricter rules on access and use than those laid down by this Regulation. Access to
such information systems shall be granted only to duly authorised staff of Europol and only in so far as this is necessary
and proportionate for the performance of their tasks.
L 135/74 EN Official Journal of the European Union 24.5.2016
Article 18
1. In so far as is necessary for the achievement of its objectives as laid down in Article 3, Europol may process
information, including personal data.
(a) cross-checking aimed at identifying connections or other relevant links between information related to:
(i) persons who are suspected of having committed or taken part in a criminal offence in respect of which Europol
is competent, or who have been convicted of such an offence;
(ii) persons regarding whom there are factual indications or reasonable grounds to believe that they will commit
criminal offences in respect of which Europol is competent;
(d) facilitating the exchange of information between Member States, Europol, other Union bodies, third countries and in
ternational organisations.
3. Processing for the purpose of operational analyses as referred to in point (c) of paragraph 2 shall be performed by
means of operational analysis projects, in respect of which the following specific safeguards shall apply:
(a) for every operational analysis project, the Executive Director shall define the specific purpose, categories of personal
data and categories of data subjects, participants, duration of storage and conditions for access, transfer and use of
the data concerned, and shall inform the Management Board and the EDPS thereof;
(b) personal data may only be collected and processed for the purpose of the specified operational analysis project.
Where it becomes apparent that personal data may be relevant for another operational analysis project, further
processing of that personal data shall only be permitted insofar as such further processing is necessary and propor
tionate and the personal data are compatible with the provisions set out in point (a) that apply to the other analysis
project;
(c) only authorised staff may access and process the data of the relevant project.
4. The processing referred to in paragraphs 2 and 3 shall be carried out in compliance with the data protection
safeguards provided for in this Regulation. Europol shall duly document those processing operations. The documentation
shall be made available, upon request, to the Data Protection Officer and to the EDPS for the purpose of verifying the
lawfulness of the processing operations.
5. Categories of personal data and categories of data subjects whose data may be collected and processed for each
purpose referred to in paragraph 2 are listed in Annex II.
6. Europol may temporarily process data for the purpose of determining whether such data are relevant to its tasks
and, if so, for which of the purposes referred to in paragraph 2. The Management Board, acting on a proposal from the
Executive Director and after consulting the EDPS, shall further specify the conditions relating to the processing of such
data, in particular with respect to access to and use of the data, as well as time limits for the storage and deletion of the
data, which may not exceed six months, having due regard to the principles referred to in Article 28.
7. The Management Board, after consulting the EDPS, shall, as appropriate, adopt guidelines further specifying
procedures for the processing of information for the purposes listed in paragraph 2 in accordance with point (q) of
Article 11(1).
24.5.2016 EN Official Journal of the European Union L 135/75
Article 19
Determination of the purpose of, and restrictions on, the processing of information by Europol
1. A Member State, a Union body, a third country or an international organisation providing information to Europol
shall determine the purpose or purposes for which it is to be processed, as referred to in Article 18. If it has not done
so, Europol, in agreement with the provider of the information concerned, shall process the information in order to
determine the relevance of such information as well as the purpose or purposes for which it is to be further processed.
Europol may process information for a purpose different from that for which information has been provided only if
authorised so to do by the provider of the information.
2. Member States, Union bodies, third countries and international organisations may indicate, at the moment of
providing information to Europol, any restriction on access thereto or the use to be made thereof, in general or specific
terms, including as regards its transfer, erasure or destruction. Where the need for such restrictions becomes apparent
after the information has been provided, they shall inform Europol accordingly. Europol shall comply with such
restrictions.
3. In duly justified cases Europol may assign restrictions to access or use by Member States, Union bodies, third
countries and international organisations of information retrieved from publicly available sources.
Article 20
1. Member States shall, in accordance with their national law and Article 7(5), have access to, and be able to search,
all information which has been provided for the purposes of points (a) and (b) of Article 18(2). This shall be without
prejudice to the right of Member States, Union bodies, third countries and international organisations to indicate any
restrictions in accordance with Article 19(2).
2. Member States shall, in accordance with their national law and Article 7(5), have indirect access on the basis of a
hit/no hit system to information provided for the purposes of point (c) of Article 18(2). This shall be without prejudice
to any restrictions indicated by the Member States, Union bodies and third countries or international organisations
providing the information, in accordance with Article 19(2).
In the case of a hit, Europol shall initiate the procedure by which the information that generated the hit may be shared,
in accordance with the decision of the provider of the information to Europol.
3. In accordance with national law, the information referred to in paragraphs 1 and 2 shall be accessed and further
processed by Member States only for the purpose of preventing and combating:
(b) other forms of serious crime, as set out in Council Framework Decision 2002/584/JHA (1).
4. Europol staff duly empowered by the Executive Director shall have access to information processed by Europol to
the extent required for the performance of their duties and without prejudice to Article 67.
(1) Council Framework Decision 2002/584/JHA of 13 June 2002 on the European arrest warrant and the surrender procedures between
Member States (OJ L 190, 18.7.2002, p. 1).
L 135/76 EN Official Journal of the European Union 24.5.2016
Article 21
1. Europol shall take all appropriate measures to enable Eurojust and OLAF, within their respective mandates, to have
indirect access on the basis of a hit/no hit system to information provided for the purposes of points (a), (b) and (c) of
Article 18(2), without prejudice to any restrictions indicated by the Member State, Union body, third country or internat
ional organisation providing the information in question, in accordance with Article 19(2).
In the case of a hit, Europol shall initiate the procedure by which the information that generated the hit may be shared,
in accordance with the decision of the provider of the information to Europol, and only to the extent that the data
generating the hit are necessary for the performance of Eurojust's or OLAF's tasks.
2. Europol and Eurojust may conclude a working arrangement ensuring, in a reciprocal manner and within their
respective mandates, access to, and the possibility of searching, all information that has been provided for the purpose
specified in point (a) of Article 18(2). This shall be without prejudice to the right of Member States, Union bodies, third
countries and international organisations to indicate restrictions on access to, and the use of, such data, and shall be in
accordance with the data protection guarantees provided for in this Regulation.
3. Searches of information in accordance with paragraphs 1 and 2 shall be carried out only for the purpose of
identifying whether information available at Eurojust or OLAF matches with information processed at Europol.
4. Europol shall allow searches in accordance with paragraphs 1 and 2 only after obtaining from Eurojust
information on which National Members, Deputies and Assistants, as well as Eurojust staff members, and from OLAF
information on which OLAF staff members, have been designated as authorised to perform such searches.
6. Eurojust, including the College, the National Members, Deputies and Assistants, as well as Eurojust staff members,
and OLAF, shall respect any restriction on access or use, in general or specific terms, indicated by Member States, Union
bodies, third countries and international organisations in accordance with Article 19(2).
7. Europol, Eurojust and OLAF shall inform each other if, after consulting each other's data in accordance with
paragraph 2 or as a result of a hit in accordance with paragraph 1, there are indications that data may be incorrect or
may conflict with other data.
Article 22
1. Europol shall, in accordance with point (b) of Article 4(1), notify a Member State without delay of any information
concerning it. If such information is subject to access restrictions pursuant to Article 19(2) that would prohibit its being
shared, Europol shall consult with the provider of the information stipulating the access restriction and seek its authoris
ation for sharing.
In such a case, the information shall not be shared without an explicit authorisation by the provider.
24.5.2016 EN Official Journal of the European Union L 135/77
2. Irrespective of any access restrictions, Europol shall notify a Member State of any information concerning it if this
is absolutely necessary in the interest of preventing an imminent threat to life.
In such a case, Europol shall at the same time notify the provider of the information about the sharing of the
information and justify its analysis of the situation.
CHAPTER V
SECTION 1
Common provisions
Article 23
Common provisions
1. In so far as necessary for the performance of its tasks, Europol may establish and maintain cooperative relations
with Union bodies in accordance with the objectives of those bodies, the authorities of third countries, international
organisations and private parties.
2. Subject to any restriction pursuant to Article 19(2) and without prejudice to Article 67, Europol may directly
exchange all information, with the exception of personal data, with entities referred to in paragraph 1 of this Article, in
so far as such an exchange is relevant for the performance of Europol's tasks.
3. The Executive Director shall inform the Management Board about any regular cooperative relations which Europol
intends to establish and maintain in accordance with paragraphs 1 and 2, and about the development of such relations
once established.
4. For the purposes set out in paragraphs 1 and 2, Europol may conclude working arrangements with entities
referred to in paragraph 1. Such working arrangements shall not allow the exchange of personal data and shall not bind
the Union or its Member States.
5. Europol may receive and process personal data from entities referred to in paragraph 1 insofar as necessary and
proportionate for the legitimate performance of its tasks and subject to the provisions of this Chapter.
6. Without prejudice to Article 30(5), personal data shall only be transferred by Europol to Union bodies, third
countries and international organisations if necessary for preventing and combating crime falling within the scope of
Europol's objectives and in accordance with this Regulation, and if the recipient gives an undertaking that the data will
be processed only for the purpose for which they were transferred. If the data to be transferred have been provided by a
Member State, Europol shall seek that Member State's consent, unless the Member State has granted its prior authoris
ation to such onward transfer, either in general terms or subject to specific conditions. Such consent may be withdrawn
at any time.
7. Onward transfers of personal data held by Europol by Member States, Union bodies, third countries and internat
ional organisations shall be prohibited, unless Europol has given its prior explicit authorisation.
8. Europol shall ensure that detailed records of all transfers of personal data and of the grounds for such transfers are
recorded in accordance with this Regulation.
9. Any information which has clearly been obtained in obvious violation of human rights shall not be processed.
L 135/78 EN Official Journal of the European Union 24.5.2016
SECTION 2
Article 24
Subject to any possible restrictions pursuant to Article 19(2) or (3) and without prejudice to Article 67, Europol may
directly transfer personal data to a Union body, insofar as such transfer is necessary for the performance of its tasks or
those of the recipient Union body.
