EUROPEAN

COMMISSION

Brussels, 10.1.2017
COM(2017) 10 final

2017/0003 (COD)

Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

concerning the respect for private life and the protection of personal data in electronic
communications and repealing Directive 2002/58/EC (Regulation on Privacy and
Electronic Communications)

(Text with EEA relevance)

{SWD(2017) 3 final}
{SWD(2017) 4 final}
{SWD(2017) 5 final}
{SWD(2017) 6 final}
 EXPLANATORY MEMORANDUM

1. CONTEXT OF THE PROPOSAL

1.1. Reasons for and objectives of the proposal
The Digital Single Market Strategy ("DSM Strategy")1 has as an objective to increase trust in
and the security of digital services. The reform of the data protection framework, and in
particular the adoption of Regulation (EU) 2016/679, the General Data Protection Regulation
("GDPR")2, was a key action to this end. The DSM Strategy also announced the review of
Directive 2002/58/EC ("ePrivacy Directive")3 in order to provide a high level of privacy
protection for users of electronic communications services and a level playing field for all
market players. This proposal reviews the ePrivacy Directive, foreseeing in the DSM Strategy
objectives and ensuring consistency with the GDPR.
The ePrivacy Directive ensures the protection of fundamental rights and freedoms, in
particular the respect for private life, confidentiality of communications and the protection of
personal data in the electronic communications sector. It also guarantees the free movement
of electronic communications data, equipment and services in the Union. It implements in the
Union's secondary law the fundamental right to the respect for private life, with regard to
communications, as enshrined in Article 7 of the Charter of Fundamental Rights of the
European Union ("Charter").
In line with the 'Better Regulation' requirements, the Commission carried out an ex post
Regulatory Fitness and Performance Programme ("REFIT evaluation") of the ePrivacy
Directive. It follows from the evaluation that the objectives and principles of the current
framework remain sound. However, important technological and economic developments
took place in the market since the last revision of the ePrivacy Directive in 2009. Consumers
and businesses increasingly rely on new internet-based services enabling inter-personal
communications such as Voice over IP, instant messaging and web-based e-mail services,
instead of traditional communications services. These Over-the-Top communications services
("OTTs") are in general not subject to the current Union electronic communications
framework, including the ePrivacy Directive. Accordingly, the Directive has not kept pace
with technological developments, resulting in a void of protection of communications
conveyed through new services.
1.2. Consistency with existing policy provisions in the policy area
This proposal is lex specialis to the GDPR and will particularise and complement it as regards
electronic communications data that qualify as personal data. All matters concerning the
processing of personal data not specifically addressed by the proposal are covered by the
GDPR. The alignment with the GDPR resulted in the repeal of some provisions, such as the
security obligations of Article 4 of the ePrivacy Directive.

1
Communication from the Commission to the European Parliament, the Council, the European
Economic and Social Committee and the Committee of the Regions, A Digital Single Market Strategy
for Europe, COM(2015) 192 final.
2
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the free movement of
such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016,
p. 1–88).
3
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the
processing of personal data and the protection of privacy in the electronic communications sector
(Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p.37).
1.3. Consistency with other Union policies
The ePrivacy Directive is part of the regulatory framework for electronic communications. In
2016, the Commission adopted the proposal for a Directive establishing the European
Electronic Communications Code ("EECC")4, which revises the framework. While the
present proposal is not an integral part of the EECC, it partially relies on definitions provided
therein, including that of 'electronic communications services'. Like the EECC, this proposal
also brings OTT providers in its scope to reflect the market reality. In addition, the EECC
complements this proposal by ensuring the security of electronic communications services.
The Radio Equipment Directive 2014/53/EU ("RED")5 ensures a single market for radio
equipment. In particular, it requires that, before being placed on the market, radio equipment
must incorporate safeguards to ensure that the personal data and privacy of the user are
protected. Under the RED and the European Standardisation Regulation (EU) 1025/20126, the
Commission is empowered to adopt measures. This proposal does not affect the RED.
The proposal does not include any specific provisions in the field of data retention. It
maintains the substance of Article 15 of the ePrivacy Directive and aligns it with specific
wording of Article 23 of the GDPR, which provides grounds for Member States to restrict the
scope of the rights and obligations in specific articles of the ePrivacy Directive. Therefore,
Member States are free to keep or create national data retention frameworks that provide,
inter alia, for targeted retention measures, in so far as such frameworks comply with Union
law, taking into account the case-law of the Court of Justice on the interpretation of the
ePrivacy Directive and the Charter of Fundamental Rights7.
Finally, the proposal does not apply to activities of Union institutions, bodies and agencies.
However, its principles and relevant obligations as to the right to respect for private life and
communications in relation to the processing of electronic communications data have been
included in the Proposal for a Regulation repealing Regulation (EC) No 45/20018.

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

2.1. Legal basis
Article 16 and Article 114 of the Treaty on the Functioning of the European Union ("TFEU")
are the relevant legal bases for the proposal.
Article 16 TFEU introduces a specific legal basis for the adoption of rules relating to the
protection of individuals with regard to the processing of personal data by Union institutions,
by Member States when carrying out activities falling within the scope of Union law, and

4
Commission proposal for a Directive of the European Parliament and of the Council establishing the
European Electronic Communications Code (Recast) (COM/2016/0590 final - 2016/0288 (COD)).
5
Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the
harmonisation of the laws of the Member States relating to the making available on the market of radio
equipment and repealing Directive 1999/5/EC (OJ L 153, 22.5.2014, p. 62–106).
6
Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on
European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives
94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and
2009/105/EC of the European Parliament and of the Council and repealing Council Decision
87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316,
14.11.2012, p. 12–33).
7
See Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others,
ECLI:EU:C:2014:238; Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB and Secretary of State
for the Home Department, ECLI:EU:C:2016:970.
8
Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on
the protection of individuals with regard to the processing of personal data by the Community
institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1–22).
rules relating to the free movement of such data. Since an electronic communication involving
a natural person will normally qualify as personal data, the protection of natural persons with
regard to the privacy of communications and processing of such data, should be based on
Article 16.
In addition, the proposal aims at protecting communications and related legitimate interests of
legal persons. The meaning and scope of the rights under Article 7 of the Charter shall, in
accordance with Article 52(3) of the Charter, be the same as those laid down in Article 8(1) of
the European Convention for the Protection of Human Rights and Fundamental Freedoms
("ECHR"). As regards the scope of Article 7 of the Charter, the case-law of the Court of
Justice of the European Union ("CJEU")9 and of the European Court of Human Rights10
confirm that professional activities of legal persons may not be excluded from the protection
of the right guaranteed by Article 7 of the Charter and Article 8 of the ECHR.
Since the initiative pursues a twofold purpose and that the component concerning the
protection of communications of legal persons and the aim of achieving the internal market
for those electronic communications and ensure its functioning in this regard cannot be
considered merely incidental, the initiative should, therefore, also be based on Article 114 of
the TFEU.
2.2. Subsidiarity
Respect for communications is a fundamental right recognised in the Charter. Content of
electronic communications may reveal highly sensitive information about the end-users
involved in the communication. Similarly, metadata derived from electronic communications,
may also reveal very sensitive and personal information, as expressely recognised by the
CJEU11. The majority of Member States also recognise the need to protect communications as
a distinct constitutional right. Whilst it is possible for Member States to enact policies which
ensure that this right is not breached, this would not be achieved in a uniform way in the
absence of Union rules and would create restrictions on cross-border flows of personal and
non-personal data related to the use of electronic communications services. Finally, to
maintain consistency with the GDPR, it is necessary to review the ePrivacy Directive and
adopt measures to bring the two instruments in line.
The technological developments and the ambitions of the DSM strategy have strengthened the
case for action at the Union level. The success of the EU DSM depends on how effectively
the EU brings down national silos and barriers and seize the advantages and economies of a
European digital single market. Moreover, as internet and digital technologies know no
borders, the dimension of the problem goes beyond the territory of a single Member State.
Member States cannot effectively solve the problems in the current situation. A level playing
field for economic operators providing substitutable services and equal protection of end-
users at Union level are requirements for the DSM to work properly.
2.3. Proportionality
To ensure the effective legal protection of respect for privacy and communications, an
extension of scope to cover OTT providers is necessary. While several popular OTT providers
already comply, or partially comply with the principle of confidentiality of communications,
the protection of fundamental rights cannot be left to self-regulation by industry. Also, the

9
See C-450/06 Varec SA, ECLI:EU:C:2008:91, §48.
10
See, inter alia, ECHR, judgments Niemietz v Germany, judgment of 16 December 1992, Series A n°
251-B, §29; Société Colas Est and Others v France, no 37971/97, §41; ECHR 2002-III; Peck v The
United Kingdom no 44647/98, §57, ECHR 2003-I; and also Vinci Construction and GTM Génie Civil et
Services v. France, n°s. 63629/10 and 60567/10, § 63, 2 April 2015.
11
See footnote 7.
importance of the effective protection of privacy of terminal equipment is increasing as it has
become indispensable in personal and professional life for the storage of sensitive
information. The implementation of the ePrivacy Directive has not been effective to empower
end-users. Therefore the implementation of the principle by centralising consent in software
and prompting users with information about the privacy settings thereof, is necessary to
achieve the aim. Regarding the enforcement of this Regulation, it relies on the supervisory
authorities and the consistency mechanism of the GDPR. Moreover, the proposal allows
Member States to take national derogatory measures for specific legitimate purposes. Thus,
the proposal does not go beyond what is necessary to achieve the aims and complies with the
principle of proportionality as set out in Article 5 of the Treaty on European Union. The
obligations put on affected services are kept to a level as minimum as possible, while not
impinging on the fundamental rights concerned.
2.4. Choice of the instrument
The Commission puts forward a proposal for a Regulation in order to ensure consistency with
the GDPR and legal certainty for users and businesses alike by avoiding divergent
interpretation in the Member States. A Regulation can ensure an equal level of protection
throughout the Union for users and lower compliance costs for businesses operating across
borders.

3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER

CONSULTATIONS AND IMPACT ASSESSMENTS
3.1. Ex-post evaluations/fitness checks of existing legislation
The REFIT evaluation examined how efficiently the ePrivacy Directive has contributed to an
adequate protection of the respect for private life and confidentiality of communications in the
EU. It also sought to identify possible redundancies.

The REFIT evaluation concluded that the above objectives of the Directive remain relevant.
While the GDPR ensures the protection of personal data, the ePrivacy Directive ensures the
confidentiality of communications, which may also contain non-personal data and data related
to a legal person. Therefore, a separate instrument should ensure an effective protection of
Article 7 of the Charter. Other provisions, such as the rules on the sending of unsolicited
marketing communications, have proven to remain relevant too.

In terms of effectiveness and efficiency, the REFIT evaluation found that the Directive has
not fully met its objectives. The unclear drafting of certain provisions and ambiguity in legal
concepts have jeopardized harmonization, thereby creating challenges for businesses to
operate cross-border. The evaluation further showed that some provisions have created an
unnecessary burden on businesses and consumers. For example, the consent rule to protect the
confidentiality of terminal equipment failed to reach its objectives as end-users face requests
to accept tracking cookies without understanding their meaning and, in some cases, are even
exposed to cookies being set without their consent. The consent rule is over-inclusive, as it
also covers non-privacy intrusive practices, and under-inclusive, as it does not clearly cover
some tracking techniques (e.g. device fingerprinting) which may not entail access/storage in
the device. Finally, its implementation can be costly for businesses.

The evaluation concluded that the ePrivacy rules still have EU added-value for better
achieving the objective of ensuring online privacy in the light of an increasingly transnational
electronic communications market. It also demonstrated that overall the rules are coherent
with other relevant legislation, although a few redundancies have been identified vis-à-vis the
new GDPR (see in Section 1.2).
3.2. Stakeholder consultations
The Commission organised a public consultation between 12 April and 5 July 2016 and
received 421 replies12. The key findings are the following13:
– Need for special rules for the electronic communications sector on
confidentiality of electronic communications: 83.4% of the responding citizens,
consumer and civil society organisations and 88.9% of public authorities agree, while
63.4% of industry respondents do not agree.
– Extension of scope to new communications services (OTTs): 76% of citizens and
civil society and 93.1% of public authorities agree, while only 36.2% of respondents
from industry favour such an extension.
– Amending the exemptions to consent for processing traffic and location data:
49.1% of citizens, consumer and civil society organisations and 36% of public
authorities prefer not to broaden the exemptions, while 36% of the industry favour
extended exemptions and 2/3 of industry advocate the mere repeal of the provisions.
– Support for solutions proposed to the cookie consent issue: 81.2% of citizens and
63% of public authorities support imposing obligations on manufacturers of terminal
equipment to market products with privacy-by-default settings activated, while
58.3% of industry favour the option to support self/co-regulation.
In addition, the European Commission organised two workshops in April 2016, one open to
all stakeholders and one open to national competent authorities, addressing the main questions
of the public consultations. The views expressed during the workshops reflected the outcome
of the public consultation.
To obtain views from citizens, a Eurobarometer survey on ePrivacy14 was conducted
throughout the EU. The key findings are the following15:

– 78% say it is very important that personal information on their computer, smartphone
or tablet can only be accessed with their permission.
– 72% state that it is very important that the confidentiality of their e-mails and online
instant messaging is guaranteed.
– 89% agree with the suggested option that the default settings of their browser should
stop the sharing of their information.
3.3. Collection and use of expertise
The Commission relied on the following external expert advice:
– Targeted consultations of EU expert groups: Opinion of the Article 29 Working
Party; Opinion of the EDPS; Opinion of the REFIT Platform; views of BEREC;
views of ENISA and views of members of the Consumer Protection and Cooperation
Network.
– External expertise, particularly the following two studies:

12
162 contributions from citizens, 33 from civil society and consumer organisations; 186 from industry
and 40 from public authorities, including competent authorities enforcing the ePrivacy Directive.
13
The full report is available: https://ec.europa.eu/digital-single-market/news-redirect/37204.
14
2016 Eurobarometer survey (EB) 443 on e-Privacy (SMART 2016/079).
15
The full report is available: https://ec.europa.eu/digital-single-market/news-redirect/37205.
 – Study "ePrivacy Directive: assessment of transposition, effectiveness and
compatibility with proposed Data Protection Regulation" (SMART
2013/007116).
– Study "Evaluation and review of Directive 2002/58 on privacy and the
electronic communication sector" (SMART 2016/0080).
3.4. Impact assessment
An impact assessment was carried out for this proposal on which on 28 September 2016, the
Regulatory Scrutiny Board issued a positive opinion16. To address the recommendations of
the Board, the impact assessment explains better the scope of the initiative, its coherence with
other legal instruments (GDPR, EECC, RED) and the need for a separate instrument. The
baseline scenario is further developed and clarified. The analysis of the impacts is
strengthened and made more balanced, clarifying and reinforcing the description of the
expected costs and benefits.

The following policy options were examined against the criteria of effectiveness, efficiency
and coherence:
– Option 1: Non-legislative ("soft law") measures;
– Option 2: Limited reinforcement of privacy/confidentiality and simplification;
– Option 3: Measured reinforcement of privacy/confidentiality and simplification;
– Option 4: Far reaching reinforcement of privacy/confidentiality and simplification;
– Option 5: Repeal of the ePrivacy Directive.
Option 3 was, in most aspects, singled out as the preferred option to achieve the objectives,
while taking into account its efficiency and coherence. The main benefits are:
– Enhancing protection of confidentiality of electronic communications by extending
the scope of the legal instrument to include new functionally equivalent electronic
communications services. In addition, the Regulation enhances end-user's control by
clarifying that consent can be expressed through appropriate technical settings.
– Enhancing protection against unsolicited communications, with the introduction of
an obligation to provide the calling line identification or a mandatory prefix for
marketing calls and the enhanced possibilities to block calls from unwanted numbers.
– Simplifying and clarifying the regulatory environment, by reducing the margin of
manoeuvre left to Member States, repealing outdated provisions and the broadening
of the exceptions to the consent rules.
The economic impact of Option 3 is expected to be overall proportionate to the aims of the
proposal. Business opportunities related to the processing of communications data are opened
up for traditional electronic communications services, while OTT providers become subject to
the same rules. This implies some additional compliance costs for these operators. However,
this change will not substantially affect those OTTs that already operate on the basis of
consent. Finally, the impact of the option would not be felt in the Member States that have
extended these rules to OTTs already.
By centralising the consent in software such as internet browsers and prompting users to
choose their privacy settings and expanding the exceptions to the cookie consent rule, a
significant proportion of businesses would be able to do away with cookie banners and
notices, thus leading to potentially significant cost savings and simplification. However, it
16
http://ec.europa.eu/transparency/regdoc/?fuseaction=ia.
may become more difficult for online targeted advertisers to obtain consent if a large
proportion of users opt for "reject third party cookies" settings. At the same time, centralising
consent does not deprive website operators from the possibility to obtain consent by means of
individual requests to end-users and thus maintain their current business model. Additional
costs would ensue for some providers of browsers or similar software as these would need to
ensure privacy-friendly settings.
The external study identified three distinct implementation scenarios of Option 3, according to
the entity who will establish the dialogue box between the user having chosen "reject third
party cookies" or "do-not-track" settings and websites visited wishing the internet user to
reconsider his/her choice. The entities who could be put in charge of this technical task are: 1)
software such as internet browsers; 2) the third party tracker; 3) the individual websites (i.e.
information society service requested by the user). Option 3 would lead to overall savings in
terms of compliance cost compared to baseline scenario of 70% (€948.8 million savings) in
the first scenario (browser solution), implemented in this proposal. Cost savings would be
lower in other scenarios. As overall savings largely derive from a very significant decrease of
the number of affected businesses, the individual amount of compliance costs for one business
is expected to incur – on average – would be higher than today.
3.5. Regulatory fitness and simplification
The policy measures proposed under the preferred option address the objective of
simplification and reduction of administrative burden, in line with the findings of the REFIT
evaluation and Opinion of the REFIT Platform17.
The REFIT Platform issued three sets of recommendations to the Commission:
– The protection of citizen's private life should be strengthened through an alignment
of the ePrivacy Directive with the General Data Protection Regulation;
– The effectiveness of citizens protections against unsolicited marketing should be
enhanced by adding exceptions to the ‘consent’ rule for cookies;
– The Commission addresses national implementation problems and facilitates the
exchange of best practice amongst Member States.
The proposal include specifically:
– Use of technologically neutral definitions to apprehend new services and
technologies to ensure that the Regulation is future-proof;
– Repeal of the security rules to eliminate regulatory duplication;
– Clarification of scope to help eliminate/reduce the risk of divergent implementation
by Member States (point 3 of the Opinion);
– Clarification and simplification of the consent rule for the use of cookies and other
identifiers, as explained in Sections 3.1 and 3.4 (point 2 of the Opinion);
– Alignment of the supervisory authorities with the authorities competent to enforce
the GDPR and reliance on the consistency mechanism of the GDPR.
3.6. Impact on fundamental rights
The proposal aims to make more effective and increase the level of protection of privacy and
personal data processed in relation with electronic communications in accordance with
Articles 7 and 8 of the Charter and ensure greater legal certainty. The proposal complements
and particularises the GDPR. Effective protection of the confidentiality of communications is

17
http://ec.europa.eu/smart-regulation/refit/refit-platform/docs/recommendations/opinion_comm_net.pdf.
essential for exercising the freedom of expression and information and other related rights,
such as the right to personal data protection or the freedom of thought, conscience and
religion.

4. BUDGETARY IMPLICATIONS
The proposal has no implications for the Union budget.

5. OTHER ELEMENTS
5.1. Implementation plans and monitoring, evaluation and reporting arrangements
The Commission will monitor the application of the Regulation and submit a report on its
evaluation to the European Parliament and to the Council and the European Economic and
Social Committee every three years. These reports will be public and detail the effective
application and enforcement of this Regulation.

5.2. Detailed explanation of the specific provisions of the proposal

Chapter I contains the general provisions: the subject matter (Article 1), the scope (Articles 2
and 3) and its definitions, including references to relevant definitions from other EU
instruments, such as the GDPR.
Chapter II contains the key provisions ensuring the confidentiality of electronic
communications (Article 5) and the limited permitted purposes and conditions of processing
such communications data (Articles 6 and 7). It also addresses the protection of terminal
equipment, by (i) guaranteeing the integrity of the information stored in it and (ii) protecting
information emitted from terminal equipment, as it may enable the identification of its end-
user (Article 8). Finally, Article 9 details the consent of end-users, a central lawful ground of
this Regulation, expressly referring to its definition and conditions as provided by the GDPR,
while Article 10 imposes an obligation on providers of software permitting electronic
communications to help end-users in making effective choices about privacy settings. Article
11 details the purposes and conditions for Member States to restrict the above provisions.
Chapter III concerns the rights of end-users to control the sending and reception of electronic
communications to protect their privacy: (i) the right of end-users to prevent the presentation
of the calling line identification to guarantee anonymity (Article 12), with its limitations
(Article 13); and (ii) the obligation for providers of publicly available number-based
interpersonal communication to provide for the possibility to limit the reception of unwanted
calls (Article 14). This Chapter also regulates the conditions under which end-users may be
included in publicly available directories (Article 15) and the conditions under which
unsolicited communications for direct marketing may be conducted (Article 17). It also relates
to security risks and provides for an obligation upon providers of electronic communications
services to alert end-users in case of a particular risk that may compromise the security of
networks and services. The security obligations in the GDPR and in the EECC will apply to
the providers of electronic communications services.
Chapter IV sets out the supervision and enforcement of this Regulation and entrusts it to the
supervisory authorities in charge of the GDPR, in view of the strong synergies between
general data protection issues and confidentiality of communications (Article 18). The powers
of the European Data Protection Board are extended (Article 19) and the cooperation and
consistency mechanism foreseen under the GDPR will apply in case of cross-border matters
related to this Regulation (Article 20).
Chapter V details the various remedies available to end-users (Articles 21 and 22) and the
penalties that can be imposed (Article 24), including the general conditions for imposing
administrative fines (Article 23).
Chapter VI relates to the adoption of delegated and implementing acts in accordance with
Article 290 and 291 of the Treaty.
Finally, Chapter VII contains the final provisions of this Regulation: the repeal of ePrivacy
Directive, the monitoring and review, the entry into force and application. Concerning the
review, the Commission intends to evaluate, inter alia, whether a separate legal act remains
necessary in the light of legal, technical or economic developments and taking into account
the first evaluation of Regulation (EU) 2016/679 which is due by 25 May 2020.
 2017/0003 (COD)

Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

concerning the respect for private life and the protection of personal data in electronic
communications and repealing Directive 2002/58/EC (Regulation on Privacy and
Electronic Communications)

(Text with EEA relevance)

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular
Articles 16 and 114 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Economic and Social Committee1,
Having regard to the opinion of the Committee of the Regions2,
Having regard to the opinion of the European Data Protection Supervisor3,
Acting in accordance with the ordinary legislative procedure,
Whereas:
(1) Article 7 of the Charter of Fundamental Rights of the European Union ("the Charter")
protects the fundamental right of everyone to the respect for his or her private and
family life, home and communications. Respect for the privacy of one’s
communications is an essential dimension of this right. Confidentiality of electronic
communications ensures that information exchanged between parties and the external
elements of such communication, including when the information has been sent, from
where, to whom, is not to be revealed to anyone other than to the parties involved in a
communication. The principle of confidentiality should apply to current and future
means of communication, including calls, internet access, instant messaging
applications, e-mail, internet phone calls and personal messaging provided through
social media.
(2) The content of electronic communications may reveal highly sensitive information
about the natural persons involved in the communication, from personal experiences
and emotions to medical conditions, sexual preferences and political views, the
disclosure of which could result in personal and social harm, economic loss or
embarrassment. Similarly, metadata derived from electronic communications may also
reveal very sensitive and personal information. These metadata includes the numbers
called, the websites visited, geographical location, the time, date and duration when an
individual made a call etc., allowing precise conclusions to be drawn regarding the

1
OJ C , , p. .
2
OJ C , , p. .
3
OJ C , , p. .
 private lives of the persons involved in the electronic communication, such as their
social relationships, their habits and activities of everyday life, their interests, tastes
etc.
(3) Electronic communications data may also reveal information concerning legal entities,
such as business secrets or other sensitive information that has economic value.
Therefore, the provisions of this Regulation should apply to both natural and legal
persons. Furthermore, this Regulation should ensure that provisions of the Regulation
(EU) 2016/679 of the European Parliament and of the Council4, also apply to end-
users who are legal persons. This includes the definition of consent under Regulation
(EU) 2016/679. When reference is made to consent by an end-user, including legal
persons, this definition should apply. In addition, legal persons should have the same
rights as end-users that are natural persons regarding the supervisory authorities;
furthermore, supervisory authorities under this Regulation should also be responsible
for monitoring the application of this Regulation regarding legal persons.
(4) Pursuant to Article 8(1) of the Charter and Article 16(1) of the Treaty on the
Functioning of the European Union, everyone has the right to the protection of
personal data concerning him or her. Regulation (EU) 2016/679 lays down rules
relating to the protection of natural persons with regard to the processing of personal
data and rules relating to the free movement of personal data. Electronic
communications data may include personal data as defined in Regulation (EU)
2016/679.
(5) The provisions of this Regulation particularise and complement the general rules on
the protection of personal data laid down in Regulation (EU) 2016/679 as regards
electronic communications data that qualify as personal data. This Regulation
therefore does not lower the level of protection enjoyed by natural persons under
Regulation (EU) 2016/679. Processing of electronic communications data by providers
of electronic communications services should only be permitted in accordance with
this Regulation.
(6) While the principles and main provisions of Directive 2002/58/EC of the European
Parliament and of the Council5 remain generally sound, that Directive has not fully
kept pace with the evolution of technological and market reality, resulting in an
inconsistent or insufficient effective protection of privacy and confidentiality in
relation to electronic communications. Those developments include the entrance on
the market of electronic communications services that from a consumer perspective
are substitutable to traditional services, but do not have to comply with the same set of
rules. Another development concerns new techniques that allow for tracking of online
behaviour of end-users, which are not covered by Directive 2002/58/EC. Directive
2002/58/EC should therefore be repealed and replaced by this Regulation.
(7) The Member States should be allowed, within the limits of this Regulation, to
maintain or introduce national provisions to further specify and clarify the application
of the rules of this Regulation in order to ensure an effective application and
interpretation of those rules. Therefore, the margin of discretion, which Member States

4
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the free movement of
such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016,
p. 1–88).
5
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the
processing of personal data and the protection of privacy in the electronic communications sector
(Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p.37).
 have in this regard, should maintain a balance between the protection of private life
and personal data and the free movement of electronic communications data.
(8) This Regulation should apply to providers of electronic communications services, to
providers of publicly available directories, and to software providers permitting
electronic communications, including the retrieval and presentation of information on
the internet. This Regulation should also apply to natural and legal persons who use
electronic communications services to send direct marketing commercial
communications or collect information related to or stored in end-users’ terminal
equipment.
(9) This Regulation should apply to electronic communications data processed in
connection with the provision and use of electronic communications services in the
Union, regardless of whether or not the processing takes place in the Union. Moreover,
in order not to deprive end-users in the Union of effective protection, this Regulation
should also apply to electronic communications data processed in connection with the
provision of electronic communications services from outside the Union to end-users
in the Union.
(10) Radio equipment and its software which is placed on the internal market in the Union,
must comply with Directive 2014/53/EU of the European Parliament and of the
Council6. This Regulation should not affect the applicability of any of the
requirements of Directive 2014/53/EU nor the power of the Commission to adopt
delegated acts pursuant to Directive 2014/53/EU requiring that specific categories or
classes of radio equipment incorporate safeguards to ensure that personal data and
privacy of end-users are protected.
(11) The services used for communications purposes, and the technical means of their
delivery, have evolved considerably. End-users increasingly replace traditional voice
telephony, text messages (SMS) and electronic mail conveyance services in favour of
functionally equivalent online services such as Voice over IP, messaging services and
web-based e-mail services. In order to ensure an effective and equal protection of end-
users when using functionally equivalent services, this Regulation uses the definition
of electronic communications services set forth in the [Directive of the European
Parliament and of the Council establishing the European Electronic Communications
Code7]. That definition encompasses not only internet access services and services
consisting wholly or partly in the conveyance of signals but also interpersonal
communications services, which may or may not be number-based, such as for
example, Voice over IP, messaging services and web-based e-mail services. The
protection of confidentiality of communications is crucial also as regards interpersonal
communications services that are ancillary to another service; therefore, such type of
services also having a communication functionality should be covered by this
Regulation.
(12) Connected devices and machines increasingly communicate with each other by using
electronic communications networks (Internet of Things). The transmission of
machine-to-machine communications involves the conveyance of signals over a
network and, hence, usually constitutes an electronic communications service. In order
to ensure full protection of the rights to privacy and confidentiality of