Article 25
1. Subject to any possible restrictions pursuant to Article 19(2) or (3) and without prejudice to Article 67, Europol
may transfer personal data to an authority of a third country or to an international organisation, insofar as such transfer
is necessary for the performance of Europol's tasks, on the basis of one of the following:
(a) a decision of the Commission adopted in accordance with Article 36 of Directive (EU) 2016/680, finding that the
third country or a territory or a processing sector within that third country or the international organisation in
question ensures an adequate level of protection (‘adequacy decision’);
(b) an international agreement concluded between the Union and that third country or international organisation
pursuant to Article 218 TFEU adducing adequate safeguards with respect to the protection of privacy and
fundamental rights and freedoms of individuals;
(c) a cooperation agreement allowing for the exchange of personal data concluded, before 1 May 2017, between
Europol and that third country or international organisation in accordance with Article 23 of
Decision 2009/371/JHA.
Europol may conclude administrative arrangements to implement such agreements or adequacy decisions.
2. The Executive Director shall inform the Management Board about exchanges of personal data on the basis of
adequacy decisions pursuant to point (a) of paragraph 1.
3. Europol shall publish on its website and keep up to date a list of adequacy decisions, agreements, administrative
arrangements and other instruments relating to the transfer of personal data in accordance with paragraph 1.
4. By 14 June 2021, the Commission shall assess the provisions contained in the cooperation agreements referred to
in point (c) of paragraph 1, in particular those concerning data protection. The Commission shall inform the
European Parliament and the Council about the outcome of that assessment, and may, if appropriate, submit to the
Council a recommendation for a decision authorising the opening of negotiations for the conclusion of international
agreements referred to in point (b) of paragraph (1).
5. By way of derogation from paragraph 1, the Executive Director may authorise the transfer of personal data to third
countries or international organisations on a case-by-case basis if the transfer is:
(a) necessary in order to protect the vital interests of the data subject or of another person;
(b) necessary to safeguard legitimate interests of the data subject where the law of the Member State transferring the
personal data so provides;
24.5.2016 EN Official Journal of the European Union L 135/79
(c) essential for the prevention of an immediate and serious threat to the public security of a Member State or a third
country;
(d) necessary in individual cases for the purposes of the prevention, investigation, detection or prosecution of criminal
offences or the execution of criminal sanctions; or
(e) necessary in individual cases for the establishment, exercise or defence of legal claims relating to the prevention,
investigation, detection or prosecution of a specific criminal offence or the execution of a specific criminal sanction.
Personal data shall not be transferred if the Executive Director determines that fundamental rights and freedoms of the
data subject concerned override the public interest in the transfer referred to in points (d) and (e).
6. By way of derogation from paragraph 1, the Management Board may, in agreement with the EDPS, authorise for a
period not exceeding one year, which shall be renewable, a set of transfers in accordance with points (a) to (e) of
paragraph 5, taking into account the existence of adequate safeguards with respect to the protection of privacy and
fundamental rights and freedoms of individuals. Such authorisation shall be duly justified and documented.
7. The Executive Director shall as soon as possible inform the Management Board and the EDPS of the cases in which
paragraph 5 has been applied.
8. Europol shall keep detailed records of all transfers made pursuant to this Article.
Article 26
1. Insofar as is necessary in order for Europol to perform its tasks, Europol may process personal data obtained from
private parties on condition that they are received via:
(b) the contact point of a third country or an international organisation with which Europol has concluded,
before 1 May 2017, a cooperation agreement allowing for the exchange of personal data in accordance with
Article 23 of Decision 2009/371/JHA; or
(c) an authority of a third country or an international organisation which is the subject of an adequacy decision as
referred to in point (a) of Article 25(1) of this Regulation or with which the Union has concluded an international
agreement pursuant to Article 218 TFEU.
2. In cases where Europol nonetheless receives personal data directly from private parties and where the national
unit, contact point or authority concerned, as referred to in paragraph 1, cannot be identified, Europol may process
those personal data solely for the purpose of such identification. Subsequently, the personal data shall be forwarded
immediately to the national unit, contact point or authority concerned and shall be deleted unless the national unit,
contact point or authority concerned resubmits those personal data in accordance with Article 19(1) within four
months after the transfer takes place. Europol shall ensure by technical means that, during that period, the data in
question are not accessible for processing for any other purpose.
3. Following the transfer of personal data in accordance with point (c) of paragraph 5 of this Article, Europol may in
connection therewith receive personal data directly from a private party which that private party declares it is legally
allowed to transmit in accordance with the applicable law, in order to process such data for the performance of the task
set out in point (m) of Article 4(1).
L 135/80 EN Official Journal of the European Union 24.5.2016
4. If Europol receives personal data from a private party in a third country with which there is no agreement
concluded either on the basis of Article 23 of Decision 2009/371/JHA or on the basis of Article 218 TFEU, or which is
not the subject of an adequacy decision as referred to in point (a) of Article 25(1) of this Regulation, Europol may
forward those data only to a Member State, or to a third country concerned with which such an agreement has been
concluded.
5. Europol may not transfer personal data to private parties except where, on a case-by-case basis where strictly
necessary and subject to any possible restrictions stipulated pursuant to Article 19(2) or (3) and without prejudice to
Article 67:
(a) the transfer is undoubtedly in the interests of the data subject, and either the data subject's consent has been given
or the circumstances allow a clear presumption of consent; or
(b) the transfer is absolutely necessary in the interests of preventing the imminent perpetration of a crime, including
terrorism, for which Europol is competent; or
(c) the transfer of personal data which are publicly available is strictly necessary for the performance of the task set out
in point (m) of Article 4(1) and the following conditions are met:
(ii) no fundamental rights and freedoms of the data subjects concerned override the public interest necessitating the
transfer in the case at hand.
6. With regard to points (a) and (b) of paragraph 5 of this Article, if the private party concerned is not established
within the Union or in a country with which Europol has a cooperation agreement allowing for the exchange of
personal data, with which the Union has concluded an international agreement pursuant to Article 218 TFEU or which
is the subject of an adequacy decision as referred to in point (a) of Article 25(1) of this Regulation, the transfer shall
only be authorised if the transfer is:
(a) necessary in order to protect the vital interests of the data subject or another person; or
(c) essential for the prevention of an immediate and serious threat to public security of a Member State or a third
country; or
(d) necessary in individual cases for the purposes of the prevention, investigation, detection or prosecution of criminal
offences for which Europol is competent; or
(e) necessary in individual cases for the establishment, exercise or defence of legal claims relating to the prevention,
investigation, detection or prosecution of a specific criminal offence for which Europol is competent.
7. Europol shall ensure that detailed records of all transfers of personal data and the grounds for such transfers are
recorded in accordance with this Regulation and communicated upon request to the EDPS pursuant to Article 40.
8. If the personal data received or to be transferred affect the interests of a Member State, Europol shall immediately
inform the national unit of the Member State concerned.
10. The Commission shall evaluate the practice of direct exchanges of personal data with private parties
by 1 May 2019.
24.5.2016 EN Official Journal of the European Union L 135/81
Article 27
1. Insofar as is necessary in order for Europol to perform its tasks, Europol may receive and process information
originating from private persons. Personal data originating from private persons may only be processed by Europol on
condition that they are received via:
(b) the contact point of a third country or an international organisation with which Europol has concluded,
before 1 May 2017, a cooperation agreement allowing for the exchange of personal data in accordance with
Article 23 of Decision 2009/371/JHA; or
(c) an authority of a third country or an international organisation which is the subject of an adequacy decision as
referred to in point (a) of Article 25(1) or with which the Union has concluded an international agreement pursuant
to Article 218 TFEU.
2. If Europol receives information, including personal data, from a private person residing in a third country with
which there is no international agreement concluded either on the basis of Article 23 of Decision 2009/371/JHA or on
the basis of Article 218 TFEU, or which is not the subject of an adequacy decision as referred to in point (a) of
Article 25(1) of this Regulation, Europol may only forward that information to a Member State or to a third country
concerned with which such an international agreement has been concluded.
3. If the personal data received affect the interests of a Member State, Europol shall immediately inform the national
unit of the Member State concerned.
5. Without prejudice to Articles 36 and 37, Europol may not transfer personal data to private persons.
CHAPTER VI
Article 28
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with
those purposes. Further processing of personal data for historical, statistical or scientific research purposes shall not
be considered incompatible provided that Europol provides appropriate safeguards, in particular to ensure that data
are not processed for any other purposes;
(c) adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
(d) accurate and kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate,
having regard to the purposes for which they are processed, are erased or rectified without delay;
L 135/82 EN Official Journal of the European Union 24.5.2016
(e) kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which
the personal data are processed; and
2. Europol shall make publicly available a document setting out in an intelligible form the provisions regarding the
processing of personal data and the means available for the exercise of the rights of data subjects.
Article 29
1. The reliability of the source of information originating from a Member State shall be assessed as far as possible by
the providing Member State using the following source evaluation codes:
(A): where there is no doubt as to the authenticity, trustworthiness and competence of the source, or if the information
is provided by a source which has proved to be reliable in all instances;
(B): where the information is provided by a source which has in most instances proved to be reliable;
(C): where the information is provided by a source which has in most instances proved to be unreliable;
2. The accuracy of information originating from a Member State shall be assessed as far as possible by the providing
Member State using the following information evaluation codes:
(2): information known personally to the source but not known personally to the official passing it on;
(3): information not known personally to the source but corroborated by other information already recorded;
(4): information not known personally to the source and which cannot be corroborated.
3. Where Europol, on the basis of information already in its possession, comes to the conclusion that the assessment
provided for in paragraphs 1 or 2 needs to be corrected, it shall inform the Member State concerned and seek to agree
on an amendment to the assessment. Europol shall not change the assessment without such agreement.
4. Where Europol receives information from a Member State without an assessment in accordance with paragraphs 1
or 2, it shall attempt to assess the reliability of the source or the accuracy of information on the basis of information
already in its possession. The assessment of specific data and information shall take place in agreement with the
providing Member State. A Member State may also agree with Europol in general terms on the assessment of specified
types of data and specified sources. If no agreement is reached in a specific case, or no agreement in general terms
exists, Europol shall assess the information or data and shall attribute to such information or data the evaluation
codes (X) and (4) referred to in paragraphs 1 and 2 respectively.
5. This Article shall apply mutatis mutandis where Europol receives data or information from a Union body, third
country, international organisation or private party.
24.5.2016 EN Official Journal of the European Union L 135/83
6. Information from publicly available sources shall be assessed by Europol using the evaluation codes set out in
paragraphs 1 and 2.
7. Where information is the result of an analysis made by Europol in the performance of its tasks, Europol shall
assess such information in accordance with this Article, and in agreement with the Member States participating in the
analysis.
Article 30
Processing of special categories of personal data and of different categories of data subjects
1. Processing of personal data in respect of victims of a criminal offence, witnesses or other persons who can provide
information concerning criminal offences, or in respect of persons under the age of 18, shall be allowed if it is strictly
necessary and proportionate for preventing or combating crime that falls within Europol's objectives.
2. Processing of personal data, by automated or other means, revealing racial or ethnic origin, political opinions,
religious or philosophical beliefs or trade union membership and processing of genetic data or data concerning a
person's health or sex life shall be prohibited, unless it is strictly necessary and proportionate for preventing or
combating crime that falls within Europol's objectives and if those data supplement other personal data processed by
Europol. The selection of a particular group of persons solely on the basis of such personal data shall be prohibited.
3. Only Europol shall have direct access to personal data as referred to in paragraphs 1 and 2. The Executive Director
shall duly authorise a limited number of Europol officials to have such access if it is necessary for the performance of
their tasks.
4. No decision by a competent authority which produces adverse legal effects concerning a data subject shall be
based solely on automated processing of data as referred to in paragraph 2, unless the decision is expressly authorised
pursuant to national or Union legislation.
5. Personal data as referred to in paragraphs 1 and 2 shall not be transmitted to Member States, Union bodies, third
countries or international organisations unless such transmission is strictly necessary and proportionate in individual
cases concerning crime that falls within Europol's objectives and in accordance with Chapter V.
6. Every year Europol shall provide to the EDPS a statistical overview of all personal data as referred to in
paragraph 2 which it has processed.
Article 31
1. Personal data processed by Europol shall be stored by Europol only for as long as is necessary and proportionate
for the purposes for which the data are processed.
2. Europol shall in any event review the need for continued storage no later than three years after the start of initial
processing of personal data. Europol may decide on the continued storage of personal data until the following review,
which shall take place after another period of three years, if continued storage is still necessary for the performance of
Europol's tasks. The reasons for the continued storage shall be justified and recorded. If no decision is taken on the
continued storage of personal data, that data shall be erased automatically after three years.
L 135/84 EN Official Journal of the European Union 24.5.2016
3. If personal data as referred to in Article 30(1) and (2) are stored for a period exceeding five years, the EDPS shall
be informed accordingly.
4. Where a Member State, a Union body, a third country or an international organisation has indicated any
restriction as regards the earlier erasure or destruction of the personal data at the moment of transfer in accordance
with Article 19(2), Europol shall erase the personal data in accordance with those restrictions. If continued storage of
the data is deemed necessary, on the basis of information that is more extensive than that possessed by the data
provider, in order for Europol to perform its tasks, Europol shall request the authorisation of the data provider to
continue storing the data and shall present a justification for such request.
5. Where a Member State, a Union body, a third country or an international organisation erases from its own data
files personal data provided to Europol, it shall inform Europol accordingly. Europol shall erase the data unless the
continued storage of the data is deemed necessary, on the basis of information that is more extensive than that
possessed by the data provider, in order for Europol to perform its tasks. Europol shall inform the data provider of the
continued storage of such data and present a justification of such continued storage.
(a) this would damage the interests of a data subject who requires protection. In such cases, the data shall be used only
with the express and written consent of the data subject;
(b) their accuracy is contested by the data subject, for a period enabling Member States or Europol, where appropriate,
to verify the accuracy of the data;
(c) they have to be maintained for purposes of proof or for the establishment, exercise or defence of legal claims; or
(d) the data subject opposes their erasure and requests the restriction of their use instead.
Article 32
Security of processing
1. Europol shall implement appropriate technical and organisational measures to protect personal data against
accidental or unlawful destruction, accidental loss or unauthorised disclosure, alteration and access or any other
unauthorised form of processing.
2. In respect of automated data processing, Europol and each Member State shall implement measures designed to:
(a) deny unauthorised persons access to data-processing equipment used for processing personal data (equipment access
control);
(b) prevent the unauthorised reading, copying, modification or removal of data media (data media control);
(c) prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal
data (storage control);
(d) prevent the use of automated data-processing systems by unauthorised persons using data-communication
equipment (user control);
(e) ensure that persons authorised to use an automated data-processing system have access only to data covered by their
access authorisation (data access control);
24.5.2016 EN Official Journal of the European Union L 135/85
(f) ensure that it is possible to verify and establish to which bodies personal data may be or have been transmitted
using data-communication equipment (communication control);
(g) ensure that it is possible to verify and establish which personal data have been input into automated data-processing
systems and when and by whom the data were input (input control);
(h) ensure that it is possible to verify and establish what data have been accessed by which member of personnel and at
what time (access log);
(i) prevent the unauthorised reading, copying, modification or deletion of personal data during transfers of personal
data or during the transportation of data media (transport control);
(j) ensure that it is possible, in the event of interruption, to restore installed systems immediately (recovery); and
(k) ensure that the functions of the system perform faultlessly, that the occurrence of faults in the functions is
immediately reported (reliability) and that stored data cannot be corrupted by system malfunctions (integrity).
3. Europol and Member States shall establish mechanisms to ensure that security needs are taken on board across
information system boundaries.
Article 33
Europol shall implement appropriate technical and organisational measures and procedures in such a way that the data
processing will comply with this Regulation and protect the rights of the data subjects concerned.
Article 34
1. In the event of a personal data breach, Europol shall without undue delay notify the EDPS, as well as the
competent authorities of the Member States concerned, of that breach, in accordance with the conditions laid down in
Article 7(5),as well as the provider of the data concerned.
(a) describe the nature of the personal data breach including, where possible and appropriate, the categories and
number of data subjects concerned and the categories and number of data records concerned;
(c) describe the measures proposed or taken by Europol to address the personal data breach; and
(d) where appropriate, recommend measures to mitigate the possible adverse effects of the personal data breach.
3. Europol shall document any personal data breaches, including the facts surrounding the breach, its effects and the
remedial action taken, thereby enabling the EDPS to verify compliance with this Article.
L 135/86 EN Official Journal of the European Union 24.5.2016
Article 35
1. Subject to paragraph 4 of this Article, where a personal data breach as referred to in Article 34 is likely to severely
and adversely affect the rights and freedoms of the data subject, Europol shall communicate the personal data breach to
the data subject without undue delay.
2. The communication to the data subject referred to in paragraph 1 shall describe, where possible, the nature of the
personal data breach, recommend measures to mitigate the possible adverse effects of the personal data breach, and
contain the identity and contact details of the Data Protection Officer.
3. If Europol does not have the contact details of the data subject concerned, it shall request the provider of the data
to communicate the personal data breach to the data subject concerned and to inform Europol about the decision taken.
Member States providing the data shall communicate the breach to the data subject concerned in accordance with the
procedures of their national law.
4. The communication of a personal data breach to the data subject shall not be required if:
(a) Europol has applied to the personal data concerned by that breach appropriate technological protection measures
that render the data unintelligible to any person who is not authorised to access it;
(b) Europol has taken subsequent measures which ensure that the data subject's rights and freedoms are no longer likely
to be severely affected; or
(c) such communication would involve disproportionate effort, in particular owing to the number of cases involved. In
such a case, there shall instead be a public communication or similar measure informing the data subjects concerned
in an equally effective manner.
5. The communication to the data subject may be delayed, restricted or omitted where this constitutes a necessary
measure with due regard for the legitimate interests of the person concerned:
(b) to avoid prejudicing the prevention, detection, investigation and prosecution of criminal offences or for the
execution of criminal penalties;
Article 36
1. Any data subject shall have the right, at reasonable intervals, to obtain information on whether personal data
relating to him or her are processed by Europol.
2. Without prejudice to paragraph 5, Europol shall provide the following information to the data subject:
(a) confirmation as to whether or not data related to him or her are being processed;
(b) information on at least the purposes of the processing operation, the categories of data concerned, and the
recipients or categories of recipients to whom the data are disclosed;
24.5.2016 EN Official Journal of the European Union L 135/87
(c) communication in an intelligible form of the data undergoing processing and of any available information as to their
sources;
(e) the envisaged period for which the personal data will be stored;
(f) the existence of the right to request from Europol rectification, erasure or restriction of processing of personal data
concerning the data subject.
3. Any data subject wishing to exercise the right of access to personal data relating to him or her may make a request
to that effect, without incurring excessive costs, to the authority appointed for that purpose in the Member State of his
or her choice. That authority shall refer the request to Europol without delay, and in any case within one month of
receipt.
4. Europol shall confirm receipt of the request under paragraph 3. Europol shall answer it without undue delay, and
in any case within three months of receipt by Europol of the request from the national authority.
5. Europol shall consult the competent authorities of the Member States, in accordance with the conditions laid down
in Article 7(5), and the provider of the data concerned, on a decision to be taken. A decision on access to personal data
shall be conditional on close cooperation between Europol and the Member States and the provider of the data directly
concerned by the access of the data subject to such data. If a Member State or the provider of the data objects to
Europol's proposed response, it shall notify Europol of the reasons for its objection in accordance with paragraph 6 of
this Article. Europol shall take the utmost account of any such objection. Europol shall subsequently notify its decision
to the competent authorities concerned, in accordance with the conditions laid down in Article 7(5), and to the provider
of the data.