6
Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the
harmonisation of the laws of the Member States relating to the making available on the market of radio
equipment and repealing Directive 1999/5/EC (OJ L 153, 22.5.2014, p. 62).
7
Commission proposal for a Directive of the European Parliament and of the Council establishing the
European Electronic Communications Code (Recast) (COM/2016/0590 final - 2016/0288 (COD)).
 communications, and to promote a trusted and secure Internet of Things in the digital
single market, it is necessary to clarify that this Regulation should apply to the
transmission of machine-to-machine communications. Therefore, the principle of
confidentiality enshrined in this Regulation should also apply to the transmission of
machine-to-machine communications. Specific safeguards could also be adopted under
sectorial legislation, as for instance Directive 2014/53/EU.
(13) The development of fast and efficient wireless technologies has fostered the increasing
availability for the public of internet access via wireless networks accessible by
anyone in public and semi-private spaces such as 'hotspots' situated at different places
within a city, department stores, shopping malls and hospitals. To the extent that those
communications networks are provided to an undefined group of end-users, the
confidentiality of the communications transmitted through such networks should be
protected. The fact that wireless electronic communications services may be ancillary
to other services should not stand in the way of ensuring the protection of
confidentiality of communications data and application of this Regulation. Therefore,
this Regulation should apply to electronic communications data using electronic
communications services and public communications networks. In contrast, this
Regulation should not apply to closed groups of end-users such as corporate networks,
access to which is limited to members of the corporation.
(14) Electronic communications data should be defined in a sufficiently broad and
technology neutral way so as to encompass any information concerning the content
transmitted or exchanged (electronic communications content) and the information
concerning an end-user of electronic communications services processed for the
purposes of transmitting, distributing or enabling the exchange of electronic
communications content; including data to trace and identify the source and
destination of a communication, geographical location and the date, time, duration and
the type of communication. Whether such signals and the related data are conveyed by
wire, radio, optical or electromagnetic means, including satellite networks, cable
networks, fixed (circuit- and packet-switched, including internet) and mobile terrestrial
networks, electricity cable systems, the data related to such signals should be
considered as electronic communications metadata and therefore be subject to the
provisions of this Regulation. Electronic communications metadata may include
information that is part of the subscription to the service when such information is
processed for the purposes of transmitting, distributing or exchanging electronic
communications content.
(15) Electronic communications data should be treated as confidential. This means that any
interference with the transmission of electronic communications data, whether directly
by human intervention or through the intermediation of automated processing by
machines, without the consent of all the communicating parties should be prohibited.
The prohibition of interception of communications data should apply during their
conveyance, i.e. until receipt of the content of the electronic communication by the
intended addressee. Interception of electronic communications data may occur, for
example, when someone other than the communicating parties, listens to calls, reads,
scans or stores the content of electronic communications, or the associated metadata
for purposes other than the exchange of communications. Interception also occurs
when third parties monitor websites visited, timing of the visits, interaction with
others, etc., without the consent of the end-user concerned. As technology evolves, the
technical ways to engage in interception have also increased. Such ways may range
from the installation of equipment that gathers data from terminal equipment over
targeted areas, such as the so-called IMSI (International Mobile Subscriber Identity)
catchers, to programs and techniques that, for example, surreptitiously monitor
 browsing habits for the purpose of creating end-user profiles. Other examples of
interception include capturing payload data or content data from unencrypted wireless
networks and routers, including browsing habits without the end-users' consent.
(16) The prohibition of storage of communications is not intended to prohibit any
automatic, intermediate and transient storage of this information insofar as this takes
place for the sole purpose of carrying out the transmission in the electronic
communications network. It should not prohibit either the processing of electronic
communications data to ensure the security and continuity of the electronic
communications services, including checking security threats such as the presence of
malware or the processing of metadata to ensure the necessary quality of service
requirements, such as latency, jitter etc.
(17) The processing of electronic communications data can be useful for businesses,
consumers and society as a whole. Vis-à-vis Directive 2002/58/EC, this Regulation
broadens the possibilities for providers of electronic communications services to
process electronic communications metadata, based on end-users consent. However,
end-users attach great importance to the confidentiality of their communications,
including their online activities, and that they want to control the use of electronic
communications data for purposes other than conveying the communication.
Therefore, this Regulation should require providers of electronic communications
services to obtain end-users' consent to process electronic communications metadata,
which should include data on the location of the device generated for the purposes of
granting and maintaining access and connection to the service. Location data that is
generated other than in the context of providing electronic communications services
should not be considered as metadata. Examples of commercial usages of electronic
communications metadata by providers of electronic communications services may
include the provision of heatmaps; a graphical representation of data using colors to
indicate the presence of individuals. To display the traffic movements in certain
directions during a certain period of time, an identifier is necessary to link the
positions of individuals at certain time intervals. This identifier would be missing if
anonymous data were to be used and such movement could not be displayed. Such
usage of electronic communications metadata could, for example, benefit public
authorities and public transport operators to define where to develop new
infrastructure, based on the usage of and pressure on the existing structure. Where a
type of processing of electronic communications metadata, in particular using new
technologies, and taking into account the nature, scope, context and purposes of the
processing, is likely to result in a high risk to the rights and freedoms of natural
persons, a data protection impact assessment and, as the case may be, a consultation of
the supervisory authority should take place prior to the processing, in accordance with
Articles 35 and 36 of Regulation (EU) 2016/679.
(18) End-users may consent to the processing of their metadata to receive specific services
such as protection services against fraudulent activities (by analysing usage data,
location and customer account in real time). In the digital economy, services are often
supplied against counter-performance other than money, for instance by end-users
being exposed to advertisements. For the purposes of this Regulation, consent of an
end-user, regardless of whether the latter is a natural or a legal person, should have the
same meaning and be subject to the same conditions as the data subject's consent
under Regulation (EU) 2016/679. Basic broadband internet access and voice
communications services are to be considered as essential services for individuals to
be able to communicate and participate to the benefits of the digital economy. Consent
for processing data from internet or voice communication usage will not be valid if the
 data subject has no genuine and free choice, or is unable to refuse or withdraw consent
without detriment.
(19) The content of electronic communications pertains to the essence of the fundamental
right to respect for private and family life, home and communications protected under
Article 7 of the Charter. Any interference with the content of electronic
communications should be allowed only under very clear defined conditions, for
specific purposes and be subject to adequate safeguards against abuse. This Regulation
provides for the possibility of providers of electronic communications services to
process electronic communications data in transit, with the informed consent of all the
end-users concerned. For example, providers may offer services that entail the
scanning of emails to remove certain pre-defined material. Given the sensitivity of the
content of communications, this Regulation sets forth a presumption that the
processing of such content data will result in high risks to the rights and freedoms of
natural persons. When processing such type of data, the provider of the electronic
communications service should always consult the supervisory authority prior to the
processing. Such consultation should be in accordance with Article 36 (2) and (3) of
Regulation (EU) 2016/679. The presumption does not encompass the processing of
content data to provide a service requested by the end-user where the end-user has
consented to such processing and it is carried out for the purposes and duration strictly
necessary and proportionate for such service. After electronic communications content
has been sent by the end-user and received by the intended end-user or end-users, it
may be recorded or stored by the end-user, end-users or by a third party entrusted by
them to record or store such data. Any processing of such data must comply with
Regulation (EU) 2016/679.
(20) Terminal equipment of end-users of electronic communications networks and any
information relating to the usage of such terminal equipment, whether in particular is
stored in or emitted by such equipment, requested from or processed in order to enable
it to connect to another device and or network equipment, are part of the private sphere
of the end-users requiring protection under the Charter of Fundamental Rights of the
European Union and the European Convention for the Protection of Human Rights and
Fundamental Freedoms. Given that such equipment contains or processes information
that may reveal details of an individual's emotional, political, social complexities,
including the content of communications, pictures, the location of individuals by
accessing the device’s GPS capabilities, contact lists, and other information already
stored in the device, the information related to such equipment requires enhanced
privacy protection. Furthermore, the so-called spyware, web bugs, hidden identifiers,
tracking cookies and other similar unwanted tracking tools can enter end-user's
terminal equipment without their knowledge in order to gain access to information, to
store hidden information and to trace the activities. Information related to the end-
user’s device may also be collected remotely for the purpose of identification and
tracking, using techniques such as the so-called ‘device fingerprinting’, often without
the knowledge of the end-user, and may seriously intrude upon the privacy of these
end-users. Techniques that surreptitiously monitor the actions of end-users, for
example by tracking their activities online or the location of their terminal equipment,
or subvert the operation of the end-users’ terminal equipment pose a serious threat to
the privacy of end-users. Therefore, any such interference with the end-user's terminal
equipment should be allowed only with the end-user's consent and for specific and
transparent purposes.
(21) Exceptions to the obligation to obtain consent to make use of the processing and
storage capabilities of terminal equipment or to access information stored in terminal
equipment should be limited to situations that involve no, or only very limited,
 intrusion of privacy. For instance, consent should not be requested for authorizing the
technical storage or access which is strictly necessary and proportionate for the
legitimate purpose of enabling the use of a specific service explicitly requested by the
end-user. This may include the storing of cookies for the duration of a single
established session on a website to keep track of the end-user’s input when filling in
online forms over several pages. Cookies can also be a legitimate and useful tool, for
example, in measuring web traffic to a website. Information society providers that
engage in configuration checking to provide the service in compliance with the end-
user's settings and the mere logging of the fact that the end-user’s device is unable to
receive content requested by the end-user should not constitute access to such a device
or use of the device processing capabilities.
(22) The methods used for providing information and obtaining end-user's consent should
be as user-friendly as possible. Given the ubiquitous use of tracking cookies and other
tracking techniques, end-users are increasingly requested to provide consent to store
such tracking cookies in their terminal equipment. As a result, end-users are
overloaded with requests to provide consent. The use of technical means to provide
consent, for example, through transparent and user-friendly settings, may address this
problem. Therefore, this Regulation should provide for the possibility to express
consent by using the appropriate settings of a browser or other application. The
choices made by end-users when establishing its general privacy settings of a browser
or other application should be binding on, and enforceable against, any third parties.
Web browsers are a type of software application that permits the retrieval and
presentation of information on the internet. Other types of applications, such as the
ones that permit calling and messaging or provide route guidance, have also the same
capabilities. Web browsers mediate much of what occurs between the end-user and the
website. From this perspective, they are in a privileged position to play an active role
to help the end-user to control the flow of information to and from the terminal
equipment. More particularly web browsers may be used as gatekeepers, thus helping
end-users to prevent information from their terminal equipment (for example smart
phone, tablet or computer) from being accessed or stored.
(23) The principles of data protection by design and by default were codified under Article
25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in
most current browsers to ‘accept all cookies’. Therefore providers of software
enabling the retrieval and presentation of information on the internet should have an
obligation to configure the software so that it offers the option to prevent third parties
from storing information on the terminal equipment; this is often presented as ‘reject
third party cookies’. End-users should be offered a set of privacy setting options,
ranging from higher (for example, ‘never accept cookies’) to lower (for example,
‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or
‘only accept first party cookies’). Such privacy settings should be presented in a an
easily visible and intelligible manner.
(24) For web browsers to be able to obtain end-users’ consent as defined under Regulation
(EU) 2016/679, for example, to the storage of third party tracking cookies, they
should, among others, require a clear affirmative action from the end-user of terminal
equipment to signify his or her freely given, specific informed, and unambiguous
agreement to the storage and access of such cookies in and from the terminal
equipment. Such action may be considered to be affirmative, for example, if end-users
are required to actively select ‘accept third party cookies’ to confirm their agreement
and are given the necessary information to make the choice. To this end, it is necessary
to require providers of software enabling access to internet that, at the moment of
installation, end-users are informed about the possibility to choose the privacy settings
 among the various options and ask them to make a choice. Information provided
should not dissuade end-users from selecting higher privacy settings and should
include relevant information about the risks associated to allowing third party cookies
to be stored in the computer, including the compilation of long-term records of
individuals' browsing histories and the use of such records to send targeted
advertising. Web browsers are encouraged to provide easy ways for end-users to
change the privacy settings at any time during use and to allow the user to make
exceptions for or to whitelist certain websites or to specify for which websites (third)
party cookies are always or never allowed.
(25) Accessing electronic communications networks requires the regular emission of
certain data packets in order to discover or maintain a connection with the network or
other devices on the network. Furthermore, devices must have a unique address
assigned in order to be identifiable on that network. Wireless and cellular telephone
standards similarly involve the emission of active signals containing unique identifiers
such as a MAC address, the IMEI (International Mobile Station Equipment Identity),
the IMSI etc. A single wireless base station (i.e. a transmitter and receiver), such as a
wireless access point, has a specific range within which such information may be
captured. Service providers have emerged who offer tracking services based on the
scanning of equipment related information with diverse functionalities, including
people counting, providing data on the number of people waiting in line, ascertaining
the number of people in a specific area, etc. This information may be used for more
intrusive purposes, such as to send commercial messages to end-users, for example
when they enter stores, with personalized offers. While some of these functionalities
do not entail high privacy risks, others do, for example, those involving the tracking of
individuals over time, including repeated visits to specified locations. Providers
engaged in such practices should display prominent notices located on the edge of the
area of coverage informing end-users prior to entering the defined area that the
technology is in operation within a given perimeter, the purpose of the tracking, the
person responsible for it and the existence of any measure the end-user of the terminal
equipment can take to minimize or stop the collection. Additional information should
be provided where personal data are collected pursuant to Article 13 of Regulation
(EU) 2016/679.
(26) When the processing of electronic communications data by providers of electronic
communications services falls within its scope, this Regulation should provide for the
possibility for the Union or Member States under specific conditions to restrict by law
certain obligations and rights when such a restriction constitutes a necessary and
proportionate measure in a democratic society to safeguard specific public interests,
including national security, defence, public security and the prevention, investigation,
detection or prosecution of criminal offences or the execution of criminal penalties,
including the safeguarding against and the prevention of threats to public security and
other important objectives of general public interest of the Union or of a Member
State, in particular an important economic or financial interest of the Union or of a
Member State, or a monitoring, inspection or regulatory function connected to the
exercise of official authority for such interests. Therefore, this Regulation should not
affect the ability of Member States to carry out lawful interception of electronic
communications or take other measures, if necessary and proportionate to safeguard
the public interests mentioned above, in accordance with the Charter of Fundamental
Rights of the European Union and the European Convention for the Protection of
Human Rights and Fundamental Freedoms, as interpreted by the Court of Justice of
the European Union and of the European Court of Human Rights. Providers of
electronic communications services should provide for appropriate procedures to
 facilitate legitimate requests of competent authorities, where relevant also taking into
account the role of the representative designated pursuant to Article 3(3).
(27) As regards calling line identification, it is necessary to protect the right of the calling
party to withhold the presentation of the identification of the line from which the call
is being made and the right of the called party to reject calls from unidentified lines.
Certain end-users, in particular help lines, and similar organisations, have an interest
in guaranteeing the anonymity of their callers. As regards connected line
identification, it is necessary to protect the right and the legitimate interest of the
called party to withhold the presentation of the identification of the line to which the
calling party is actually connected.
(28) There is justification for overriding the elimination of calling line identification
presentation in specific cases. End-users' rights to privacy with regard to calling line
identification should be restricted where this is necessary to trace nuisance calls and
with regard to calling line identification and location data where this is necessary to
allow emergency services, such as eCall, to carry out their tasks as effectively as
possible.
(29) Technology exists that enables providers of electronic communications services to
limit the reception of unwanted calls by end-users in different ways, including
blocking silent calls and other fraudulent and nuisance calls. Providers of publicly
available number-based interpersonal communications services should deploy this
technology and protect end-users against nuisance calls and free of charge. Providers
should ensure that end-users are aware of the existence of such functionalities, for
instance, by publicising the fact on their webpage.
(30) Publicly available directories of end-users of electronic communications services are
widely distributed. Publicly available directories means any directory or service
containing end-users information such as phone numbers (including mobile phone
numbers), email address contact details and includes inquiry services. The right to
privacy and to protection of the personal data of a natural person requires that end-
users that are natural persons are asked for consent before their personal data are
included in a directory. The legitimate interest of legal entities requires that end-users
that are legal entities have the right to object to the data related to them being included
in a directory.
(31) If end-users that are natural persons give their consent to their data being included in
such directories, they should be able to determine on a consent basis which categories
of personal data are included in the directory (for example name, email address, home
address, user name, phone number). In addition, providers of publicly available
directories should inform the end-users of the purposes of the directory and of the
search functions of the directory before including them in that directory. End-users
should be able to determine by consent on the basis of which categories of personal
data their contact details can be searched. The categories of personal data included in
the directory and the categories of personal data on the basis of which the end-user's
contact details can be searched should not necessarily be the same.
(32) In this Regulation, direct marketing refers to any form of advertising by which a
natural or legal person sends direct marketing communications directly to one or more
identified or identifiable end-users using electronic communications services. In
addition to the offering of products and services for commercial purposes, this should
also include messages sent by political parties that contact natural persons via
electronic communications services in order to promote their parties. The same should
apply to messages sent by other non-profit organisations to support the purposes of the
organisation.
(33) Safeguards should be provided to protect end-users against unsolicited
communications for direct marketing purposes, which intrude into the private life of
end-users. The degree of privacy intrusion and nuisance is considered relatively
similar independently of the wide range of technologies and channels used to conduct
these electronic communications, whether using automated calling and communication
systems, instant messaging applications, emails, SMS, MMS, Bluetooth, etc. It is
therefore justified to require that consent of the end-user is obtained before
commercial electronic communications for direct marketing purposes are sent to end-
users in order to effectively protect individuals against the intrusion into their private
life as well as the legitimate interest of legal persons. Legal certainty and the need to
ensure that the rules protecting against unsolicited electronic communications remain
future-proof justify the need to define a single set of rules that do not vary according to
the technology used to convey these unsolicited communications, while at the same
time guaranteeing an equivalent level of protection for all citizens throughout the
Union. However, it is reasonable to allow the use of e-mail contact details within the
context of an existing customer relationship for the offering of similar products or
services. Such possibility should only apply to the same company that has obtained the
electronic contact details in accordance with Regulation (EU) 2016/679.
(34) When end-users have provided their consent to receiving unsolicited communications
for direct marketing purposes, they should still be able to withdraw their consent at
any time in an easy manner. To facilitate effective enforcement of Union rules on
unsolicited messages for direct marketing, it is necessary to prohibit the masking of
the identity and the use of false identities, false return addresses or numbers while
sending unsolicited commercial communications for direct marketing purposes.
Unsolicited marketing communications should therefore be clearly recognizable as
such and should indicate the identity of the legal or the natural person transmitting the
communication or on behalf of whom the communication is transmitted and provide
the necessary information for recipients to exercise their right to oppose to receiving
further written and/or oral marketing messages.
(35) In order to allow easy withdrawal of consent, legal or natural persons conducting
direct marketing communications by email should present a link, or a valid electronic
mail address, which can be easily used by end-users to withdraw their consent. Legal
or natural persons conducting direct marketing communications through voice-to-
voice calls and through calls by automating calling and communication systems
should display their identity line on which the company can be called or present a
specific code identifying the fact that the call is a marketing call.
(36) Voice-to-voice direct marketing calls that do not involve the use of automated calling
and communication systems, given that they are more costly for the sender and impose
no financial costs on end-users. Member States should therefore be able to establish
and or maintain national systems only allowing such calls to end-users who have not
objected.
(37) Service providers who offer electronic communications services should inform end-
users of measures they can take to protect the security of their communications for
instance by using specific types of software or encryption technologies. The
requirement to inform end-users of particular security risks does not discharge a
service provider from the obligation to take, at its own costs, appropriate and
immediate measures to remedy any new, unforeseen security risks and restore the
normal security level of the service. The provision of information about security risks
to the subscriber should be free of charge. Security is appraised in the light of Article
32 of Regulation (EU) 2016/679.
(38) To ensure full consistency with Regulation (EU) 2016/679, the enforcement of the
provisions of this Regulation should be entrusted to the same authorities responsible
for the enforcement of the provisions Regulation (EU) 2016/679 and this Regulation
relies on the consistency mechanism of Regulation (EU) 2016/679. Member States
should be able to have more than one supervisory authority, to reflect their
constitutional, organisational and administrative structure. The supervisory authorities
should also be responsible for monitoring the application of this Regulation regarding
electronic communications data for legal entities. Such additional tasks should not
jeopardise the ability of the supervisory authority to perform its tasks regarding the
protection of personal data under Regulation (EU) 2016/679 and this Regulation. Each
supervisory authority should be provided with the additional financial and human
resources, premises and infrastructure necessary for the effective performance of the
tasks under this Regulation.
(39) Each supervisory authority should be competent on the territory of its own Member
State to exercise the powers and to perform the tasks set forth in this Regulation. In
order to ensure consistent monitoring and enforcement of this Regulation throughout
the Union, the supervisory authorities should have the same tasks and effective powers
in each Member State, without prejudice to the powers of prosecutorial authorities
under Member State law, to bring infringements of this Regulation to the attention of
the judicial authorities and engage in legal proceedings. Member States and their
supervisory authorities are encouraged to take account of the specific needs of micro,
small and medium-sized enterprises in the application of this Regulation.
(40) In order to strengthen the enforcement of the rules of this Regulation, each supervisory
authority should have the power to impose penalties including administrative fines for
any infringement of this Regulation, in addition to, or instead of any other appropriate
measures pursuant to this Regulation. This Regulation should indicate infringements
and the upper limit and criteria for setting the related administrative fines, which
should be determined by the competent supervisory authority in each individual case,
taking into account all relevant circumstances of the specific situation, with due regard
in particular to the nature, gravity and duration of the infringement and of its
consequences and the measures taken to ensure compliance with the obligations under
this Regulation and to prevent or mitigate the consequences of the infringement. For
the purpose of setting a fine under this Regulation, an undertaking should be
understood to be an undertaking in accordance with Articles 101 and 102 of the
Treaty.
(41) In order to fulfil the objectives of this Regulation, namely to protect the fundamental
rights and freedoms of natural persons and in particular their right to the protection of
personal data and to ensure the free movement of personal data within the Union, the
power to adopt acts in accordance with Article 290 of the Treaty should be delegated
to the Commission to supplement this Regulation. In particular, delegated acts should
be adopted in respect of the information to be presented, including by means of
standardised icons in order to give an easily visible and intelligible overview of the
collection of information emitted by terminal equipment, its purpose, the person
responsible for it and of any measure the end-user of the terminal equipment can take
to minimise the collection. Delegated acts are also necessary to specify a code to
identify direct marketing calls including those made through automated calling and
communication systems. It is of particular importance that the Commission carries out
appropriate consultations and that those consultations be conducted in accordance with
the principles laid down in the Interinstitutional Agreement on Better Law-Making of
 13 April 20168. In particular, to ensure equal participation in the preparation of
delegated acts, the European Parliament and the Council receive all documents at the
same time as Member States' experts, and their experts systematically have access to
meetings of Commission expert groups dealing with the preparation of delegated acts.
Furthermore, in order to ensure uniform conditions for the implementation of this
Regulation, implementing powers should be conferred on the Commission when
provided for by this Regulation. Those powers should be exercised in accordance with
Regulation (EU) No 182/2011.
(42) Since the objective of this Regulation, namely to ensure an equivalent level of
protection of natural and legal persons and the free flow of electronic communications
data throughout the Union, cannot be sufficiently achieved by the Member States and
can rather, by reason of the scale or effects of the action, be better achieved at Union
level, the Union may adopt measures, in accordance with the principle of subsidiarity
as set out in Article 5 of the Treaty on European Union. In accordance with the
principle of proportionality as set out in that Article, this Regulation does not go
beyond what is necessary in order to achieve that objective.
(43) Directive 2002/58/EC should be repealed.
HAVE ADOPTED THIS REGULATION:

8
Interinstitutional Agreement between the European Parliament, the Council of the European Union and
the European Commission on Better Law-Making of 13 April 2016 (OJ L 123, 12.5.2016, p. 1–14).
 CHAPTER I
GENERAL PROVISIONS

Article 1
Subject matter
1. This Regulation lays down rules regarding the protection of fundamental rights and
freedoms of natural and legal persons in the provision and use of electronic
communications services, and in particular, the rights to respect for private life and
communications and the protection of natural persons with regard to the processing
of personal data.
2. This Regulation ensures free movement of electronic communications data and
electronic communications services within the Union, which shall be neither
restricted nor prohibited for reasons related to the respect for the private life and
communications of natural and legal persons and the protection of natural persons
with regard to the processing of personal data.
3. The provisions of this Regulation particularise and complement Regulation (EU)
2016/679 by laying down specific rules for the purposes mentioned in paragraphs 1
and 2.

Article 2
Material Scope
1. This Regulation applies to the processing of electronic communications data carried
out in connection with the provision and the use of electronic communications
services and to information related to the terminal equipment of end-users.
2. This Regulation does not apply to:
(a) activities which fall outside the scope of Union law;
(b) activities of the Member States which fall within the scope of Chapter 2 of Title V of
the Treaty on European Union;
(c) electronic communications services which are not publicly available;
(d) activities of competent authorities for the purposes of the prevention, investigation,
detection or prosecution of criminal offences or the execution of criminal penalties,
including the safeguarding against and the prevention of threats to public security;
3. The processing of electronic communications data by the Union institutions, bodies,
offices and agencies is governed by Regulation (EU) 00/0000 [new Regulation
replacing Regulation 45/2001].
4. This Regulation shall be without prejudice to the application of Directive
2000/31/EC9, in particular of the liability rules of intermediary service providers in
Articles 12 to 15 of that Directive.
5. This Regulation shall be without prejudice to the provisions of Directive
2014/53/EU.

9
Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal
aspects of information society services, in particular electronic commerce, in the Internal Market
('Directive on electronic commerce') (OJ L 178, 17.7.2000, p. 1–16).
 Article 3
Territorial scope and representative
1. This Regulation applies to:
(a) the provision of electronic communications services to end-users in the Union,
irrespective of whether a payment of the end-user is required;
(b) the use of such services;
(c) the protection of information related to the terminal equipment of end-users located
in the Union.
2. Where the provider of an electronic communications service is not established in the
Union it shall designate in writing a representative in the Union.
3. The representative shall be established in one of the Member States where the end-
users of such electronic communications services are located.
4. The representative shall have the power to answer questions and provide information
in addition to or instead of the provider it represents, in particular, to supervisory
authorities, and end-users, on all issues related to processing electronic
communications data for the purposes of ensuring compliance with this Regulation.
5. The designation of a representative pursuant to paragraph 2 shall be without
prejudice to legal actions, which could be initiated against a natural or legal person
who processes electronic communications data in connection with the provision of
electronic communications services from outside the Union to end-users in the
Union.

Article 4
Definitions
1. For the purposes of this Regulation, following definitions shall apply:
(a) the definitions in Regulation (EU) 2016/679;
(b) the definitions of ‘electronic communications network’, ‘electronic communications
service’, ‘interpersonal communications service’, ‘number-based interpersonal
communications service’, ‘number-independent interpersonal communications
service’, ‘end-user’ and ‘call’ in points (1), (4), (5), (6), (7), (14) and (21)
respectively of Article 2 of [Directive establishing the European Electronic
Communications Code];
(c) the definition of 'terminal equipment' in point (1) of Article 1 of Commission
Directive 2008/63/EC10.
2. For the purposes of point (b) of paragraph 1, the definition of ‘interpersonal
communications service’ shall include services which enable interpersonal and
interactive communication merely as a minor ancillary feature that is intrinsically
linked to another service.
3. In addition, for the purposes of this Regulation the following definitions shall apply:
(a) ‘electronic communications data’ means electronic communications content and
electronic communications metadata;

10
Commission Directive 2008/63/EC of 20 June 2008 on competition in the markets in
telecommunications terminal equipment (OJ L 162, 21.6.2008, p. 20–26).
(b) ‘electronic communications content’ means the content exchanged by means of
electronic communications services, such as text, voice, videos, images, and sound;
(c) ‘electronic communications metadata’ means data processed in an electronic
communications network for the purposes of transmitting, distributing or exchanging
electronic communications content; including data used to trace and identify the
source and destination of a communication, data on the location of the device
generated in the context of providing electronic communications services, and the
date, time, duration and the type of communication;
(d) ‘publicly available directory’ means a directory of end-users of electronic
communications services, whether in printed or electronic form, which is published
or made available to the public or to a section of the public, including by means of a
directory enquiry service;
(e) ‘electronic mail’ means any electronic message containing information such as text,
voice, video, sound or image sent over an electronic communications network which
can be stored in the network or in related computing facilities, or in the terminal
equipment of its recipient;
(f) ‘direct marketing communications’ means any form of advertising, whether written
or oral, sent to one or more identified or identifiable end-users of electronic
communications services, including the use of automated calling and communication
systems with or without human interaction, electronic mail, SMS, etc.;
(g) ‘direct marketing voice-to-voice calls’ means live calls, which do not entail the use
of automated calling systems and communication systems;
(h) ‘automated calling and communication systems’ means systems capable of
automatically initiating calls to one or more recipients in accordance with
instructions set for that system, and transmitting sounds which are not live speech,
including calls made using automated calling and communication systems which
connect the called person to an individual.
CHAPTER II
PROTECTION OF ELECTRONIC COMMUNICATIONS OF
NATURAL AND LEGAL PERSONS AND OF INFORMATION
STORED IN THEIR TERMINAL EQUIPMENT

Article 5
Confidentiality of electronic communications data
Electronic communications data shall be confidential. Any interference with electronic
communications data, such as by listening, tapping, storing, monitoring, scanning or other
kinds of interception, surveillance or processing of electronic communications data, by
persons other than the end-users, shall be prohibited, except when permitted by this
Regulation.

Article 6
Permitted processing of electronic communications data
1. Providers of electronic communications networks and services may process
electronic communications data if:
(a) it is necessary to achieve the transmission of the communication, for the duration
necessary for that purpose; or
(b) it is necessary to maintain or restore the security of electronic communications
networks and services, or detect technical faults and/or errors in the transmission of
electronic communications, for the duration necessary for that purpose.

2. Providers of electronic communications services may process electronic

communications metadata if:
(a) it is necessary to meet mandatory quality of service requirements pursuant to
[Directive establishing the European Electronic Communications Code] or
Regulation (EU) 2015/212011 for the duration necessary for that purpose; or
(b) it is necessary for billing, calculating interconnection payments, detecting or
stopping fraudulent, or abusive use of, or subscription to, electronic communications
services; or
(c) the end-user concerned has given his or her consent to the processing of his or her
communications metadata for one or more specified purposes, including for the
provision of specific services to such end-users, provided that the purpose or
purposes concerned could not be fulfilled by processing information that is made
anonymous.
3. Providers of the electronic communications services may process electronic
communications content only:
(a) for the sole purpose of the provision of a specific service to an end-user, if the end-
user or end-users concerned have given their consent to the processing of his or her
electronic communications content and the provision of that service cannot be
fulfilled without the processing of such content; or
(b) if all end-users concerned have given their consent to the processing of their
electronic communications content for one or more specified purposes that cannot be
fulfilled by processing information that is made anonymous, and the provider has
consulted the supervisory authority. Points (2) and (3) of Article 36 of Regulation
(EU) 2016/679 shall apply to the consultation of the supervisory authority.

Article 7
Storage and erasure of electronic communications data
1. Without prejudice to point (b) of Article 6(1) and points (a) and (b) of Article 6(3),
the provider of the electronic communications service shall erase electronic
communications content or make that data anonymous after receipt of electronic
communication content by the intended recipient or recipients. Such data may be
recorded or stored by the end-users or by a third party entrusted by them to record,
store or otherwise process such data, in accordance with Regulation (EU) 2016/679.
2. Without prejudice to point (b) of Article 6(1) and points (a) and (c) of Article 6(2),
the provider of the electronic communications service shall erase electronic
communications metadata or make that data anonymous when it is no longer needed
for the purpose of the transmission of a communication.

11
Regulation (EU) 2015/2120 of the European Parliament and of the Council of 25 November 2015
laying down measures concerning open internet access and amending Directive 2002/22/EC on
universal service and users’ rights relating to electronic communications networks and services and
Regulation (EU) No 531/2012 on roaming on public mobile communications networks within the
Union (OJ L 310, 26.11.2015, p. 1–18).
3. Where the processing of electronic communications metadata takes place for the
purpose of billing in accordance with point (b) of Article 6(2), the relevant metadata
may be kept until the end of the period during which a bill may lawfully be
challenged or a payment may be pursued in accordance with national law.

Article 8
Protection of information stored in and related to end-users’ terminal equipment
1. The use of processing and storage capabilities of terminal equipment and the
collection of information from end-users’ terminal equipment, including about its
software and hardware, other than by the end-user concerned shall be prohibited,
except on the following grounds:
(a) it is necessary for the sole purpose of carrying out the transmission of an electronic
communication over an electronic communications network; or
(b) the end-user has given his or her consent; or
(c) it is necessary for providing an information society service requested by the end-
user; or
(d) if it is necessary for web audience measuring, provided that such measurement is
carried out by the provider of the information society service requested by the end-
user.
2. The collection of information emitted by terminal equipment to enable it to connect
to another device and, or to network equipment shall be prohibited, except if:
(a) it is done exclusively in order to, for the time necessary for, and for the purpose of
establishing a connection; or
(b) a clear and prominent notice is displayed informing of, at least, the modalities of the
collection, its purpose, the person responsible for it and the other information
required under Article 13 of Regulation (EU) 2016/679 where personal data are
collected, as well as any measure the end-user of the terminal equipment can take to
stop or minimise the collection.
The collection of such information shall be conditional on the application of
appropriate technical and organisational measures to ensure a level of security
appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679, have
been applied.
3. The information to be provided pursuant to point (b) of paragraph 2 may be provided
in combination with standardized icons in order to give a meaningful overview of the
collection in an easily visible, intelligible and clearly legible manner.
4. The Commission shall be empowered to adopt delegated acts in accordance with
Article 27 determining the information to be presented by the standardized icon and
the procedures for providing standardized icons.

Article 9
Consent
1. The definition of and conditions for consent provided for under Articles 4(11) and 7
of Regulation (EU) 2016/679/EU shall apply.
2. Without prejudice to paragraph 1, where technically possible and feasible, for the
purposes of point (b) of Article 8(1), consent may be expressed by using the
 appropriate technical settings of a software application enabling access to the
internet.
3. End-users who have consented to the processing of electronic communications data
as set out in point (c) of Article 6(2) and points (a) and (b) of Article 6(3) shall be
given the possibility to withdraw their consent at any time as set forth under Article
7(3) of Regulation (EU) 2016/679 and be reminded of this possibility at periodic
intervals of 6 months, as long as the processing continues.

Article 10
Information and options for privacy settings to be provided
1. Software placed on the market permitting electronic communications, including the
retrieval and presentation of information on the internet, shall offer the option to
prevent third parties from storing information on the terminal equipment of an end-
user or processing information already stored on that equipment.
2. Upon installation, the software shall inform the end-user about the privacy settings
options and, to continue with the installation, require the end-user to consent to a
setting.
3. In the case of software which has already been installed on 25 May 2018, the
requirements under paragraphs 1 and 2 shall be complied with at the time of the first
update of the software, but no later than 25 August 2018.

Article 11
Restrictions
1. Union or Member State law may restrict by way of a legislative measure the scope of
the obligations and rights provided for in Articles 5 to 8 where such a restriction
respects the essence of the fundamental rights and freedoms and is a necessary,
appropriate and proportionate measure in a democratic society to safeguard one or
more of the general public interests referred to in Article 23(1)(a) to (e) of
Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function
connected to the exercise of official authority for such interests.
2. Providers of electronic communications services shall establish internal procedures
for responding to requests for access to end-users’ electronic communications data
based on a legislative measure adopted pursuant to paragraph 1. They shall provide
the competent supervisory authority, on demand, with information about those
procedures, the number of requests received, the legal justification invoked and their
response.
CHAPTER III
NATURAL AND LEGAL PERSONS' RIGHTS TO CONTROL
ELECTRONIC COMMUNICATIONS

Article 12
Presentation and restriction of calling and connected line identification
1. Where presentation of the calling and connected line identification is offered in
accordance with Article [107] of the [Directive establishing the European Electronic
Communication Code], the providers of publicly available number-based
interpersonal communications services shall provide the following:
(a) the calling end-user with the possibility of preventing the presentation of the calling
line identification on a per call, per connection or permanent basis;
(b) the called end-user with the possibility of preventing the presentation of the calling
line identification of incoming calls;
(c) the called end-user with the possibility of rejecting incoming calls where the
presentation of the calling line identification has been prevented by the calling end-
user;
(d) the called end-user with the possibility of preventing the presentation of the
connected line identification to the calling end-user.
2. The possibilities referred to in points (a), (b), (c) and (d) of paragraph 1 shall be
provided to end-users by simple means and free of charge.
3. Point (a) of paragraph 1 shall also apply with regard to calls to third countries
originating in the Union. Points (b), (c) and (d) of paragraph 1 shall also apply to
incoming calls originating in third countries.
4. Where presentation of calling or connected line identification is offered, providers of
publicly available number-based interpersonal communications services shall
provide information to the public regarding the options set out in points (a), (b), (c)
and (d) of paragraph 1.

Article 13
Exceptions to presentation and restriction of calling and connected line identification
1. Regardless of whether the calling end-user has prevented the presentation of the
calling line identification, where a call is made to emergency services, providers of
publicly available number-based interpersonal communications services shall
override the elimination of the presentation of the calling line identification and the
denial or absence of consent of an end-user for the processing of metadata, on a per-
line basis for organisations dealing with emergency communications, including
public safety answering points, for the purpose of responding to such
communications.
2. Member States shall establish more specific provisions with regard to the
establishment of procedures and the circumstances where providers of publicly
available number-based interpersonal communication services shall override the
elimination of the presentation of the calling line identification on a temporary basis,
where end-users request the tracing of malicious or nuisance calls.

Article 14
Incoming call blocking
Providers of publicly available number-based interpersonal communications services shall
deploy state of the art measures to limit the reception of unwanted calls by end-users and shall
also provide the called end-user with the following possibilities, free of charge:

(a) to block incoming calls from specific numbers or from anonymous sources;
(b) to stop automatic call forwarding by a third party to the end-user's terminal
equipment.
 Article 15
Publicly available directories
1. The providers of publicly available directories shall obtain the consent of end-users
who are natural persons to include their personal data in the directory and,
consequently, shall obtain consent from these end-users for inclusion of data per
category of personal data, to the extent that such data are relevant for the purpose of
the directory as determined by the provider of the directory. Providers shall give end-
users who are natural persons the means to verify, correct and delete such data.
2. The providers of a publicly available directory shall inform end-users who are
natural persons whose personal data are in the directory of the available search
functions of the directory and obtain end-users’ consent before enabling such search
functions related to their own data.
3. The providers of publicly available directories shall provide end-users that are legal
persons with the possibility to object to data related to them being included in the
directory. Providers shall give such end-users that are legal persons the means to
verify, correct and delete such data.
4. The possibility for end-users not to be included in a publicly available directory, or to
verify, correct and delete any data related to them shall be provided free of charge.

Article 16
Unsolicited communications
1. Natural or legal persons may use electronic communications services for the
purposes of sending direct marketing communications to end-users who are natural
persons that have given their consent.
2. Where a natural or legal person obtains electronic contact details for electronic mail
from its customer, in the context of the sale of a product or a service, in accordance
with Regulation (EU) 2016/679, that natural or legal person may use these electronic
contact details for direct marketing of its own similar products or services only if
customers are clearly and distinctly given the opportunity to object, free of charge
and in an easy manner, to such use. The right to object shall be given at the time of
collection and each time a message is sent.
3. Without prejudice to paragraphs 1 and 2, natural or legal persons using electronic
communications services for the purposes of placing direct marketing calls shall:
(a) present the identity of a line on which they can be contacted; or
(b) present a specific code/or prefix identifying the fact that the call is a marketing call.
4. Notwithstanding paragraph 1, Member States may provide by law that the placing of
direct marketing voice-to-voice calls to end-users who are natural persons shall only
be allowed in respect of end-users who are natural persons who have not expressed
their objection to receiving those communications.
5. Member States shall ensure, in the framework of Union law and applicable national
law, that the legitimate interest of end-users that are legal persons with regard to
unsolicited communications sent by means set forth under paragraph 1 are
sufficiently protected.
6. Any natural or legal person using electronic communications services to transmit
direct marketing communications shall inform end-users of the marketing nature of
the communication and the identity of the legal or natural person on behalf of whom
the communication is transmitted and shall provide the necessary information for
 recipients to exercise their right to withdraw their consent, in an easy manner, to
receiving further marketing communications.
7. The Commission shall be empowered to adopt implementing measures in accordance
with Article 26(2) specifying the code/or prefix to identify marketing calls, pursuant
to point (b) of paragraph 3.

Article 17
Information about detected security risks
In the case of a particular risk that may compromise the security of networks and electronic
communications services, the provider of an electronic communications service shall inform
end-users concerning such risk and, where the risk lies outside the scope of the measures to be
taken by the service provider, inform end-users of any possible remedies, including an
indication of the likely costs involved.

CHAPTER IV
INDEPENDENT SUPERVISORY AUTHORITIES AND
ENFORCEMENT

Article 18
Independent supervisory authorities
1. The independent supervisory authority or authorities responsible for monitoring the
application of Regulation (EU) 2016/679 shall also be responsible for monitoring the
application of this Regulation. Chapter VI and VII of Regulation (EU) 2016/679
shall apply mutatis mutandis. The tasks and powers of the supervisory authorities
shall be exercised with regard to end-users.
2. The supervisory authority or authorities referred to in paragraph 1 shall cooperate
whenever appropriate with national regulatory authorities established pursuant to the
[Directive Establishing the European Electronic Communications Code].

Article 19
European Data Protection Board
The European Data Protection Board, established under Article 68 of Regulation (EU)
2016/679, shall have competence to ensure the consistent application of this Regulation. To
that end, the European Data Protection Board shall exercise the tasks laid down in Article 70
of Regulation (EU) 2016/679. The Board shall also have the following tasks:

(a) advise the Commission on any proposed amendment of this Regulation;

(b) examine, on its own initiative, on request of one of its members or on request of the
Commission, any question covering the application of this Regulation and issue
guidelines, recommendations and best practices in order to encourage consistent
application of this Regulation.

Article 20
Cooperation and consistency procedures
Each supervisory authority shall contribute to the consistent application of this Regulation
throughout the Union. For this purpose, the supervisory authorities shall cooperate with each
other and the Commission in accordance with Chapter VII of Regulation (EU) 2016/679
regarding the matters covered by this Regulation.
CHAPTER V
REMEDIES, LIABILITY AND PENALTIES

Article 21
Remedies
1. Without prejudice to any other administrative or judicial remedy, every end-user of
electronic communications services shall have the same remedies provided for in
Articles 77, 78, and 79 of Regulation (EU) 2016/679.
2. Any natural or legal person other than end-users adversely affected by infringements
of this Regulation and having a legitimate interest in the cessation or prohibition of
alleged infringements, including a provider of electronic communications services
protecting its legitimate business interests, shall have a right to bring legal
proceedings in respect of such infringements.

Article 22
Right to compensation and liability
Any end-user of electronic communications services who has suffered material or non-
material damage as a result of an infringement of this Regulation shall have the right to
receive compensation from the infringer for the damage suffered, unless the infringer proves
that it is not in any way responsible for the event giving rise to the damage in accordance with
Article 82 of Regulation (EU) 2016/679.

Article 23
General conditions for imposing administrative fines
1. For the purpose of this Article, Chapter VII of Regulation (EU) 2016/679 shall apply
to infringements of this Regulation.
2. Infringements of the following provisions of this Regulation shall, in accordance
with paragraph 1, be subject to administrative fines up to EUR 10 000 000, or in the
case of an undertaking, up to 2 % of the total worldwide annual turnover of the
preceding financial year, whichever is higher:
(a) the obligations of any legal or natural person who process electronic communications
data pursuant to Article 8;
(b) the obligations of the provider of software enabling electronic communications,
pursuant to Article 10;
(c) the obligations of the providers of publicly available directories pursuant to Article
15;
(d) the obligations of any legal or natural person who uses electronic communications
services pursuant to Article 16.
3. Infringements of the principle of confidentiality of communications, permitted
processing of electronic communications data, time limits for erasure pursuant to
Articles 5, 6, and 7 shall, in accordance with paragraph 1 of this Article, be subject to
administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4
% of the total worldwide annual turnover of the preceding financial year, whichever
is higher.
4. Member States shall lay down the rules on penalties for infringements of Articles 12,
13, 14, and 17.
5. Non-compliance with an order by a supervisory authority as referred to in Article 18,
shall be subject to administrative fines up to 20 000 000 EUR, or in the case of an
undertaking, up to 4 % of the total worldwide annual turnover of the preceding
financial year, whichever is higher.
6. Without prejudice to the corrective powers of supervisory authorities pursuant to
Article 18, each Member State may lay down rules on whether and to what extent
administrative fines may be imposed on public authorities and bodies established in
that Member State.
7. The exercise by the supervisory authority of its powers under this Article shall be
subject to appropriate procedural safeguards in accordance with Union and Member
State law, including effective judicial remedy and due process.
8. Where the legal system of the Member State does not provide for administrative
fines, this Article may be applied in such a manner that the fine is initiated by the
competent supervisory authority and imposed by competent national courts, while
ensuring that those legal remedies are effective and have an equivalent effect to the
administrative fines imposed by supervisory authorities. In any event, the fines
imposed shall be effective, proportionate and dissuasive. Those Member States shall
notify to the Commission the provisions of their laws which they adopt pursuant to
this paragraph by [xxx] and, without delay, any subsequent amendment law or
amendment affecting them.