6. The provision of information in response to any request under paragraph 1 may be refused or restricted if such
refusal or restriction constitutes a measure that is necessary in order to:
When the applicability of an exemption is assessed, the fundamental rights and interests of the data subject shall be
taken into account.
7. Europol shall inform the data subject in writing of any refusal or restriction of access, of the reasons for such a
decision and of his or her right to lodge a complaint with the EDPS. Where the provision of such information would
deprive paragraph 6 of its effect, Europol shall only notify the data subject concerned that it has carried out the checks,
without giving any information which might reveal to him or her whether or not personal data concerning him or her
are processed by Europol.
Article 37
1. Any data subject having accessed personal data concerning him or her processed by Europol in accordance with
Article 36 shall have the right to request Europol, through the authority appointed for that purpose in the
Member State of his or her choice, to rectify personal data concerning him or her held by Europol if they are incorrect
or to complete or update them. That authority shall refer the request to Europol without delay and in any case within
one month of receipt.
L 135/88 EN Official Journal of the European Union 24.5.2016
2. Any data subject having accessed personal data concerning him or her processed by Europol in accordance with
Article 36 shall have the right to request Europol, through the authority appointed for that purpose in the
Member State of his or her choice, to erase personal data relating to him or her held by Europol if they are no longer
required for the purposes for which they are collected or are further processed. That authority shall refer the request to
Europol without delay and in any case within one month of receipt.
3. Europol shall restrict rather than erase personal data as referred to in paragraph 2 if there are reasonable grounds
to believe that erasure could affect the legitimate interests of the data subject. Restricted data shall be processed only for
the purpose that prevented their erasure.
4. If personal data as referred to in paragraphs 1, 2 and 3 held by Europol have been provided to it by third
countries, international organisations or Union bodies, have been directly provided by private parties or have been
retrieved by Europol from publicly available sources or result from Europol's own analyses, Europol shall rectify, erase
or restrict such data and, where appropriate, inform the providers of the data.
5. If personal data as referred to in paragraphs 1, 2 and 3 held by Europol have been provided to Europol by
Member States, the Member States concerned shall rectify, erase or restrict such data in collaboration with Europol,
within their respective competences.
6. If incorrect personal data have been transferred by another appropriate means or if the errors in the data provided
by Member States are due to faulty transfer or transfer in breach of this Regulation or if they result from data being
input, taken over or stored in an incorrect manner or in breach of this Regulation by Europol, Europol shall rectify or
erase such data in collaboration with the provider of the data concerned.
7. In the cases referred to in paragraphs 4, 5 and 6, all addressees of the data concerned shall be notified forthwith.
In accordance with the rules applicable to them, the addressees shall then rectify, erase or restrict those data in their
systems.
8. Europol shall inform the data subject in writing without undue delay, and in any case within three months of
receipt of a request in accordance with paragraph 1 or 2, that data concerning him or her have been rectified, erased or
restricted.
9. Within three months of receipt of a request in accordance with paragraph 1 or 2, Europol shall inform the data
subject in writing of any refusal of rectification, erasure or restricting, of the reasons for such a refusal and of the
possibility of lodging a complaint with the EDPS and of seeking a judicial remedy.
Article 38
1. Europol shall store personal data in a way that ensures that their source, as referred to in Article 17, can be
established.
2. The responsibility for the quality of personal data as referred to in point (d) of Article 28(1) shall lie with:
(a) the Member State or the Union body which provided the personal data to Europol;
(b) Europol in respect of personal data provided by third countries or international organisations or directly provided by
private parties; of personal data retrieved by Europol from publicly available sources or resulting from Europol's
own analyses; and of personal data stored by Europol in accordance with Article 31(5).
24.5.2016 EN Official Journal of the European Union L 135/89
3. If Europol becomes aware that personal data provided pursuant to points (a) and (b) of Article 17(1) are factually
incorrect or have been unlawfully stored, it shall inform the provider of those data accordingly.
4. Europol shall be responsible for compliance with the principles referred to in points (a), (b), (c), (e) and (f) of
Article 28(1).
5. The responsibility for the legality of a data transfer shall lie with:
(a) the Member State which provided the personal data to Europol;
(b) Europol in the case of personal data provided by it to Member States, third countries or international organisations.
6. In the case of a transfer between Europol and a Union body, the responsibility for the legality of the transfer shall
lie with Europol.
Without prejudice to the first subparagraph, where the data are transferred by Europol following a request from the
recipient, both Europol and the recipient shall be responsible for the legality of such a transfer.
7. Europol shall be responsible for all data processing operations carried out by it, with the exception of the bilateral
exchange of data using Europol's infrastructure between Member States, Union bodies, third countries and international
organisations to which Europol has no access. Such bilateral exchanges shall take place under the responsibility of the
entities concerned and in accordance with their law. The security of such exchanges shall be ensured in accordance with
Article 32.
Article 39
Prior consultation
1. Any new type of processing operations to be carried out shall be subject to prior consultation where:
(b) the type of processing, in particular using new technologies, mechanisms or procedures, presents specific risks for
the fundamental rights and freedoms, and in particular the protection of personal data, of data subjects.
2. The prior consultation shall be carried out by the EDPS following receipt of a notification from the Data
Protection Officer that shall contain at least a general description of the envisaged processing operations, an assessment
of the risks to the rights and freedoms of data subjects, the measures envisaged to address those risks, safeguards and
security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this
Regulation, taking into account the rights and legitimate interests of the data subjects and other persons concerned.
3. The EDPS shall deliver his or her opinion to the Management Board within two months following receipt of the
notification. That period may be suspended until the EDPS has obtained any further information that he or she may
have requested.
If the opinion has not been delivered after four months it shall be deemed to be favourable.
If the opinion of the EDPS is that the notified processing may involve a breach of any provision of this Regulation, he
or she shall, where appropriate, make proposals to avoid such a breach. Where Europol does not modify the processing
operation accordingly, the EDPS may exercise the powers granted to him or her under Article 43(3).
L 135/90 EN Official Journal of the European Union 24.5.2016
4. The EDPS shall keep a register of all processing operations that have been notified to him or her pursuant to
paragraph 1. The register shall not be made public.
Article 40
1. For the purpose of verifying the lawfulness of data processing, self-monitoring and ensuring proper data integrity
and security, Europol shall keep records of the collection, alteration, access, disclosure, combination or erasure of
personal data. Such logs or documentation shall be deleted after three years, unless the data which they contain are
further required for ongoing control. There shall be no possibility of modifying the logs.
2. Logs or documentation prepared pursuant to paragraph 1 shall be communicated upon request to the EDPS, to the
Data Protection Officer and, if required for a specific investigation, to the national unit concerned. The information thus
communicated shall only be used for the control of data protection and for ensuring proper data processing as well as
data integrity and security.
Article 41
1. The Management Board shall appoint a Data Protection Officer, who shall be a member of the staff. In the
performance of his or her duties, he or she shall act independently.
2. The Data Protection Officer shall be selected on the basis of his or her personal and professional qualities and, in
particular, the expert knowledge of data protection.
It shall be ensured in the selection of the Data Protection Officer that no conflict of interest may result from the
performance of his or her duty in that capacity and from any other official duties, in particular those relating to the
application of this Regulation.
3. The Data Protection Officer shall be appointed for a term of four years. He or she shall be eligible for
reappointment up to a maximum total term of eight years. He or she may be dismissed from his or her function as Data
Protection Officer by the Management Board only with the consent of the EDPS, if he or she no longer meets the
conditions required for the performance of his or her duties.
4. After his or her appointment, the Data Protection Officer shall be registered with the EDPS by the Management
Board.
5. With respect to the performance of his or her duties, the Data Protection Officer shall not receive any instructions.
6. The Data Protection Officer shall, in particular, have the following tasks with regard to personal data, with the
exception of administrative personal data:
(a) ensuring, in an independent manner, the internal application of this Regulation concerning the processing of
personal data;
(b) ensuring that a record of the transfer and receipt of personal data is kept in accordance with this Regulation;
24.5.2016 EN Official Journal of the European Union L 135/91
(c) ensuring that data subjects are informed of their rights under this Regulation at their request;
(d) cooperating with Europol staff responsible for procedures, training and advice on data processing;
(f) preparing an annual report and communicating that report to the Management Board and to the EDPS;
7. The Data Protection Officer shall also carry out the functions provided for by Regulation (EC) No 45/2001 with
regard to administrative personal data.
8. In the performance of his or her tasks, the Data Protection Officer shall have access to all the data processed by
Europol and to all Europol premises.
9. If the Data Protection Officer considers that the provisions of this Regulation concerning the processing of
personal data have not been complied with, he or she shall inform the Executive Director and shall require him or her
to resolve the non-compliance within a specified time.
If the Executive Director does not resolve the non-compliance of the processing within the time specified, the Data
Protection Officer shall inform the Management Board. The Data Protection Officer and the Management Board shall
agree a specified time for a response by the latter. If the Management Board does not resolve the non-compliance within
the time specified, the Data Protection Officer shall refer the matter to the EDPS.
10. The Management Board shall adopt implementing rules concerning the Data Protection Officer. Those
implementing rules shall, in particular, concern the selection procedure for the position of the Data Protection Officer
and his or her dismissal, tasks, duties and powers, and safeguards ensuring the independence of the Data Protection
Officer.
11. Europol shall provide the Data Protection Officer with the staff and resources needed in order for him or her to
be able to carry out his or her duties. Those staff members shall have access to all the data processed at Europol and to
Europol premises only to the extent necessary for the performance of their tasks.
12. The Data Protection Officer and his or her staff shall be bound by the obligation of confidentiality in accordance
with Article 67(1).
Article 42
1. Each Member State shall designate a national supervisory authority. The national supervisory authority shall have
the task of monitoring independently, in accordance with its national law, the permissibility of the transfer, the retrieval
and any communication to Europol of personal data by the Member State concerned, and of examining whether such
transfer, retrieval or communication violates the rights of the data subjects concerned. For that purpose, the national
supervisory authority shall have access, at the national unit or at the liaison officers' premises, to data submitted by its
Member State to Europol in accordance with the relevant national procedures and to logs and documentation as referred
to in Article 40.
2. For the purpose of exercising their supervisory function, national supervisory authorities shall have access to the
offices and documents of their respective liaison officers at Europol.
L 135/92 EN Official Journal of the European Union 24.5.2016
3. National supervisory authorities shall, in accordance with the relevant national procedures, supervise the activities
of national units and the activities of liaison officers, insofar as such activities are relevant to the protection of personal
data. They shall also keep the EDPS informed of any actions they take with respect to Europol.
4. Any person shall have the right to request the national supervisory authority to verify the legality of any transfer
or communication to Europol of data concerning him or her in any form and of access to those data by the
Member State concerned. That right shall be exercised in accordance with the national law of the Member State in which
the request is made.
Article 43
1. The EDPS shall be responsible for monitoring and ensuring the application of the provisions of this Regulation
relating to the protection of fundamental rights and freedoms of natural persons with regard to the processing of
personal data by Europol, and for advising Europol and data subjects on all matters concerning the processing of
personal data. To that end, he or she shall fulfil the duties set out in paragraph 2 and exercise the powers laid down in
paragraph 3, while closely cooperating with the national supervisory authorities in accordance with Article 44.
(a) hearing and investigating complaints, and informing the data subject of the outcome within a reasonable period;
(b) conducting inquiries either on his or her own initiative or on the basis of a complaint, and informing the data
subject of the outcome within a reasonable period;
(c) monitoring and ensuring the application of this Regulation and any other Union act relating to the protection of
natural persons with regard to the processing of personal data by Europol;
(d) advising Europol, either on his or her own initiative or in response to a consultation, on all matters concerning the
processing of personal data, in particular before it draws up internal rules relating to the protection of fundamental
rights and freedoms with regard to the processing of personal data;
(e) keeping a register of new types of processing operations notified to him or her by virtue of Article 39(1) and
registered in accordance with Article 39(4);
(b) refer a matter to Europol in the event of an alleged breach of the provisions governing the processing of personal
data, and, where appropriate, make proposals for remedying that breach and for improving the protection of the
data subjects;
(c) order that requests to exercise certain rights in relation to data be complied with where such requests have been
refused in breach of Articles 36 and 37;
(e) order Europol to carry out the rectification, restriction, erasure or destruction of personal data which have been
processed in breach of the provisions governing the processing of personal data and to notify such actions to third
parties to whom such data have been disclosed;
(f) impose a temporary or definitive ban on processing operations by Europol which are in breach of the provisions
governing the processing of personal data;
(g) refer a matter to Europol and, if necessary, to the European Parliament, the Council and the Commission;
(h) refer a matter to the Court of Justice of the European Union under the conditions provided for in the TFEU;
(i) intervene in actions brought before the Court of Justice of the European Union.
(a) obtain from Europol access to all personal data and to all information necessary for his or her enquiries;
(b) obtain access to any premises in which Europol carries on its activities when there are reasonable grounds for
presuming that an activity covered by this Regulation is being carried out there.
5. The EDPS shall draw up an annual report on the supervisory activities of Europol, after consulting the national
supervisory authorities. That report shall be part of the annual report of the EDPS referred to in Article 48 of
Regulation (EC) No 45/2001.
The report shall include statistical information regarding complaints, inquiries, and investigations carried out in
accordance with paragraph 2, as well as regarding transfers of personal data to third countries and international organ
isations, cases of prior consultation, and the use of the powers laid down in paragraph 3.
6. The EDPS, the officials and the other staff members of the EDPS's Secretariat shall be bound by the obligation of
confidentiality laid down in Article 67(1).
Article 44
1. The EDPS shall act in close cooperation with the national supervisory authorities on issues requiring national
involvement, in particular if the EDPS or a national supervisory authority finds major discrepancies between the
practices of Member States or potentially unlawful transfers in the use of Europol's channels for exchanges of
information, or in the context of questions raised by one or more national supervisory authorities on the implemen
tation and interpretation of this Regulation.
2. The EDPS shall use the expertise and experience of the national supervisory authorities in carrying out his or her
duties as set out in Article 43(2). In carrying out joint inspections together with the EDPS, members and staff of
national supervisory authorities shall, taking due account of the principles of subsidiarity and proportionality, have
powers equivalent to those laid down in Article 43(4) and be bound by an obligation equivalent to that laid down in
Article 43(6). The EDPS and the national supervisory authorities shall, each acting within the scope of their respective
competences, exchange relevant information and assist each other in carrying out audits and inspections.
3. The EDPS shall keep national supervisory authorities fully informed of all issues directly affecting or otherwise
relevant to them. Upon the request of one or more national supervisory authorities, the EDPS shall inform them of
specific issues.
L 135/94 EN Official Journal of the European Union 24.5.2016
4. In cases relating to data originating from one or more Member States, including the cases referred to in
Article 47(2), the EDPS shall consult the national supervisory authorities concerned. The EDPS shall not decide on
further action to be taken before those national supervisory authorities have informed the EDPS of their position, within
a deadline specified by him or her which shall not be shorter than one month and not longer than three months. The
EDPS shall take the utmost account of the respective positions of the national supervisory authorities concerned. In
cases where the EDPS intends not to follow the position of a national supervisory authority, he or she shall inform that
authority, provide a justification and submit the matter for discussion to the Cooperation Board established by
Article 45(1).
In cases which the EDPS considers to be extremely urgent, he or she may decide to take immediate action. In such cases,
the EDPS shall immediately inform the national supervisory authorities concerned and justify the urgent nature of the
situation as well as the action he or she has taken.
Article 45
Cooperation Board
1. A Cooperation Board with an advisory function is hereby established. It shall be composed of a representative of a
national supervisory authority of each Member State and of the EDPS.
2. The Cooperation Board shall act independently when performing its tasks pursuant to paragraph 3 and shall
neither seek nor take instructions from any body.
(a) discussing general policy and strategy of data protection supervision of Europol and the permissibility of the
transfer, the retrieval and any communication to Europol of personal data by the Member States;
(c) studying general problems relating to the exercise of independent supervision or the exercise of the rights of data
subjects;
(d) discussing and drawing up harmonised proposals for joint solutions on matters referred to in Article 44(1);
(e) discussing cases submitted by the EDPS in accordance with Article 44(4);
4. The Cooperation Board may issue opinions, guidelines, recommendations and best practices. The EDPS and the
national supervisory authorities shall, without prejudice to their independence and each acting within the scope of their
respective competences, take the utmost account of them.
5. The Cooperation Board shall meet whenever necessary, and at least twice a year. The costs and servicing of its
meetings shall be borne by the EDPS.
6. Rules of procedure of the Cooperation Board shall be adopted at its first meeting by a simple majority of its
members. Further working methods shall be developed jointly as necessary.
24.5.2016 EN Official Journal of the European Union L 135/95
Article 46
Regulation (EC) No 45/2001 shall apply to all administrative personal data held by Europol.
CHAPTER VII
Article 47
1. Any data subject shall have the right to lodge a complaint with the EDPS if he or she considers that the processing
by Europol of personal data relating to him or her does not comply with this Regulation.
2. Where a complaint relates to a decision as referred to in Article 36 or 37, the EDPS shall consult the national
supervisory authorities of the Member State that provided the data or the Member State directly concerned. In adopting
his or her decision, which may extend to a refusal to communicate any information, the EDPS shall take into account
the opinion of the national supervisory authority.
3. Where a complaint relates to the processing of data provided by a Member State to Europol, the EDPS and the
national supervisory authority of the Member State that provided the data shall, each acting within the scope of their
respective competences, ensure that the necessary checks on the lawfulness of the processing of the data have been
carried out correctly.
4. Where a complaint relates to the processing of data provided to Europol by Union bodies, third countries or inter
national organisations, or of data retrieved by Europol from publicly available sources or resulting from Europol's own
analyses, the EDPS shall ensure that Europol has correctly carried out the necessary checks on the lawfulness of the
processing of the data.
Article 48
Any action against a decision of the EDPS shall be brought before the Court of Justice of the European Union.
Article 49
1. Europol's contractual liability shall be governed by the law applicable to the contract in question.
2. The Court of Justice of the European Union shall have jurisdiction to give judgment pursuant to any arbitration
clause in a contract concluded by Europol.
L 135/96 EN Official Journal of the European Union 24.5.2016
3. Without prejudice to Article 49, in the case of non-contractual liability, Europol shall, in accordance with the
general principles common to the laws of the Member States, make good any damage caused by its departments or by
its staff in the performance of their duties.
4. The Court of Justice of the European Union shall have jurisdiction in disputes relating to compensation for damage
as referred to in paragraph 3.
5. The personal liability of Europol staff vis-à-vis Europol shall be governed by the provisions laid down in the Staff
Regulations or in the Conditions of Employment of Other Servants applicable to them.
Article 50
Liability for incorrect personal data processing and the right to compensation
1. Any individual who has suffered damage as a result of an unlawful data processing operation shall have the right
to receive compensation for damage suffered, either from Europol in accordance with Article 340 TFEU or from the
Member State in which the event that gave rise to the damage occurred, in accordance with its national law. The
individual shall bring an action against Europol before the Court of Justice of the European Union, or against the
Member State before a competent national court of that Member State.
2. Any dispute between Europol and Member States over the ultimate responsibility for compensation awarded to an
individual in accordance with paragraph 1 shall be referred to the Management Board, which shall decide by a
majority of two-thirds of its members, without prejudice to the right to challenge that decision in accordance with
Article 263 TFEU.