Article 24
Penalties
1. Member States shall lay down the rules on other penalties applicable to
infringements of this Regulation in particular for infringements which are not subject
to administrative fines pursuant to Article 23, and shall take all measures necessary
to ensure that they are implemented. Such penalties shall be effective, proportionate
and dissuasive.
2. Each Member State shall notify to the Commission the provisions of its law which it
adopts pursuant to paragraph 1, no later than 18 months after the date set forth under
Article 29(2) and, without delay, any subsequent amendment affecting them.
CHAPTER VI
DELEGATED ACTS AND IMPLEMENTING ACTS

Article 25
Exercise of the delegation
1. The power to adopt delegated acts is conferred on the Commission subject to the
conditions laid down in this Article.
2. The power to adopt delegated acts referred to in Article 8(4) shall be conferred on the
Commission for an indeterminate period of time from [the data of entering into force
of this Regulation].
3. The delegation of power referred to in Article 8(4) may be revoked at any time by
the European Parliament or by the Council. A decision to revoke shall put an end to
the delegation of the power specified in that decision. It shall take effect the day
following the publication of the decision in the Official Journal of the European
 Union or at a later date specified therein. It shall not affect the validity of any
delegated acts already in force.
4. Before adopting a delegated act, the Commission shall consult experts designated by
each Member State in accordance with the principles laid down in the Inter-
institutional Agreement on Better Law-Making of 13 April 2016.
5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to
the European Parliament and to the Council.
6. A delegated act adopted pursuant to Article 8(4) shall enter into force only if no
objection has been expressed either by the European Parliament or the Council
within a period of two months of notification of that act to the European Parliament
and the Council or if, before the expiry of that period, the European Parliament and
the Council have both informed the Commission that they will not object. That
period shall be extended by two months at the initiative of the European Parliament
or of the Council.

Article 26
Committee
1. The Commission shall be assisted by the Communications Committee established
under Article 110 of the [Directive establishing the European Electronic
Communications Code]. That committee shall be a committee within the meaning of
Regulation (EU) No 182/201112.
2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No
182/2011 shall apply.

CHAPTER VII
FINAL PROVISIONS

Article 27
Repeal
1. Directive 2002/58/EC is repealed with effect from 25 May 2018.
2. References to the repealed Directive shall be construed as references to this
Regulation.

Article 28
Monitoring and evaluation clause
By 1 January 2018 at the latest, the Commission shall establish a detailed programme for
monitoring the effectiveness of this Regulation.
No later than three years after the date of application of this Regulation, and every three years
thereafter, the Commission shall carry out an evaluation of this Regulation and present the
main findings to the European Parliament, the Council and the European Economic and

12
Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011
laying down the rules and general principles concerning mechanisms for control by Member States of
the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13–18).
Social Committee. The evaluation shall, where appropriate, inform a proposal for the
amendment or repeal of this Regulation in light of legal, technical or economic developments.

Article 29
Entry into force and application
1. This Regulation shall enter into force on the twentieth day following that of its
publication in the Official Journal of the European Union.
2. It shall apply from 25 May 2018.

This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels,

For the European Parliament For the Council

The President The President
L 350/60 EN Official Journal of the European Union
III
(Acts adopted under the EU Treaty)
ACTS ADOPTED UNDER TITLE VI OF THE EU TREATY
COUNCIL FRAMEWORK DECISION 2008/977/JHA
of 27 November 2008
on the protection of personal data processed in the framework of police and judicial cooperation in
criminal matters
THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on European Union, and in
particular Articles 30, 31 and 34(2)(b) thereof,
Having regard to the proposal from the Commission,
Having regard to the opinion of the European Parliament (1),
Whereas:
(1) The European Union has set itself the objective of main­
taining and developing the Union as an area of freedom,
security and justice in which a high level of safety is to
be provided by common action among the Member
States in the fields of police and judicial cooperation in
criminal matters.
(2) Common action in the field of police cooperation under
Article 30(1)(b) of the Treaty on European Union and
common action on judicial cooperation in criminal
matters under Article 31(1)(a) of the Treaty on
European Union imply a need to process the relevant
information which should be subject to appropriate
provisions on the protection of personal data.
(3) Legislation falling within the scope of Title VI of the
Treaty on European Union should foster police and
judicial cooperation in criminal matters with regard to
its efficiency as well as its legitimacy and compliance
with fundamental rights, in particular the right to
(1) OJ C 125 E, 22.5.2008, p. 154.
30.12.2008
privacy and to the protection of personal data. Common
standards regarding the processing and protection of
personal data processed for the purpose of preventing
and combating crime contribute to the achieving of
both aims.
(4) The Hague Programme on strengthening freedom,
security and justice in the European Union, adopted by
the European Council on 4 November 2004, stressed the
need for an innovative approach to the cross-border
exchange of law-enforcement information under the
strict observation of key conditions in the area of data
protection and invited the Commission to submit
proposals in this regard by the end of 2005 at the
latest. This was reflected in the Council and Commission
Action Plan implementing the Hague Programme on
strengthening freedom, security and justice in the
European Union (2).
(5) The exchange of personal data within the framework of
police and judicial cooperation in criminal matters,
notably under the principle of availability of information
as laid down in the Hague Programme, should be
supported by clear rules enhancing mutual trust
between the competent authorities and ensuring that
the relevant information is protected in a way that
excludes any discrimination in respect of such cooper­
ation between the Member States while fully respecting
fundamental rights of individuals. Existing instruments at
the European level do not suffice; Directive 95/46/EC of
the European Parliament and of the Council of
24 October 1995 on the protection of individuals with
regard to the processing of personal data and on the free
movement of such data (3) does not apply to the
processing of personal data in the course of an activity
which falls outside the scope of Community law, such as
those provided for by Title VI of the Treaty on European
Union, nor, in any case, to processing operations
concerning public security, defence, state security or the
activities of the State in areas of criminal law.
(2) OJ C 198, 12.8.2005, p. 1.
(3) OJ L 281, 23.11.1995, p. 31.
30.12.2008 EN Official Journal of the European Union
(6) This Framework Decision applies only to data gathered
or processed by competent authorities for the purpose of
the prevention, investigation, detection or prosecution of
criminal offences or the execution of criminal penalties.
This Framework Decision should leave it to Member
States to determine more precisely at national level
which other purposes are to be considered as incom­
patible with the purpose for which the personal data
were originally collected. In general, further processing
for historical, statistical or scientific purposes should
not be considered as incompatible with the original
purpose of the processing.
(7) The scope of this Framework Decision is limited to the
processing of personal data transmitted or made available
between Member States. No conclusions should be
inferred from this limitation regarding the competence
of the Union to adopt acts relating to the collection
and processing of personal data at national level or the
expediency for the Union to do so in the future.
(8) In order to facilitate data exchanges within the Union,
Member States intend to ensure that the standard of data
protection achieved in national data processing matches
that provided for in this Framework Decision. With
regard to national data processing, this Framework
Decision does not preclude Member States from
providing safeguards for the protection of personal data
higher than those established in this Framework
Decision.
(9) This Framework Decision should not apply to personal
data which a Member State has obtained within the
scope of this Framework Decision and which originated
in that Member State.
(10) The approximation of Member States’ laws should not
result in any lessening of the data protection they afford
but should, on the contrary, seek to ensure a high level
of protection within the Union.
(11) It is necessary to specify the objectives of data protection
within the framework of police and judicial activities and
to lay down rules concerning the lawfulness of
processing of personal data in order to ensure that any
information that might be exchanged has been processed
lawfully and in accordance with fundamental principles
relating to data quality. At the same time the legitimate
activities of the police, customs, judicial and other
competent authorities should not be jeopardised in any
way.
(12) The principle of accuracy of data is to be applied taking
account of the nature and purpose of the processing
concerned. For example, in particular in judicial
L 350/61
proceedings data are based on the subjective perception
of individuals and in some cases are totally unverifiable.
Consequently, the requirement of accuracy cannot
appertain to the accuracy of a statement but merely to
the fact that a specific statement has been made.
(13) Archiving in a separate data set should be permissible
only if the data are no longer required and used for the
prevention, investigation, detection or prosecution of
criminal offences or the execution of criminal penalties.
Archiving in a separate data set should also be
permissible if the archived data are stored in a database
with other data in such a way that they can no longer be
used for the prevention, investigation, detection or prose­
cution of criminal offences or the execution of criminal
penalties. The appropriateness of the archiving period
should depend on the purposes of archiving and the
legitimate interests of the data subjects. In the case of
archiving for historical purposes a very long period may
be envisaged.
(14) Data may also be erased by destroying the data medium.
(15) As regards inaccurate, incomplete or no longer up-to-
date data transmitted or made available to another
Member State and further processed by quasi-judicial
authorities, meaning authorities with powers to make
legally binding decisions, its rectification, erasure or
blocking should be carried out in accordance with
national law.
(16) Ensuring a high level of protection of the personal data
of individuals requires common provisions to determine
the lawfulness and the quality of data processed by
competent authorities in other Member States.
(17) It is appropriate to lay down at the European level the
conditions under which competent authorities of the
Member States should be allowed to transmit and
make available personal data received from other
Member States to authorities and private parties in
Member States. In many cases the transmission of
personal data by the judiciary, police or customs to
private parties is necessary to prosecute crime or to
prevent an immediate and serious threat to public
security or to prevent serious harm to the rights of indi­
viduals, for example, by issuing alerts concerning
forgeries of securities to banks and credit institutions,
or, in the area of vehicle crime, by communicating
personal data to insurance companies in order to
prevent illicit trafficking in stolen motor vehicles or to
improve the conditions for the recovery of stolen motor
vehicles from abroad. This is not tantamount to the
transfer of police or judicial tasks to private parties.
L 350/62 EN Official Journal of the European Union
(18) The rules in this Framework Decision regarding the trans­
mission of personal data by the judiciary, police or
customs to private parties do not apply to the disclosure
of data to private parties (such as defence lawyers and
victims) in the context of criminal proceedings.
(19) The further processing of personal data received from, or
made available by, the competent authority of another
Member State, in particular the further transmission of or
making available such data, should be subject to
common rules at European level.
(20) Where personal data may be further processed after the
Member State from which the data were obtained has
given its consent, each Member State should be able to
determine the modalities of such consent, including, for
example, by means of a general consent for categories of
information or categories of further processing.
(21) Where personal data may be further processed for
administrative proceedings, these proceedings also
include activities by regulatory and supervisory bodies.
(22) The legitimate activities of the police, customs, judicial
and other competent authorities may require that data
are sent to authorities in third States or international
bodies that have obligations for the prevention, investi­
gation, detection or prosecution of criminal offences or
the execution of criminal penalties.
(23) Where personal data are transferred from a Member State
to third States or international bodies, these data should,
in principle, benefit from an adequate level of protection.
(24) Where personal data are transferred from a Member State
to third States or international bodies, such transfer
should, in principle, take place only after the Member
State from which the data were obtained has given its
consent to the transfer. Each Member State should be
able to determine the modalities of such consent,
including, for example, by means of a general consent
for categories of information or for specified third States.
(25) The interests of efficient law enforcement cooperation
require that where the nature of a threat to the public
security of a Member State or a third State is so
immediate as to render it impossible to obtain prior
consent in good time, the competent authority should
be able to transfer the relevant personal data to the
third State concerned without such prior consent. The
same could apply where other essential interests of a
Member State of equal importance are at stake, for
example where the critical infrastructure of a Member
State could be the subject of an immediate and serious
threat or where a Member State’s financial system could
be seriously disrupted.
30.12.2008
(26) It may be necessary to inform data subjects regarding the
processing of their data, in particular where there has
been particularly serious encroachment on their rights
as a result of secret data collection measures, in order
to ensure that data subjects can have effective legal
protection.
(27) Member States should ensure that the data subject is
informed that the personal data could be or are being
collected, processed or transmitted to another Member
State for the purpose of prevention, investigation,
detection, and prosecution of criminal offences or the
execution of criminal penalties. The modalities of the
right of the data subject to be informed and the
exceptions thereto should be determined by national
law. This may take a general form, for example,
through the law or through the publication of a list of
the processing operations.
(28) In order to ensure the protection of personal data
without jeopardising the interests of criminal investi­
gations, it is necessary to define the rights of the data
subject.
(29) Some Member States have provided for the right of
access of the data subject in criminal matters through a
system where the national supervisory authority, in place
of the data subject, has access to all the personal data
related to the data subject without any restriction and
may also rectify, erase or update inaccurate data. In
such a case of indirect access, the national law of those
Member States may provide that the national supervisory
authority will inform the data subject only that all the
necessary verifications have taken place. However, those
Member States also provide for possibilities of direct
access for the data subject in specific cases, such as
access to judicial records, in order to obtain copies of
own criminal records or of documents relating to own
hearings by the police services.
(30) It is appropriate to establish common rules on confiden­
tiality and security of processing, on liability and
penalties for unlawful use by competent authorities and
on judicial remedies available to the data subject. It is,
however, for each Member State to determine the nature
of its tort rules and of the penalties applicable to
violations of domestic data protection provisions.
(31) This Framework Decision allows the principle of public
access to official documents to be taken into account
when implementing the principles set out in this
Framework Decision.
30.12.2008 EN Official Journal of the European Union
(32) When necessary to protect personal data in relation to
processing which by scale or by type holds specific risks
for fundamental rights and freedoms, for example
processing by means of new technologies, mechanisms
or procedures, it is appropriate to ensure that the
competent national supervisory authorities are
consulted prior to the establishment of filing systems
aimed at the processing of these data.
(33) The establishment in Member States of supervisory au-
thorities, exercising their functions with complete inde­
pendence, is an essential component of the protection of
personal data processed within the framework of police
and judicial cooperation between the Member States.
(34) The supervisory authorities already established in
Member States under Directive 95/46/EC should also
be able to assume responsibility for the tasks to be
performed by the national supervisory authorities to be
established under this Framework Decision.
(35) Such supervisory authorities should have the necessary
means to perform their duties, including powers of inves­
tigation and intervention, particularly in cases of
complaints from individuals, or powers to engage in
legal proceedings. These supervisory authorities should
help to ensure transparency of processing in the
Member States within whose jurisdiction they fall.
However, their powers should not interfere with
specific rules set out for criminal proceedings or the
independence of the judiciary.
(36) Article 47 of the Treaty on European Union stipulates
that nothing in it is to affect the Treaties establishing the
European Communities or the subsequent Treaties and
Acts modifying or supplementing them. Accordingly, this
Framework Decision does not affect the protection of
personal data under Community law, in particular as
provided for in Directive 95/46/EC, in Regulation (EC)
No 45/2001 of the European Parliament and of the
Council of 18 December 2000 on the protection of
individuals with regard to the processing of personal
data by the Community institutions and bodies and on
the free movement of such data (1) and in Directive
2002/58/EC of the European Parliament and of the
Council of 12 July 2002 concerning the processing of
personal data and the protection of privacy in the elec­
tronic communications sector (Directive on privacy and
electronic communications) (2).
(37) This Framework Decision is without prejudice to the
rules pertaining to illicit access to data laid down in
Council Framework Decision 2005/222/JHA of
24 February 2005 on attacks against information
systems (3).
(1) OJ L 8, 12.1.2001, p. 1.
(2) OJ L 201, 31.7.2002, p. 37.
(3) OJ L 69, 16.3.2005, p. 67.
L 350/63
(38) This Framework Decision is without prejudice to existing
obligations and commitments incumbent upon Member
States or upon the Union by virtue of bilateral and/or
multilateral agreements with third States. Future
agreements should comply with the rules on exchanges
with third States.
(39) Several acts, adopted on the basis of Title VI of the
Treaty on European Union, contain specific provisions
on the protection of personal data exchanged or
otherwise processed pursuant to those acts. In some
cases these provisions constitute a complete and
coherent set of rules covering all relevant aspects of
data protection (principles of data quality, rules on data
security, regulation of the rights and safeguards of data
subjects, organisation of supervision and liability) and
they regulate these matters in more detail than this
Framework Decision. The relevant set of data protection
provisions of those acts, in particular those governing the
functioning of Europol, Eurojust, the Schengen Infor­
mation System (SIS) and the Customs Information
System (CIS), as well as those introducing direct access
for the authorities of Member States to certain data
systems of other Member States, should not be affected
by this Framework Decision. The same applies in respect
of the data protection provisions governing the
automated transfer between Member States of DNA
profiles, dactyloscopic data and national vehicle regis­
tration data pursuant to the Council Decision
2008/615/JHA of 23 June 2008 on the stepping up of
cross-border cooperation, particularly in combating
terrorism and cross-border crime (4).
(40) In other cases the provisions on data protection in acts,
adopted on the basis of Title VI of the Treaty on
European Union, are more limited in scope. They often
set specific conditions for the Member State receiving
information containing personal data from other
Member States as to the purposes for which it can use
those data, but refer for other aspects of data protection
to the Council of Europe Convention for the Protection
of Individuals with regard to Automatic Processing of
Personal Data of 28 January 1981 or to national law.
To the extent that the provisions of those acts imposing
conditions on receiving Member States as to the use or
further transfer of personal data are more restrictive than
those contained in the corresponding provisions of this
Framework Decision, the former provisions should
remain unaffected. However, for all other aspects the
rules set out in this Framework Decision should be
applied.
(41) This Framework Decision does not affect the Council of
Europe Convention for the Protection of Individuals with
regard to Automatic Processing of Personal Data, the
Additional Protocol to that Convention of 8 November
2001 or the Council of Europe conventions on judicial
cooperation in criminal matters.
(4) OJ L 210, 6.8.2008, p. 1.
L 350/64 EN Official Journal of the European Union
(42) Since the objective of this Framework Decision, namely
the determination of common rules for the protection of
personal data processed in the framework of police and
judicial cooperation in criminal matters, cannot be suf­
ficiently achieved by the Member States, and can
therefore, by reason of the scale and effects of the
action, be better achieved at the Union level, the Union
may adopt measures in accordance with the principle of
subsidiarity as set out in Article 5 of the Treaty estab­
lishing the European Community and referred to in
Article 2 of the Treaty on European Union. In
accordance with the principle of proportionality as set
out in Article 5 of the Treaty establishing the European
Community, this Framework Decision does not go
beyond what is necessary to achieve that objective.
(43) The United Kingdom is taking part in this Framework
Decision, in accordance with Article 5 of the Protocol
integrating the Schengen acquis into the framework of the
European Union annexed to the Treaty on European
Union and to the Treaty establishing the European
Community, and Article 8(2) of Council Decision
2000/365/EC of 29 May 2000 concerning the request
of the United Kingdom of Great Britain and Northern
Ireland to take part in some of the provisions of the
Schengen acquis (1).
(44) Ireland is taking part in this Framework Decision in
accordance with Article 5 of the Protocol integrating
the Schengen acquis into the framework of the
European Union annexed to the Treaty on European
Union and to the Treaty establishing the European
Community, and Article 6(2) of Council Decision
2002/192/EC of 28 February 2002 concerning Ireland’s
request to take part in some of the provisions of the
Schengen acquis (2).
(45) As regards Iceland and Norway, this Framework Decision
constitutes a development of provisions of the Schengen
acquis within the meaning of the Agreement concluded
by the Council of the European Union and the Republic
of Iceland and the Kingdom of Norway concerning the
latter’s association with the implementation, application
and development of the Schengen acquis (3), which fall
within the area referred to in Article 1, points H and I
of Council Decision 1999/437/EC (4) on certain
arrangements for the application of that Agreement.
(46) As regards Switzerland, this Framework Decision
constitutes a development of the provisions of the
Schengen acquis within the meaning of the Agreement
between the European Union, the European
Community and the Swiss Confederation on the Swiss
Confederation’s association with the implementation,
(1) OJ L 131, 1.6.2000, p. 43.
(2) OJ L 64, 7.3.2002, p. 20.
(3) OJ L 176, 10.7.1999, p. 36.
(4) OJ L 176, 10.7.1999, p. 31.
30.12.2008
application and development of the Schengen acquis (5),
which fall within the area referred to in Article 1, point
H and I of Decision 1999/437/EC read in conjunction
with Article 3 of Council Decision 2008/149/JHA (6) on
the conclusion of that Agreement on behalf of the
European Union.
(47) As regards Liechtenstein, this Framework Decision
constitutes a development of the provisions of the
Schengen acquis within the meaning of the Protocol
signed between the European Union, the European
Community, the Swiss Confederation and the Principality
of Liechtenstein on the accession of the Principality of
Liechtenstein to the Agreement between the European
Union, the European Community and the Swiss Confed­
eration on the Swiss Confederation’s association with the
implementation, application and development of the
Schengen acquis, which fall within the area referred to
in Article 1, point H and I of Decision 1999/437/EC
read in conjunction with Article 3 of Council Decision
2008/262/JHA (7) on the signature of that Protocol on
behalf of the European Union.
(48) This Framework Decision respects the fundamental rights
and observes the principles recognised in particular by
the Charter of Fundamental Rights of the European
Union (8). This Framework Decision seeks to ensure full
respect for the rights to privacy and the protection of
personal data reflected in Articles 7 and 8 of the Charter,
HAS ADOPTED THIS FRAMEWORK DECISION:
Article 1
Purpose and scope
1. The purpose of this Framework Decision is to ensure a
high level of protection of the fundamental rights and freedoms
of natural persons, and in particular their right to privacy, with
respect to the processing of personal data in the framework of
police and judicial cooperation in criminal matters, provided for
by Title VI of the Treaty on European Union, while guaran­
teeing a high level of public safety.
2. In accordance with this Framework Decision, Member
States shall protect the fundamental rights and freedoms of
natural persons, and in particular their right to privacy when,
for the purpose of the prevention, investigation, detection or
prosecution of criminal offences or the execution of criminal
penalties, personal data:
(a) are or have been transmitted or made available between
Member States;
(5) OJ L 53, 27.2.2008, p. 52.
(6) OJ L 53, 27.2.2008, p. 50.
(7) OJ L 83, 26.3.2008, p. 5.
(8) OJ C 303, 14.12.2007, p. 1.
30.12.2008 EN Official Journal of the European Union
(b) are or have been transmitted or made available by Member
States to authorities or to information systems established
on the basis of Title VI of the Treaty on European Union; or
(c) are or have been transmitted or made available to the
competent authorities of the Member States by authorities
or information systems established on the basis of the
Treaty on European Union or the Treaty establishing the
European Community.
3. This Framework Decision shall apply to the processing of
personal data wholly or partly by automatic means, and to the
processing otherwise than by automatic means, of personal data
which form part of a filing system or are intended to form part
of a filing system.
4. This Framework Decision is without prejudice to essential
national security interests and specific intelligence activities in
the field of national security.
5. This Framework Decision shall not preclude Member
States from providing, for the protection of personal data
collected or processed at national level, higher safeguards than
those established in this Framework Decision.
Article 2
Definitions
For the purposes of this Framework Decision:
(a) ‘personal data’ mean any information relating to an iden­
tified or identifiable natural person (‘data subject’); an iden­
tifiable person is one who can be identified, directly or
indirectly, in particular by reference to an identification
number or to one or more factors specific to his physical,
physiological, mental, economic, cultural or social identity;
(b) ‘processing of personal data’ and ‘processing’ mean any
operation or set of operations which is performed upon
personal data, whether or not by automatic means, such
as collection, recording, organisation, storage, adaptation
or alteration, retrieval, consultation, use, disclosure by trans­
mission, dissemination or otherwise making available,
alignment or combination, blocking, erasure or destruction;
(c) ‘blocking’ means the marking of stored personal data with
the aim of limiting their processing in future;
(d) ‘personal data filing system’ and ‘filing system’ mean any
structured set of personal data which are accessible
according to specific criteria, whether centralised, decen­
tralised or dispersed on a functional or geographical basis;
(e) ‘processor’ means any body which processes personal data
on behalf of the controller;
L 350/65
(f) ‘recipient’ means any body to which data are disclosed;
(g) ‘the data subject’s consent’ means any freely given specific
and informed indication of his wishes by which the data
subject signifies his agreement to personal data relating to
him being processed;
(h) ‘competent authorities’ mean agencies or bodies established
by legal acts adopted by the Council pursuant to Title VI of
the Treaty on European Union, as well as police, customs,
judicial and other competent authorities of the Member
States that are authorised by national law to process
personal data within the scope of this Framework Decision;
(i) ‘controller’ means the natural or legal person, public
authority, agency or any other body which alone or
jointly with others determines the purposes and means of
the processing of personal data;
(j) ‘referencing’ means the marking of stored personal data
without the aim of limiting their processing in future;
(k) ‘to make anonymous’ means to modify personal data in
such a way that details of personal or material circum­
stances can no longer or only with disproportionate
investment of time, cost and labour be attributed to an
identified or identifiable natural person.
Article 3
Principles of lawfulness, proportionality and purpose
1. Personal data may be collected by the competent au-
thorities only for specified, explicit and legitimate purposes in
the framework of their tasks and may be processed only for the
same purpose for which data were collected. Processing of the
data shall be lawful and adequate, relevant and not excessive in
relation to the purposes for which they are collected.
2. Further processing for another purpose shall be permitted
in so far as:
(a) it is not incompatible with the purposes for which the data
were collected;
(b) the competent authorities are authorised to process such
data for such other purpose in accordance with the
applicable legal provisions; and
(c) processing is necessary and proportionate to that other
purpose.
The competent authorities may also further process the trans­
mitted personal data for historical, statistical or scientific
purposes, provided that Member States provide appropriate
safeguards, such as making the data anonymous.
L 350/66 EN Official Journal of the European Union
Article 4
Rectification, erasure and blocking
1. Personal data shall be rectified if inaccurate and, where
this is possible and necessary, completed or updated.
2. Personal data shall be erased or made anonymous when
they are no longer required for the purposes for which they
were lawfully collected or are lawfully further processed.
Archiving of those data in a separate data set for an appropriate
period in accordance with national law shall not be affected by
this provision.
3. Personal data shall be blocked instead of erased if there
are reasonable grounds to believe that erasure could affect the
legitimate interests of the data subject. Blocked data shall be
processed only for the purpose which prevented their erasure.
4. When the personal data are contained in a judicial
decision or record related to the issuance of a judicial
decision, the rectification, erasure or blocking shall be carried
out in accordance with national rules on judicial proceedings.
Article 5
Establishment of time limits for erasure and review
Appropriate time limits shall be established for the erasure of
personal data or for a periodic review of the need for the
storage of the data. Procedural measures shall ensure that
these time limits are observed.
Article 6
Processing of special categories of data
The processing of personal data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs or trade-
union membership and the processing of data concerning
health or sex life shall be permitted only when this is strictly
necessary and when the national law provides adequate safe­
guards.
Article 7
Automated individual decisions
A decision which produces an adverse legal effect for the data
subject or significantly affects him and which is based solely on
automated processing of data intended to evaluate certain
personal aspects relating to the data subject shall be permitted
only if authorised by a law which also lays down measures to
safeguard the data subject’s legitimate interests.
Article 8
Verification of quality of data that are transmitted or made
available
1. The competent authorities shall take all reasonable steps
to provide that personal data which are inaccurate, incomplete
or no longer up to date are not transmitted or made available.
30.12.2008
To that end, the competent authorities shall, as far as prac­
ticable, verify the quality of personal data before they are trans­
mitted or made available. As far as possible, in all transmissions
of data, available information shall be added which enables the
receiving Member State to assess the degree of accuracy,
completeness, up-to-dateness and reliability. If personal data
were transmitted without request the receiving authority shall
verify without delay whether these data are necessary for the
purpose for which they were transmitted.
2. If it emerges that incorrect data have been transmitted or
data have been unlawfully transmitted, the recipient must be
notified without delay. The data must be rectified, erased, or
blocked without delay in accordance with Article 4.
Article 9
Time limits
1. Upon transmission or making available of the data, the
transmitting authority may in line with the national law and in
accordance with Articles 4 and 5, indicate the time limits for
the retention of data, upon the expiry of which the recipient
must erase or block the data or review whether or not they are
still needed. This obligation shall not apply if, at the time of the
expiry of these time limits, the data are required for a current
investigation, prosecution of criminal offences or enforcement
of criminal penalties.
2. Where the transmitting authority has not indicated a time
limit in accordance with paragraph 1, the time limits referred to
in Articles 4 and 5 for the retention of data provided for under
the national law of the receiving Member State shall apply.
Article 10
Logging and documentation
1. All transmissions of personal data are to be logged or
documented for the purposes of verification of the lawfulness
of the data processing, self-monitoring and ensuring proper data
integrity and security.
2. Logs or documentation prepared under paragraph 1 shall
be communicated on request to the competent supervisory
authority for the control of data protection. The competent
supervisory authority shall use this information only for the
control of data protection and for ensuring proper data
processing as well as data integrity and security.
Article 11
Processing of personal data received from or made
available by another Member State
Personal data received from or made available by the competent
authority of another Member State may, in accordance with the
requirements of Article 3(2), be further processed only for the
following purposes other than those for which they were trans­
mitted or made available:
30.12.2008 EN Official Journal of the European Union
(a) the prevention, investigation, detection or prosecution of
criminal offences or the execution of criminal penalties
other than those for which they were transmitted or made
available;
(b) other judicial and administrative proceedings directly related
to the prevention, investigation, detection or prosecution of
criminal offences or the execution of criminal penalties;
(c) the prevention of an immediate and serious threat to public
security; or
(d) any other purpose only with the prior consent of the trans­
mitting Member State or with the consent of the data
subject, given in accordance with national law.
The competent authorities may also further process the trans­
mitted personal data for historical, statistical or scientific
purposes, provided that Member States provide appropriate
safeguards, such as, for example, making the data anonymous.
Article 12
Compliance with national processing restrictions
1. Where, under the law of the transmitting Member State,
specific processing restrictions apply in specific circumstances to
data exchanges between competent authorities within that
Member State, the transmitting authority shall inform the
recipient of such restrictions. The recipient shall ensure that
these processing restrictions are met.
2. When applying paragraph 1, Member States shall not
apply restrictions regarding data transmissions to other
Member States or to agencies or bodies established pursuant
to Title VI of the Treaty on European Union other than those
applicable to similar national data transmissions.
Article 13
Transfer to competent authorities in third States or to
international bodies
1. Member States shall provide that personal data transmitted
or made available by the competent authority of another
Member State may be transferred to third States or international
bodies, only if:
(a) it is necessary for the prevention, investigation, detection or
prosecution of criminal offences or the execution of
criminal penalties;
(b) the receiving authority in the third State or receiving inter­
national body is responsible for the prevention, investi­
L 350/67
gation, detection or prosecution of criminal offences or
the execution of criminal penalties;
(c) the Member State from which the data were obtained has
given its consent to transfer in compliance with its national
law; and
(d) the third State or international body concerned ensures an
adequate level of protection for the intended data
processing.
2. Transfer without prior consent in accordance with
paragraph 1(c) shall be permitted only if transfer of the data
is essential for the prevention of an immediate and serious
threat to public security of a Member State or a third State
or to essential interests of a Member State and the prior
consent cannot be obtained in good time. The authority
responsible for giving consent shall be informed without delay.
3. By way of derogation from paragraph 1(d), personal data
may be transferred if:
(a) the national law of the Member State transferring the data
so provides because of:
(i) legitimate specific interests of the data subject; or
(ii) legitimate prevailing interests, especially important
public interests; or
(b) the third State or receiving international body provides safe­
guards which are deemed adequate by the Member State
concerned according to its national law.
4. The adequacy of the level of protection referred to in
paragraph 1(d) shall be assessed in the light of all the circum­
stances surrounding a data transfer operation or a set of data
transfer operations. Particular consideration shall be given to the
nature of the data, the purpose and duration of the proposed
processing operation or operations, the State of origin and the
State or international body of final destination of the data, the
rules of law, both general and sectoral, in force in the third
State or international body in question and the professional
rules and security measures which apply.
Article 14
Transmission to private parties in Member States
1. Member States shall provide that personal data received
from or made available by the competent authority of another
Member State may be transmitted to private parties only if:
L 350/68 EN Official Journal of the European Union
(a) the competent authority of the Member State from which
the data were obtained has consented to transmission in
compliance with its national law;
(b) no legitimate specific interests of the data subject prevent
transmission; and
(c) in particular cases transfer is essential for the competent
authority transmitting the data to a private party for:
(i) the performance of a task lawfully assigned to it;
(ii) the prevention, investigation, detection or prosecution
of criminal offences or the execution of criminal
penalties;
(iii) the prevention of an immediate and serious threat to
public security; or
(iv) the prevention of serious harm to the rights of indi­
viduals.
2. The competent authority transmitting the data to a private
party shall inform the latter of the purposes for which the data
may exclusively be used.
Article 15
Information on request of the competent authority
The recipient shall, on request, inform the competent authority
which transmitted or made available the personal data about
their processing.
Article 16
Information for the data subject
1. Member States shall ensure that the data subject is
informed regarding the collection or processing of personal
data by their competent authorities, in accordance with
national law.
2. When personal data have been transmitted or made
available between Member States, each Member State may, in
accordance with the provisions of its national law referred to in
paragraph 1, ask that the other Member State does not inform
the data subject. In such case the latter Member State shall not
inform the data subject without the prior consent of the other
Member State.
Article 17
Right of access
1. Every data subject shall have the right to obtain, following
requests made at reasonable intervals, without constraint and
without excessive delay or expense:
(a) at least a confirmation from the controller or from the
national supervisory authority as to whether or not data
30.12.2008
relating to him have been transmitted or made available
and information on the recipients or categories of recipients
to whom the data have been disclosed and communication
of the data undergoing processing; or
(b) at least a confirmation from the national supervisory
authority that all necessary verifications have taken place.
2. The Member States may adopt legislative measures
restricting access to information pursuant to paragraph 1(a),
where such a restriction, with due regard for the legitimate
interests of the person concerned, constitutes a necessary and
proportional measure:
(a) to avoid obstructing official or legal inquiries, investigations
or procedures;
(b) to avoid prejudicing the prevention, detection, investigation
and prosecution of criminal offences or for the execution of
criminal penalties;
(c) to protect public security;
(d) to protect national security;
(e) to protect the data subject or the rights and freedoms of
others.
3. Any refusal or restriction of access shall be set out in
writing to the data subject. At the same time, the factual or
legal reasons on which the decision is based shall also be
communicated to him. The latter communication may be
omitted where a reason under paragraph 2(a) to (e) exists. In
all of these cases the data subject shall be advised that he may
appeal to the competent national supervisory authority, a
judicial authority or to a court.
Article 18
Right to rectification, erasure or blocking
1. The data subject shall have the right to expect the
controller to fulfil its duties in accordance with Articles 4, 8
and 9 concerning the rectification, erasure or blocking of
personal data which arise from this Framework Decision.
Member States shall lay down whether the data subject may
assert this right directly against the controller or through the
intermediary of the competent national supervisory authority. If
the controller refuses rectification, erasure or blocking, the
refusal must be communicated in writing to the data subject
who must be informed of the possibilities provided for in
national law for lodging a complaint or seeking judicial
remedy. Upon examination of the complaint or judicial
remedy, the data subject shall be informed whether the
controller acted properly or not. Member States may also
provide that the data subject shall be informed by the
competent national supervisory authority that a review has
taken place.
30.12.2008 EN Official Journal of the European Union
2. If the accuracy of an item of personal data is contested by
the data subject and its accuracy or inaccuracy cannot be ascer­
tained, referencing of that item of data may take place.
Article 19
Right to compensation
1. Any person who has suffered damage as a result of an
unlawful processing operation or of any act incompatible with
the national provisions adopted pursuant to this Framework
Decision shall be entitled to receive compensation for the
damage suffered from the controller or other authority
competent under national law.
2. Where a competent authority of a Member State has
transmitted personal data, the recipient cannot, in the context
of its liability vis-à-vis the injured party in accordance with
national law, cite in its defence that the data transmitted were
inaccurate. If the recipient pays compensation for damage
caused by the use of incorrectly transmitted data, the trans­
mitting competent authority shall refund to the recipient the
amount paid in damages, taking into account any fault that may
lie with the recipient.
Article 20
Judicial remedies
Without prejudice to any administrative remedy for which
provision may be made prior to referral to the judicial
authority, the data subject shall have the right to a judicial
remedy for any breach of the rights guaranteed to him by the
applicable national law.
Article 21
Confidentiality of processing
1. Any person who has access to personal data which fall
within the scope of this Framework Decision may process such
data only if that person is a member of, or acts on instructions
of, the competent authority, unless he is required to do so by
law.
2. Persons working for a competent au-
thority of a Member State shall be bound by all the data
protection rules which apply to the competent authority in
question.
Article 22
Security of processing
1. Member States shall provide that the competent au­
thorities must implement appropriate technical and organisa­
tional measures to protect personal data against accidental or
L 350/69
unlawful destruction or accidental loss, alteration, unauthorised
disclosure or access, in particular where the processing involves
the transmission over a network or the making available by
granting direct automated access, and against all other
unlawful forms of processing, taking into account in particular
the risks represented by the processing and the nature of the
data to be protected. Having regard to the state of the art and
the cost of their implementation, such measures shall ensure a
level of security appropriate to the risks represented by the
processing and the nature of the data to be protected.
2. In respect of automated data processing each Member
State shall implement measures designed to:
(a) deny unauthorised persons access to data-processing
equipment used for processing personal data (equipment
access control);
(b) prevent the unauthorised reading, copying, modification or
removal of data media (data media control);
(c) prevent the unauthorised input of data and the unauthorised
inspection, modification or deletion of stored personal data
(storage control);
(d) prevent the use of automated data-processing systems by
unauthorised persons using data communication
equipment (user control);
(e) ensure that persons authorised to use an automated data-
processing system only have access to the data covered by
their access authorisation (data access control);
(f) ensure that it is possible to verify and establish to which
bodies personal data have been or may be transmitted or
made available using data communication equipment
(communication control);
(g) ensure that it is subsequently possible to verify and establish
which personal data have been input into automated data-
processing systems and when and by whom the data were
input (input control);
(h) prevent the unauthorised reading, copying, modification or
deletion of personal data during transfers of personal data
or during transportation of data media (transport control);
(i) ensure that installed systems may, in case of interruption, be
restored (recovery);
(j) ensure that the functions of the system perform, that the
appearance of faults in the functions is reported (reliability)
and that stored data cannot be corrupted by means of a
malfunctioning of the system (integrity).
L 350/70 EN Official Journal of the European Union
3. Member States shall provide that processors may be
designated only if they guarantee that they observe the
requisite technical and organisational measures under
paragraph 1 and comply with the instructions under
Article 21. The competent authority shall monitor the
processor in those respects.
4. Personal data may be processed by a processor only on
the basis of a legal act or a written contract.
Article 23
Prior consultation
Member States shall ensure that the competent national super­
visory authorities are consulted prior to the processing of
personal data which will form part of a new filing system to
be created where:
(a) special categories of data referred to in Article 6 are to be
processed; or
(b) the type of processing, in particular using new technologies,
mechanism or procedures, holds otherwise specific risks for
the fundamental rights and freedoms, and in particular the
privacy, of the data subject.
Article 24
Penalties
Member States shall adopt suitable measures to ensure the full
implementation of the provisions of this Framework Decision
and shall in particular lay down effective, proportionate and
dissuasive penalties to be imposed in case of infringements of
the provisions adopted pursuant to this Framework Decision.
Article 25
National supervisory authorities
1. Each Member State shall provide that one or more public
authorities are responsible for advising and monitoring the
application within its territory of the provisions adopted by
the Member States pursuant to this Framework Decision.
These authorities shall act with complete independence in exer­
cising the functions entrusted to them.
2. Each authority shall in particular be endowed with:
(a) investigative powers, such as powers of access to data
forming the subject matter of processing operations and
powers to collect all the information necessary for the
performance of its supervisory duties;
(b) effective powers of intervention, such as, for example, that
of delivering opinions before processing operations are
carried out, and ensuring appropriate publication of such
opinions, of ordering the blocking, erasure or destruction of
30.12.2008
data, of imposing a temporary or definitive ban on
processing, of warning or admonishing the controller, or
that of referring the matter to national parliaments or
other political institutions;
(c) the power to engage in legal proceedings where the national
provisions adopted pursuant to this Framework Decision
have been infringed or to bring this infringement to the
attention of the judicial authorities. Decisions by the super­
visory authority which give rise to complaints may be
appealed against through the courts.
3. Each supervisory authority shall hear claims lodged by any
person concerning the protection of his rights and freedoms in
regard to the processing of personal data. The person concerned
shall be informed of the outcome of the claim.
4. Member States shall provide that the members and staff of
the supervisory authority are bound by the data protection
provisions applicable to the competent authority in question
and, even after their employment has ended, are to be subject
to a duty of professional secrecy with regard to confidential
information to which they have access.
Article 26
Relationship to agreements with third States
This Framework Decision is without prejudice to any obli­
gations and commitments incumbent upon Member States or
upon the Union by virtue of bilateral and/or multilateral
agreements with third States existing at the time of adoption
of this Framework Decision.
In the application of these agreements, the transfer to a third
State of personal data obtained from another Member State,
shall be carried out while respecting Article 13(1)(c) or (2), as
appropriate.
Article 27
Evaluation
1. Member States shall report to the Commission by
27 November 2013 on the national measures they have
taken to ensure full compliance with this Framework
Decision, and particularly with regard to those provisions that
already have to be complied with when data is collected. The
Commission shall examine in particular the implications of
those provisions for the scope of this Framework Decision as
laid down in Article 1(2).
2. The Commission shall report to the European Parliament
and the Council within one year on the outcome of the
evaluation referred to in paragraph 1, and shall accompany its
report with any appropriate proposals for amendments to this
Framework Decision.
30.12.2008 EN Official Journal of the European Union
Article 28
Relationship to previously adopted acts of the Union
Where in acts, adopted under Title VI of the Treaty on
European Union prior to the date of entry into force of this
Framework Decision and regulating the exchange of personal
data between Member States or the access of designated au-
thorities of Member States to information systems established
pursuant to the Treaty establishing the European Community,
specific conditions have been introduced as to the use of such
data by the receiving Member State, these conditions shall take
precedence over the provisions of this Framework Decision on
the use of data received from or made available by another
Member State.
Article 29
Implementation
1. Member States shall take the necessary measures to
comply with the provisions of this Framework Decision
before 27 November 2010.
2. By the same date Member States shall transmit to the
General Secretariat of the Council and to the Commission the
L 350/71
text of the provisions transposing into their national law the
obligations imposed on them under this Framework Decision,
as well as information on the supervisory authorities referred to
in Article 25. On the basis of a report established using this
information by the Commission, the Council shall, before
27 November 2011, assess the extent to which Member
States have complied with the provisions of this Framework
Decision.
Article 30
Entry into force
This Framework Decision shall enter into force on the 20th day
following its publication in the Official Journal of the European
Union.
Done at Brussels, 27 November 2008.
For the Council
The President
M. ALLIOT-MARIE
19.7.2003 EN Official Journal of the European Union L 181/27