CHAPTER VIII
Article 51
1. Pursuant to Article 88 TFEU, the scrutiny of Europol's activities shall be carried out by the European Parliament
together with national parliaments. This shall constitute a specialised Joint Parliamentary Scrutiny Group (JPSG)
established together by the national parliaments and the competent committee of the European Parliament. The
organisation and the rules of procedure of the JPSG shall be determined together by the European Parliament and the
national parliaments in accordance with Article 9 of Protocol No 1.
2. The JPSG shall politically monitor Europol's activities in fulfilling its mission, including as regards the impact of
those activities on the fundamental rights and freedoms of natural persons.
(a) the Chairperson of the Management Board, the Executive Director or their Deputies shall appear before the JPSG at
its request to discuss matters relating to the activities referred to in the first subparagraph, including the budgetary
aspects of such activities, the structural organisation of Europol and the potential establishment of new units and
specialised centres, taking into account the obligations of discretion and confidentiality. The JPSG may decide to
invite to its meetings other relevant persons, where appropriate;
24.5.2016 EN Official Journal of the European Union L 135/97
(b) the EDPS shall appear before the JPSG at its request, and at least once a year, to discuss general matters relating to
the protection of fundamental rights and freedoms of natural persons, and in particular the protection of personal
data, with regard to Europol's activities, taking into account the obligations of discretion and confidentiality;
(c) the JPSG shall be consulted in relation to the multiannual programming of Europol in accordance with Article 12(1).
3. Europol shall transmit the following documents, for information purposes, to the JPSG, taking into account the
obligations of discretion and confidentiality:
(a) threat assessments, strategic analyses and general situation reports relating to Europol's objective as well as the
results of studies and evaluations commissioned by Europol;
(c) the document containing the multiannual programming and the annual work programme of Europol, referred to in
Article 12(1);
(d) the consolidated annual activity report on Europol's activities, referred to in point (c) of Article 11(1);
(e) the evaluation report drawn up by the Commission, referred to in Article 68(1).
4. The JPSG may request other relevant documents necessary for the fulfilment of its tasks relating to the political
monitoring of Europol's activities, subject to Regulation (EC) No 1049/2001 of the European Parliament and of the
Council (1) and without prejudice to Articles 52 and 67 of this Regulation.
5. The JPSG may draw up summary conclusions on the political monitoring of Europol's activities and submit those
conclusions to the European Parliament and national parliaments. The European Parliament shall forward them, for
information purposes, to the Council, the Commission and Europol.
Article 52
1. For the purpose of enabling it to exercise parliamentary scrutiny of Europol's activities in accordance with
Article 51, access by the European Parliament to sensitive non-classified information processed by or through Europol,
upon the European Parliament's request, shall comply with the rules referred to in Article 67(1).
2. Access by the European Parliament to EU classified information processed by or through Europol shall be
consistent with the Interinstitutional Agreement of 12 March 2014 between the European Parliament and the Council
concerning the forwarding to and the handling by the European Parliament of classified information held by the Council
on matters other than those in the area of the common foreign and security policy (2), and shall comply with the rules
referred to in Article 67(2) of this Regulation.
3. The necessary details regarding access by the European Parliament to the information referred to in paragraphs 1
and 2 shall be governed by working arrangements concluded between Europol and the European Parliament.
(1) Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European
Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).
(2) OJ C 95, 1.4.2014, p. 1.
L 135/98 EN Official Journal of the European Union 24.5.2016
CHAPTER IX
STAFF
Article 53
General provisions
1. The Staff Regulations, the Conditions of Employment of Other Servants and the rules adopted by agreement
between the institutions of the Union for giving effect to the Staff Regulations and to the Conditions of Employment of
Other Servants shall apply to the staff of Europol with the exception of staff who, on 1 May 2017, are employed
pursuant to a contract concluded by Europol as established by the Europol Convention without prejudice to
Article 73(4) of this Regulation. Such contracts shall continue to be governed by the Council Act of 3 December 1998.
2. Europol staff shall consist of temporary staff and/or contract staff. The Management Board shall be informed on a
yearly basis of contracts of an indefinite duration granted by the Executive Director. The Management Board shall decide
which temporary posts provided for in the establishment plan can be filled only by staff from the competent authorities
of the Member States. Staff recruited to occupy such posts shall be temporary agents and may be awarded only fixed-
term contracts, renewable once for a fixed period.
Article 54
Executive Director
1. The Executive Director shall be engaged as a temporary agent of Europol under point (a) of Article 2 of the
Conditions of Employment of Other Servants.
2. The Executive Director shall be appointed by the Council from a shortlist of candidates proposed by the
Management Board, following an open and transparent selection procedure.
The shortlist shall be drawn up by a selection committee set up by the Management Board and composed of members
designated by Member States and a Commission representative
For the purpose of concluding a contract with the Executive Director, Europol shall be represented by the Chairperson
of the Management Board.
Before appointment, the candidate selected by the Council may be invited to appear before the competent committee of
the European Parliament, which shall subsequently give a non-binding opinion.
3. The term of office of the Executive Director shall be four years. By the end of that period, the Commission, in
association with the Management Board, shall undertake an assessment taking into account:
4. The Council, acting on a proposal from the Management Board that takes into account the assessment referred to
in paragraph 3, may extend the term of office of the Executive Director once and for no more than four years.
24.5.2016 EN Official Journal of the European Union L 135/99
5. The Management Board shall inform the European Parliament if it intends to propose to the Council that the
Executive Director's term of office be extended. Within the month before any such extension, the Executive Director may
be invited to appear before the competent committee of the European Parliament.
6. An Executive Director whose term of office has been extended shall not participate in another selection procedure
for the same post at the end of the overall period.
7. The Executive Director may be removed from office only pursuant to a decision of the Council acting on a
proposal from the Management Board. The European Parliament shall be informed about that decision.
8. The Management Board shall reach decisions regarding proposals to be made to the Council on the appointment,
extension of the term of office, or removal from office, of the Executive Director by a majority of two-thirds of its
members with voting rights.
Article 55
1. Three Deputy Executive Directors shall assist the Executive Director. The Executive Director shall define their tasks.
2. Article 54 shall apply to the Deputy Executive Directors. The Executive Director shall be consulted prior to their
appointment, any extension of their term of office or their removal from office.
Article 56
2. The Management Board shall adopt a decision laying down rules on the secondment of national experts to
Europol.
CHAPTER X
FINANCIAL PROVISIONS
Article 57
Budget
1. Estimates of all revenue and expenditure for Europol shall be prepared each financial year, which shall correspond
to the calendar year, and shall be shown in Europol's budget.
3. Without prejudice to other resources, Europol's revenue shall comprise a contribution from the Union entered in
the general budget of the Union.
4. Europol may benefit from Union funding in the form of delegation agreements or ad hoc grants in accordance
with its financial rules referred to in Article 61 and with the provisions of the relevant instruments supporting the
policies of the Union.
5. Europol's expenditure shall include staff remuneration, administrative and infrastructure expenses, and operating
costs.
6. Budgetary commitments for actions relating to large-scale projects extending over more than one financial year
may be broken down into several annual instalments.
Article 58
1. Each year the Executive Director shall draw up a draft statement of estimates of Europol's revenue and expenditure
for the following financial year, including an establishment plan, and shall send it to the Management Board.
2. The Management Board shall, on the basis of the draft statement of estimates, adopt a provisional draft estimate of
Europol's revenue and expenditure for the following financial year and shall send it to the Commission by 31 January
each year.
3. The Management Board shall send the final draft estimate of Europol's revenue and expenditure, which shall
include a draft establishment plan, to the European Parliament, the Council and the Commission by 31 March each year.
4. The Commission shall send the statement of estimates to the European Parliament and the Council, together with
the draft general budget of the Union.
5. On the basis of the statement of estimates, the Commission shall enter in the draft general budget of the Union
the estimates that it considers necessary for the establishment plan and the amount of the contribution to be charged to
the general budget, which it shall place before the European Parliament and the Council in accordance with Articles 313
and 314 TFEU.
6. The European Parliament and the Council shall authorise the appropriations for the contribution from the Union
to Europol.
7. The European Parliament and the Council shall adopt Europol's establishment plan.
8. Europol's budget shall be adopted by the Management Board. It shall become final following the final adoption of
the general budget of the Union. Where necessary, it shall be adjusted accordingly.
9. For any building projects likely to have significant implications for Europol's budget, Delegated Regulation (EU)
No 1271/2013 shall apply.
24.5.2016 EN Official Journal of the European Union L 135/101
Article 59
2. Each year the Executive Director shall send to the European Parliament and the Council all information relevant to
the findings of any evaluation procedures.
Article 60
1. Europol's accounting officer shall send the provisional accounts for the financial year (year N) to the Commission's
accounting officer and to the Court of Auditors by 1 March of the following financial year (year N + 1).
2. Europol shall send a report on the budgetary and financial management for year N to the European Parliament,
the Council and the Court of Auditors by 31 March of year N + 1.
3. The Commission's accounting officer shall send Europol's provisional accounts for year N, consolidated with the
Commission's accounts, to the Court of Auditors by 31 March of year N + 1.
4. On receipt of the Court of Auditors' observations on Europol's provisional accounts for year N pursuant to
Article 148 of Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council (1), Europol's
accounting officer shall draw up Europol's final accounts for that year. The Executive Director shall submit them to the
Management Board for an opinion.
5. The Management Board shall deliver an opinion on Europol's final accounts for year N.
6. Europol's accounting officer shall, by 1 July of year N + 1, send the final accounts for year N to the
European Parliament, the Council, the Commission, the Court of Auditors and national parliaments, together with the
Management Board's opinion referred to in paragraph 5.
7. The final accounts for year N shall be published in the Official Journal of the European Union by 15 November of
year N + 1.
8. The Executive Director shall send to the Court of Auditors, by 30 September of year N + 1, a reply to the
observations made in its annual report. He or she shall also send the reply to the Management Board.
9. The Executive Director shall submit to the European Parliament, at the latter's request, any information required
for the smooth application of the discharge procedure for year N, as laid down in Article 109(3) of Delegated
Regulation (EU) No 1271/2013.