AGREEMENT
on extradition between the European Union and the United States of America

CONTENTS
Preamble

Article 1 Object and purpose

Article 2 Definitions

Article 3 Scope of application of this Agreement in relation to bilateral extradition treaties with Member
States

Article 4 Extraditable offences

Article 5 Transmission and authentication of documents

Article 6 Transmission of requests for provisional arrest

Article 7 Transmission of documents following provisional arrest

Article 8 Supplemental information

Article 9 Temporary surrender

Article 10 Requests for extradition or surrender made by several States

Article 11 Simplified extradition procedures

Article 12 Transit

Article 13 Capital punishment

Article 14 Sensitive information in a request

Article 15 Consultations

Article 16 Temporal application

Article 17 Non-derogation

Article 18 Future bilateral extradition treaties with Member States

Article 19 Designation and notification

Article 20 Territorial application

Article 21 Review

Article 22 Entry into force and termination

Explanatory Note

THE EUROPEAN UNION AND THE UNITED STATES OF AMERICA,

DESIRING further to facilitate cooperation between the European Union Member States and the United States of
America,

DESIRING to combat crime in a more effective way as a means of protecting their respective democratic societies and
common values,

HAVING DUE REGARD for rights of individuals and the rule of law,

MINDFUL of the guarantees under their respective legal systems which provide for the right to a fair trial to an extra-
dited person, including the right to adjudication by an impartial tribunal established pursuant to law,

DESIRING to conclude an Agreement relating to the extradition of offenders,

HAVE AGREED AS FOLLOWS:

L 181/28 EN Official Journal of the European Union
Article 1
Object and Purpose
The Contracting Parties undertake, in accordance with the
provisions of this Agreement, to provide for enhancements to
cooperation in the context of applicable extradition relations
between the Member States and the United States of America
governing extradition of offenders.
Article 2
Definitions
1. ‘Contracting Parties’ shall mean the European Union and the
United States of America.
2. ‘Member State’ shall mean a Member State of the European
Union.
3. ‘Ministry of Justice’ shall, for the United States of America,
mean the United States Department of Justice; and for a
Member State, its Ministry of Justice, except that with
respect to a Member State in which functions described in
Articles 3, 5, 6, 8 or 12 are carried out by its Prosecutor
General, that body may be designated to carry out such
function in lieu of the Ministry of Justice in accordance with
Article 19, unless the United States and the Member State
concerned agree to designate another body.
Article 3
Scope of application of this Agreement in relation to bilat-
eral extradition treaties with Member States
1. The European Union, pursuant to the Treaty on European
Union, and the United States of America shall ensure that the
provisions of this Agreement are applied in relation to bilateral
extradition treaties between the Member States and the United
States of America, in force at the time of the entry into force of
this Agreement, under the following terms:
(a) Article 4 shall be applied in place of bilateral treaty provi-
sions that authorise extradition exclusively with respect to
a list of specified criminal offences;
(b) Article 5 shall be applied in place of bilateral treaty provi-
sions governing transmission, certification, authentication
or legalisation of an extradition request and supporting
documents transmitted by the requesting State;
(c) Article 6 shall be applied in the absence of bilateral treaty
provisions authorising direct transmission of provisional
arrest requests between the United States Department of
Justice and the Ministry of Justice of the Member State
concerned;
(d) Article 7 shall be applied in addition to bilateral treaty
provisions governing transmission of extradition requests;
19.7.2003
(e) Article 8 shall be applied in the absence of bilateral treaty
provisions governing the submission of supplementary
information; where bilateral treaty provisions do not
specify the channel to be used, paragraph 2 of that Article
shall also be applied;
(f) Article 9 shall be applied in the absence of bilateral treaty
provisions authorising temporary surrender of persons
being proceeded against or serving a sentence in the
requested State;
(g) Article 10 shall be applied, except as otherwise specified
therein, in place of, or in the absence of, bilateral treaty
provisions pertaining to decision on several requests for
extradition of the same person;
(h) Article 11 shall be applied in the absence of bilateral treaty
provisions authorising waiver of extradition or simplified
extradition procedures;
(i) Article 12 shall be applied in the absence of bilateral treaty
provisions governing transit; where bilateral treaty provi-
sions do not specify the procedure governing unscheduled
landing of aircraft, paragraph 3 of that Article shall also be
applied;
(j) Article 13 may be applied by the requested State in place
of, or in the absence of, bilateral treaty provisions
governing capital punishment;
(k) Article 14 shall be applied in the absence of bilateral treaty
provisions governing treatment of sensitive information in
a request.
2. (a) The European Union, pursuant to the Treaty on
European Union, shall ensure that each Member State
acknowledges, in a written instrument between such
Member State and the United States of America, the
application, in the manner set forth in this Article, of its
bilateral extradition treaty in force with the United
States of America.
(b) The European Union, pursuant to the Treaty on
European Union, shall ensure that new Member States
acceding to the European Union after the entry into
force of this Agreement and having bilateral extradition
treaties with the United States of America, take the
measures referred to in subparagraph (a).
(c) The Contracting Parties shall endeavour to complete the
process described in subparagraph (b) prior to the
scheduled accession of a new Member State, or as soon
as possible thereafter. The European Union shall notify
the United States of America of the date of accession of
new Member States.
3. If the process described in paragraph 2(b) is not
completed by the date of accession, the provisions of this
Agreement shall apply in the relations between that new
Member State and the United States of America as from the
date on which they have notified each other and the European
Union of the completion of their internal procedures for that
purpose.
19.7.2003 EN Official Journal of the European Union
Article 4
Extraditable offences
1. An offence shall be an extraditable offence if it is punish-
able under the laws of the requesting and requested States by
deprivation of liberty for a maximum period of more than one
year or by a more severe penalty. An offence shall also be an
extraditable offence if it consists of an attempt or conspiracy to
commit, or participation in the commission of, an extraditable
offence. Where the request is for enforcement of the sentence
of a person convicted of an extraditable offence, the depriva-
tion of liberty remaining to be served must be at least four
months.
2. If extradition is granted for an extraditable offence, it shall
also be granted for any other offence specified in the request if
the latter offence is punishable by one year's deprivation of
liberty or less, provided that all other requirements for extradi-
tion are met.
3. For the purposes of this Article, an offence shall be
considered an extraditable offence:
(a) regardless of whether the laws in the requesting and
requested States place the offence within the same category
of offences or describe the offence by the same termi-
nology;
(b) regardless of whether the offence is one for which United
States federal law requires the showing of such matters as
interstate transportation, or use of the mails or of other
facilities affecting interstate or foreign commerce, such
matters being merely for the purpose of establishing juris-
diction in a United States federal court; and
(c) in criminal cases relating to taxes, customs duties, currency
control and the import or export of commodities, regard-
less of whether the laws of the requesting and requested
States provide for the same kinds of taxes, customs duties,
or controls on currency or on the import or export of the
same kinds of commodities.
4. If the offence has been committed outside the territory of
the requesting State, extradition shall be granted, subject to the
other applicable requirements for extradition, if the laws of the
requested State provide for the punishment of an offence
committed outside its territory in similar circumstances. If the
laws of the requested State do not provide for the punishment
of an offence committed outside its territory in similar circum-
stances, the executive authority of the requested State, at its
discretion, may grant extradition provided that all other applic-
able requirements for extradition are met.
Article 5
Transmission and authentication of documents
1. Requests for extradition and supporting documents shall
be transmitted through the diplomatic channel, which shall
include transmission as provided for in Article 7.
L 181/29
2. Documents that bear the certificate or seal of the Ministry
of Justice, or Ministry or Department responsible for foreign
affairs, of the requesting State shall be admissible in extradition
proceedings in the requested State without further certification,
authentication, or other legalisation.
Article 6
Transmission of requests for provisional arrest
Requests for provisional arrest may be made directly between
the Ministries of Justice of the requesting and requested States,
as an alternative to the diplomatic channel. The facilities of the
International Criminal Police Organisation (Interpol) may also
be used to transmit such a request.
Article 7
Transmission of documents following provisional arrest
1. If the person whose extradition is sought is held under
provisional arrest by the requested State, the requesting State
may satisfy its obligation to transmit its request for extradition
and supporting documents through the diplomatic channel
pursuant to Article 5(1), by submitting the request and docu-
ments to the Embassy of the requested State located in the
requesting State. In that case, the date of receipt of such request
by the Embassy shall be considered to be the date of receipt by
the requested State for purposes of applying the time limit that
must be met under the applicable extradition treaty to enable
the person's continued detention.
2. Where a Member State on the date of signature of this
Agreement, due to the established jurisprudence of its domestic
legal system applicable at such date, cannot apply the measures
referred to in paragraph 1, this Article shall not apply to it,
until such time as that Member State and the United States of
America, by exchange of diplomatic note, agree otherwise.
Article 8
Supplemental information
1. The requested State may require the requesting State to
furnish additional information within such reasonable length of
time as it specifies, if it considers that the information furnished
in support of the request for extradition is not sufficient to
fulfil the requirements of the applicable extradition treaty.
2. Such supplementary information may be requested and
furnished directly between the Ministries of Justice of the States
concerned.
L 181/30 EN Official Journal of the European Union
Article 9
Temporary surrender
1. If a request for extradition is granted in the case of a
person who is being proceeded against or is serving a sentence
in the requested State, the requested State may temporarily
surrender the person sought to the requesting State for the
purpose of prosecution.
2. The person so surrendered shall be kept in custody in the
requesting State and shall be returned to the requested State at
the conclusion of the proceedings against that person, in accor-
dance with the conditions to be determined by mutual agree-
ment of the requesting and requested States. The time spent in
custody in the territory of the requesting State pending prose-
cution in that State may be deducted from the time remaining
to be served in the requested State.
Article 10
Requests for extradition or surrender made by several
States
1. If the requested State receives requests from the
requesting State and from any other State or States for the
extradition of the same person, either for the same offence or
for different offences, the executive authority of the requested
State shall determine to which State, if any, it will surrender
the person.
2. If a requested Member State receives an extradition
request from the United States of America and a request for
surrender pursuant to the European arrest warrant for the same
person, either for the same offence or for different offences, the
competent authority of the requested Member State shall deter-
mine to which State, if any, it will surrender the person. For
this purpose, the competent authority shall be the requested
Member State's executive authority if, under the bilateral extra-
dition treaty in force between the United States and the
Member State, decisions on competing requests are made by
that authority; if not so provided in the bilateral extradition
treaty, the competent authority shall be designated by the
Member State concerned pursuant to Article 19.
3. In making its decision under paragraphs 1 and 2, the
requested State shall consider all of the relevant factors,
including, but not limited to, factors already set forth in the
applicable extradition treaty, and, where not already so set
forth, the following:
(a) whether the requests were made pursuant to a treaty;
(b) the places where each of the offences was committed;
(c) the respective interests of the requesting States;
(d) the seriousness of the offences;
(e) the nationality of the victim;
(f) the possibility of any subsequent extradition between the
requesting States; and
(g) the chronological order in which the requests were received
from the requesting States.
19.7.2003
Article 11
Simplified extradition procedures
If the person sought consents to be surrendered to the
requesting State, the requested State may, in accordance with
the principles and procedures provided for under its legal
system, surrender the person as expeditiously as possible
without further proceedings. The consent of the person sought
may include agreement to waiver of protection of the rule of
specialty.
Article 12
Transit
1. A Member State may authorise transportation through its
territory of a person surrendered to the United States of
America by a third State, or by the United States of America to
a third State. The United States of America may authorise
transportation through its territory of a person surrendered to
a Member State by a third State, or by a Member State to a
third State.
2. A request for transit shall be made through the diplo-
matic channel or directly between the United States Depart-
ment of Justice and the Ministry of Justice of the Member State
concerned. The facilities of Interpol may also be used to
transmit such a request. The request shall contain a description
of the person being transported and a brief statement of the
facts of the case. A person in transit shall be detained in
custody during the period of transit.
3. Authorisation is not required when air transportation is
used and no landing is scheduled on the territory of the transit
State. If an unscheduled landing does occur, the State in which
the unscheduled landing occurs may require a request for
transit pursuant to paragraph 2. All measures necessary to
prevent the person from absconding shall be taken until transit
is effected, as long as the request for transit is received within
96 hours of the unscheduled landing.
Article 13
Capital punishment
Where the offence for which extradition is sought is punishable
by death under the laws in the requesting State and not punish-
able by death under the laws in the requested State, the
requested State may grant extradition on the condition that the
death penalty shall not be imposed on the person sought, or if
for procedural reasons such condition cannot be complied with
by the requesting State, on condition that the death penalty if
imposed shall not be carried out. If the requesting State accepts
extradition subject to conditions pursuant to this Article, it
shall comply with the conditions. If the requesting State does
not accept the conditions, the request for extradition may be
denied.
19.7.2003 EN Official Journal of the European Union
Article 14
Sensitive information in a request
Where the requesting State contemplates the submission of
particularly sensitive information in support of its request for
extradition, it may consult the requested State to determine the
extent to which the information can be protected by the
requested State. If the requested State cannot protect the infor-
mation in the manner sought by the requesting State, the
requesting State shall determine whether the information shall
nonetheless be submitted.
Article 15
Consultations
The Contracting Parties shall, as appropriate, consult to enable
the most effective use to be made of this Agreement, including
to facilitate the resolution of any dispute regarding the interpre-
tation or application of this Agreement.
Article 16
Temporal application
1. This Agreement shall apply to offences committed before
as well as after it enters into force.
2. This Agreement shall apply to requests for extradition
made after its entry into force. Nevertheless, Articles 4 and 9
shall apply to requests pending in a requested State at the time
this Agreement enters into force.
Article 17
Non-derogation
1. This Agreement is without prejudice to the invocation by
the requested State of grounds for refusal relating to a matter
not governed by this Agreement that is available pursuant to a
bilateral extradition treaty in force between a Member State
and the United States of America.
2. Where the constitutional principles of, or final judicial
decisions binding upon, the requested State may pose an impe-
diment to fulfilment of its obligation to extradite, and resolu-
tion of the matter is not provided for in this Agreement or the
applicable bilateral treaty, consultations shall take place
between the requested and requesting States.
Article 18
Future bilateral extradition treaties with Member States
This Agreement shall not preclude the conclusion, after its
entry into force, of bilateral Agreements between a Member
State and the United States of America consistent with this
Agreement.
L 181/31
Article 19
Designation and notification
The European Union shall notify the United States of America
of any designation pursuant to Article 2(3) and Article 10(2),
prior to the exchange of written instruments described in
Article 3(2) between the Member States and the United States
of America.
Article 20
Territorial application
1. This Agreement shall apply:
(a) to the United States of America;
(b) in relation to the European Union to:
— Member States,
— territories for whose external relations a Member State
has responsibility, or countries that are not Member
States for whom a Member State has other duties with
respect to external relations, where agreed upon by
exchange of diplomatic note between the Contracting
Parties, duly confirmed by the relevant Member State.
2. The application of this Agreement to any territory or
country in respect of which extension has been made in accor-
dance with subparagraph (b) of paragraph 1 may be terminated
by either Contracting Party giving six months' written notice to
the other Contracting Party through the diplomatic channel,
where duly confirmed between the relevant Member State and
the United States of America.
Article 21
Review
The Contracting Parties agree to carry out a common review of
this Agreement as necessary, and in any event no later than five
years after its entry into force. The review shall address in parti-
cular the practical implementation of the Agreement and may
also include issues such as the consequences of further develop-
ment of the European Union relating to the subject matter of
this Agreement, including Article 10.
Article 22
Entry into force and termination
1. This Agreement shall enter into force on the first day
following the third month after the date on which the
Contracting Parties have exchanged instruments indicating that
they have completed their internal procedures for this purpose.
These instruments shall also indicate that the steps specified in
Article 3(2) have been completed.
2. Either Contracting Party may terminate this Agreement at
any time by giving written notice to the other Party, and such
termination shall be effective six months after the date of such
notice.
L 181/32 EN Official Journal of the European Union 19.7.2003

In witness whereof the undersigned Plenipotentiaries have signed this Agreement

Done at Washington DC on the twenty-fifth day of June in the year two thousand and three in duplicate in
the Danish, Dutch, English, Finnish, French, German, Greek, Italian, Portuguese, Spanish and Swedish
languages, each text being equally authentic.

Por la Unión Europea

For Den Europæiske Union
Für die Europäische Union
Για την Ευρωπαϊκή Ένωση
For the European Union
Pour l'Union européenne
Per l'Unione europea
Voor de Europese Unie
Pela União Europeia
Euroopan unionin puolesta
På Europeiska unionens vägnar

Por los Estados Unidos de América

For Amerikas Forenede Stater
Für die Vereinigten Staaten von Amerika
Για τις Ηνωµένες Πολιτείες της Αµερικής
For the United States of America
Pour les États-Unis d'Amérique
Per gli Stati Uniti d'America
Voor de Verenigde Staten van Amerika
Pelos Estados Unidos da América
Amerikan yhdysvaltojen puolesta
På Amerikas förenta staters vägnar
19.7.2003 EN Official Journal of the European Union L 181/33

Explanatory Note on the Agreement on Extradition between the European Union and the United
States of America

This Explanatory Note reflects understandings regarding the application of certain provisions of the Agree-
ment on Extradition between the European Union and the United States of America (hereinafter ‘the Agree-
ment’) agreed between the Contracting Parties.

On Article 10
Article 10 is not intended to affect the obligations of States Parties to the Rome Statute of the International
Criminal Court, nor to affect the rights of the United States of America as a non-Party with regard to the
International Criminal Court.

On Article 18
Article 18 provides that the Agreement shall not preclude the conclusion, after its entry into force, of bilat-
eral agreements on extradition between a Member State and the United States of America consistent with
the Agreement.
Should any measures set forth in the Agreement create an operational difficulty for either one or more
Member States or the United States of America, such difficulty should in the first place be resolved, if
possible, through consultations between the Member State or Member States concerned and the United
States of America, or, if appropriate, through the consultation procedures set out in this Agreement. Where
it is not possible to address such operational difficulty through consultations alone, it would be consistent
with the Agreement for future bilateral agreements between the Member State or Member States and the
United States of America to provide an operationally feasible alternative mechanism that would satisfy the
objectives of the specific provision with respect to which the difficulty has arisen.
8.9.2017 CURIA - Documents

JUDGMENT OF THE COURT (Grand Chamber)

21 December 2016 (*)

(Reference for a preliminary ruling — Electronic communications — Processing of personal data —

Confidentiality of electronic communications — Protection — Directive 2002/58/EC — Articles 5, 6
and 9 and Article 15(1) — Charter of Fundamental Rights of the European Union — Articles 7, 8 and
11 and Article 52(1) — National legislation — Providers of electronic communications services —
Obligation relating to the general and indiscriminate retention of traffic and location data — National
authorities — Access to data — No prior review by a court or independent administrative authority —
Compatibility with EU law)

In Joined Cases C‑203/15 and C‑698/15,

REQUESTS for a preliminary ruling under Article 267 TFEU, made by the Kammarrätten i Stockholm
(Administrative Court of Appeal, Stockholm, Sweden) and the Court of Appeal (England & Wales)
(Civil Division) (United Kingdom), by decisions, respectively, of 29 April 2015 and 9 December 2015,
received at the Court on 4 May 2015 and 28 December 2015, in the proceedings

Tele2 Sverige AB (C‑203/15)

Post- och telestyrelsen,

and

Secretary of State for the Home Department (C‑698/15)

Tom Watson,

Peter Brice,

Geoffrey Lewis,

interveners:

Open Rights Group,

Privacy International,

The Law Society of England and Wales,

THE COURT (Grand Chamber),

composed of K. Lenaerts, President, A. Tizzano, Vice-President, R. Silva de Lapuerta, T. von Danwitz

(Rapporteur), J.L. da Cruz Vilaça, E. Juhász and M. Vilaras, Presidents of the Chamber, A. Borg
Barthet, J. Malenovský, E. Levits, J.-C. Bonichot, A. Arabadjiev, S. Rodin, F. Biltgen and
C. Lycourgos, Judges,

Advocate General: H. Saugmandsgaard Øe,

Registrar: C. Strömholm, Administrator,

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=&… 1/27
8.9.2017 CURIA - Documents

having regard to the decision of the President of the Court of 1 February 2016 that Case C‑698/15
should be determined pursuant to the expedited procedure provided for in Article 105(1) of the Rules
of Procedure of the Court,

having regard to the written procedure and further to the hearing on 12 April 2016,

after considering the observations submitted on behalf of:

– Tele2 Sverige AB, by M. Johansson and N. Torgerzon, advokater, and by E. Lagerlöf and
S. Backman,

– Mr Watson, by J. Welch and E. Norton, Solicitors, I. Steele, Advocate, B. Jaffey, Barrister, and
D. Rose QC,

– Mr Brice and Mr Lewis, by A. Suterwalla and R. de Mello, Barristers, R. Drabble QC, and
S. Luke, Solicitor,

– Open Rights Group and Privacy International, by D. Carey, Solicitor, and by R. Mehta and
J. Simor, Barristers,

– The Law Society of England and Wales, by T. Hickman, Barrister, and by N. Turner,

– the Swedish Government, by A. Falk, C. Meyer-Seitz, U. Persson, N. Otte Widgren and

L. Swedenborg, acting as Agents,

– the United Kingdom Government, by S. Brandon, L. Christie and V. Kaye, acting as Agents, and
by D. Beard QC, G. Facenna QC, J. Eadie QC and S. Ford, Barrister,

– the Belgian Government, by J.-C. Halleux, S. Vanrie and C. Pochet, acting as Agents,

– the Czech Government, by M. Smolek and J. Vláčil, acting as Agents,

– the Danish Government, by C. Thorning and M. Wolff, acting as Agents,

– the German Government, by T. Henze, M. Hellmann and J. Kemper, acting as Agents, and by
M. Kottmann and U. Karpenstein, Rechtsanwalte,

– the Estonian Government, by K. Kraavi-Käerdi, acting as Agent,

– Ireland, by E. Creedon, L. Williams and A. Joyce, acting as Agents, and by D. Fennelly BL,

– the Spanish Government, by A. Rubio González, acting as Agent,

– the French Government, by G. de Bergues, D. Colas, F.-X. Bréchot and C. David, acting as
Agents,

– the Cypriot Government, by K. Kleanthous, acting as Agent,

– the Hungarian Government, by M. Fehér and G. Koós, acting as Agents,

– the Netherlands Government, by M. Bulterman, M. Gijzen and. J. Langer, acting as Agents,

– the Polish Government, by B. Majczyna, acting as Agent,

– the Finnish Government, by J. Heliskoski, acting as Agent,

– the European Commission, by H. Krämer, K. Simonsson, H. Kranenborg, D. Nardi, P. Costa de

Oliveira and J. Vondung, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 19 July 2016,
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=&… 2/27
8.9.2017 CURIA - Documents

gives the following

Judgment

1 These requests for a preliminary ruling concern the interpretation of Article 15(1) of Directive
2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing
of personal data and the protection of privacy in the electronic communications sector (Directive on
privacy and electronic communications) (OJ 2002 L 201, p. 37), as amended by Directive 2009/136/EC
of the European Parliament and of the Council of 25 November 2009 (OJ 2009 L 337, p. 11)
(‘Directive 2002/58’), read in the light of Articles 7 and 8 and Article 52(1) of the Charter of
Fundamental Rights of the European Union (‘the Charter’).

2 The requests have been made in two proceedings between (i) Tele2 Sverige AB and Post- och
telestyrelsen (the Swedish Post and Telecom Authority; ‘PTS’), concerning an order sent by PTS to
Tele2 Sverige requiring the latter to retain traffic and location data in relation to its subscribers and
registered users (Case C‑203/15), and (ii) Mr Tom Watson, Mr Peter Brice and Mr Geoffrey Lewis, on
the one hand, and the Secretary of State for the Home Department (United Kingdom of Great Britain
and Northern Ireland), on the other, concerning the conformity with EU law of Section 1 of the Data
Retention and Investigatory Powers Act 2014 (‘DRIPA’) (Case C‑698/15).

Legal context

EU law

Directive 2002/58

3 Recitals 2, 6, 7, 11, 21, 22, 26 and 30 of Directive 2002/58 state:

‘(2) This Directive seeks to respect the fundamental rights and observes the principles recognised in
particular by [the Charter]. In particular, this Directive seeks to ensure full respect for the rights
set out in Articles 7 and 8 of that Charter.

...

(6) The Internet is overturning traditional market structures by providing a common, global
infrastructure for the delivery of a wide range of electronic communications services. Publicly
available electronic communications services over the Internet open new possibilities for users
but also new risks for their personal data and privacy.

(7) In the case of public communications networks, specific legal, regulatory and technical
provisions should be made in order to protect fundamental rights and freedoms of natural persons
and legitimate interests of legal persons, in particular with regard to the increasing capacity for
automated storage and processing of data relating to subscribers and users.

...

(11) Like Directive 95/46/EC [of the European Parliament and of the Council of 24 October 1995
on the protection of individuals with regard to the processing of personal data and on the free
movement of such data (OJ 1995 L 281, p. 31)], this Directive does not address issues of
protection of fundamental rights and freedoms related to activities which are not governed by
Community law. Therefore it does not alter the existing balance between the individual’s right to
privacy and the possibility for Member States to take the measures referred to in Article 15(1) of
this Directive, necessary for the protection of public security, defence, State security (including
the economic well-being of the State when the activities relate to State security matters) and the
enforcement of criminal law. Consequently, this Directive does not affect the ability of Member
States to carry out lawful interception of electronic communications, or take other measures, if
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=&… 3/27
8.9.2017 CURIA - Documents

necessary for any of these purposes and in accordance with the European Convention for the
Protection of Human Rights and Fundamental Freedoms, as interpreted by the rulings of the
European Court of Human Rights. Such measures must be appropriate, strictly proportionate to
the intended purpose and necessary within a democratic society and should be subject to
adequate safeguards in accordance with the European Convention for the Protection of Human
Rights and Fundamental Freedoms.

...

(21) Measures should be taken to prevent unauthorised access to communications in order to protect
the confidentiality of communications, including both the contents and any data related to such
communications, by means of public communications networks and publicly available electronic
communications services. National legislation in some Member States only prohibits intentional
unauthorised access to communications.

(22) The prohibition of storage of communications and the related traffic data by persons other than
the users or without their consent is not intended to prohibit any automatic, intermediate and
transient storage of this information in so far as this takes place for the sole purpose of carrying
out the transmission in the electronic communications network and provided that the information
is not stored for any period longer than is necessary for the transmission and for traffic
management purposes, and that during the period of storage the confidentiality remains
guaranteed. ...

...

(26) The data relating to subscribers processed within electronic communications networks to
establish connections and to transmit information contain information on the private life of
natural persons and concern the right to respect for their correspondence or concern the
legitimate interests of legal persons. Such data may only be stored to the extent that is necessary
for the provision of the service for the purpose of billing and for interconnection payments, and
for a limited time. Any further processing of such data … may only be allowed if the subscriber
has agreed to this on the basis of accurate and full information given by the provider of the
publicly available electronic communications services about the types of further processing it
intends to perform and about the subscriber’s right not to give or to withdraw his/her consent to
such processing. ...

...

(30) Systems for the provision of electronic communications networks and services should be
designed to limit the amount of personal data necessary to a strict minimum. ...’

4 Article 1 of Directive 2002/58, headed ‘Scope and aim’, provides:

‘1. This Directive provides for the harmonisation of the national provisions required to ensure an
equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy
and confidentiality, with respect to the processing of personal data in the electronic communication
sector and to ensure the free movement of such data and of electronic communication equipment and
services in the Community.

2. The provisions of this Directive particularise and complement Directive [95/46] for the purposes
mentioned in paragraph 1. Moreover, they provide for protection of the legitimate interests of
subscribers who are legal persons.

3. This Directive shall not apply to activities which fall outside the scope of the Treaty establishing
the European Community, such as those covered by Titles V and VI of the Treaty on European Union,
and in any case to activities concerning public security, defence, State security (including the economic
well-being of the State when the activities relate to State security matters) and the activities of the State
in areas of criminal law.’

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=&… 4/27
8.9.2017 CURIA - Documents

5 Article 2 of Directive 2002/58, headed ‘Definitions’, provides:

‘Save as otherwise provided, the definitions in Directive [95/46] and in Directive 2002/21/EC of the
European Parliament and of the Council of 7 March 2002 on a common regulatory framework for
electronic communications networks and services (Framework Directive) [(OJ 2002 L 108, p. 33)]
shall apply.

The following definitions shall also apply:

...

(b) “traffic data” means any data processed for the purpose of the conveyance of a communication
on an electronic communications network or for the billing thereof;

(c) “location data” means any data processed in an electronic communications network or by an
electronic communications service, indicating the geographic position of the terminal equipment
of a user of a publicly available electronic communications service;

(d) “communication” means any information exchanged or conveyed between a finite number of
parties by means of a publicly available electronic communications service. This does not
include any information conveyed as part of a broadcasting service to the public over an
electronic communications network except to the extent that the information can be related to the
identifiable subscriber or user receiving the information;

...’

6 Article 3 of Directive 2002/58, headed ‘Services concerned’, provides:

‘This Directive shall apply to the processing of personal data in connection with the provision of
publicly available electronic communications services in public communications networks in the
Community, including public communications networks supporting data collection and identification
devices.’

7 Article 4 of that directive, headed ‘Security of processing’, is worded as follows:

‘1. The provider of a publicly available electronic communications service must take appropriate
technical and organisational measures to safeguard security of its services, if necessary in conjunction
with the provider of the public communications network with respect to network security. Having
regard to the state of the art and the cost of their implementation, these measures shall ensure a level of
security appropriate to the risk presented.

1a. Without prejudice to Directive [95/46], the measures referred to in paragraph 1 shall at
least:

– ensure that personal data can be accessed only by authorised personnel for legally authorised
purposes,

– protect personal data stored or transmitted against accidental or unlawful destruction, accidental
loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure, and

– ensure the implementation of a security policy with respect to the processing of personal data.