10. On a recommendation from the Council acting by a qualified majority, the European Parliament shall,
before 15 May of year N + 2, grant a discharge to the Executive Director in respect of the implementation of the budget
for year N.
(1) Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council of 25 October 2012 on the financial rules
applicable to the general budget of the Union and repealing Council Regulation (EC, Euratom) No 1605/2002 (OJ L 298, 26.10.2012,
p. 1).
L 135/102 EN Official Journal of the European Union 24.5.2016
Article 61
Financial rules
1. The financial rules applicable to Europol shall be adopted by the Management Board after consultation with the
Commission. They shall not depart from Delegated Regulation (EU) No 1271/2013 unless such a departure is
specifically required for the operation of Europol and the Commission has given its prior consent.
2. Europol may award grants related to the fulfilment of tasks as referred to in Article 4.
3. Europol may award grants without a call for proposals to Member States for performance of their cross-border
operations and investigations and for the provision of training relating to the tasks referred to in points (h) and (i) of
Article 4(1).
4. In respect of the financial support to be given to joint investigation teams' activities, Europol and Eurojust shall
jointly establish the rules and conditions upon which applications for such support are to be processed.
CHAPTER XI
MISCELLANEOUS PROVISIONS
Article 62
Legal status
2. In each Member State Europol shall enjoy the most extensive legal capacity accorded to legal persons under
national law. Europol may, in particular, acquire and dispose of movable and immovable property and be a party to
legal proceedings.
3. In accordance with Protocol No 6 on the location of the seats of the institutions and of certain bodies, agencies
and departments of the European Union, annexed to the TEU and to the TFEU (‘Protocol No 6’), Europol shall have its
seat in The Hague.
Article 63
1. Protocol No 7 on the privileges and immunities of the European Union, annexed to the TEU and to the TFEU,
shall apply to Europol and its staff.
2. Privileges and immunities of liaison officers and members of their families shall be subject to an agreement
between the Kingdom of Netherlands and the other Member States. That agreement shall provide for such privileges and
immunities as are necessary for the proper performance of the tasks of liaison officers.
24.5.2016 EN Official Journal of the European Union L 135/103
Article 64
Language arrangements
2. The Management Board shall decide by a majority of two-thirds of its members on the internal language
arrangements of Europol.
3. The translation services required for the functioning of Europol shall be provided by the Translation Centre for the
bodies of the European Union.
Article 65
Transparency
2. By 14 December 2016, the Management Board shall adopt the detailed rules for applying Regulation (EC)
No 1049/2001 with regard to Europol documents.
3. Decisions taken by Europol under Article 8 of Regulation (EC) No 1049/2001 may be the subject of a complaint
to the European Ombudsman or of an action before the Court of Justice of the European Union, in accordance with
Articles 228 and 263 TFEU respectively.
4. Europol shall publish on its website a list of the Management Board members and summaries of the outcome of
the meetings of the Management Board. The publication of those summaries shall be temporarily or permanently
omitted or restricted if such publication would risk jeopardising the performance of Europol's tasks, taking into account
its obligations of discretion and confidentiality and the operational character of Europol.
Article 66
Combating fraud
1. In order to facilitate the fight against fraud, corruption and any other illegal activities under Regulation (EU,
Euratom) No 883/2013, Europol shall, by 30 October 2017, accede to the Interinstitutional Agreement of 25 May 1999
between the European Parliament, the Council of the European Union and the Commission of the
European Communities concerning internal investigations by the European Anti-Fraud Office (OLAF) (2) and shall adopt
appropriate provisions applicable to all employees of Europol, using the template set out in the Annex to that
Agreement.
2. The Court of Auditors shall have a power of audit, on the basis of documents and on-the-spot checks, over all
grant beneficiaries, contractors and subcontractors who have received Union funds from Europol.
(1) Regulation No 1 determining the languages to be used by the European Economic Community (OJ 17, 6.10.1958, p. 385/58).
(2) OJ L 136, 31.5.1999, p. 15.
L 135/104 EN Official Journal of the European Union 24.5.2016
3. OLAF may carry out investigations, including on-the-spot checks and inspections, with a view to establishing
whether there has been fraud, corruption or any other illegal activity affecting the financial interests of the Union in
connection with a grant or a contract awarded by Europol. Such investigations shall be carried out in accordance with
the provisions and procedures laid down in Regulation (EU, Euratom) No 883/2013 and in Council Regulation
(Euratom, EC) No 2185/96 (1).
4. Without prejudice to paragraphs 1, 2 and 3, working arrangements with Union bodies, authorities of third
countries, international organisations and private parties, contracts, grant agreements and grant decisions of Europol
shall contain provisions expressly empowering the Court of Auditors and OLAF to conduct the audits and investigations
referred to in paragraphs 2 and 3, in accordance with their respective competences.
Article 67
1. Europol shall establish rules on the obligations of discretion and confidentiality and on the protection of sensitive
non-classified information.
2. Europol shall establish rules on the protection of EU classified information which shall be consistent with
Decision 2013/488/EU in order to ensure an equivalent level of protection for such information.
Article 68
1. By 1 May 2022 and every five years thereafter, the Commission shall ensure that an evaluation assessing, in
particular, the impact, effectiveness and efficiency of Europol and of its working practices is carried out. The evaluation
may, in particular, address the possible need to modify the structure, operation, field of action and tasks of Europol, and
the financial implications of any such modification.
2. The Commission shall submit the evaluation report to the Management Board. The Management Board shall
provide its observations on the evaluation report within three months from the date of receipt. The Commission shall
then submit the final evaluation report, together with the Commission's conclusions, and the Management Board's
observations in an annex thereto, to the European Parliament, the Council, the national parliaments and the
Management Board. Where appropriate, the main findings of the evaluation report shall be made public.
Article 69
Administrative inquiries
The activities of Europol shall be subject to inquiries by the European Ombudsman in accordance with Article 228
TFEU.
(1) Council Regulation (Euratom, EC) No 2185/96 of 11 November 1996 concerning on-the-spot checks and inspections carried out by the
Commission in order to protect the European Communities' financial interests against fraud and other irregularities (OJ L 292,
15.11.1996, p. 2).
24.5.2016 EN Official Journal of the European Union L 135/105
Article 70
Headquarters
The necessary arrangements concerning the accommodation to be provided for Europol in the Kingdom of the
Netherlands and the facilities to be made available by the Kingdom of the Netherlands, together with the specific rules
applicable there to the Executive Director, members of the Management Board, Europol's staff and members of their
families, shall be laid down in a headquarters agreement between Europol and the Kingdom of the Netherlands, in
accordance with Protocol No 6.
CHAPTER XII
TRANSITIONAL PROVISIONS
Article 71
Legal succession
1. Europol as established by this Regulation shall be the legal successor in respect of all contracts concluded by,
liabilities incumbent upon and properties acquired by Europol as established by Decision 2009/371/JHA.
2. This Regulation shall not affect the legal force of agreements concluded by Europol as established by
Decision 2009/371/JHA before 13 June 2016, or of agreements concluded by Europol as established by the Europol
Convention before 1 January 2010.
Article 72
1. The term of office of the members of the Management Board as established on the basis of Article 37 of
Decision 2009/371/JHA shall terminate on 1 May 2017.
2. During the period from 13 June 2016 to 1 May 2017, the Management Board as established on the basis of
Article 37 of Decision 2009/371/JHA shall:
(a) exercise the functions of the Management Board in accordance with Article 11 of this Regulation;
(b) prepare the adoption of the rules relating to the application of Regulation (EC) No 1049/2001 with regard to
Europol documents as referred to in Article 65(2) of this Regulation, and of the rules referred to in Article 67 of
this Regulation;
(c) prepare any instrument necessary for the application of this Regulation, in particular any measures relating to
Chapter IV; and
(d) review the internal rules and measures which it has adopted on the basis of Decision 2009/371/JHA so as to allow
the Management Board as established pursuant to Article 10 of this Regulation to take a decision pursuant to
Article 76 of this Regulation.
L 135/106 EN Official Journal of the European Union 24.5.2016
3. The Commission shall without delay after 13 June 2016 take the measures necessary to ensure that the
Management Board established pursuant to Article 10 starts its work on 1 May 2017.
4. By 14 December 2016, the Member States shall notify the Commission of the names of the persons whom they
have appointed as member and alternate member of the Management Board, in accordance with Article 10.
5. The Management Board established pursuant to Article 10 shall hold its first meeting on 1 May 2017. On that
occasion it shall, if necessary, take decisions as referred to in Article 76.
Article 73
Transitional arrangements concerning the Executive Director, the Deputy Directors and staff
1. The Director of Europol appointed on the basis of Article 38 of Decision 2009/371/JHA shall, for the remaining
period of his or her term of office, be assigned the responsibilities of Executive Director, as provided for in Article 16 of
this Regulation. The other conditions of his or her contract shall remain unchanged. If the term of office ends between
13 June 2016 and 1 May 2017, it shall be extended automatically until 1 May 2018.
2. Should the Director appointed on the basis of Article 38 of Decision 2009/371/JHA be unwilling or unable to act
in accordance with paragraph 1 of this Article, the Management Board shall designate an interim Executive Director to
exercise the duties assigned to the Executive Director for a period not exceeding 18 months, pending the appointment
provided for in Article 54(2) of this Regulation.
3. Paragraphs 1 and 2 of this Article shall apply to the Deputy Directors appointed on the basis of Article 38 of
Decision 2009/371/JHA.
4. In accordance with the Conditions of Employment of Other Servants, the authority referred to in the first
paragraph of Article 6 thereof shall offer employment of indefinite duration as a member of the temporary or contract
staff to any person who, on 1 May 2017, is employed under a contract of indefinite duration as a local staff member
concluded by Europol as established by the Europol Convention. The offer of employment shall be based on the tasks to
be performed by the servant as a member of the temporary or contract staff. The contract concerned shall take effect at
the latest on 1 May 2018. A staff member who does not accept the offer referred to in this paragraph may retain his or
her contractual relationship with Europol in accordance with Article 53(1).
Article 74
The discharge procedure in respect of the budgets approved on the basis of Article 42 of Decision 2009/371/JHA shall
be carried out in accordance with the rules established by Article 43 thereof.
CHAPTER XIII
FINAL PROVISIONS
Article 75
1. Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA are hereby replaced
for the Member States bound by this Regulation with effect from 1 May 2017.
24.5.2016 EN Official Journal of the European Union L 135/107
Therefore, Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA are repealed
with effect from 1 May 2017.
2. With regard to the Member States bound by this Regulation, references to the Decisions referred to in paragraph 1
shall be construed as references to this Regulation.
Article 76
Internal rules and measures adopted by the Management Board on the basis of Decision 2009/371/JHA shall remain in
force after 1 May 2017, unless otherwise decided by the Management Board in the application of this Regulation.
Article 77
1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of
the European Union.
This Regulation shall be binding in its entirety and directly applicable in the Member States in
accordance with the Treaties.
ANNEX I
— terrorism,
— organised crime,
— drug trafficking,
— money-laundering activities,
— crime connected with nuclear and radioactive substances,
— immigrant smuggling,
— trafficking in human beings,
— motor vehicle crime,
— murder and grievous bodily injury,
— illicit trade in human organs and tissue,
— kidnapping, illegal restraint and hostage-taking,
— racism and xenophobia,
— robbery and aggravated theft,
— illicit trafficking in cultural goods, including antiquities and works of art,
— swindling and fraud,
— crime against the financial interests of the Union,
— insider dealing and financial market manipulation,
— racketeering and extortion,
— counterfeiting and product piracy,
— forgery of administrative documents and trafficking therein,
— forgery of money and means of payment,
— computer crime,
— corruption,
— illicit trafficking in arms, ammunition and explosives,
— illicit trafficking in endangered animal species,
— illicit trafficking in endangered plant species and varieties,
— environmental crime, including ship-source pollution,
— illicit trafficking in hormonal substances and other growth promoters,
— sexual abuse and sexual exploitation, including child abuse material and solicitation of children for sexual purposes,
— genocide, crimes against humanity and war crimes.
24.5.2016 EN Official Journal of the European Union L 135/109
ANNEX II
A. Categories of personal data and categories of data subjects whose data may be collected and processed for the
purpose of cross-checking as referred to in point (a) of Article 18(2)
1. Personal data collected and processed for the purpose of cross-checking shall relate to:
(a) persons who, in accordance with the national law of the Member State concerned, are suspected of having
committed or having taken part in a criminal offence in respect of which Europol is competent, or who have
been convicted of such an offence;
(b) persons regarding whom there are factual indications or reasonable grounds under the national law of the
Member State concerned to believe that they will commit criminal offences in respect of which Europol is
competent.
2. Data relating to the persons referred to in paragraph 1 may include only the following categories of personal data:
(a) surname, maiden name, given names and any alias or assumed name;
(c) nationality;
(d) sex;
(f) social security numbers, driving licences, identification documents and passport data; and
(g) where necessary, other characteristics likely to assist in identification, including any specific objective physical
characteristics not subject to change such as dactyloscopic data and DNA profile (established from the non-
coding part of DNA).
3. In addition to the data referred to in paragraph 2, the following categories of personal data concerning the persons
referred to in paragraph 1 may be collected and processed:
(a) criminal offences, alleged criminal offences and when, where and how they were (allegedly) committed;
(b) means which were or which may have been used to commit those criminal offences, including information
concerning legal persons;
(e) convictions, where they relate to criminal offences in respect of which Europol is competent;
These data may be provided to Europol even when they do not yet contain any references to persons.
4. Additional information held by Europol or national units concerning the persons referred to in paragraph 1 may
be communicated to any national unit or to Europol, should either so request. National units shall do so in
compliance with their national law.
5. If proceedings against the person concerned are definitively dropped or if that person is definitively acquitted, the
data relating to the case in respect of which either decision has been taken shall be deleted.
L 135/110 EN Official Journal of the European Union 24.5.2016
B. Categories of personal data and categories of data subjects whose data may be collected and processed for the
purpose of analyses of a strategic or thematic nature, for the purpose of operational analyses or for the purpose of
facilitating the exchange of information as referred to in points (b), (c) and (d) of Article 18(2)
1. Personal data collected and processed for the purpose of analyses of a strategic or thematic nature, for the purpose
of operational analyses or for the purpose of facilitating the exchange of information between Member States,
Europol, other Union bodies, third countries and international organisations shall relate to:
(a) persons who, pursuant to the national law of the Member State concerned, are suspected of having committed
or having taken part in a criminal offence in respect of which Europol is competent, or who have been
convicted of such an offence;
(b) persons regarding whom there are factual indications or reasonable grounds under the national law of the
Member State concerned to believe that they will commit criminal offences in respect of which Europol is
competent;
(c) persons who might be called on to testify in investigations in connection with the offences under consideration
or in subsequent criminal proceedings;
(d) persons who have been the victims of one of the offences under consideration or with regard to whom certain
facts give reason to believe that they could be the victims of such an offence;
(f) persons who can provide information on the criminal offences under consideration.
2. The following categories of personal data, including associated administrative data, may be processed on the
categories of persons referred to in points (a) and (b) of paragraph 1:
(vi) sex;
(ix) nationality;
(xi) alias;
(xii) nickname;
(v) forensic identification information such as fingerprints, DNA profile (established from the non-coding part
of DNA), voice profile, blood group, dental information;
(iv) qualifications;
(i) financial data (bank accounts and codes, credit cards, etc.);
(viii) other information revealing a person's management of his or her financial affairs;
(ii) movements;
(vi) specific risks such as escape probability, use of double agents, connections with law enforcement
personnel;
(g) contacts and associates, including type and nature of the contact or association;
L 135/112 EN Official Journal of the European Union 24.5.2016
(h) means of communication used, such as telephone (static/mobile), fax, pager, electronic mail, postal addresses,
internet connection(s);
(i) means of transport used, such as vehicles, boats, aircraft, including information identifying those means of
transport (registration numbers);
(iv) means which were or may be used to prepare and/or commit crimes;
(viii) material gathered in the course of an investigation, such as video and photographic images;
(k) references to other information systems in which information on the person is stored:
(i) Europol;
(l) information on legal persons associated with the data referred to in points (e) and (j):
(ii) location;
(vi) capital;
(ix) directors;
3. ‘Contacts and associates’, as referred to in point (e) of paragraph 1, are persons through whom there is sufficient
reason to believe that information which relates to the persons referred to in points (a) and (b) of paragraph 1 and
which is relevant for the analysis can be gained, provided they are not included in one of the categories of persons
referred to in points (a), (b), (c), (d) and (f) of paragraph 1. ‘Contacts’ are those persons who have a sporadic
contact with the persons referred to in points (a) and (b) of paragraph 1. ‘Associates’ are those persons who have a
regular contact with the persons referred to in points (a) and (b) of paragraph 1.
24.5.2016 EN Official Journal of the European Union L 135/113
In relation to contacts and associates, the data referred to in paragraph 2 may be stored as necessary, provided
there is reason to assume that such data are required for the analysis of the relationship of such persons with
persons referred to in points (a) and (b) of paragraph 1. In this context, the following shall be observed:
(b) the data referred to in paragraph 2 shall be deleted without delay if the assumption that such relationship
exists turns out to be unfounded;
(c) all data referred to in paragraph 2 may be stored if contacts or associates are suspected of having committed
an offence falling within the scope of Europol's objectives, or have been convicted for the commission of such
an offence, or if there are factual indications or reasonable grounds under the national law of the
Member State concerned to believe that they will commit such an offence;
(d) data referred to in paragraph 2 on contacts, and associates, of contacts as well as on contacts, and associates,
of associates shall not be stored, with the exception of data on the type and nature of their contact or
association with the persons referred to in points (a) and (b) of paragraph 1;
(e) if a clarification pursuant to the previous points is not possible, this shall be taken into account when a
decision is taken on the need for, and the extent of, data storage for further analysis.
4. With regard to a person who, as referred to in point (d) of paragraph 1, has been the victim of one of the offences
under consideration or who, on the basis of certain facts there is reason to believe could be the victim of such an
offence, the data referred to in point (a) to point (c)(iii) of paragraph 2 as well as the following categories of data
may be stored:
(f) crime-related information provided by or through persons referred to in point (d) of paragraph 1, including
where necessary information on their relationship with other persons, for the purpose of identifying the
persons referred to in points (a) and (b) of paragraph 1.
Other data referred to in paragraph 2 may be stored as necessary, provided there is reason to assume that they are
required for the analysis of a person's role as victim or potential victim.
5. With regard to persons who, as referred to in point (c) of paragraph 1, might be called on to testify in investi
gations in connection with the offences under consideration or in subsequent criminal proceedings, data referred
to in point (a) to point (c)(iii) of paragraph 2 as well as categories of data complying with the following criteria
may be stored:
(a) crime-related information provided by such persons, including information on their relationship with other
persons included in the analysis work file;
Other data referred to in paragraph 2 may be stored as necessary, provided there is reason to assume that they are
required for the analysis of such persons' role as witness.
6. With regard to persons who, as referred to in point (f) of paragraph 1, can provide information on the criminal
offences under consideration, data referred to in point (a) to point (c)(iii) of paragraph 2 as well as categories of
data complying with the following criteria may be stored:
Other data referred to in paragraph 2 may be stored as necessary, provided there is reason to assume that they are
required for the analysis of such persons' role as informant.
7. If, at any time during the course of an analysis, it becomes clear on the basis of serious and corroborating
indications that a person should be included in a category of persons, as defined in this Annex, other than the
category in which that person was initially placed, Europol may process only the data on that person which is
permitted under that new category, and all other data shall be deleted.
If, on the basis of such indications, it becomes clear that a person should be included in two or more different
categories as defined in this Annex, all data allowed under such categories may be processed by Europol.