...’

8 Article 5 of Directive 2002/58, headed ‘Confidentiality of the communications’, provides:

‘1. Member States shall ensure the confidentiality of communications and the related traffic data by
means of a public communications network and publicly available electronic communications services,
through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds
of interception or surveillance of communications and the related traffic data by persons other than
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=&… 5/27
8.9.2017 CURIA - Documents

users, without the consent of the users concerned, except when legally authorised to do so in
accordance with Article 15(1). This paragraph shall not prevent technical storage which is necessary
for the conveyance of a communication without prejudice to the principle of confidentiality.

...

3. Member States shall ensure that the storing of information, or the gaining of access to
information already stored, in the terminal equipment of a subscriber or user is only allowed on
condition that the subscriber or user concerned has given his or her consent, having been provided with
clear and comprehensive information, in accordance with Directive [95/46], inter alia, about the
purposes of the processing. This shall not prevent any technical storage or access for the sole purpose
of carrying out the transmission of a communication over an electronic communications network, or as
strictly necessary in order for the provider of an information society service explicitly requested by the
subscriber or user to provide the service.’

9 Article 6 of Directive 2002/58, headed ‘Traffic data’, provides:

‘1. Traffic data relating to subscribers and users processed and stored by the provider of a public
communications network or publicly available electronic communications service must be erased or
made anonymous when it is no longer needed for the purpose of the transmission of a communication
without prejudice to paragraphs 2, 3 and 5 of this Article and Article 15(1).

2. Traffic data necessary for the purposes of subscriber billing and interconnection payments may be
processed. Such processing is permissible only up to the end of the period during which the bill may
lawfully be challenged or payment pursued.

3. For the purpose of marketing electronic communications services or for the provision of value
added services, the provider of a publicly available electronic communications service may process the
data referred to in paragraph 1 to the extent and for the duration necessary for such services or
marketing, if the subscriber or user to whom the data relate has given his or her prior consent. Users or
subscribers shall be given the possibility to withdraw their consent for the processing of traffic data at
any time.

...

5. Processing of traffic data, in accordance with paragraphs 1, 2, 3 and 4, must be restricted to

persons acting under the authority of providers of the public communications networks and publicly
available electronic communications services handling billing or traffic management, customer
enquiries, fraud detection, marketing electronic communications services or providing a value added
service, and must be restricted to what is necessary for the purposes of such activities.’

10 Article 9(1) of that directive, that article being headed ‘Location data other than traffic data’, provides:

‘Where location data other than traffic data, relating to users or subscribers of public communications
networks or publicly available electronic communications services, can be processed, such data may
only be processed when they are made anonymous, or with the consent of the users or subscribers to
the extent and for the duration necessary for the provision of a value added service. The service
provider must inform the users or subscribers, prior to obtaining their consent, of the type of location
data other than traffic data which will be processed, of the purposes and duration of the processing and
whether the data will be transmitted to a third party for the purpose of providing the value added
service. …’

11 Article 15 of that directive, headed ‘Application of certain provisions of Directive [95/46]’, states:

‘1. Member States may adopt legislative measures to restrict the scope of the rights and obligations
provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive when
such restriction constitutes a necessary, appropriate and proportionate measure within a democratic
society to safeguard national security (i.e. State security), defence, public security, and the prevention,
investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=&… 6/27
8.9.2017 CURIA - Documents

communication system, as referred to in Article 13(1) of Directive [95/46]. To this end, Member States
may, inter alia, adopt legislative measures providing for the retention of data for a limited period
justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall
be in accordance with the general principles of Community law, including those referred to in
Article 6(1) and (2) of the Treaty on European Union.

...

1b. Providers shall establish internal procedures for responding to requests for access to users’
personal data based on national provisions adopted pursuant to paragraph 1. They shall provide the
competent national authority, on demand, with information about those procedures, the number of
requests received, the legal justification invoked and their response.

2. The provisions of Chapter III on judicial remedies, liability and sanctions of Directive [95/46]
shall apply with regard to national provisions adopted pursuant to this Directive and with regard to the
individual rights derived from this Directive.

...’

Directive 95/46

12 Article 22 of Directive 95/46, which is in Chapter III of that directive, is worded as follows:

‘Without prejudice to any administrative remedy for which provision may be made, inter alia before
the supervisory authority referred to in Article 28, prior to referral to the judicial authority, Member
States shall provide for the right of every person to a judicial remedy for any breach of the rights
guaranteed him by the national law applicable to the processing in question.’

Directive 2006/24/EC

13 Article 1(2) of Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006
on the retention of data generated or processed in connection with the provision of publicly available
electronic communications services or of public communications networks and amending Directive
2002/58/EC (OJ 2006 L 105, p. 54), that article being headed ‘Subject matter and scope’, provided:

‘This Directive shall apply to traffic and location data on both legal entities and natural persons and to
the related data necessary to identify the subscriber or registered user. It shall not apply to the content
of electronic communications, including information consulted using an electronic communications
network.’

14 Article 3 of that directive, headed ‘Obligation to retain data’, provided:

‘1. By way of derogation from Articles 5, 6 and 9 of [Directive 2002/58], Member States shall
adopt measures to ensure that the data specified in Article 5 of this Directive are retained in accordance
with the provisions thereof, to the extent that those data are generated or processed by providers of
publicly available electronic communications services or of a public communications network within
their jurisdiction in the process of supplying the communications services concerned.

2. The obligation to retain data provided for in paragraph 1 shall include the retention of the data
specified in Article 5 relating to unsuccessful call attempts where those data are generated or
processed, and stored (as regards telephony data) or logged (as regards Internet data), by providers of
publicly available electronic communications services or of a public communications network within
the jurisdiction of the Member State concerned in the process of supplying the communication services
concerned. This Directive shall not require data relating to unconnected calls to be retained.’

Swedish law

15 It is apparent from the order for reference in Case C‑203/15 that the Swedish legislature, in order to
transpose Directive 2006/24 into national law, amended the lagen (2003:389) om elektronisk
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=&… 7/27
8.9.2017 CURIA - Documents

kommunikation [Law (2003:389) on electronic communications; ‘the LEK’] and the förordningen
(2003:396) om elektronisk kommunikation [Regulation (2003:396) on electronic communications].
Both of those texts, in the versions applicable to the dispute in the main proceedings, contain rules on
the retention of electronic communications data and on access to that data by the national authorities.

16 Access to that data is, in addition, regulated by the lagen (2012:278) om inhämtning av uppgifter om
elektronisk kommunikation i de brottsbekämpande myndigheternas underrättelseverksamhet (Law
(2012:278) on gathering of data relating to electronic communications as part of intelligence gathering
by law enforcement authorities: ‘Law 2012:278’) and by the rättegångsbalken (Code of Judicial
Procedure; ‘the RB’).

The obligation to retain electronic communications data

17 According to the information provided by the referring court in Case C‑203/15, the provisions of
Paragraph 16a of Chapter 6 of the LEK, read together with Paragraph 1 of Chapter 2 of that law,
impose an obligation on providers of electronic communications services to retain data the retention of
which was required by Directive 2006/24. The data concerned is that relating to subscriptions and all
electronic communications necessary to trace and identify the source and destination of a
communication; to determine its date, time, and type; to identify the communications equipment used
and to establish the location of mobile communication equipment used at the start and end of each
communication. The data which there is an obligation to retain is data generated or processed in the
context of telephony services, telephony services which use a mobile connection, electronic messaging
systems, internet access services and internet access capacity (connection mode) provision services.
The obligation extends to data relating to unsuccessful communications. The obligation does not
however extend to the content of communications.

18 Articles 38 to 43 of Regulation (2003:396) on electronic communications specify the categories of

data that must be retained. As regards telephony services, there is the obligation to retain data relating
to calls and numbers called and the identifiable dates and times of the start and end of the
communication. As regards telephony services which use a mobile connection, additional obligations
are imposed, covering, for example, the retention of location data at the start and end of the
communication. As regards telephony services using an IP packet, data to be retained includes, in
addition to data mentioned above, data relating to the IP addresses of the caller and the person called.
As regards electronic messaging systems, data to be retained includes data relating to the numbers of
senders and recipients, IP addresses or other messaging addresses. As regards internet access services,
data to be retained includes, for example, data relating to the IP addresses of users and the traceable
dates and times of logging into and out of the internet access service.

Data retention period

19 In accordance with Paragraph 16d of Chapter 6 of the LEK, the data covered by Paragraph 16a of that
Chapter must be retained by the providers of electronic communications services for six months from
the date of the end of communication. The data must then be immediately erased, unless otherwise
provided in the second subparagraph of Paragraph 16d of that Chapter.

Access to retained data

20 Access to retained data by the national authorities is governed by the provisions of Law 2012:278, the
LEK and the RB.

– Law 2012:278

21 In the context of intelligence gathering, the national police, the Säkerhetspolisen (the Swedish Security
Service), and the Tullverket (the Swedish Customs Authority) may, on the basis of Paragraph 1 of Law
2012:278, on the conditions prescribed by that law and without informing the provider of an electronic
communications network or a provider of an electronic communications service authorised under the
LEK, undertake the collection of data relating to messages transmitted by an electronic
communications network, the electronic communications equipment located in a specified

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=&… 8/27
8.9.2017 CURIA - Documents

geographical area and the geographical areas(s) where electronic communications equipment is or was
located.

22 In accordance with Paragraphs 2 and 3 of Law 2012:278, data may, as a general rule, be collected if,
depending on the circumstances, the measure is particularly necessary in order to avert, prevent or
detect criminal activity involving one or more offences punishable by a term of imprisonment of at
least two years, or one of the acts listed in Paragraph 3 of that law, referring to offences punishable by
a term of imprisonment of less than two years. Any grounds supporting that measure must outweigh
considerations relating to the harm or prejudice that may be caused to the person affected by that
measure or to an interest opposing that measure. In accordance with Paragraph 5 of that law, the
duration of the measure must not exceed one month.

23 The decision to implement such a measure is to be taken by the director of the authority concerned or
by a person to whom that responsibility is delegated. The decision is not subject to prior review by a
judicial authority or an independent administrative authority.

24 Under Paragraph 6 of Law 2012:278, the Säkerhets och integritetsskyddsnämnden (the Swedish
Commission on Security and Integrity Protection) must be informed of any decision authorising the
collection of data. In accordance with Paragraph 1 of Lagen (2007:980) om tillsyn över viss
brottsbekämpande verksamhet (Law (2007:980) on the supervision of certain law enforcement
activities), that authority is to oversee the application of the legislation by the law enforcement
authorities.

– The LEK

25 Under Paragraph 22, first subparagraph, point 2, of Chapter 6 of the LEK, all providers of electronic
communications services must disclose data relating to a subscription at the request of the prosecution
authority, the national police, the Security Service or any other public law enforcement authority, if that
data is connected with a presumed criminal offence. On the information provided by the referring court
in Case C‑203/15, it is not necessary that the offence be a serious crime.

– The RB

26 The RB governs the disclosure of retained data to the national authorities within the framework of
preliminary investigations. In accordance with Paragraph 19 of Chapter 27 of the RB, ‘placing
electronic communications under surveillance’ without the knowledge of third parties is, as a general
rule, permitted within the framework of preliminary investigations that relate to, inter alia, offences
punishable by a sentence of imprisonment of at least six months. The expression ‘placing electronic
communications under surveillance’, under Paragraph 19 of Chapter 27 of the RB, means obtaining
data without the knowledge of third parties that relates to a message transmitted by an electronic
communications network, the electronic communications equipment located or having been located in
a specific geographical area, and the geographical area(s) where specific electronic communications
equipment is or has been located.

27 According to what is stated by the referring court in Case C‑203/15, information on the content of a
message may not be obtained on the basis of Paragraph 19 of Chapter 27 of the RB. As a general rule,
placing electronic communications under surveillance may be ordered, under Paragraph 20 of Chapter
27 of the RB, only where there are reasonable grounds for suspicion that an individual has committed
an offence and that the measure is particularly necessary for the purposes of the investigation: the
subject of that investigation must moreover be an offence punishable by a sentence of imprisonment of
at least two years, or attempts, preparation or conspiracy to commit such an offence. In accordance
with Paragraph 21 of Chapter 27 of the RB, the prosecutor must, other than in cases of urgency, request
from the court with jurisdiction authority to place electronic communications under surveillance.

The security and protection of retained data

28 Under Paragraph 3a of Chapter 6 of the LEK, providers of electronic communications services who
are subject to an obligation to retain data must take appropriate technical and organisational measures
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=&… 9/27
8.9.2017 CURIA - Documents

to ensure the protection of data during processing. On the information provided by the referring court
in Case C‑203/15, Swedish law does not, however, make any provision as to where the data is to be
retained.

United Kingdom law

DRIPA

29 Section 1 of DRIPA, headed ‘Powers for retention of relevant communications data subject to
safeguards’, provides:

‘(1) The Secretary of State may by notice (a “retention notice”) require a public telecommunications
operator to retain relevant communications data if the Secretary of State considers that the
requirement is necessary and proportionate for one or more of the purposes falling within
paragraphs (a) to (h) of section 22(2) of the Regulation of Investigatory Powers Act 2000
(purposes for which communications data may be obtained).

(2) A retention notice may:

(a) relate to a particular operator or any description of operators;

(b) require the retention of all data or any description of data;

(c) specify the period or periods for which data is to be retained;

(d) contain other requirements, or restrictions, in relation to the retention of data;

(e) make different provision for different purposes;

(f) relate to data whether or not in existence at the time of the giving, or coming into force, of
the notice.

(3) The Secretary of State may by regulations make further provision about the retention of relevant
communications data.

(4) Such provision may, in particular, include provision about:

(a) requirements before giving a retention notice;

(b) the maximum period for which data is to be retained under a retention notice;

(c) the content, giving, coming into force, review, variation or revocation of a retention notice;

(d) the integrity, security or protection of, access to, or the disclosure or destruction of, data
retained by virtue of this section;

(e) the enforcement of, or auditing compliance with, relevant requirements or restrictions;

(f) a code of practice in relation to relevant requirements or restrictions or relevant power;

(g) the reimbursement by the Secretary of State (with or without conditions) of expenses
incurred by public telecommunications operators in complying with relevant requirements
or restrictions;

(h) the [Data Retention (EC Directive) Regulations 2009] ceasing to have effect and the
transition to the retention of data by virtue of this section.

(5) The maximum period provided for by virtue of subsection (4)(b) must not exceed 12 months
beginning with such day as is specified in relation to the data concerned by regulations under
subsection (3).
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 10/27
8.9.2017 CURIA - Documents

...’

30 Section 2 of DRIPA defines the expression ‘relevant communications data’ as meaning

‘communications data of the kind mentioned in the Schedule to the [Data Retention (EC Directive)
Regulations 2009] so far as such data is generated or processed in the United Kingdom by public
telecommunications operators in the process of supplying the telecommunications services concerned’.

RIPA

31 Section 21(4) of the Regulation of Investigatory Powers Act 2000 (‘RIPA’), that section being in
Chapter II of that act and headed ‘Lawful acquisition and disclosure of communications data’, states:

‘In this Chapter “communications data” means any of the following:

(a) any traffic data comprised in or attached to a communication (whether by the sender or
otherwise) for the purposes of any postal service or telecommunication system by means of
which it is being or may be transmitted;

(b) any information which includes none of the contents of a communication (apart from any
information falling within paragraph (a)) and is about the use made by any person:

(i) of any postal service or telecommunications service; or

(ii) in connection with the provision to or use by any person of any telecommunications
service, of any part of a telecommunication system;

(c) any information not falling within paragraph (a) or (b) that is held or obtained, in relation to
persons to whom he provides the service, by a person providing a postal service or
telecommunications service’.

32 On the information provided in the order for reference in Case C‑698/15, that data includes ‘user
location data’, but not data relating to the content of a communication.

33 As regards access to retained data, Section 22 of RIPA provides:

‘(1) This section applies where a person designated for the purposes of this Chapter believes that it
is necessary on grounds falling within subsection (2) to obtain any communications data.

(2) It is necessary on grounds falling within this subsection to obtain communications data if it is
necessary:

(a) in the interests of national security;

(b) for the purpose of preventing or detecting crime or of preventing disorder;

(c) in the interests of the economic well-being of the United Kingdom;

(d) in the interests of public safety;

(e) for the purpose of protecting public health;

(f) for the purpose of assessing or collecting any tax, duty, levy or other imposition,
contribution or charge payable to a government department;

(g) or the purpose, in an emergency, of preventing death or injury or any damage to a person’s
physical or mental health, or of mitigating any injury or damage to a person’s physical or
mental health; or

(h) or any purpose (not falling within paragraphs (a) to (g)) which is specified for the purposes
of this subsection by an order made by the Secretary of State.
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 11/27
8.9.2017 CURIA - Documents

(4) Subject to subsection (5), where it appears to the designated person that a postal or
telecommunications operator is or may be in possession of, or be capable of obtaining, any
communications data, the designated person may, by notice to the postal or telecommunications
operator, require the operator:

(a) if the operator is not already in possession of the data, to obtain the data; and

(b) in any case, to disclose all of the data in his possession or subsequently obtained by him.

(5) The designated person shall not grant an authorisation under subsection (3) or give a notice
under subsection (4), unless he believes that obtaining the data in question by the conduct
authorised or required by the authorisation or notice is proportionate to what is sought to be
achieved by so obtaining the data.’

34 Under Section 65 of RIPA, complaints may be made to the Investigatory Powers Tribunal (United
Kingdom) if there is reason to believe that data has been acquired inappropriately.

The Data Retention Regulations 2014

35 The Data Retention Regulations 2014 (‘the 2014 Regulations’), adopted on the basis of DRIPA, are
divided into three parts, Part 2 containing regulations 2 to 14 of that legislation. Regulation 4, headed
‘Retention notices’, provides:

‘(1) A retention notice must specify:

(a) the public telecommunications operator (or description of operators) to whom it relates,

(b) the relevant communications data which is to be retained,

(c) the period or periods for which the data is to be retained,

(d) any other requirements, or any restrictions, in relation to the retention of the data.

(2) A retention notice must not require any data to be retained for more than 12 months beginning
with:

(a) in the case of traffic data or service use data, the day of the communication concerned, and

(b) in the case of subscriber data, the day on which the person concerned leaves the
telecommunications service concerned or (if earlier) the day on which the data is changed.

...’

36 Regulation 7 of the 2014 Regulations, headed ‘Data integrity and security’, provides:

‘(1) A public telecommunications operator who retains communications data by virtue of section 1
of [DRIPA] must:

(a) secure that the data is of the same integrity and subject to at least the same security and
protection as the data on any system from which it is derived,

(b) secure, by appropriate technical and organisational measures, that the data can be accessed
only by specially authorised personnel, and

(c) protect, by appropriate technical and organisational measures, the data against accidental
or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful retention,
processing, access or disclosure.

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 12/27
8.9.2017 CURIA - Documents

(2) A public telecommunications operator who retains communications data by virtue of section 1
of [DRIPA] must destroy the data if the retention of the data ceases to be authorised by virtue of
that section and is not otherwise authorised by law.

(3) The requirement in paragraph (2) to destroy the data is a requirement to delete the data in such a
way as to make access to the data impossible.

(4) It is sufficient for the operator to make arrangements for the deletion of the data to take place at
such monthly or shorter intervals as appear to the operator to be practicable.’

37 Regulation 8 of the 2014 Regulations, headed Disclosure of retained data’, provides:

‘(1) A public telecommunications operator must put in place adequate security systems (including
technical and organisational measures) governing access to communications data retained by
virtue of section 1 of [DRIPA] in order to protect against any disclosure of a kind which does not
fall within section 1(6)(a) of [DRIPA].

(2) A public telecommunications operator who retains communications data by virtue of section 1
of [DRIPA] must retain the data in such a way that it can be transmitted without undue delay in
response to requests.’

38 Regulation 9 of the 2014 Regulations, headed ‘Oversight by the Information Commissioner’, states:

‘The Information Commissioner must audit compliance with requirements or restrictions imposed by
this Part in relation to the integrity, security or destruction of data retained by virtue of section 1 of
[DRIPA].’

The Code of Practice

39 The Acquisition and Disclosure of Communications Data Code of Practice (‘the Code of Practice’)
contains, in paragraphs 2.5 to 2.9 and 2.36 to 2.45, guidance on the necessity for and proportionality of
obtaining communications data. As explained by the referring court in Case C‑698/15, particular
attention must, in accordance with paragraphs 3.72 to 3.77 of that code, be paid to necessity and
proportionality where the communications data sought relates to a person who is a member of a
profession that handles privileged or otherwise confidential information.

40 Under paragraph 3.78 to 3.84 of that code, a court order is required in the specific case of an
application for communications data that is made in order to identify a journalist’s source. Under
paragraphs 3.85 to 3.87 of that code, judicial approval is required when an application for access is
made by local authorities. No authorisation, on the other hand, need be obtained from a court or any
independent body with respect to access to communications data protected by legal professional
privilege or relating to doctors of medicine, Members of Parliament or ministers of religion.

41 Paragraph 7.1 of the Code of Practice provides that communications data acquired or obtained under
the provisions of RIPA, and all copies, extracts and summaries of that data, must be handled and stored
securely. In additions, the requirements of the Data Protection Act must be adhered to.

42 In accordance with paragraph 7.18 of the Code of Practice, where a United Kingdom public authority
is considering the possible disclosure to overseas authorities of communications data, it must, inter
alia, consider whether that data will be adequately protected. However, it is stated in paragraph 7.22 of
that code that a transfer of data to a third country may take place where that transfer is necessary for
reasons of substantial public interest, even where the third country does not provide an adequate level
of protection. On the information given by the referring court in Case C‑698/15, the Secretary of State
for the Home Department may issue a national security certificate that exempts certain data from the
provisions of the legislation.

43 In paragraph 8.1 of that code, it is stated that RIPA established the Interception of Communications
Commissioner (United Kingdom), whose remit is, inter alia, to provide independent oversight of the

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 13/27
8.9.2017 CURIA - Documents

exercise and performance of the powers and duties contained in Chapter II of Part I of RIPA. As is
stated in paragraph 8.3 of the code, the Commissioner may, where he can ‘establish that an individual
has been adversely affected by any wilful or reckless failure’, inform that individual of suspected
unlawful use of powers.

The disputes in the main proceedings and the questions referred for a preliminary ruling

Case C‑203/15

44 On 9 April 2014, Tele2 Sverige, a provider of electronic communications services established in

Sweden, informed the PTS that, following the ruling in the judgment of 8 April 2014, Digital Rights
Ireland and Others (C‑293/12 and C‑594/12; ‘the Digital Rights judgment’, EU:C:2014:238) that
Directive 2006/24 was invalid, it would cease, as from 14 April 2014, to retain electronic
communications data, covered by the LEK, and that it would erase data retained prior to that date.

45 On 15 April 2014, the Rikspolisstyrelsen (the Swedish National Police Authority, Sweden) sent to the
PTS a complaint to the effect that Tele2 Sverige had ceased to send to it the data concerned.

46 On 29 April 2014, the justitieminister (Swedish Minister for Justice) appointed a special reporter to
examine the Swedish legislation at issue in the light of the Digital Rights judgment. In a report dated
13 June 2014, entitled ‘Datalagring, EU-rätten och svensk rätt, Ds 2014:23’ (Data retention, EU law
and Swedish law; ‘the 2014 report’), the special reporter concluded that the national legislation on the
retention of data, as set out in Paragraphs 16a to 16f of the LEK, was not incompatible with either EU
law or the European Convention for the Protection of Human Rights and Fundamental Freedoms,
signed in Rome on 4 November 1950 (‘the ECHR’). The special reporter emphasised that the Digital
Rights judgment could not be interpreted as meaning that the general and indiscriminate retention of
data was to be condemned as a matter of principle. From his perspective, neither should the Digital
Rights judgment be understood as meaning that the Court had established, in that judgment, a set of
criteria all of which had to be satisfied if legislation was to be able to be regarded as proportionate. He
considered that it was necessary to assess all the circumstances in order to determine the compatibility
of the Swedish legislation with EU law, such as the extent of data retention in the light of the
provisions on access to data, on the duration of retention, and on the protection and the security of data.

47 On that basis, on 19 June 2014 the PTS informed Tele2 Sverige that it was in breach of its obligations
under the national legislation in failing to retain the data covered by the LEK for six months, for the
purpose of combating crime. By an order of 27 June 2014, the PTS ordered Tele2 Sverige to
commence, by no later than 25 July 2014, the retention of that data.

48 Tele2 Sverige considered that the 2014 report was based on a misinterpretation of the Digital Rights
judgment and that the obligation to retain data was in breach of the fundamental rights guaranteed by
the Charter, and therefore brought an action before the Förvaltningsrätten i Stockholm (Administrative
Court, Stockholm) challenging the order of 27 June 2014. Since that court dismissed the action, by
judgment of 13 October 2014, Tele2 Sverige brought an appeal against that judgment before the
referring court.

49 In the opinion of the referring court, the compatibility of the Swedish legislation with EU law should
be assessed with regard to Article 15(1) of Directive 2002/58. While that directive establishes the
general rule that traffic and location data should be erased or made anonymous when no longer
required for the transmission of a communication, Article 15(1) of that directive introduces a
derogation from that general rule since it permits the Member States, where justified on one of the
specified grounds, to restrict that obligation to erase or render anonymous, or even to make provision
for the retention of data. Accordingly, EU law allows, in certain situations, the retention of electronic
communications data.

50 The referring court nonetheless seeks to ascertain whether a general and indiscriminate obligation to
retain electronic communications data, such as that at issue in the main proceedings, is compatible,
taking into consideration the Digital Rights judgment, with Article 15(1) of Directive 2002/58, read in
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 14/27
8.9.2017 CURIA - Documents

the light of Articles 7 and 8 and Article 52(1) of the Charter. Given that the opinions of the parties
differ on that point, it is necessary that the Court give an unequivocal ruling on whether, as maintained
by Tele2 Sverige, the general and indiscriminate retention of electronic communications data is per se
incompatible with Articles 7 and 8 and Article 52(1) of the Charter, or whether, as stated in the 2014
Report, the compatibility of such retention of data is to be assessed in the light of provisions relating to
access to the data, the protection and security of the data and the duration of retention.

51 In those circumstances the Kammarrätten i Stockholm (Administrative Court of Appeal of Stockholm,

Sweden) decided to stay the proceedings and to refer to the Court the following questions for a
preliminary ruling:

‘(1) Is a general obligation to retain traffic data covering all persons, all means of electronic
communication and all traffic data without any distinctions, limitations or exceptions for the
purpose of combating crime … compatible with Article 15(1) of Directive 2002/58/EC, taking
account of Articles 7 and 8 and Article 52(1) of the Charter?

(2) If the answer to question 1 is in the negative, may the retention nevertheless be permitted where:

(a) access by the national authorities to the retained data is determined as [described in
paragraphs 19 to 36 of the order for reference], and

(b) data protection and security requirements are regulated as [described in paragraphs 38 to
43 of the order for reference], and

(c) all relevant data is to be retained for six months, calculated as from the day when the
communication is ended, and subsequently erased as [described in paragraph 37 of the
order for reference]?’

Case C‑698/15

52 Mr Watson, Mr Brice and Mr Lewis each lodged, before the High Court of Justice (England & Wales),
Queen’s Bench Division (Divisional Court) (United Kingdom), applications for judicial review of the
legality of Section 1 of DRIPA, claiming, inter alia, that that section is incompatible with Articles 7
and 8 of the Charter and Article 8 of the ECHR.

53 By judgment of 17 July 2015, the High Court of Justice (England & Wales), Queen’s Bench Division
(Divisional Court) held that the Digital Rights judgment laid down ‘mandatory requirements of EU
law’ applicable to the legislation of Member States on the retention of communications data and access
to such data. According to the High Court of Justice, since the Court, in that judgment, held that
Directive 2006/24 was incompatible with the principle of proportionality, national legislation
containing the same provisions as that directive could, equally, not be compatible with that principle. It
follows from the underlying logic of the Digital Rights judgment that legislation that establishes a
general body of rules for the retention of communications data is in breach of the rights guaranteed in
Articles 7 and 8 of the Charter, unless that legislation is complemented by a body of rules for access to
the data, defined by national law, which provides sufficient safeguards to protect those rights.
Accordingly, Section 1 of DRIPA is not compatible with Articles 7 and 8 of the Charter in so far as it
does not lay down clear and precise rules providing for access to and use of retained data and in so far
as access to that data is not made dependent on prior review by a court or an independent
administrative body.

54 The Secretary of State for the Home Department brought an appeal against that judgment before the
Court of Appeal (England & Wales) (Civil Division) (United Kingdom).

55 That court states that Section 1(1) of DRIPA empowers the Secretary of State for the Home
Department to adopt, without any prior authorisation from a court or an independent administrative
body, a general regime requiring public telecommunications operators to retain all data relating to any
postal service or any telecommunications service for a maximum period of 12 months if he/she
considers that such a requirement is necessary and proportionate to achieve the purposes stated in the

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 15/27
8.9.2017 CURIA - Documents

United Kingdom legislation. Even though that data does not include the content of a communication, it
could be highly intrusive into the privacy of users of communications services.

56 In the order for reference and in its judgment of 20 November 2015, delivered in the appeal procedure,
wherein it decided to send to the Court this request for a preliminary ruling, the referring court
considers that the national rules on the retention of data necessarily fall within the scope of
Article 15(1) of Directive 2002/58 and must therefore conform to the requirements of the Charter.
However, as stated in Article 1(3) of that directive, the EU legislature did not harmonise the rules
relating to access to retained data.

57 As regards the effect of the Digital Rights judgment on the issues raised in the main proceedings, the
referring court states that, in the case that gave rise to that judgment, the Court was considering the
validity of Directive 2006/24 and not the validity of any national legislation. Having regard, inter alia,
to the close relationship between the retention of data and access to that data, it was essential that that
directive should incorporate a set of safeguards and that the Digital Rights judgment should analyse,
when examining the lawfulness of the data retention regime established by that directive, the rules
relating to access to that data. The Court had not therefore intended to lay down, in that judgment,
mandatory requirements applicable to national legislation on access to data that does not implement
EU law. Further, the reasoning of the Court was closely linked to the objective pursued by Directive
2006/24. National legislation should, however, be assessed in the light of the objectives pursued by that
legislation and its context.

58 As regards the need to refer questions to the Court for a preliminary ruling, the referring court draws
attention to the fact that, when the order for reference was issued, six courts in other Member States,
five of those courts being courts of last resort, had declared national legislation to be invalid on the
basis of the Digital Rights judgment. The answer to the questions referred is therefore not obvious,
although the answer is required to give a ruling on the cases brought before that court.

59 In those circumstances, the Court of Appeal (England & Wales) (Civil Division) decided to stay the
proceedings and to refer to the Court the following questions for a preliminary ruling:

‘(1) Does [the Digital Rights judgment] (including, in particular, paragraphs 60 to 62 thereof) lay
down mandatory requirements of EU law applicable to a Member State’s domestic regime
governing access to data retained in accordance with national legislation, in order to comply with
Articles 7 and 8 of [the Charter]?

(2) Does [the Digital Rights judgment] expand the scope of Articles 7 and/or 8 of [the Charter]
beyond that of Article 8 of the European Convention of Human Rights … as established in the
jurisprudence of the European Court of Human Rights …?’

The procedure before the Court

60 By order of 1 February 2016, Davis and Others (C‑698/15, not published, EU:C:2016:70), the
President of the Court decided to grant the request of the Court of Appeal (England & Wales) (Civil
Division) that Case C‑698/15 should be dealt with under the expedited procedure provided for in
Article 105(1) of the Court’s Rules of Procedure.

61 By decision of the President of the Court of 10 March 2016, Cases C‑203/15 and C‑698/15 were
joined for the purposes of the oral part of the procedure and the judgment.

Consideration of the questions referred for a preliminary ruling

The first question in Case C‑203/15

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 16/27
8.9.2017 CURIA - Documents

62 By the first question in Case C‑203/15, the Kammarrätten i Stockholm (Administrative Court of
Appeal, Stockholm) seeks, in essence, to ascertain whether Article 15(1) of Directive 2002/58, read in
the light of Articles 7 and 8 and Article 52(1) of the Charter, must be interpreted as precluding national
legislation such as that at issue in the main proceedings that provides, for the purpose of fighting crime,
for general and indiscriminate retention of all traffic and location data of all subscribers and registered
users with respect to all means of electronic communications.

63 That question arises, in particular, from the fact that Directive 2006/24, which the national legislation
at issue in the main proceedings was intended to transpose, was declared to be invalid by the Digital
Rights judgment, though the parties disagree on the scope of that judgment and its effect on that
legislation, given that it governs the retention of traffic and location data and access to that data by the
national authorities.

64 It is necessary first to examine whether national legislation such as that at issue in the main proceeding
falls within the scope of EU law.

The scope of Directive 2002/58

65 The Member States that have submitted written observations to the Court have differed in their
opinions as to whether and to what extent national legislation on the retention of traffic and location
data and access to that data by the national authorities, for the purpose of combating crime, falls within
the scope of Directive 2002/58. Whereas, in particular, the Belgian, Danish, German and Estonian
Governments, Ireland and the Netherlands Government have expressed the opinion that the answer is
that it does, the Czech Government has proposed that the answer is that it does not, since the sole
objective of such legislation is to combat crime. The United Kingdom Government, for its part, argues
that only legislation relating to the retention of data, but not legislation relating to the access to that
data by the competent national law enforcement authorities, falls within the scope of that directive.

66 As regards, finally, the Commission, while it maintained, in its written observations submitted to the
Court in Case C‑203/15, that the national legislation at issue in the main proceedings falls within the
scope of Directive 2002/58, the Commission argues, in its written observations in Case C‑698/15, that
only national rules relating to the retention of data, and not those relating to the access of the national
authorities to that data, fall within the scope of that directive. The latter rules should, however,
according to the Commission, be taken into consideration in order to assess whether national
legislation governing the retention of data by providers of electronic communications services
constitutes a proportionate interference in the fundamental rights guaranteed in Articles 7 and 8 of the
Charter.

67 In that regard, it must be observed that a determination of the scope of Directive 2002/58 must take
into consideration, inter alia, the general structure of that directive.

68 Article 1(1) of Directive 2002/58 indicates that the directive provides, inter alia, for the harmonisation
of the provisions of national law required to ensure an equivalent level of protection of fundamental
rights and freedoms, and in particular the right to privacy and confidentiality, with respect to the
processing of personal data in the electronic communications sector.

69 Article 1(3) of that directive excludes from its scope ‘activities of the State’ in specified fields,
including the activities of the State in areas of criminal law and in the areas of public security, defence
and State security, including the economic well-being of the State when the activities relate to State
security matters (see, by analogy, with respect to the first indent of Article 3(2) of Directive 95/46,
judgments of 6 November 2003, Lindqvist, C‑101/01, EU:C:2003:596, paragraph 43, and of
16 December 2008, Satakunnan Markkinapörssi and Satamedia, C‑73/07, EU:C:2008:727,
paragraph 41).

70 Article 3 of Directive 2002/58 states that the directive is to apply to the processing of personal data in
connection with the provision of publicly available electronic communications services in public
communications networks in the European Union, including public communications networks
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 17/27
8.9.2017 CURIA - Documents

supporting data collection and identification devices (‘electronic communications services’).

Consequently, that directive must be regarded as regulating the activities of the providers of such
services.

71 Article 15(1) of Directive 2002/58 states that Member States may adopt, subject to the conditions laid
down, ‘legislative measures to restrict the scope of the rights and obligations provided for in Article 5,
Article 6, Article 8(1), (2), (3) and (4), and Article 9 [of that directive]’. The second sentence of
Article 15(1) of that directive identifies, as an example of measures that may thus be adopted by
Member States, measures ‘providing for the retention of data’.

72 Admittedly, the legislative measures that are referred to in Article 15(1) of Directive 2002/58 concern
activities characteristic of States or State authorities, and are unrelated to fields in which individuals
are active (see, to that effect, judgment of 29 January 2008, Promusicae, C‑275/06, EU:C:2008:54,
paragraph 51). Moreover, the objectives which, under that provision, such measures must pursue, such
as safeguarding national security, defence and public security and the prevention, investigation,
detection and prosecution of criminal offences or of unauthorised use of the electronic communications
system, overlap substantially with the objectives pursued by the activities referred to in Article 1(3) of
that directive.

73 However, having regard to the general structure of Directive 2002/58, the factors identified in the
preceding paragraph of this judgment do not permit the conclusion that the legislative measures
referred to in Article 15(1) of Directive 2002/58 are excluded from the scope of that directive, for
otherwise that provision would be deprived of any purpose. Indeed, Article 15(1) necessarily
presupposes that the national measures referred to therein, such as those relating to the retention of data
for the purpose of combating crime, fall within the scope of that directive, since it expressly authorises
the Member States to adopt them only if the conditions laid down in the directive are met.

74 Further, the legislative measures referred to in Article 15(1) of Directive 2002/58 govern, for the
purposes mentioned in that provision, the activity of providers of electronic communications services.
Accordingly, Article 15(1), read together with Article 3 of that directive, must be interpreted as
meaning that such legislative measures fall within the scope of that directive.

75 The scope of that directive extends, in particular, to a legislative measure, such as that at issue in the
main proceedings, that requires such providers to retain traffic and location data, since to do so
necessarily involves the processing, by those providers, of personal data.

76 The scope of that directive also extends to a legislative measure relating, as in the main proceedings,
to the access of the national authorities to the data retained by the providers of electronic
communications services.

77 The protection of the confidentiality of electronic communications and related traffic data, guaranteed
in Article 5(1) of Directive 2002/58, applies to the measures taken by all persons other than users,
whether private persons or bodies or State bodies. As confirmed in recital 21 of that directive, the aim
of the directive is to prevent unauthorised access to communications, including ‘any data related to
such communications’, in order to protect the confidentiality of electronic communications.

78 In those circumstances, a legislative measure whereby a Member State, on the basis of Article 15(1) of
Directive 2002/58, requires providers of electronic communications services, for the purposes set out
in that provision, to grant national authorities, on the conditions laid down in such a measure, access to
the data retained by those providers, concerns the processing of personal data by those providers, and
that processing falls within the scope of that directive.

79 Further, since data is retained only for the purpose, when necessary, of making that data accessible to
the competent national authorities, national legislation that imposes the retention of data necessarily
entails, in principle, the existence of provisions relating to access by the competent national authorities
to the data retained by the providers of electronic communications services.

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 18/27
8.9.2017 CURIA - Documents

80 That interpretation is confirmed by Article 15(1b) of Directive 2002/58, which provides that providers
are to establish internal procedures for responding to requests for access to users’ personal data, based
on provisions of national law adopted pursuant to Article 15(1) of that directive.

81 It follows from the foregoing that national legislation, such as that at issue in the main proceedings in
Cases C‑203/15 and C‑698/15, falls within the scope of Directive 2002/58.

The interpretation of Article 15(1) of Directive 2002/58, in the light of Articles 7, 8, 11 and
Article 52(1) of the Charter

82 It must be observed that, according to Article 1(2) of Directive 2002/58, the provisions of that
directive ‘particularise and complement’ Directive 95/46. As stated in its recital 2, Directive 2002/58
seeks to ensure, in particular, full respect for the rights set out in Articles 7 and 8 of the Charter. In that
regard, it is clear from the explanatory memorandum of the Proposal for a Directive of the European
Parliament and of the Council concerning the processing of personal data and the protection of privacy
in the electronic communications sector (COM(2000) 385 final), which led to Directive 2002/58, that
the EU legislature sought ‘to ensure that a high level of protection of personal data and privacy will
continue to be guaranteed for all electronic communications services regardless of the technology
used’.

83 To that end, Directive 2002/58 contains specific provisions designed, as is apparent from, in particular,
recitals 6 and 7 of that directive, to offer to the users of electronic communications services protection
against risks to their personal data and privacy that arise from new technology and the increasing
capacity for automated storage and processing of data.

84 In particular, Article 5(1) of that directive provides that the Member States must ensure, by means of
their national legislation, the confidentiality of communications effected by means of a public
communications network and publicly available electronic communications services, and the
confidentiality of the related traffic data.

85 The principle of confidentiality of communications established by Directive 2002/58 implies, inter

alia, as stated in the second sentence of Article 5(1) of that directive, that, as a general rule, any person
other than the users is prohibited from storing, without the consent of the users concerned, the traffic
data related to electronic communications. The only exceptions relate to persons lawfully authorised in
accordance with Article 15(1) of that directive and to the technical storage necessary for conveyance of
a communication (see, to that effect, judgment of 29 January 2008, Promusicae, C‑275/06,
EU:C:2008:54, paragraph 47).

86 Accordingly, as confirmed by recitals 22 and 26 of Directive 2002/58, under Article 6 of that directive,
the processing and storage of traffic data are permitted only to the extent necessary and for the time
necessary for the billing and marketing of services and the provision of value added services (see, to
that effect, judgment of 29 January 2008, Promusicae, C‑275/06, EU:C:2008:54, paragraphs 47 and
48). As regards, in particular, the billing of services, that processing is permitted only up to the end of
the period during which the bill may be lawfully challenged or legal proceedings brought to obtain
payment. Once that period has elapsed, the data processed and stored must be erased or made
anonymous. As regards location data other than traffic data, Article 9(1) of that directive provides that
that data may be processed only subject to certain conditions and after it has been made anonymous or
the consent of the users or subscribers obtained.

87 The scope of Article 5, Article 6 and Article 9(1) of Directive 2002/58, which seek to ensure the
confidentiality of communications and related data, and to minimise the risks of misuse, must
moreover be assessed in the light of recital 30 of that directive, which states: ‘Systems for the provision
of electronic communications networks and services should be designed to limit the amount of
personal data necessary to a strict minimum’.

88 Admittedly, Article 15(1) of Directive 2002/58 enables the Member States to introduce exceptions to
the obligation of principle, laid down in Article 5(1) of that directive, to ensure the confidentiality of

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 19/27
8.9.2017 CURIA - Documents

personal data, and to the corresponding obligations, referred to in Articles 6 and 9 of that directive (see,
to that effect, judgment of 29 January 2008, Promusicae, C‑275/06, EU:C:2008:54, paragraph 50).

89 Nonetheless, in so far as Article 15(1) of Directive 2002/58 enables Member States to restrict the
scope of the obligation of principle to ensure the confidentiality of communications and related traffic
data, that provision must, in accordance with the Court’s settled case-law, be interpreted strictly (see,
by analogy, judgment of 22 November 2012, Probst, C‑119/12, EU:C:2012:748, paragraph 23). That
provision cannot, therefore, permit the exception to that obligation of principle and, in particular, to the
prohibition on storage of data, laid down in Article 5 of Directive 2002/58, to become the rule, if the
latter provision is not to be rendered largely meaningless.

90 It must, in that regard, be observed that the first sentence of Article 15(1) of Directive 2002/58
provides that the objectives pursued by the legislative measures that it covers, which derogate from the
principle of confidentiality of communications and related traffic data, must be ‘to safeguard national
security — that is, State security — defence, public security, and the prevention, investigation,
detection and prosecution of criminal offences or of unauthorised use of the electronic communication
system’, or one of the other objectives specified in Article 13(1) of Directive 95/46, to which the first
sentence of Article 15(1) of Directive 2002/58 refers (see, to that effect, judgment of 29 January 2008,
Promusicae, C‑275/06, EU:C:2008:54, paragraph 53). That list of objectives is exhaustive, as is
apparent from the second sentence of Article 15(1) of Directive 2002/58, which states that the
legislative measures must be justified on ‘the grounds laid down’ in the first sentence of Article 15(1)
of that directive. Accordingly, the Member States cannot adopt such measures for purposes other than
those listed in that latter provision.

91 Further, the third sentence of Article 15(1) of Directive 2002/58 provides that ‘[a]ll the measures
referred to [in Article 15(1)] shall be in accordance with the general principles of [European Union]
law, including those referred to in Article 6(1) and (2) [EU]’, which include the general principles and
fundamental rights now guaranteed by the Charter. Article 15(1) of Directive 2002/58 must, therefore,
be interpreted in the light of the fundamental rights guaranteed by the Charter (see, by analogy, in
relation to Directive 95/46, judgments of 20 May 2003, Österreichischer Rundfunk and Others,
C‑465/00, C‑138/01 and C‑139/01, EU:C:2003:294, paragraph 68; of 13 May 2014, Google Spain and
Google, C‑131/12, EU:C:2014:317, paragraph 68, and of 6 October 2015, Schrems, C‑362/14,
EU:C:2015:650, paragraph 38).

92 In that regard, it must be emphasised that the obligation imposed on providers of electronic
communications services, by national legislation such as that at issue in the main proceedings, to retain
traffic data in order, when necessary, to make that data available to the competent national authorities,
raises questions relating to compatibility not only with Articles 7 and 8 of the Charter, which are
expressly referred to in the questions referred for a preliminary ruling, but also with the freedom of
expression guaranteed in Article 11 of the Charter (see, by analogy, in relation to Directive 2006/24,
the Digital Rights judgment, paragraphs 25 and 70).

93 Accordingly, the importance both of the right to privacy, guaranteed in Article 7 of the Charter, and of
the right to protection of personal data, guaranteed in Article 8 of the Charter, as derived from the
Court’s case-law (see, to that effect, judgment of 6 October 2015, Schrems, C‑362/14, EU:C:2015:650,
paragraph 39 and the case-law cited), must be taken into consideration in interpreting Article 15(1) of
Directive 2002/58. The same is true of the right to freedom of expression in the light of the particular
importance accorded to that freedom in any democratic society. That fundamental right, guaranteed in
Article 11 of the Charter, constitutes one of the essential foundations of a pluralist, democratic society,
and is one of the values on which, under Article 2 TEU, the Union is founded (see, to that effect,
judgments of 12 June 2003, Schmidberger, C‑112/00, EU:C:2003:333, paragraph 79, and of
6 September 2011, Patriciello, C‑163/10, EU:C:2011:543, paragraph 31).

94 In that regard, it must be recalled that, under Article 52(1) of the Charter, any limitation on the
exercise of the rights and freedoms recognised by the Charter must be provided for by law and must
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 20/27
8.9.2017 CURIA - Documents

respect the essence of those rights and freedoms. With due regard to the principle of proportionality,
limitations may be imposed on the exercise of those rights and freedoms only if they are necessary and
if they genuinely meet objectives of general interest recognised by the European Union or the need to
protect the rights and freedoms of others (judgment of 15 February 2016, N., C‑601/15 PPU,
EU:C:2016:84, paragraph 50).

95 With respect to that last issue, the first sentence of Article 15(1) of Directive 2002/58 provides that
Member States may adopt a measure that derogates from the principle of confidentiality of
communications and related traffic data where it is a ‘necessary, appropriate and proportionate measure
within a democratic society’, in view of the objectives laid down in that provision. As regards recital
11 of that directive, it states that a measure of that kind must be ‘strictly’ proportionate to the intended
purpose. In relation to, in particular, the retention of data, the requirement laid down in the second
sentence of Article 15(1) of that directive is that data should be retained ‘for a limited period’ and be
‘justified’ by reference to one of the objectives stated in the first sentence of Article 15(1) of that
directive.

96 Due regard to the principle of proportionality also derives from the Court’s settled case-law to the
effect that the protection of the fundamental right to respect for private life at EU level requires that
derogations from and limitations on the protection of personal data should apply only in so far as is
strictly necessary (judgments of 16 December 2008, Satakunnan Markkinapörssi and Satamedia,
C‑73/07, EU:C:2008:727, paragraph 56; of 9 November 2010, Volker und Markus Schecke and Eifert,
C‑92/09 and C‑93/09, EU:C:2010:662, paragraph 77; the Digital Rights judgment, paragraph 52, and
of 6 October 2015, Schrems, C‑362/14, EU:C:2015:650, paragraph 92).

97 As regards whether national legislation, such as that at issue in Case C‑203/15, satisfies those
conditions, it must be observed that that legislation provides for a general and indiscriminate retention
of all traffic and location data of all subscribers and registered users relating to all means of electronic
communication, and that it imposes on providers of electronic communications services an obligation
to retain that data systematically and continuously, with no exceptions. As stated in the order for
reference, the categories of data covered by that legislation correspond, in essence, to the data whose
retention was required by Directive 2006/24.

98 The data which providers of electronic communications services must therefore retain makes it
possible to trace and identify the source of a communication and its destination, to identify the date,
time, duration and type of a communication, to identify users’ communication equipment, and to
establish the location of mobile communication equipment. That data includes, inter alia, the name and
address of the subscriber or registered user, the telephone number of the caller, the number called and
an IP address for internet services. That data makes it possible, in particular, to identify the person with
whom a subscriber or registered user has communicated and by what means, and to identify the time of
the communication as well as the place from which that communication took place. Further, that data
makes it possible to know how often the subscriber or registered user communicated with certain
persons in a given period (see, by analogy, with respect to Directive 2006/24, the Digital Rights
judgment, paragraph 26).

99 That data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the
private lives of the persons whose data has been retained, such as everyday habits, permanent or
temporary places of residence, daily or other movements, the activities carried out, the social
relationships of those persons and the social environments frequented by them (see, by analogy, in
relation to Directive 2006/24, the Digital Rights judgment, paragraph 27). In particular, that data
provides the means, as observed by the Advocate General in points 253, 254 and 257 to 259 of his
Opinion, of establishing a profile of the individuals concerned, information that is no less sensitive,
having regard to the right to privacy, than the actual content of communications.

100 The interference entailed by such legislation in the fundamental rights enshrined in Articles 7 and 8 of
the Charter is very far-reaching and must be considered to be particularly serious. The fact that the data
is retained without the subscriber or registered user being informed is likely to cause the persons

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 21/27
8.9.2017 CURIA - Documents

concerned to feel that their private lives are the subject of constant surveillance (see, by analogy, in
relation to Directive 2006/24, the Digital Rights judgment, paragraph 37).

101 Even if such legislation does not permit retention of the content of a communication and is not,
therefore, such as to affect adversely the essence of those rights (see, by analogy, in relation to
Directive 2006/24, the Digital Rights judgment, paragraph 39), the retention of traffic and location data
could nonetheless have an effect on the use of means of electronic communication and, consequently,
on the exercise by the users thereof of their freedom of expression, guaranteed in Article 11 of the
Charter (see, by analogy, in relation to Directive 2006/24, the Digital Rights judgment, paragraph 28).

102 Given the seriousness of the interference in the fundamental rights concerned represented by national
legislation which, for the purpose of fighting crime, provides for the retention of traffic and location
data, only the objective of fighting serious crime is capable of justifying such a measure (see, by
analogy, in relation to Directive 2006/24, the Digital Rights judgment, paragraph 60).

103 Further, while the effectiveness of the fight against serious crime, in particular organised crime and
terrorism, may depend to a great extent on the use of modern investigation techniques, such an
objective of general interest, however fundamental it may be, cannot in itself justify that national
legislation providing for the general and indiscriminate retention of all traffic and location data should
be considered to be necessary for the purposes of that fight (see, by analogy, in relation to Directive
2006/24, the Digital Rights judgment, paragraph 51).

104 In that regard, it must be observed, first, that the effect of such legislation, in the light of its
characteristic features as described in paragraph 97 of the present judgment, is that the retention of
traffic and location data is the rule, whereas the system put in place by Directive 2002/58 requires the
retention of data to be the exception.

105 Second, national legislation such as that at issue in the main proceedings, which covers, in a
generalised manner, all subscribers and registered users and all means of electronic communication as
well as all traffic data, provides for no differentiation, limitation or exception according to the objective
pursued. It is comprehensive in that it affects all persons using electronic communication services,
even though those persons are not, even indirectly, in a situation that is liable to give rise to criminal
proceedings. It therefore applies even to persons for whom there is no evidence capable of suggesting
that their conduct might have a link, even an indirect or remote one, with serious criminal offences.
Further, it does not provide for any exception, and consequently it applies even to persons whose
communications are subject, according to rules of national law, to the obligation of professional
secrecy (see, by analogy, in relation to Directive 2006/24, the Digital Rights judgment, paragraphs 57
and 58).

106 Such legislation does not require there to be any relationship between the data which must be retained
and a threat to public security. In particular, it is not restricted to retention in relation to (i) data
pertaining to a particular time period and/or geographical area and/or a group of persons likely to be
involved, in one way or another, in a serious crime, or (ii) persons who could, for other reasons,
contribute, through their data being retained, to fighting crime (see, by analogy, in relation to Directive
2006/24, the Digital Rights judgment, paragraph 59).

107 National legislation such as that at issue in the main proceedings therefore exceeds the limits of what
is strictly necessary and cannot be considered to be justified, within a democratic society, as required
by Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the
Charter.

108 However, Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1)
of the Charter, does not prevent a Member State from adopting legislation permitting, as a preventive
measure, the targeted retention of traffic and location data, for the purpose of fighting serious crime,
provided that the retention of data is limited, with respect to the categories of data to be retained, the
means of communication affected, the persons concerned and the retention period adopted, to what is
strictly necessary.

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 22/27
8.9.2017 CURIA - Documents

109 In order to satisfy the requirements set out in the preceding paragraph of the present judgment, that
national legislation must, first, lay down clear and precise rules governing the scope and application of
such a data retention measure and imposing minimum safeguards, so that the persons whose data has
been retained have sufficient guarantees of the effective protection of their personal data against the
risk of misuse. That legislation must, in particular, indicate in what circumstances and under which
conditions a data retention measure may, as a preventive measure, be adopted, thereby ensuring that
such a measure is limited to what is strictly necessary (see, by analogy, in relation to Directive
2006/24, the Digital Rights judgment, paragraph 54 and the case-law cited).

110 Second, as regards the substantive conditions which must be satisfied by national legislation that
authorises, in the context of fighting crime, the retention, as a preventive measure, of traffic and
location data, if it is to be ensured that data retention is limited to what is strictly necessary, it must be
observed that, while those conditions may vary according to the nature of the measures taken for the
purposes of prevention, investigation, detection and prosecution of serious crime, the retention of data
must continue nonetheless to meet objective criteria, that establish a connection between the data to be
retained and the objective pursued. In particular, such conditions must be shown to be such as actually
to circumscribe, in practice, the extent of that measure and, thus, the public affected.

111 As regard the setting of limits on such a measure with respect to the public and the situations that may
potentially be affected, the national legislation must be based on objective evidence which makes it
possible to identify a public whose data is likely to reveal a link, at least an indirect one, with serious
criminal offences, and to contribute in one way or another to fighting serious crime or to preventing a
serious risk to public security. Such limits may be set by using a geographical criterion where the
competent national authorities consider, on the basis of objective evidence, that there exists, in one or
more geographical areas, a high risk of preparation for or commission of such offences.

112 Having regard to all of the foregoing, the answer to the first question referred in Case C‑203/15 is that
Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the
Charter, must be interpreted as precluding national legislation which, for the purpose of fighting crime,
provides for the general and indiscriminate retention of all traffic and location data of all subscribers
and registered users relating to all means of electronic communication.

The second question in Case C‑203/15 and the first question in Case C‑698/15

113 It must, at the outset, be noted that the Kammarrätten i Stockholm (Administrative Court of Appeal,
Stockholm) referred the second question in Case C‑203/15 only in the event that the answer to the first
question in that case was negative. That second question, however, arises irrespective of whether
retention of data is generalised or targeted, as set out in paragraphs 108 to 111 of this judgment.
Accordingly, the Court must answer the second question in Case C‑203/15 together with the first
question in Case C‑698/15, which is referred regardless of the extent of the obligation to retain data
that is imposed on providers of electronic communications services.

114 By the second question in Case C‑203/15 and the first question in Case C‑698/15, the referring courts
seek, in essence, to ascertain whether Article 15(1) of Directive 2002/58, read in the light of Articles 7,
8 and Article 52(1) of the Charter, must be interpreted as precluding national legislation governing the
protection and security of traffic and location data, and more particularly, the access of the competent
national authorities to retained data, where that legislation does not restrict that access solely to the
objective of fighting serious crime, where that access is not subject to prior review by a court or an
independent administrative authority, and where there is no requirement that the data concerned should
be retained within the European Union.

115 As regards objectives that are capable of justifying national legislation that derogates from the
principle of confidentiality of electronic communications, it must be borne in mind that, since, as stated
in paragraphs 90 and 102 of this judgment, the list of objectives set out in the first sentence of
Article 15(1) of Directive 2002/58 is exhaustive, access to the retained data must correspond,
genuinely and strictly, to one of those objectives. Further, since the objective pursued by that
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 23/27
8.9.2017 CURIA - Documents

legislation must be proportionate to the seriousness of the interference in fundamental rights that that
access entails, it follows that, in the area of prevention, investigation, detection and prosecution of
criminal offences, only the objective of fighting serious crime is capable of justifying such access to
the retained data.

116 As regards compatibility with the principle of proportionality, national legislation governing the
conditions under which the providers of electronic communications services must grant the competent
national authorities access to the retained data must ensure, in accordance with what was stated in
paragraphs 95 and 96 of this judgment, that such access does not exceed the limits of what is strictly
necessary.

117 Further, since the legislative measures referred to in Article 15(1) of Directive 2002/58 must, in
accordance with recital 11 of that directive, ‘be subject to adequate safeguards’, a data retention
measure must, as follows from the case-law cited in paragraph 109 of this judgment, lay down clear
and precise rules indicating in what circumstances and under which conditions the providers of
electronic communications services must grant the competent national authorities access to the data.
Likewise, a measure of that kind must be legally binding under domestic law.

118 In order to ensure that access of the competent national authorities to retained data is limited to what is
strictly necessary, it is, indeed, for national law to determine the conditions under which the providers
of electronic communications services must grant such access. However, the national legislation
concerned cannot be limited to requiring that access should be for one of the objectives referred to in
Article 15(1) of Directive 2002/58, even if that objective is to fight serious crime. That national
legislation must also lay down the substantive and procedural conditions governing the access of the
competent national authorities to the retained data (see, by analogy, in relation to Directive 2006/24,
the Digital Rights judgment, paragraph 61).

119 Accordingly, and since general access to all retained data, regardless of whether there is any link, at
least indirect, with the intended purpose, cannot be regarded as limited to what is strictly necessary, the
national legislation concerned must be based on objective criteria in order to define the circumstances
and conditions under which the competent national authorities are to be granted access to the data of
subscribers or registered users. In that regard, access can, as a general rule, be granted, in relation to
the objective of fighting crime, only to the data of individuals suspected of planning, committing or
having committed a serious crime or of being implicated in one way or another in such a crime (see, by
analogy, ECtHR, 4 December 2015, Zakharov v. Russia, CE:ECHR:2015:1204JUD004714306, § 260).
However, in particular situations, where for example vital national security, defence or public security
interests are threatened by terrorist activities, access to the data of other persons might also be granted
where there is objective evidence from which it can be deduced that that data might, in a specific case,
make an effective contribution to combating such activities.

120 In order to ensure, in practice, that those conditions are fully respected, it is essential that access of the
competent national authorities to retained data should, as a general rule, except in cases of validly
established urgency, be subject to a prior review carried out either by a court or by an independent
administrative body, and that the decision of that court or body should be made following a reasoned
request by those authorities submitted, inter alia, within the framework of procedures for the
prevention, detection or prosecution of crime (see, by analogy, in relation to Directive 2006/24, the
Digital Rights judgment, paragraph 62; see also, by analogy, in relation to Article 8 of the ECHR,
ECtHR, 12 January 2016, Szabó and Vissy v. Hungary, CE:ECHR:2016:0112JUD003713814, §§ 77
and 80).

121 Likewise, the competent national authorities to whom access to the retained data has been granted
must notify the persons affected, under the applicable national procedures, as soon as that notification
is no longer liable to jeopardise the investigations being undertaken by those authorities. That
notification is, in fact, necessary to enable the persons affected to exercise, inter alia, their right to a
legal remedy, expressly provided for in Article 15(2) of Directive 2002/58, read together with
Article 22 of Directive 95/46, where their rights have been infringed (see, by analogy, judgments of
7 May 2009, Rijkeboer, C‑553/07, EU:C:2009:293, paragraph 52, and of 6 October 2015, Schrems,
C‑362/14, EU:C:2015:650, paragraph 95).
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 24/27
8.9.2017 CURIA - Documents

122 With respect to the rules relating to the security and protection of data retained by providers of
electronic communications services, it must be noted that Article 15(1) of Directive 2002/58 does not
allow Member States to derogate from Article 4(1) and Article 4(1a) of that directive. Those provisions
require those providers to take appropriate technical and organisational measures to ensure the
effective protection of retained data against risks of misuse and against any unlawful access to that
data. Given the quantity of retained data, the sensitivity of that data and the risk of unlawful access to
it, the providers of electronic communications services must, in order to ensure the full integrity and
confidentiality of that data, guarantee a particularly high level of protection and security by means of
appropriate technical and organisational measures. In particular, the national legislation must make
provision for the data to be retained within the European Union and for the irreversible destruction of
the data at the end of the data retention period (see, by analogy, in relation to Directive 2006/24, the
Digital Rights judgment, paragraphs 66 to 68).

123 In any event, the Member States must ensure review, by an independent authority, of compliance with
the level of protection guaranteed by EU law with respect to the protection of individuals in relation to
the processing of personal data, that control being expressly required by Article 8(3) of the Charter and
constituting, in accordance with the Court’s settled case-law, an essential element of respect for the
protection of individuals in relation to the processing of personal data. If that were not so, persons
whose personal data was retained would be deprived of the right, guaranteed in Article 8(1) and (3) of
the Charter, to lodge with the national supervisory authorities a claim seeking the protection of their
data (see, to that effect, the Digital Rights judgment, paragraph 68, and the judgment of 6 October
2015, Schrems, C‑362/14, EU:C:2015:650, paragraphs 41 and 58).

124 It is the task of the referring courts to determine whether and to what extent the national legislation at
issue in the main proceedings satisfies the requirements stemming from Article 15(1) of Directive
2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, as set out in
paragraphs 115 to 123 of this judgment, with respect to both the access of the competent national
authorities to the retained data and the protection and level of security of that data.

125 Having regard to all of the foregoing, the answer to the second question in Case C‑203/15 and to the
first question in Case C‑698/15 is that Article 15(1) of Directive 2002/58, read in the light of
Articles 7, 8 and 11 and Article 52(1) of the Charter, must be interpreted as precluding national
legislation governing the protection and security of traffic and location data and, in particular, access of
the competent national authorities to the retained data, where the objective pursued by that access, in
the context of fighting crime, is not restricted solely to fighting serious crime, where access is not
subject to prior review by a court or an independent administrative authority, and where there is no
requirement that the data concerned should be retained within the European Union.

The second question in Case C‑698/15

126 By the second question in Case C‑698/15, the Court of Appeal (England & Wales) (Civil Division)
seeks in essence to ascertain whether, in the Digital Rights judgment, the Court interpreted Articles 7
and/or 8 of the Charter in such a way as to expand the scope conferred on Article 8 ECHR by the
European Court of Human Rights.

127 As a preliminary point, it should be recalled that, whilst, as Article 6(3) TEU confirms, fundamental
rights recognised by the ECHR constitute general principles of EU law, the ECHR does not constitute,
as long as the European Union has not acceded to it, a legal instrument which has been formally
incorporated into EU law (see, to that effect, judgment of 15 February 2016, N., C‑601/15 PPU,
EU:C:2016:84, paragraph 45 and the case-law cited).

128 Accordingly, the interpretation of Directive 2002/58, which is at issue in this case, must be undertaken
solely in the light of the fundamental rights guaranteed by the Charter (see, to that effect, judgment of
15 February 2016, N., C‑601/15 PPU, EU:C:2016:84, paragraph 46 and the case-law cited).

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 25/27
8.9.2017 CURIA - Documents

129 Further, it must be borne in mind that the explanation on Article 52 of the Charter indicates that
paragraph 3 of that article is intended to ensure the necessary consistency between the Charter and the
ECHR, ‘without thereby adversely affecting the autonomy of Union law and … that of the Court of
Justice of the European Union’ (judgment of 15 February 2016, N., C‑601/15 PPU, EU:C:2016:84,
paragraph 47). In particular, as expressly stated in the second sentence of Article 52(3) of the Charter,
the first sentence of Article 52(3) does not preclude Union law from providing protection that is more
extensive then the ECHR. It should be added, finally, that Article 8 of the Charter concerns a
fundamental right which is distinct from that enshrined in Article 7 of the Charter and which has no
equivalent in the ECHR.

130 However, in accordance with the Court’s settled case-law, the justification for making a request for a
preliminary ruling is not for advisory opinions to be delivered on general or hypothetical questions, but
rather that it is necessary for the effective resolution of a dispute concerning EU law (see, to that effect,
judgments of 24 April 2012, Kamberaj, C‑571/10, EU:C:2012:233, paragraph 41; of 26 February 2013,
Åkerberg Fransson, C‑617/10, EU:C:2013:105, paragraph 42, and of 27 February 2014, Pohotovosť,
C‑470/12, EU:C:2014:101 paragraph 29).

131 In this case, in view of the considerations set out, in particular, in paragraphs 128 and 129 of the
present judgment, the question whether the protection conferred by Articles 7 and 8 of the Charter is
wider than that guaranteed in Article 8 of the ECHR is not such as to affect the interpretation of
Directive 2002/58, read in the light of the Charter, which is the matter in dispute in the proceedings in
Case C‑698/15.

132 Accordingly, it does not appear that an answer to the second question in Case C‑698/15 can provide
any interpretation of points of EU law that is required for the resolution, in the light of that law, of that
dispute.

133 It follows that the second question in Case C‑698/15 is inadmissible.

Costs

134 Since these proceedings are, for the parties to the main proceedings, a step in the actions pending
before the national courts, the decision on costs is a matter for those courts. Costs incurred in
submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (Grand Chamber) hereby rules:

1. Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of
12 July 2002 concerning the processing of personal data and the protection of privacy in the
electronic communications sector (Directive on privacy and electronic communications), as
amended by Directive 2009/136/EC of the European Parliament and of the Council of
25 November 2009, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter
of Fundamental Rights of the European Union, must be interpreted as precluding national
legislation which, for the purpose of fighting crime, provides for general and indiscriminate
retention of all traffic and location data of all subscribers and registered users relating to
all means of electronic communication.

2. Article 15(1) of Directive 2002/58, as amended by Directive 2009/136, read in the light of
Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights, must be
interpreted as precluding national legislation governing the protection and security of
traffic and location data and, in particular, access of the competent national authorities to
the retained data, where the objective pursued by that access, in the context of fighting
crime, is not restricted solely to fighting serious crime, where access is not subject to prior

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 26/27
8.9.2017 CURIA - Documents

review by a court or an independent administrative authority, and where there is no

requirement that the data concerned should be retained within the European Union.

3. The second question referred by the Court of Appeal (England & Wales) (Civil Division) is
inadmissible.

Lenaerts Tizzano Silva de Lapuerta

von Danwitz Da Cruz Vilaça Juhász

Vilaras Borg Barthet Malenovský

Levits Bonichot Arabadjiev

Rodin Biltgen Lycourgos

Delivered in open court in Luxembourg on 21 December 2016.

A. Calot Escobar K. Lenaerts

Registrar President

** Languages of the case: English and Swedish.

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=186492&occ=first&dir=… 27/27
 GRAND CHAMBER

CASE OF ROMAN ZAKHAROV v. RUSSIA

(Application no. 47143/06)

JUDGMENT

STRASBOURG

4 December 2015

This judgment is final but it may be subject to editorial revision.

 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 1

In the case of Roman Zakharov v. Russia,

The European Court of Human Rights, sitting as a Grand Chamber
composed of:
Dean Spielmann, President,
Josep Casadevall,
Guido Raimondi,
Ineta Ziemele,
Mark Villiger,
Luis López Guerra,
Khanlar Hajiyev,
Angelika Nußberger,
Julia Laffranque,
Linos-Alexandre Sicilianos,
Erik Møse,
André Potocki,
Paul Lemmens,
Helena Jäderblom,
Faris Vehabović,
Ksenija Turković,
Dmitry Dedov, judges,
and Lawrence Early, Jurisconsult,
Having deliberated in private on 24 September 2014 and 15 October
2015,
Delivers the following judgment, which was adopted on the
last-mentioned date:

PROCEDURE
1. The case originated in an application (no. 47143/06) against the
Russian Federation lodged with the Court under Article 34 of the
Convention for the Protection of Human Rights and Fundamental Freedoms
(“the Convention”) by a Russian national, Mr Roman Andreyevich
Zakharov (“the applicant”), on 20 October 2006.
2. The applicant was initially represented by Mr B. Gruzd, a lawyer
practising in St Petersburg. He was subsequently represented by lawyers of
the NGO EHRAC/Memorial Human Rights Centre, based in Moscow. The
Russian Government (“the Government”) were represented by
Mr G. Matyushkin, Representative of the Russian Federation at the
European Court of Human Rights.
3. The applicant alleged that the system of secret interception of mobile
telephone communications in Russia violated his right to respect for his
2 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

private life and correspondence and that he did not have any effective
remedy in that respect.
4. On 19 October 2009 the application was communicated to the
Government.
5. On 11 March 2014 the Chamber of the First Section, to which the
case had been allocated (Rule 52 § 1 of the Rules of Court), composed of
Isabelle Berro-Lefèvre, President, Khanlar Hajiyev, Julia Laffranque,
Linos-Alexandre Sicilianos, Erik Møse, Ksenija Turković, Dmitry Dedov,
judges, and also of Søren Nielsen, Section Registrar, relinquished
jurisdiction in favour of the Grand Chamber, neither of the parties having
objected to relinquishment (Article 30 of the Convention and Rule 72).
6. A hearing took place in public in the Human Rights Building,
Strasbourg, on 24 September 2014 (Rule 59 § 3).
There appeared before the Court:

(a) for the Government

MR G. MATYUSHKIN, Representative of the Russian Federation
at the European Court of Human Rights, Agent,
MS O. SIROTKINA,
MS I. KORIEVA,
MS O. IURCHENKO,
MR O. AFANASEV,
MR A. LAKOV, Advisers;

(b) for the applicant

MR P. LEACH,
MS K. LEVINE,
MR K. KOROTEEV,
MS A. RAZHIKOVA, Counsel,
MS E. LEVCHISHINA, Adviser.

The Court heard addresses by Mr Matyushkin, Mr Leach, Ms Levine,

Ms Razhikova and Mr Koroteev, and also replies by Mr Matyushkin and
Mr Leach to questions put by the judges.

THE FACTS

I. THE CIRCUMSTANCES OF THE CASE

7. The applicant was born in 1977 and lives in St Petersburg.

8. The applicant is the editor-in-chief of a publishing company and of an
aviation magazine. He is also the chairperson of the St Petersburg branch of
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 3

the Glasnost Defence Foundation, an NGO monitoring the state of media

freedom in the Russian regions, which promotes the independence of the
regional mass media, freedom of speech and respect for journalists’ rights,
and provides legal support, including through litigation, to journalists.
9. He was subscribed to the services of several mobile network
operators.
10. On 23 December 2003 he brought judicial proceeding against three
mobile network operators, claiming that there had been an interference with
his right to the privacy of his telephone communications. He claimed that
pursuant to Order no. 70 (see paragraphs 115 to 122 below) of the Ministry
of Communications’ predecessor, the State Committee for Communications
and Information Technologies, the mobile network operators had installed
equipment which permitted the Federal Security Service (“the FSB”) to
intercept all telephone communications without prior judicial authorisation.
The applicant argued that Order no. 70, which had never been published,
unduly restricted his right to privacy. He asked the court to issue an
injunction ordering the removal of the equipment installed pursuant to
Order no. 70, and to ensure that access to mobile telephone communications
was given to authorised persons only. The Ministry of Communications and
Information Technologies (hereafter “the Ministry of Communications”)
and the St Petersburg and Leningrad Region Department of the FSB were
joined as a third party to the proceedings.
11. On 5 December 2005 the Vasileostrovskiy District Court of
St Petersburg dismissed the applicant’s claims. It found that the applicant
had not proved that the mobile network operators had transmitted any
protected information to unauthorised persons or permitted the unrestricted
or unauthorised interception of communications. The equipment to which
he referred had been installed to enable law-enforcement agencies to
conduct operational-search activities in accordance with the procedure
prescribed by law. The installation of such equipment had not in itself
interfered with the privacy of the applicant’s communications. The applicant
had failed to demonstrate any facts which would warrant a finding that his
right to the privacy of his telephone communications had been violated.
12. The applicant appealed. He claimed, in particular, that the District
Court had refused to accept several documents in evidence. Those
documents had included two judicial orders authorising the interception of
mobile telephone communications retrospectively and an addendum to the
standard service provider agreement issued by one of the mobile network
operators. One of the judicial orders in question, issued on 8 October 2002,
authorised the interception of several people’s mobile telephone
communications during the periods from 1 to 5 April, from 19 to 23 June,
from 30 June to 4 July and from 16 to 20 October 2001. The other judicial
order, issued on 18 July 2003, authorised the interception of a Mr E.’s
mobile telephone communications during the period from 11 April to
4 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

11 October 2003. As to the addendum, it informed the subscriber that if his

number were used to make terrorist threats, the mobile network operator
might suspend the provision of the telephone service and transfer the
collected data to the law-enforcement agencies. In the applicant’s opinion,
the judicial orders and the addendum proved that the mobile network
operators and law-enforcement agencies were technically capable of
intercepting all telephone communications without obtaining prior judicial
authorisation, and routinely resorted to unauthorised interception.
13. On 26 April 2006 the St Petersburg City Court upheld the judgment
on appeal. It confirmed the District Court’s finding that the applicant had
failed to prove that his telephone communications had been intercepted. Nor
had he shown that there was a danger that his right to the privacy of his
telephone communications might be unlawfully infringed. To establish the
existence of such a danger, the applicant would have had to prove that the
respondents had acted unlawfully. However, mobile network operators were
required by law to install equipment enabling law-enforcement agencies to
perform operational-search activities and the existence of that equipment
did not in itself interfere with the privacy of the applicant’s
communications. The refusal to admit the judicial orders of 8 October 2002
and 18 July 2003 in evidence had been lawful, as the judicial orders had
been issued in respect of third persons and were irrelevant to the applicant’s
case. The City Court further decided to admit in evidence and examine the
addendum to the service provider agreement, but found that it did not
contain any information warranting reconsideration of the District Court’s
judgment.
14. It can be seen from a document submitted by the applicant that in
January 2007 an NGO, “Civilian Control”, asked the Prosecutor General’s
office to carry out an inspection of the Ministry of Communications’ Orders
in the sphere of interception of communications in order to verify their
compatibility with federal laws. In February 2007 an official from the
Prosecutor General’s office telephoned “Civilian Control” and asked for
copies of the unpublished attachments to Order No. 70, saying that the
prosecutor’s office had been unable to obtain them from the Ministry of
Communications. In April 2007 the Prosecutor General’s office refused to
carry out the requested inspection.

II. RELEVANT DOMESTIC LAW

A. Right to respect for private life and correspondence

15. The Constitution guarantees to everyone the right to respect for his
private life, personal and family secrets and the right to defend his honour
and reputation (Article 23 § 1). It further guarantees the right to respect for
correspondence, telephone, postal, telegraph and other communications.
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 5

That right may be restricted only on the basis of a court order (Article 23
§ 2).
16. The Constitution also stipulates that it is not permissible to collect,
store, use or disseminate information about a person’s private life without
his/her consent. State and municipal authorities must ensure that any person
has access to documents and materials affecting his rights and freedoms,
except where the law provides otherwise (Article 24).
17. The Communications Act of 7 July 2003 (no. 126-FZ) guarantees
the privacy of postal, telegraphic and other forms of communication
transmitted by means of telecommunications networks or mail services.
Restrictions on the privacy of communications are permissible only in cases
specified in federal laws (section 63(1)). The interception of
communications is subject to prior judicial authorisation, except in cases
specified in federal laws (section 63(3)).
18. On 2 October 2003 in its decision no. 345-O the Constitutional Court
held that the right to privacy of telephone communications covered all data
transmitted, stored or discovered by means of telephone equipment,
including non-content-based data, such as information about the incoming
and outgoing connections of a specified subscriber. The monitoring of such
data was also subject to prior judicial authorisation.

B. Responsibility for breach of privacy

19. The unauthorised collection or dissemination of information about

the private or family life of a person without his or her consent, where it is
committed out of mercenary or other personal interest and is damaging to
the rights and lawful interests of citizens, is punishable by a fine,
correctional labour or a custodial sentence of up to four months. The same
actions committed by an official using his or her position are punishable by
a fine, a prohibition on occupying certain positions or a custodial sentence
of up to six months (Article 137 of the Criminal Code).
20. Any breach of citizens’ right to the privacy of their postal,
telegraphic, telephone or other forms of communication is punishable by a
fine or correctional labour. The same act committed by an official using his
or her position is punishable by a fine, a prohibition on occupying certain
positions or a custodial sentence of up to four months (Article 138 of the
Criminal Code).
21. Abuse of power by an official, where it is committed out of
mercenary or other personal interest and entails a substantial violation of an
individual’s or a legal entity’s rights and lawful interests, is punishable by a
fine, a prohibition on occupying certain posts or engaging in certain
activities for a period of up to five years, correctional labour for a period of
up to four years or imprisonment for a period ranging from four months to
four years (Article 285 § 1 of the Criminal Code).
6 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

22. Actions by a public official which clearly exceed his or her authority
and entail a substantial violation of an individual’s or a legal entity’s rights
and lawful interests, are punishable by a fine, a prohibition on occupying
certain posts or engaging in certain activities for a period of up to five years,
correctional labour for a period of up to four years or imprisonment for a
period ranging from four months to four years (Article 286 § 1 of the
Criminal Code).
23. Ruling no. 19 of 16 October 2009 by the Plenary Supreme Court
provides that for the purposes of Articles 285 and 286 of the Criminal Code
“a substantial violation of an individual’s or a legal entity’s rights and
lawful interests” means a violation of the rights and freedoms guaranteed by
the generally established principles and provisions of international law and
the Constitution of the Russian Federation – such as the right to respect for
a person’s honour and dignity, private or family life, correspondence,
telephone, postal, telegraph and other communications, the inviolability of
the home, etc. In assessing whether the violation was “substantial” in
respect of a legal entity, it is necessary to take into account the extent of the
damage sustained as a result of the unlawful act, the nature and the amount
of the pecuniary damage, the number of persons affected and the gravity of
the physical, pecuniary or non-pecuniary damage inflicted on them
(paragraph 18 (2)).
24. Criminal proceedings are opened if there are sufficient facts showing
that a criminal offence has been committed (Article 140 § 2 of the Code of
Criminal Procedure).

C. General provisions on interception of communications

25. The interception of communications is governed by the Operational-

Search Activities Act of 12 August 1995 (no. 144-FZ, hereafter “the
OSAA”), applicable to the interception of communications both in the
framework of criminal proceedings and outside such framework; and the
Code of Criminal Procedure of 18 December 2001 (no. 174-FZ, in force
since 1 July 2002, hereafter “the CCrP”), applicable only to the interception
of communications in the framework of criminal proceedings.
26. The aims of operational-search activities are: (1) the detection,
prevention, suppression and investigation of criminal offences and the
identification of persons conspiring to commit, committing, or having
committed a criminal offence; (2) the tracing of fugitives from justice and
missing persons; (3) obtaining information about events or activities
endangering the national, military, economic or ecological security of the
Russian Federation (section 2 of the OSAA). On 25 December 2008 that
section was amended and a further aim, that of obtaining information about
property subject to confiscation, was added.
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 7

27. State officials and agencies performing operational-search activities

must show respect for the private and family life, home and correspondence
of citizens. It is prohibited to perform operational-search activities to
achieve aims or objectives other than those specified in the Act (section 5(1)
and (2) of the OSAA).
28. State officials and agencies may not (1) conduct operational-search
activities in the interest of political parties, non-profit or religious
organisations; (2) conduct secret operational-search activities in respect of
federal, regional or municipal authorities, political parties, or non-profit or
religious organisations with the aim of influencing their activities or
decisions; (3) disclose to anyone the data collected in the course of the
operational-search activities if that data concern the private or family life of
citizens or damage their reputation or good name, except in cases specified
in federal laws; (4) incite, induce or entrap anyone to commit a criminal
offence; (5) falsify the results of operational-search activities (section 5(8)
of the OSAA).
29. Operational-search activities include, inter alia, the interception of
postal, telegraphic, telephone and other forms of communication and the
collection of data from technical channels of communication. The Act
stipulates that audio and video recording, photography, filming and other
technical means may be used during operational-search activities, provided
that they are not harmful to the life or health of those involved or to the
environment. Operational-search activities involving the interception of
postal, telegraphic, telephone and other forms of communication and
collection of data from technical channels of communication using
equipment installed by communications service providers is carried out by
technical means by the FSB and the agencies of the Ministry of the Interior,
in accordance with decisions and agreements signed between the agencies
involved (section 6 of the OSAA).
30. Presidential Decree no. 891 of 1 September 1995 provides that the
interception of postal, telegraphic or other communications is to be carried
out by the FSB in the interests and on behalf of all law-enforcement
agencies (paragraph 1). In situations where the FSB does not have available
the necessary technical equipment, interceptions may be carried out by the
agencies of the Ministry of the Interior in the interests and on behalf of all
law-enforcement agencies (paragraph 2). Similar provisions are contained in
paragraphs 2 and 3 of Order no. 538, issued by the Government on
27 August 2005.

D. Situations that may give rise to interception of communications

31. Operational-search activities involving interference with the

constitutional right to the privacy of postal, telegraphic and other
communications transmitted by means of a telecommunications network or
8 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

mail services, or within the privacy of the home, may be conducted

following the receipt of information (1) that a criminal offence has been
committed or is ongoing, or is being plotted; (2) about persons conspiring
to commit, or committing, or having committed a criminal offence; or (3)
about events or activities endangering the national, military, economic or
ecological security of the Russian Federation (section 8(2) of the OSAA).
32. The OSAA provides that interception of telephone and other
communications may be authorised only in cases where a person is
suspected of, or charged with, a criminal offence of medium severity, a
serious offence or an especially serious criminal offence, or may have
information about such an offence (section 8(4) of the OSAA). The CCrP
also provides that interception of telephone and other communications of a
suspect, an accused or other person may be authorised if there are reasons to
believe that they may contain information relevant for the criminal case in
respect of a criminal offence of medium severity, a serious offence or an
especially serious criminal offence (Article 186 § 1 of the CCrP).
33. Article 15 of the Criminal Code provides that “offences of medium
severity” are premeditated offences for which the Criminal Code prescribes
a maximum penalty of between three and five years’ imprisonment and
unpremeditated offences for which the Criminal Code prescribes a
maximum penalty of more than three years’ imprisonment. “Serious
offences” are premeditated offences for which the Criminal Code prescribes
a maximum penalty of between five and ten years’ imprisonment.
“Especially serious offences” are premeditated offences for which the Code
prescribes a maximum penalty of more than ten years’ imprisonment or a
harsher penalty.

E. Authorisation procedure and time-limits

1. Operational-Search Activities Act

34. Operational-search measures involving interference with the
constitutional right to the privacy of postal, telegraphic and other
communications transmitted by means of a telecommunications network or
mail services or within the privacy of the home – such as an inspection of
premises or buildings, an interception of postal, telegraphic, telephone and
other forms of communication or a collection of data from technical
channels of communication – require prior judicial authorisation
(section 8(2) of the OSAA).
35. In urgent cases where there is an immediate danger that a serious or
especially serious offence may be committed or where there is information
about events or activities endangering national, military, economic or
ecological security, the operational-search measures specified in
section 8(2) may be conducted without prior judicial authorisation. In such
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 9

cases a judge must be informed within twenty-four hours of the

commencement of the operational-search activities. If judicial authorisation
has not been obtained within forty-eight hours of the commencement of the
operational-search activities, those activities must be stopped immediately
(section 8(3) of the Act).
36. The examination of requests to take measures involving interference
with the constitutional right to the privacy of correspondence and telephone,
postal, telegraphic and other communications transmitted by means of
telecommunications networks or mail services, or with the right to privacy
of the home, falls within the competence of a court in the locality where the
requested measure is to be carried out or in the locality where the requesting
body is located. The request must be examined immediately by a single
judge (section 9(1) of the Act).
37. The judge takes a decision on the basis of a reasoned request by the
head of one of the agencies competent to perform operational-search
activities. Relevant supporting materials, except materials containing
information about undercover agents or police informers or about the
organisation and tactics of operational-search measures, may also be
produced at the judge’s request (section 9(2) and (3) of the Act).
38. The judge examining the request shall decide whether to authorise
measures involving interference with the above-mentioned constitutional
rights, or to refuse authorisation, giving reasons. The judge must specify the
period of time for which the authorisation is granted, which shall not
normally exceed six months. If necessary, the judge may extend the
authorised period after a fresh examination of all the relevant materials
(section 9(4) and (5) of the Act).
39. The judicial decision authorising operational-search activities and
the materials that served as a basis for that decision must be held in the
exclusive possession of the State agency performing the operational-search
activities (section 12(3) of the Act).
40. On 14 July 1998 the Constitutional Court, in its decision no. 86-O,
dismissed as inadmissible a request for a review of the constitutionality of
certain provisions of the OSAA. It held, in particular, that a judge was to
authorise investigative measures involving interference with constitutional
rights only if he or she was persuaded that such measures were lawful,
necessary and justified, that is, compatible with all the requirements of the
OSAA. The burden of proof was on the requesting State agency to show the
necessity of the measures. Supporting materials were to be produced to the
judge at his or her request. Given that some of those materials might contain
State secrets, only judges with the necessary level of security clearance
could examine authorisation requests. Further, relying on the need to keep
the surveillance measures secret, the Constitutional Court held that the
principles of a public hearing and adversarial proceedings were not
applicable to the authorisation proceedings. The fact that the person
10 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

concerned was not entitled to participate in the authorisation proceedings, to

be informed about the decision taken or to appeal to a higher court did not
therefore violate that person’s constitutional rights.
41. On 2 October 2003 the Constitutional Court, in its decision
no. 345-O, held that the judge had an obligation to examine the materials
submitted to him or her in support of a request for interception thoroughly
and carefully. If the request was insufficiently substantiated, the judge might
request additional information.
42. Further, on 8 February 2007 the Constitutional Court, in its decision
no. 1-O, dismissed as inadmissible a request for a review of the
constitutionality of section 9 of the OSAA. The Court found that before
granting authorisation to perform operational-search measures the judge had
an obligation to verify the grounds for that measure. The judicial decision
authorising operational-search measures was to contain reasons and to refer
to specific grounds for suspecting that a criminal offence had been
committed, or was ongoing, or was being plotted or that activities
endangering national, military, economic or ecological security were being
carried out, and that the person in respect of whom operational-search
measures were requested was involved in those criminal or otherwise
dangerous activities.
43. On 15 July 2008 the Constitutional Court, in its decision
no. 460-O-O, dismissed as inadmissible a request for a review of the
constitutionality of sections 5, 11 and 12 of the OSAA. The Constitutional
Court found that the person whose communications had been intercepted
was entitled to lodge a supervisory review complaint against the judicial
decision authorising the interception. The fact that he had no copy of that
decision did not prevent him from lodging the supervisory-review
complaint, because the relevant court could request it from the competent
authorities.

2. Code of Criminal Procedure

44. Investigative measures involving a search in a person’s home or
interception of his or her telephone calls and other communications are
subject to prior judicial authorisation. A request to search a person’s home
or intercept his or her communications must be submitted by an investigator
with a prosecutor’s approval and must be examined by a single judge within
twenty-four hours. The prosecutor and the investigator are entitled to attend.
The judge examining the request shall decide whether to authorise the
requested measure, or to refuse authorisation, giving reasons (Article 165 of
the CCrP).
45. A court may grant authorisation to intercept the communications of a
suspect, an accused or other persons if there are reasons to believe that
information relevant to the criminal case may be discussed (Article 186 § 1
of the CCrP).
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 11

46. A request for authorisation to intercept communications must clearly

mention the following: (1) the criminal case to which the request is related;
(2) the grounds for conducting the requested measures; (3) the family name,
the first name and the patronymic of the person whose communications are
to be intercepted; (4) the duration of the requested measure; (5) the State
agency that will perform the interception (Article 186 § 3 of the CCrP)
47. The judicial decision authorising interception of communications
must be forwarded by the investigator to the State agency charged with its
implementation. The interception of communications may be authorised for
a period not exceeding six months, and is discontinued by the investigator
when it is no longer necessary. It must in any case be discontinued when the
investigation has been completed (Article 186 §§ 4 and 5 of the CCrP).
48. A court may also authorise the monitoring of communications data
relating to a person’s telephone or wireless connections if there are
sufficient reasons to believe that such data may be relevant to a criminal
case. A request for authorisation must contain the same elements referred to
in paragraph 46 above. A copy of the judicial decision authorising the
monitoring of a person’s communications-related data is forwarded by the
investigator to the relevant communications service provider, which must
then submit the requested data to the investigator on a regular basis, and at
least once a week. The monitoring of communications data may be
authorised for a period not exceeding six months, and is discontinued by the
investigator when it is no longer necessary. It must in any case be
discontinued when the investigation has been completed (Article 186.1 of
the CCrP, added on 1 July 2010).

F. Storage, use and destruction of collected data

1. Storage of collected data

49. Section 10 of the OSAA stipulates that law-enforcement agencies
performing operational-search activities may create and use databases or
open personal files. The personal file must be closed when the aims
specified in section 2 of the Act have been achieved or if it has been
established that it is impossible to achieve them.
50. In its decision of 14 July 1998 (cited in paragraph 40 above) the
Constitutional Court noted, as regards the possibility provided by section 10
for law-enforcement agencies conducting operational-search activities to
create databases or open personal files, that only the data relating to the
prevention or investigation of criminal offences could be entered into such
databases or personal files. Given that criminal activities did not fall within
the sphere of private life, collection of information about such criminal
activities did not interfere with the right to respect for private life. If
12 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

information about a person’s criminal activities entered into a file was not
subsequently confirmed, the personal file had to be closed.
51. Records of intercepted telephone and other communications must be
sealed and stored under conditions excluding any risk of their being listened
to or copied by unauthorised persons (section 8(4) of the OSAA).
52. Information about the facilities used in operational-search activities,
the methods employed, the officials involved and the data collected
constitutes a State secret. It may be declassified only pursuant to a special
decision of the head of the State agency performing the operational-search
activities (section 12(1) of the OSAA and section 5(4) of the State Secrets
Act, Law no. 5485-I of 21 July 1993).
53. Materials containing State secrets should be clearly marked with the
following information: degree of secrecy, the State agency which has taken
the decision to classify them, registration number, and the date or conditions
for declassifying them (section 12 of the State Secrets Act).

2. Use of collected data and conditions for their disclosure

54. Information containing State secrets may be disclosed to another
State authority, an organisation or an individual only subject to
authorisation by the State authority which took the decision to classify that
information. It may be disclosed only to State authorities or organisations
holding a special license or to individuals with the required level of security
clearance. The State authority or organisation to which classified
information is disclosed must ensure that that information is adequately
protected. The head of such State authority or organisation is personally
responsible for protecting the classified information against unauthorised
access or disclosure (sections 16 and 17 of the State Secrets Act).
55. A license to access State secrets may be issued to an organisation or
a company only after it has been confirmed that it has specific internal
sections charged with data protection, that its employees are qualified to
work with classified information and that it uses approved systems of data
protection (section 27 of the State Secrets Act).
56. Security clearance is granted only to those state officials who
genuinely need it for the performance of their duties. It is also granted to
judges for the period of their service and to counsel participating in a
criminal case if the case-file contains materials involving State secrets.
Anyone who has been granted security clearance must give a written
undertaking not to disclose the classified information entrusted to him or her
(paragraphs 7, 11 and 21 of Regulation no. 63 of 6 February 2010 of the
Government of the Russian Federation).
57. The head of the State authority or organisation in possession of
information containing State secrets is responsible for giving State officials
and other authorised persons access to that information. He or she must
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 13

ensure that only the information that the recipient needs for the performance
of his or her duties is disclosed (section 25 of the State Secrets Act).
58. If the data collected in the course of operational-search activities
contain information about the commission of a criminal offence, that
information, together with all the necessary supporting material such as
photographs and audio or video recordings, must be sent to the competent
investigation authorities or a court. If the information was obtained as a
result of operational-search measures involving interference with the right
to the privacy of postal, telegraphic and other communications transmitted
by means of a telecommunications network or mail services, or with the
privacy of the home, it must be sent to the investigation or prosecution
authorities together with the judicial decision authorising those
measures. The information must be transmitted in accordance with
the special procedure for handling classified information, unless the
State agency performing operational-search activities has decided
to declassify it (paragraphs 1, 12, 14 and 16 of Order
no. 776/703/509/507/1820/42/535/398/68 of 27 September 2013 by the
Ministry of the Interior).
59. If the person whose telephone or other communications were
intercepted is charged with a criminal offence, the records are to be given to
the investigator and attached to the criminal case file. Their further use and
storage are governed by criminal procedural law (section 8(5) of the
OSAA).
60. Data collected as a result of operational-search activities may be
used for the preparation and conduct of the investigation and court
proceedings and used as evidence in criminal proceedings in accordance
with the legal provisions governing the collection, evaluation and
assessment of evidence. The decision to transfer the collected data to other
law-enforcement agencies or to a court is taken by the head of the State
agency performing the operational-search activities (section 11 of the
OSAA).
61. If the interception was authorised in the framework of criminal
proceedings, the investigator may obtain the records from the agency
conducting it at any time during the authorised period of interception. The
records must be sealed and must be accompanied by a cover letter indicating
the dates and time of the beginning and end of the recorded
communications, as well as the technical means used to intercept them.
Recordings must be listened to by the investigator in the presence of
attesting witnesses, an expert where necessary and the persons whose
communications have been intercepted. The investigator must draw up an
official report containing a verbatim transcription of those parts of the
recorded communications that are relevant to the criminal case
(Article 186 §§ 6 and 7 of the CCrP). On 4 March 2013 Article 186 § 7 was
14 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

amended and the requirement of the presence of attesting witnesses was

deleted.
62. Recordings and communications-related data collected are to be
attached to the criminal case file. They must be sealed and stored under
conditions excluding any risk of their being listened to or copied by
unauthorised persons (Article 186 § 8 of the CCrP and Article 186.1, added
on 1 July 2010).
63. The results of operational-search activities involving a restriction on
the right to respect for correspondence, telephone, postal, telegraph or other
communications may be used as evidence in criminal proceedings only if
they have been obtained pursuant to a court order and if the operational-
search activities have been carried out in accordance with the law on
criminal procedure (paragraph 14 of Ruling no. 8 of 31 October 1995 by the
Plenary Supreme Court of the Russian Federation).
64. It is prohibited to use in evidence data, obtained as a result of
operational-search activities, which do not comply with the admissibility-of-
evidence requirements of the CCrP (Article 89 of the CCrP). Evidence
obtained in breach of the CCrP shall be inadmissible. Inadmissible evidence
shall have no legal force and cannot be relied on as grounds for criminal
charges or for proving any of the circumstances for which evidence is
required in criminal proceedings. If a court decides to exclude evidence, that
evidence shall have no legal force and cannot be relied on in a judgment or
other judicial decision, or be examined or used during the trial (Articles 75
and 235 of the CCrP).

3. Destruction of collected data

65. The data collected in the course of operational-search activities in
respect of a person whose guilt has not been proved in accordance with the
procedure prescribed by law must be stored for a year and then destroyed,
unless that data are needed in the interests of the service or justice. Audio
recordings and other materials collected as a result of intercepting telephone
or other communications must be stored for six months and then destroyed
if the person has not been charged with a criminal offence. The judge who
authorised the interception must be informed of the scheduled destruction
three months in advance (section 5(7) of the OSAA).
66. If the person has been charged with a criminal offence, at the end of
the criminal proceedings the trial court takes a decision on the further
storage or destruction of the data used in evidence. The destruction must be
recorded in a report to be signed by the head of the investigation authority
and included in the case file (Article 81 § 3 of the CCrP and paragraph 49 of
Order no. 142 of 30 September 2011 of the Investigations Committee).
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 15

G. Supervision of interception of communications

67. The heads of the agencies conducting operational-search activities

are personally responsible for the lawfulness of all operational-search
activities (section 22 of the OSAA).
68. Overall supervision of operational-search activities is exercised by
the President, the Parliament and the Government of the Russian Federation
within the limits of their competence (section 20 of the OSAA).
69. The Prosecutor General and competent lower-level prosecutors may
also exercise supervision over operational-search activities. At the request
of a competent prosecutor, the head of a State agency performing
operational-search activities must produce operational-search materials,
including personal files, information on the use of technical equipment,
registration logs and internal instructions. Materials containing information
about undercover agents or police informers may be disclosed to the
prosecutor only with the agent’s or informer’s consent, except in cases of
criminal proceedings against them. The head of a State agency may be held
liable in accordance with the law for failure to comply with the prosecutor’s
request. The prosecutor must ensure the protection of the data contained in
the materials produced (section 21 of the OSAA).
70. The Prosecutors’ Office Act (Federal law no. 2202-I of 17 January
1992) provides that the Prosecutor General is to be appointed or dismissed
by the Federation Council (the upper house of the Parliament) on proposal
by the President (section 12). Lower-level prosecutors are to be appointed
by the Prosecutor General after consultation with the regional executive
authorities (section 13). To be appointed as a prosecutor the person must be
a Russian citizen and must have a Russian law degree (section 40.1).
71. In addition to their prosecuting functions, prosecutors are
responsible for supervising whether the administration of detention
facilities, bailiffs’ activities, operational-search activities and criminal
investigations are in compliance with the Russian Constitution and Russian
laws (section 1). Prosecutors also coordinate the activities of all law-
enforcement authorities in combatting crime (section 8).
72. As regards supervision of operational-search activities, prosecutors
may review whether measures taken in the course of operational-search
activities are lawful and respectful of human rights (section 29).
Prosecutors’ orders made in the context of such supervision must be
complied with within the time-limit set. Failure to comply may result in
liability in accordance with the law (section 6).
73. Prosecutors may also examine complaints of breaches of the law and
give a reasoned decision on each complaint. Such a decision does not
prevent the complainant from bringing the same complaint before a court. If
a prosecutor discovers a breach of the law, he or she must take measures to
bring the responsible persons to liability (section 10).
16 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

74. The Federal Security Service Act of 3 April 1995 (no. 40-FZ,
hereafter “the FSB Act”) provides that information about the security
services’ undercover agents, as well as about the tactics, methods and means
used by them is outside the scope of supervision by prosecutors
(section 24).
75. The procedures for prosecutors’ supervision of operational-search
activities have been set out in Order no. 33, issued by the Prosecutor
General’s Office on 15 February 2011.
76. Order no. 33 provides that a prosecutor may carry out routine
inspections of agencies carrying out operational-search activities, as well as
ad hoc inspections following a complaint by an individual or receipt of
information about potential violations. Operational-search activities
performed by the FSB in the sphere of counterintelligence may be inspected
only following an individual complaint (paragraph 5 of Order no. 33).
77. During the inspection the prosecutor must verify compliance with
the following requirements:
- observance of citizens’ constitutional rights, such as the right to respect
for private and family life, home, correspondence, telephone, postal,
telegraph and other communications;
- that the measures taken in the course of operational-search activities
are lawful and justified, including those measures that have been authorised
by a court (paragraphs 4 and 6 of Order no. 33).
78. During the inspection the prosecutor must study the originals of the
relevant operational-search materials, including personal files, information
on the use of technical equipment, registration logs and internal instructions,
and may request explanations from competent officials. The prosecutors
must protect the sensitive data entrusted to them from unauthorised access
or disclosure (paragraphs 9 and 12 of Order no. 33).
79. If a prosecutor identifies a breach of the law, he or she must request
the official responsible for it to remedy the breach. He or she must also take
measures to stop and remedy violations of citizens’ rights and to bring those
responsible to liability (paragraphs 9 and 10 of Order no. 33). A State
official who refuses to comply with a prosecutor’s orders may be brought to
liability in accordance with the law (paragraph 11).
80. The prosecutors responsible for supervision of operational-search
activities must submit six-monthly reports detailing the results of the
inspections to the Prosecutor General’s Office (paragraph 15 of Order
no. 33). A report form to be filled by prosecutors is attached to Order
no. 33. The form indicates that it is confidential. It contains two sections,
both in table format. The first section concerns inspections carried out
during the reference period and contains information about the number of
inspections, number of files inspected and number of breaches detected. The
second section concerns citizens’ complaints and contains information about
the number of complaints examined and granted.
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 17

H. Access by individuals to data collected about them in the course

of interception of communications

81. Russian law does not provide that a person whose communications
are intercepted must be notified at any point. However, a person who is in
possession of the facts of the operational-search measures to which he or
she was subjected and whose guilt has not been proved in accordance with
the procedure prescribed by law, that is, he or she has not been charged or
the charges have been dropped on the ground that the alleged offence was
not committed or that one or more elements of a criminal offence were
missing, is entitled to receive information about the data collected in the
course of the operational-search activities, to the extent compatible with the
requirements of operational confidentiality (“конспирации”) and excluding
data which could enable State secrets to be disclosed (section 5(4-6) of the
OSAA).
82. In its decision of 14 July 1998 (cited in paragraph 40 above) the
Constitutional Court noted that any person who was in possession of the
facts of the operational-search measures to which he or she had been
subjected was entitled to receive information about the data collected in the
course of those activities, unless that data contained State secrets. Under
section 12 of the OSAA, data collected in the course of operational-search
activities – such as information about criminal offences and the persons
involved in their commission – were a State secret. However, information
about breaches of citizens’ rights or unlawful acts on the part of the
authorities could not be classified as a State secret and should be disclosed.
Section 12 could not therefore serve as a basis for refusing access to
information affecting a person’s rights, provided that such information did
not concern the aims of, or the grounds for, the operational-search activities.
In view of the above, the fact that, pursuant to the contested Act, a person
was not entitled to be granted access to the entirety of the data collected
about him or her did not constitute a violation of that person’s constitutional
rights.

I. Judicial review

1. General provisions on judicial review of interception of

communications as established by the OSAA
83. A person claiming that his or her rights have been or are being
violated by a State official performing operational-search activities may
complain to the official’s superior, a prosecutor or a court. If a citizen’s
rights were violated in the course of operational-search activities by a State
official, the official’s superior, a prosecutor or a court must take measures to
remedy the violation and compensate the damage (section 5(3) and (9) of
the OSAA).
18 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

84. If a person was refused access to information about the data

collected about him or her in the course of operational-search activities, he
or she is entitled to know the reasons for the refusal of access and may
appeal against the refusal to a court. The burden of proof is on the
law-enforcement authorities to show that the refusal of access is justified.
To ensure a full and thorough judicial examination, the law-enforcement
agency responsible for the operational-search activities must produce, at the
judge’s request, operational-search materials containing information about
the data to which access was refused, with the exception of materials
containing information about undercover agents or police informers. If the
court finds that the refusal to grant access was unjustified, it may compel the
law-enforcement agency to disclose the materials to the person concerned
(section 5(4 to 6) of the OSAA).
85. In its decision of 14 July 1998 (cited in paragraph 40 above) the
Constitutional Court noted that a person who learned that he or she had been
subjected to operational-search activities and believed that the actions of
State officials had violated his or her rights was entitled, under section 5 of
the OSAA, to challenge before a court the grounds for conducting such
activities, as well as the specific actions performed by the competent
authorities in the course of such activities, including in those cases where
they had been authorised by a court.
86. As regards procedural matters, the Constitutional Court held that in
proceedings in which the grounds for the operational-search activities or the
actions of the competent authorities conducting such activities were
challenged, as well as proceedings against the refusal to give access to the
data collected, the law-enforcement authorities were to submit to the judge,
at his or her request, all relevant operational-search materials, except
materials containing information about undercover agents or police
informers.
87. A person wishing to complain about interception of his or her
communications may lodge a judicial review complaint under Article 125 of
the CCrP; a judicial review complaint under Chapter 25 of the Code of Civil
Procedure and the Judicial Review Act replaced, as from 15 September
2015, by the Code of Administrative Procedure; or a civil tort claim under
Article 1069 of the Civil Code.

2. A judicial review complaint under Article 125 of the CCrP

88. The Plenary Supreme Court in its Ruling no. 1 of 10 February 2009
held that actions of officials or State agencies conducting operational-search
activities at the request of an investigator could be challenged in accordance
with the procedure prescribed by Article 125 of the CCrP (paragraph 4).
The complaints lodged under that Article may be examined only while the
criminal investigation is pending. If the case has already been transmitted to
a court for trial, the judge declares the complaint inadmissible and explains
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 19

to the complainant that he or she may raise the complaints before the
relevant trial court (paragraph 9).
89. Article 125 of the CCrP provides for the judicial review of decisions
and acts or failures to act by an investigator or a prosecutor which are
capable of adversely affecting the constitutional rights or freedoms of the
participants to criminal proceedings. The lodging of a complaint does not
suspend the challenged decision or act, unless the investigator, the
prosecutor, or the court decides otherwise. The court must examine the
complaint within five days. The complainant, his counsel, the investigator
and the prosecutor are entitled to attend the hearing. The complainant must
substantiate his complaint (Article 125 §§ 1-4 of the CCrP).
90. Participants in the hearing are entitled to study all the materials
submitted to the court and to submit additional materials relevant to the
complaint. Disclosure of criminal-case materials is permissible only if it is
not contrary to the interests of the investigation and does not breach the
rights of the participants in the criminal proceedings. The judge may request
the parties to produce the materials which served as a basis for the contested
decision or any other relevant materials (paragraph 12 of Ruling no. 1 of
10 February 2009 of the Plenary Supreme Court of the Russian Federation).
91. Following the examination of the complaint, the court either declares
the challenged decision, act or failure to act unlawful or unjustified and
instructs the responsible official to rectify the indicated shortcoming, or
dismisses the complaint (Article 125 § 5 of the CCrP). When instructing the
official to rectify the indicated shortcoming, the court may not indicate any
specific measures to be taken by the official or annul or order that the
official annul the decision found to be unlawful or unjustified (paragraph 21
of Ruling no. 1 of 10 February 2009 of the Plenary Supreme Court of the
Russian Federation).

3. A judicial review complaint under Chapter 25 of the Code of Civil

Procedure, the Judicial Review Act and the Code of Administrative
Procedure
92. Ruling no. 2 of 10 February 2009 of the Plenary Supreme Court of
the Russian Federation provides that complaints about decisions and acts of
officials or agencies performing operational-search activities that may not
be challenged in criminal proceedings, as well as complaints about a refusal
of access to information about the data collected in the course of
operational-search activities, may be examined in accordance with the
procedure established by Chapter 25 of the Code of Civil Procedure
(paragraph 7).
93. Chapter 25 of the Code of Civil Procedure (the CCP), in force until
15 September 2015, established the procedure for examining complaints
against decisions and acts of officials violating citizens’ rights and
freedoms, which was further detailed in the Judicial Review Act (Law
20 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

no. 4866-1 of 27 April 1993 on Judicial review of decisions and acts

violating citizens’ rights and freedoms). On 15 September 2015 Chapter 25
of the CCP and the Judicial Review Act were repealed and replaced by the
Code of Administrative Procedure (Law no. 21-FZ of 8 March 2015,
hereafter “the CAP”) which entered into force on that date. The CAP
confirmed in substance and expounded the provisions of Chapter 25 of the
CCP and the Judicial Review Act.
94. The CCP, the Judicial Review Act and the CAP all provide that a
citizen may lodge a complaint before a court about an act or decision by any
State or municipal authority or official if he considers that it has violated his
rights and freedoms (Article 254 of the CCP and section 1 of the Judicial
Review Act). The complaint may concern any decision, act or omission
which has violated the citizen’s rights or freedoms, has impeded the
exercise of rights or freedoms, or has imposed a duty or liability on him
(Article 255 of the CCP, section 2 of the Judicial Review Act and
Article 218 § 1 of the CAP).
95. The complaint must be lodged with a court of general jurisdiction
within three months of the date on which the complainant learnt of the
breach of his rights. The time-limit may be extended for valid reasons
(Article 254 of the CCP, sections 4 and 5 of the Judicial Review Act and
Articles 218 § 5 and 219 §§ 1 and 7 of the CAP). The complaint must
mention the identification number and the date of the contested decision or
the date and place of commission of the contested act (Article 220 § 2 (3) of
the CAP). The claimant must submit confirming documents or explain why
he or she is unable to submit them (Article 220 §§ 2 (8) and 3 of the CAP).
If the claimant does not meet the above requirements, the judge declares the
complaint inadmissible (Article 222 § 3 of the CAP).
96. The burden of proof as to the lawfulness of the contested decision,
act or omission lies with the authority or official concerned. The
complainant must, however, prove that his rights and freedoms were
breached by the contested decision, act or omission (section 6 of the Judicial
Review Act and Article 226 § 11 of the CAP).
97. Under the CCP the complaint had to be examined within ten days
(Article 257 of the CCP), while under the CAP it must be examined within
two months (Article 226 § 1 of the CAP). If the court finds the complaint
justified, it issues a decision annulling the contested decision or act and
requiring the authority or official to remedy in full the breach of the
citizen’s rights (Article 258 § 1 of the CCP, section 7 of the Judicial Review
Act and Article 227 §§ 2 and 3 of the CAP). The court may determine the
time-limit for remedying the violation and/or the specific steps which need
to be taken to remedy the violation in full (paragraph 28 of Ruling no. 2 of
10 February 2009 of the Plenary Supreme Court of the Russian Federation
and Article 227 § 3 of the CAP). The claimant may then claim
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 21

compensation in respect of pecuniary and non-pecuniary damage in separate

civil proceedings (section 7 of the Judicial Review Act).
98. The court may reject the complaint if it finds that the challenged act
or decision has been taken by a competent authority or official, is lawful and
does not breach the citizen’s rights (Article 258 § 4 of the CCP and
Articles 226 § 9 and 227 § 2 of the CAP).
99. A party to the proceedings may lodge an appeal with a higher court
(Article 336 of the CCP as in force until 1 January 2012, Article 320 of the
CCP as in force after 1 January 2012, and Article 228 of the CAP). The
appeal decision enters into force on the day of its delivery (Article 367 of
the CCP as in force until 1 January 2012, Article 329 § 5 as in force after
1 January 2012, and Articles 186 and 227 § 5 of the CAP).
100. The CCP provided that a judicial decision allowing a complaint and
requiring the authority or official to remedy the breach of the citizen’s rights
had to be dispatched to the head of the authority concerned, to the official
concerned or to their superiors within three days of its entry into force
(Article 258 § 2 of the CCP). The Judicial Review Act required that the
judicial decision be dispatched within ten days of its entry into force
(section 8). The CAP requires that the judicial decision be dispatched on the
day of its entry into force (Article 227 § 7). The court and the complainant
must be notified of the enforcement of the decision no later than one month
after its receipt (Article 258 § 3 of the CCP, section 8 of the Judicial Review
Act and Article 227 § 9 of the CAP).

4. A tort claim under Article 1069 the Civil Code

101. Damage caused to the person or property of a citizen shall be
compensated in full by the tortfeasor. The tortfeasor is not liable for damage
if he or she proves that the damage has been caused through no fault of his
or her own (Article 1064 §§ 1 and 2 of the Civil Code).
102. State and municipal bodies and officials shall be liable for damage
caused to a citizen by their unlawful actions or omissions (Article 1069 of
the Civil Code). Irrespective of any fault by State officials, the State or
regional treasury is liable for damage sustained by a citizen on account of
(i) unlawful criminal conviction or prosecution; (ii) unlawful application of
a preventive measure, and (iii) unlawful administrative punishment
(Article 1070 of the Civil Code).
103. A court may impose on the tortfeasor an obligation to compensate
non-pecuniary damage (physical or mental suffering). Compensation for
non-pecuniary damage is unrelated to any award in respect of pecuniary
damage (Articles 151 § 1 and 1099 of the Civil Code). The amount of
compensation is determined by reference to the gravity of the tortfeasor’s
fault and other significant circumstances. The court also takes into account
the extent of physical or mental suffering in relation to the victim’s
22 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

individual characteristics (Article 151 § 2 and Article 1101 of the Civil

Code).
104. Irrespective of the tortfeasor’s fault, non-pecuniary damage shall be
compensated for if the damage was caused (i) by a hazardous device; (ii) in
the event of unlawful conviction or prosecution or unlawful application of a
preventive measure or unlawful administrative punishment, and (iii) through
dissemination of information which was damaging to honour, dignity or
reputation (Article 1100 of the Civil Code).
105. In civil proceedings a party who alleges something must prove that
allegation, unless provided otherwise by Federal Law (Article 56 § 1 of the
CCP).

5. A complaint to the Constitutional Court

106. The Constitutional Court Act (Law no. 1-FKZ of 21 July 1994)
provides that the Constitutional Court’s opinion as to whether the
interpretation of a legislative provision adopted by judicial and other law-
enforcement practice is compatible with the Constitution, when that opinion
is expressed in a judgment, must be followed by the courts and law-
enforcement authorities from the date of that judgment’s delivery
(section 79 (5)).

J. Obligations of communications service providers

1. Obligation to protect personal data and privacy of communications

107. The Communications Act provides that communications service
providers must ensure privacy of communications. Information about the
communications transmitted by means of telecommunications networks or
mail services, and the contents of those communications may be disclosed
only to the sender and the addressee or their authorised representatives,
except in cases specified in federal laws (section 63(2) and (4) of the
Communications Act).
108. Information about subscribers and the services provided to them is
confidential. Information about subscribers includes their family names,
first names, patronymics and nicknames for natural persons; company
names and family names, first names and patronymics of company directors
and employees for legal persons; subscribers’ addresses, numbers and other
information permitting identification of the subscriber or his terminal
equipment; data from payment databases, including information about the
subscribers’ communications, traffic and payments. Information about
subscribers may not be disclosed to third persons without the subscriber’s
consent, except in cases specified in federal laws (section 53 of the
Communications Act).
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 23

2. Obligation to co-operate with law-enforcement authorities

109. The Communications Act imposes an obligation on
communications service providers to furnish to the law-enforcement
agencies, in cases specified in federal laws, information about subscribers
and services received by them and any other information they require in
order to achieve their aims and objectives (section 64(1) of the
Communications Act).
110. On 31 March 2008 the Moscow City Council discussed a proposal
to introduce an amendment to section 64(1) of the Communications Act
requiring law-enforcement agencies to show judicial authorisation to
communications service providers when requesting information about
subscribers. The representatives of the FSB and the Ministry of the Interior
informed those present that judicial decisions authorising interceptions were
classified documents and could not therefore be shown to communications
service providers. The proposal to introduce the amendment was later
rejected.
111. Communications service providers must ensure that their networks
and equipment comply with the technical requirements developed by the
Ministry of Communications in cooperation with law-enforcement agencies.
Communications service providers must also ensure that the methods and
tactics employed by law-enforcement agencies remain confidential
(section 64(2) of the Communications Act).
112. In cases specified in federal laws communications service providers
must suspend provision of service to a subscriber upon receipt of a reasoned
written order by the head of a law-enforcement agency conducting
operational-search activities or protecting national security (section 64(3) of
the Communications Act).
113. The FSB Act requires communications service providers to install
equipment permitting the FSB to carry out operational-search activities
(section 15).

3. Technical requirements for equipment to be installed by

communications service providers
114. The main characteristics of the system of technical facilities
enabling operational-search activities to be carried out (“Система
технических средств для обеспечения функций оперативно-разыскных
мероприятий” (‘СОРМ’), hereafter referred to as “the SORM”) are
outlined in a number of orders and regulations issued by the Ministry of
Communications.

(a) Order no. 70

115. Order no. 70 on the technical requirements for the system of
technical facilities enabling the conduct of operational-search activities
24 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

using telecommunications networks, issued by the Ministry of

Communications on 20 April 1999, stipulates that equipment installed by
communications service providers must meet certain technical requirements,
which are described in the addendums to the Order. The Order, with the
addendums, has been published in the Ministry of Communications’ official
magazine SvyazInform, distributed through subscription. It can also be
accessed through a privately-maintained internet legal database, which
reproduced it from the publication in SvyazInform.
116. Addendums nos. 1 and 3 describe the technical requirements for the
SORM on mobile telephone networks. They specify that interception of
communications is performed by law-enforcement agencies from a remote-
control terminal connected to the interception equipment installed by the
mobile network operators. The equipment must be capable, inter alia, of
(a) creating databases of interception subjects, to be managed from the
remote-control terminal; (b) intercepting communications and transmitting
the data thereby obtained to the remote-control terminal; (c) protecting the
data from unauthorised access, including by the employees of the mobile
network operator; (d) providing access to subscriber address databases
(paragraphs 1.1. and 1.6 of Addendum no. 1).
117. More precisely, the equipment must ensure (a) interception of all
the incoming and outgoing calls of the interception subject; (b) access to
information about his or her whereabouts; (c) maintenance of interception
capability where an ongoing connection is transferred between the networks
of different mobile network operators; (d) maintenance of interception
capability in cases involving supplementary services, such as call
forwarding, call transfer or conference calls, with the possibility of
registering the number or numbers to which the call is routed; (e) collection
of communications data concerning all types of connections, including fax,
short messaging (SMS) or other; (f) access to information about the services
provided to the interception subject (paragraph 2.1.2 of Addendum no. 1).
118. There are two types of interception: “total interception” and
“statistical monitoring”. Total interception is the real-time interception of
communications data and of the contents of all communications to or by the
interception subject. Statistical monitoring is real-time monitoring of
communications data only, with no interception of the content of
communications. Communications data include the telephone number
called, the start and end times of the connection, supplementary services
used, location of the interception subject and his or her connection status
(paragraphs 2.2 and 2.4 of Addendum no. 1).
119. The equipment installed must be capable of launching the
interception of communications within thirty seconds of receiving a
command from the remote-control terminal (paragraph 2.5 of Addendum
no. 1).
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 25

120. Information about interception subjects or about the transmittal of

any data to the remote-control terminal cannot be logged or recorded
(paragraph 5.4 of Addendum no. 1).
121. The remote-control terminal receives a password from the mobile
network operator giving it full access to the SORM. The remote-control
terminal then changes the password so that unauthorized persons cannot
gain access to the SORM. From the remote-control terminal, the SORM can
be commanded, among others, to start interception in respect of a
subscriber, interrupt or discontinue the interception, intercept a subscriber’s
ongoing communication, and submit specified information about a
subscriber (paragraph 3.1.2 of Addendum no. 3).
122. The remote-control centre receives the following automatic
notifications about the interception subjects: short messages (SMS) sent or
received by the interception subject, including their contents; a number
being dialled; a connection being established; a connection being
interrupted; use of supplementary services; a change in the subject’s
connection status or location (paragraphs 3.1.4 of Addendum no. 3).

(b) Order no. 130

123. Order no. 130 on the installation procedures for technical facilities
enabling the conduct of operational-search activities, issued by the Ministry
of Communications on 25 July 2000, stipulated that communications
service providers had to install equipment which met the technical
requirements laid down in Order no. 70. The installation procedure and
schedule had to be approved by the FSB (paragraph 1.4).
124. Communications service providers had to take measures to protect
information regarding the methods and tactics employed in operational-
search activities (paragraph 2.4)
125. Communications service providers had to ensure that any
interception of communications or access to communications data was
granted only pursuant to a court order and in accordance with the procedure
established by the OSAA (paragraph 2.5).
126. Communications service providers did not have to be informed
about interceptions in respect of their subscribers. Nor did they have to be
provided with judicial orders authorising interceptions (paragraph 2.6).
127. Interceptions were carried out by the staff and technical facilities of
the FSB and the agencies of the Ministry of the Interior (paragraph 2.7).
128. Paragraphs 1.4 and 2.6 of Order no. 130 were challenged by a
Mr N. before the Supreme Court. Mr N. argued that the reference to Order
no. 70 contained in paragraph 1.4 was unlawful, as Order no. 70 had not
been published and was invalid. As to paragraph 2.6, it was incompatible
with the Communications Act, which provided that communications service
providers had an obligation to ensure the privacy of communications. On
25 September 2000 the Supreme Court found that the reference to Order
26 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

no. 70 in paragraph 1.4 was lawful, as Order no. 70 was technical in nature
and was therefore not subject to publication in a generally accessible official
publication. It had therefore been published only in a specialised magazine.
As to paragraph 2.6, the Supreme Court considered that it could be
interpreted as requiring communications service providers to grant
law-enforcement agencies access to information about subscribers without
judicial authorisation. Such a requirement was, however, incompatible with
the Communications Act. The Supreme Court therefore found that
paragraph 2.6 was unlawful and inapplicable.
129. On 25 October 2000 the Ministry of Communications amended
Order no. 130 by repealing paragraph 2.6.
130. In reply to a request for information by the NGO “Civilian
Control”, the Ministry of Communications stated, in a letter dated
20 August 2006, that the repealing of paragraph 2.6 of Order no. 130 did not
mean that communications service providers had to be informed about
operational-search measures in respect of a subscriber or be provided with a
copy of the relevant decision granting judicial authorisation for such
surveillance.
131. Order no. 130 was repealed on 16 January 2008 (see paragraph 134
below).

(c) Order no. 538

132. Order no. 538 on cooperation between communications service
providers and law enforcement agencies, issued by the Government on
27 August 2005, provides that communications service providers must be
diligent in updating databases containing information about subscribers and
the services provided to them. That information must be stored for three
years. Law-enforcement agencies must have remote access to the databases
at all times (paragraph 12).
133. Databases must contain the following information about
subscribers: (a) first name, patronymic and family name, home address and
passport number for natural persons; (b) company name, address and list of
persons having access to the terminal equipment with their names,
patronymics and family names, home addresses and passport numbers for
legal persons; (c) information about connections, traffic and payments
(paragraph 14).

(d) Order no. 6

134. Order no. 6 on requirements for telecommunications networks
concerning the conduct of operational-search activities, Part I, issued by the
Ministry of Communications on 16 January 2008, replaced Order no. 130.
135. It retained the requirement that communications service providers
had to ensure transmittal to the relevant law-enforcement agency’s remote-
control terminal of information about (a) subscribers’ numbers and
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 27

identification codes; and (b) the contents of their communications. The

information must be transmitted in real time following a request from the
remote-control terminal. Communications service providers must also
ensure that the subscriber’s location is identified (paragraphs 2, 3 and 5).
136. The remote-control terminal must have access to databases
containing information about subscribers, including their numbers and
identification codes (paragraphs 7 and 8).
137. Communications service providers must ensure that the
interception subject remains unaware of the interception of his
communications. Information about ongoing or past interceptions must be
protected from unauthorised access by the employees of the
communications service providers (paragraph 9).

(e) Order no. 73

138. Order no. 73 on requirements for telecommunications networks
concerning the conduct of operational-search activities, Part II, issued by the
Ministry of Communications on 27 May 2010, elaborates on certain
requirements contained in Order no. 6. In particular, it provides that the
equipment installed by communications service providers must ensure that
agencies performing operational-search activities have access to all data
transmitted through the telecommunications networks and are capable of
selecting data and transmitting the selected data to its control terminal
(paragraph 2).

III. RELEVANT INTERNATIONAL AND EUROPEAN INSTRUMENTS

A. United Nations

139. Resolution no. 68/167, on The Right to Privacy in the Digital Age,
adopted by the General Assembly on 18 December 2013, reads as follows:
“The General Assembly,
...
4. Calls upon all States:
...
(c) To review their procedures, practices and legislation regarding the surveillance
of communications, their interception and the collection of personal data, including
mass surveillance, interception and collection, with a view to upholding the right to
privacy by ensuring the full and effective implementation of all their obligations under
international human rights law;
(d) To establish or maintain existing independent, effective domestic oversight
mechanisms capable of ensuring transparency, as appropriate, and accountability for
State surveillance of communications, their interception and the collection of personal
data ...”
28 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

B. Council of Europe

140. The Convention for the Protection of Individuals with regard to

Automatic Processing of Personal Data of 28 January 1981 (CETS No. 108,
hereafter “Convention no. 108”) sets out standards for data protection in the
sphere of automatic processing of personal data in the public and private
sectors. It reads:
“Article 8 – Additional safeguards for the data subject
Any person shall be enabled:
a. to establish the existence of an automated personal data file, its main purposes, as
well as the identity and habitual residence or principal place of business of the
controller of the file;
b. to obtain at reasonable intervals and without excessive delay or expense
confirmation of whether personal data relating to him are stored in the automated
data file as well as communication to him of such data in an intelligible form;
c. to obtain, as the case may be, rectification or erasure of such data if these have
been processed contrary to the provisions of domestic law giving effect to the
basic principles set out in Articles 5 and 6 of this convention;
d. to have a remedy if a request for confirmation or, as the case may be,
communication, rectification or erasure as referred to in paragraphs b and c of this
article is not complied with.
Article 9 – Exceptions and restrictions
1. No exception to the provisions of Articles 5, 6 and 8 of this convention shall be
allowed except within the limits defined in this article.
2. Derogation from the provisions of Articles 5, 6 and 8 of this convention shall be
allowed when such derogation is provided for by the law of the Party and
constitutes a necessary measure in a democratic society in the interests of:
a. protecting State security, public safety, the monetary interests of the State
or the suppression of criminal offences;
b. protecting the data subject or the rights and freedoms of others ...
Article 10 – Sanctions and remedies
Each Party undertakes to establish appropriate sanctions and remedies for violations
of provisions of domestic law giving effect to the basic principles for data protection
set out in this chapter.”
141. Convention no. 108 was ratified by Russia on 15 May 2013 and
entered into force in respect of Russia on 1 September 2013. The instrument
of ratification deposited by the Russian Federation on 15 May 2013 contains
the following declaration:
“The Russian Federation declares that in accordance with subparagraph “a” of
paragraph 2 of Article 3 of the Convention, it will not apply the Convention to
personal data:
...
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 29

(b) falling under State secrecy in accordance with the legislation of the Russian
Federation on State secrecy.
The Russian Federation declares that in accordance with subparagraph “c” of
paragraph 2 of Article 3 of the Convention, it will apply the Convention to personal
data which is not processed automatically, if the application of the Convention
corresponds to the nature of the actions performed with the personal data without
using automatic means.
The Russian Federation declares that in accordance with subparagraph “a” of
paragraph 2 of Article 9 of the Convention, it retains the right to limit the right of the
data subject to access personal data on himself for the purposes of protecting State
security and public order.”
142. The Additional Protocol to the Convention for the Protection of
Individuals with regard to Automatic Processing of Personal Data,
regarding supervisory authorities and transborder data flows of 8 November
2001 (CETS No. 181), signed but not ratified by Russia, provides as
follows:
“Article 1 – Supervisory authorities
1. Each Party shall provide for one or more authorities to be responsible for
ensuring compliance with the measures in its domestic law giving effect to the
principles stated in Chapters II and III of the Convention and in this Protocol.
2. a. To this end, the said authorities shall have, in particular, powers of
investigation and intervention, as well as the power to engage in legal proceedings or
bring to the attention of the competent judicial authorities violations of provisions of
domestic law giving effect to the principles mentioned in paragraph 1 of Article 1 of
this Protocol.
b. Each supervisory authority shall hear claims lodged by any person concerning
the protection of his/her rights and fundamental freedoms with regard to the
processing of personal data within its competence.
3. The supervisory authorities shall exercise their functions in complete
independence.
4. Decisions of the supervisory authorities, which give rise to complaints, may be
appealed against through the courts ...”
143. A Recommendation by the Committee of Ministers, regulating the
use of personal data in the police sector, adopted on 17 September 1987
(No. R (87) 15), reads as follows:
“1.1. Each member state should have an independent supervisory authority outside
the police sector which should be responsible for ensuring respect for the principles
contained in this recommendation ...
2.1. The collection of personal data for police purposes should be limited to such as
is necessary for the prevention of a real danger or the suppression of a specific
criminal offence. Any exception to this provision should be the subject of specific
national legislation.
2.2. Where data concerning an individual have been collected and stored without
his knowledge, and unless the data are deleted, he should be informed, where
30 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

practicable, that information is held about him as soon as the object of the police
activities is no longer likely to be prejudiced ...
3.1. As far as possible, the storage of personal data for police purposes should be
limited to accurate data and to such data as are necessary to allow police bodies to
perform their lawful tasks within the framework of national law and their obligations
arising from international law ...
5.2.i. Communication of data to other public bodies should only be permissible if,
in a particular case:
a. there exists a clear legal obligation or authorisation, or with the authorisation
of the supervisory authority, or if
b. these data are indispensable to the recipient to enable him to fulfil his own
lawful task and provided that the aim of the collection or processing to be carried out
by the recipient is not incompatible with the original processing, and the legal
obligations of the communicating body are not contrary to this.
5.2.ii. Furthermore, communication to other public bodies is exceptionally
permissible if, in a particular case:
a. the communication is undoubtedly in the interest of the data subject and either
the data subject has consented or circumstances are such as to allow a clear
presumption of such consent, or if
b. the communication is necessary so as to prevent a serious and imminent
danger.
5.3.i. The communication of data to private parties should only be permissible if, in
a particular case, there exists a clear legal obligation or authorisation, or with the
authorisation of the supervisory authority ...
6.4. Exercise of the rights [of the data subject] of access, rectification and erasure
should only be restricted insofar as a restriction is indispensable for the performance
of a legal task of the police or is necessary for the protection of the data subject or the
rights and freedoms of others ...
6.5. A refusal or a restriction of those rights should be reasoned in writing. It should
only be possible to refuse to communicate the reasons insofar as this is indispensable
for the performance of a legal task of the police or is necessary for the protection of
the rights and freedoms of others.
6.6. Where access is refused, the data subject should be able to appeal to the
supervisory authority or to another independent body which shall satisfy itself that the
refusal is well founded.
7.1. Measures should be taken so that personal data kept for police purposes are
deleted if they are no longer necessary for the purposes for which they were stored.
For this purpose, consideration shall in particular be given to the following criteria:
the need to retain data in the light of the conclusion of an inquiry into a particular
case; a final judicial decision, in particular an acquittal; rehabilitation; spent
convictions; amnesties; the age of the data subject, particular categories of data.
7.2. Rules aimed at fixing storage periods for the different categories of personal
data as well as regular checks on their quality should be established in agreement with
the supervisory authority or in accordance with domestic law.
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 31

8. The responsible body should take all the necessary measures to ensure the
appropriate physical and logical security of the data and prevent unauthorised access,
communication or alteration. The different characteristics and contents of files should,
for this purpose, be taken into account.”
144. A Recommendation by the Committee of Ministers on the
protection of personal data in the area of telecommunication services, with
particular reference to telephone services, adopted on 7 February 1995
(No. R (95) 4), reads in so far as relevant as follows:
“2.4. Interference by public authorities with the content of a communication,
including the use of listening or tapping devices or other means of surveillance or
interception of communications, must be carried out only when this is provided for by
law and constitutes a necessary measure in a democratic society in the interests of:
a. protecting state security, public safety, the monetary interests of the state or the
suppression of criminal offences;
b. protecting the data subject or the rights and freedoms of others.
2.5. In the case of interference by public authorities with the content of a
communication, domestic law should regulate:
a. the exercise of the data subject’s rights of access and rectification;
b. in what circumstances the responsible public authorities are entitled to refuse to
provide information to the person concerned, or delay providing it;
c. storage or destruction of such data.
If a network operator or service provider is instructed by a public authority to effect
an interference, the data so collected should be communicated only to the body
designated in the authorisation for that interference ...”

C. European Union

145. Council Resolution of 17 January 1995 on the lawful interception

of telecommunications (96/C 329/01) provides as follows:
“This section presents the requirements of law enforcement agencies relating to the
lawful interception of telecommunications. These requirements are subject to national
law and should be interpreted in accordance with applicable national policies...
1.3. Law enforcement agencies require that the telecommunications to and from a
target service be provided to the exclusion of any telecommunications that do not fall
within the scope of the interception authorization...
2. Law enforcement agencies require a real-time, fulltime monitoring capability for
the interception of telecommunications. Call associated data should also be provided
in real time. If call associated data cannot be made available in real time, law
enforcement agencies require the data to be available as soon as possible upon call
termination.
3. Law enforcement agencies require network operators/service providers to
provide one or several interfaces from which the intercepted communications can be
transmitted to the law enforcement monitoring facility. These interfaces have to be
commonly agreed on by the interception authorities and the network operators/service
32 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

providers. Other issues associated with these interfaces will be handled according to
accepted practices in individual countries...
5. Law enforcement agencies require the interception to be designed and
implemented to preclude unauthorized or improper use and to safeguard the
information related to the interception...
5.2. Law enforcement agencies require network operators/service providers to
ensure that intercepted communications are only transmitted to the monitoring agency
specified in the interception authorization...”
146. The above requirements were confirmed and expounded in Council
Resolution No. 9194/01 of 20 June 2001 on law-enforcement operational
needs with respect to public telecommunication networks and services.
147. The judgment adopted by the Court of Justice of the European
Union (the CJEU) on 8 April 2014 in the joint cases of Digital Rights
Ireland and Seitinger and Others declared invalid the Data Retention
Directive 2006/24/EC laying down the obligation on the providers of
publicly available electronic communication services or of public
communications networks to retain all traffic and location data for periods
from six months to two years, in order to ensure that the data were available
for the purpose of the investigation, detection and prosecution of serious
crime, as defined by each Member State in its national law. The CJEU noted
that, even though the directive did not permit the retention of the content of
the communication, the traffic and location data covered by it might allow
very precise conclusions to be drawn concerning the private lives of the
persons whose data had been retained. Accordingly, the obligation to retain
those data constituted in itself an interference with the right to respect for
private life and communications guaranteed by Article 7 of the Charter of
Fundamental Rights of the EU and the right to protection of personal data
under Article 8 of the Charter. Furthermore, the access of the competent
national authorities to the data constituted a further interference with those
fundamental rights. The CJEU further held that the interference was
particularly serious. The fact that data were retained and subsequently used
without the subscriber or registered user being informed was likely to
generate in the minds of the persons concerned the feeling that their private
lives were the subject of constant surveillance. The interference satisfied an
objective of general interest, namely to contribute to the fight against
serious crime and terrorism and thus, ultimately, to public security.
However, it failed to satisfy the requirement of proportionality. Firstly, the
directive covered, in a generalised manner, all persons and all means of
electronic communication as well as all traffic data without any
differentiation, limitation or exception being made in the light of the
objective of fighting against serious crime. It therefore entailed an
interference with the fundamental rights of practically the entire European
population. It applied even to persons for whom there was no evidence
capable of suggesting that their conduct might have a link, even an indirect
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 33

or remote one, with serious crime. Secondly, the directive did not contain
substantive and procedural conditions relating to the access of the
competent national authorities to the data and to their subsequent use. By
simply referring, in a general manner, to serious crime, as defined by each
Member State in its national law, the directive failed to lay down any
objective criterion by which to determine which offences might be
considered to be sufficiently serious to justify such an extensive interference
with the fundamental rights enshrined in Articles 7 and 8 of the Charter.
Above all, the access by the competent national authorities to the data
retained was not made dependent on a prior review carried out by a court or
by an independent administrative body whose decision sought to limit
access to the data and their use to what was strictly necessary for the
purpose of attaining the objective pursued. Thirdly, the directive required
that all data be retained for a period of at least six months, without any
distinction being made between the categories of data on the basis of their
possible usefulness for the purposes of the objective pursued or according to
the persons concerned. The CJEU concluded that the directive entailed a
wide-ranging and particularly serious interference with the fundamental
rights enshrined in Articles 7 and 8 of the Charter, without such an
interference being precisely circumscribed by provisions to ensure that it
was actually limited to what was strictly necessary. The CJEU also noted
that the directive did not provide for sufficient safeguards, by means of
technical and organisational measures, to ensure effective protection of the
data retained against the risk of abuse and against any unlawful access and
use of those data.

THE LAW

I. ALLEGED VIOLATION OF ARTICLE 8 OF THE CONVENTION

148. The applicant complained that the system of covert interception of

mobile telephone communications in Russia did not comply with the
requirements of Article 8 of the Convention, which reads as follows:
“1. Everyone has the right to respect for his private and family life, his home and
his correspondence.
2. There shall be no interference by a public authority with the exercise of this right
except such as is in accordance with the law and is necessary in a democratic society
in the interests of national security, public safety or the economic well-being of the
country, for the prevention of disorder or crime, for the protection of health or morals,
or for the protection of the rights and freedoms of others.”
34 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

A. Admissibility

149. The Government submitted that the applicant could not claim to be
a victim of the alleged violation of his right to respect for his private life or
correspondence (see paragraphs 152 to 157 below). Moreover, he had not
exhausted domestic remedies (see paragraphs 219 to 226 below).
150. The Court considers that the Government’s objections are so
closely linked to the substance of the applicant’s complaint that they must
be joined to the merits.
151. The Court further notes that this complaint is not manifestly
ill-founded within the meaning of Article 35 § 3 (a) of the Convention. It is
not inadmissible on any other grounds. It must therefore be declared
admissible.

B. Merits

1. The applicant’s victim status and the existence of an “interference”

(a) Submissions by the parties

(i) The Government

152. The Government submitted that the applicant could not claim to be
a victim of the alleged violation of Article 8 of the Convention and that
there had been no interference with his rights. He had not complained that
his communications had been intercepted. The gist of his complaint before
the domestic courts and the Court was that communications service
providers had installed special equipment enabling the authorities to
perform operational-search activities. In the Government’s opinion, the case
of Orange Slovensko, A. S. v. Slovakia ((dec.), no. 43983/02, 24 October
2006) confirmed that installation of interception equipment, or even its
financing, by private companies was not in itself contrary to the
Convention.
153. The Government further submitted that Article 34 could not be
used to lodge an application in the nature of an actio popularis; nor could it
form the basis of a claim made in abstracto that a law contravened the
Convention (they referred to Aalmoes and 112 Others v. the Netherlands
(dec.), no. 16269/02, 25 November 2004). They argued that the approach to
victim status established in the cases of Klass and Others v. Germany
(6 September 1978, § 34, Series A no. 28) and Malone v. the United
Kingdom (2 August 1984, § 64, Series A no. 82) – according to which an
individual might, under certain conditions, claim to be the victim of a
violation occasioned by the mere existence of secret measures or of
legislation permitting secret measures, without having to allege that such
measures had been in fact applied to him or her – could not be interpreted so
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 35

broadly as to encompass every person in the respondent State who feared

that the security services might have compiled information about him or her.
An applicant was required to demonstrate that there was a “reasonable
likelihood” that the security services had compiled and retained information
concerning his or her private life (they referred to Esbester v. the United
Kingdom, no. 18601/91, Commission decision of 2 April 1993; Redgrave
v. the United Kingdom, no. 20271/92, Commission decision of 1 September
1993; Matthews v. the United Kingdom, no. 28576/95, Commission decision
of 16 October 1996; Halford v. the United Kingdom, 25 June 1997, § 17,
Reports of Judgments and Decisions 1997-III; Weber and Saravia
v. Germany (dec.), no. 54934/00, §§ 4-6 and 78, ECHR 2006-XI; and
Kennedy v. the United Kingdom, no. 26839/05, §§ 122 and 123, 18 May
2010).
154. The Government maintained that exceptions to the rule of
“reasonable likelihood” were permissible only for special reasons. An
individual could claim an interference as a result of the mere existence of
legislation permitting secret surveillance measures in exceptional
circumstances only, having regard to the availability of any remedies at the
national level and the risk of secret surveillance measures being applied to
him or her (they cited Kennedy, cited above, § 124). According to the
Government, no such special reasons could be established in the present
case.
155. Firstly, there was no “reasonable likelihood”, or indeed any risk
whatsoever, that the applicant had been subjected to surveillance measures
because he had not been suspected of any criminal offences. The fact that he
was the editor-in-chief of a publishing company could not serve as a ground
for interception under Russian law. The Government asserted that the
applicant’s telephone conversations had never been intercepted. The
applicant had not produced any proof to the contrary. The documents
submitted by him in the domestic proceedings had concerned third persons
and had not contained any proof that his telephone had been tapped.
156. Secondly, remedies were available at the national level to challenge
both the alleged insufficiency of safeguards against abuse in Russian law
and any specific surveillance measures applied to an individual. It was
possible to request the Constitutional Court to review the constitutionality
of the OSAA. It was also possible to lodge a complaint with the Supreme
Court, as had been successfully done by Mr N., who had obtained a finding
of unlawfulness in respect of a provision of the Ministry of
Communications’ Order no. 130 (see paragraph 128 above). As regards
Order no. 70, contrary to the applicant’s allegations, it had been duly
published (see paragraph 181 below) and could therefore be challenged in
courts. A person whose communications had been intercepted unlawfully
without prior judicial authorisation could also obtain redress in a civil court.
The Government referred to the Supreme Court’s judgment of 15 July 2009,
36 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

which found that the installation of a video camera in the claimant’s office
and the tapping of his office telephone had been unlawful because those
surveillance measures had been carried out without prior judicial
authorisation (see also paragraphs 219 to 224 below). Finally, Russian law
provided for supervision of interception of communications by an
independent body, the prosecutor’s office.
157. The Government concluded, in view of the above, that the present
case was different from the case of Association for European Integration
and Human Rights and Ekimdzhiev v. Bulgaria (no. 62540/00, 28 June
2007) where the Court had refused to apply the “reasonable likelihood” test
because of the absence of any safeguards against unlawful interception in
Bulgaria. Given that Russian law provided for adequate and sufficient
safeguards against abuse in the sphere of interception of communications,
including available remedies, in the Government’ opinion, the applicant
could not claim an interference as a result of the mere existence of
legislation permitting secret surveillance. In the absence of a “reasonable
likelihood” that his telephone communications had been intercepted, he
could not claim to be a victim of the alleged violation of Article 8 of the
Convention.
(ii) The applicant
158. The applicant submitted that he could claim to be a victim of a
violation of Article 8 occasioned by the mere existence of legislation which
allowed a system of secret interception of communications, without having
to demonstrate that such secret measures had been in fact applied to him.
The existence of such legislation entailed a threat of surveillance for all
users of the telecommunications services and therefore amounted in itself to
an interference with the exercise of his rights under Article 8. He relied in
support of his position on the cases of Klass and Others (cited above, §§ 34
and 37), Association for European Integration and Human Rights and
Ekimdzhiev (cited above, § 58) and Kennedy (cited above, § 123).
159. The applicant maintained that the test of “reasonable likelihood”
had been applied by the Court only in those cases where the applicant had
alleged actual interception, while in the cases concerning general complaints
about legislation and practice permitting secret surveillance measures the
“mere existence” test established in the Klass and Others judgment had
been applied (see Association for European Integration and Human Rights
and Ekimdzhiev, cited above, § 59, and Kennedy, cited above, §§ 122 and
123, with further references). In the case of Liberty and Others v. the United
Kingdom (no. 58243/00, §§ 56 and 57, 1 July 2008), the Court found that
the existence of powers permitting the authorities to intercept
communications constituted an interference with the Article 8 rights of the
applicants, since they were persons to whom these powers might have been
applied. In the case of Kennedy (cited above, § 124) that test had been
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 37

further elaborated to include the assessment of availability of any remedies

at the national level and the risk of secret surveillance measures being
applied to the applicant. Finally, in the case of Mersch and Others
v. Luxemburg (nos. 10439/83 et al., Commission decision of 10 May 1985)
the Commission found that in those cases where the authorities had no
obligation to notify the persons concerned about the surveillance measures
to which they had been subjected, the applicants could claim to be “victims”
of a violation of the Convention on account of the mere existence of secret
surveillance legislation, even though they could not allege in support of
their applications that they had been subjected to an actual measure of
surveillance.
160. The applicant argued that he could claim to be a victim of a
violation of Article 8, on account both of the mere existence of secret
surveillance legislation and of his personal situation. The OSAA, taken
together with the FSB Act, the Communications Act and the Orders adopted
by the Ministry of Communication, such as Order no. 70, permitted the
security services to intercept, through technical means, any person’s
communications without obtaining prior judicial authorisation for
interception. In particular, the security services had no obligation to produce
the interception authorisation to any person, including the communications
service provider. The contested legislation therefore permitted blanket
interception of communications.
161. No remedies were available under Russian law to challenge that
legislation. Thus, as regards the possibility to challenge Order no. 70, the
applicant referred to the Supreme Court’s decision of 25 September 2000 on
a complaint by a Mr N. (see paragraph 128 above), finding that that Order
was technical rather than legal in nature and was therefore not subject to
official publication. He also submitted a copy of the decision of 24 May
2010 by the Supreme Commercial Court finding that the Orders by the
Ministry of Communications requiring communications providers to install
equipment enabling the authorities to perform operational-search activities
were not subject to judicial review in commercial courts. The domestic
proceedings brought by the applicant had shown that Order no. 70 could not
be effectively challenged before Russian courts. Further, as far as the OSAA
was concerned, the Constitutional Court had already examined its
constitutionality on a number of occasions and had found that it was
compatible with the Constitution. Finally, as regards the possibility to
challenge individual surveillance measures, the applicant submitted that the
person concerned was not notified about the interception, unless the
intercepted material had been used as evidence in criminal proceedings
against him. In the absence of notification, the domestic remedies were
ineffective (see also paragraph 217 below).
162. As to his personal situation, the applicant submitted that he was a
journalist and the chairperson of the St Petersburg branch of the Glasnost
38 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

Defence Foundation, which monitored the state of media freedom and

provided legal support to journalists whose professional rights had been
violated (see paragraph 8 above). His communications were therefore at an
increased risk of being intercepted. The applicant referred in that connection
to the fundamental importance of protecting journalists’ sources,
emphasised by the Grand Chamber judgment in Sanoma Uitgevers B.V.
v. the Netherlands ([GC], no. 38224/03, § 50, 14 September 2010).

(b) The Court’s assessment

163. The Court observes that the applicant in the present case claims that
there has been an interference with his rights as a result of the mere
existence of legislation permitting covert interception of mobile telephone
communications and a risk of being subjected to interception measures,
rather than as a result of any specific interception measures applied to him.
(i) Summary of the Court’s case-law
164. The Court has consistently held in its case-law that the Convention
does not provide for the institution of an actio popularis and that its task is
not normally to review the relevant law and practice in abstracto, but to
determine whether the manner in which they were applied to, or affected,
the applicant gave rise to a violation of the Convention (see, among other
authorities, N.C. v. Italy [GC], no. 24952/94, § 56, ECHR 2002-X; Krone
Verlag GmbH & Co. KG v. Austria (no. 4), no. 72331/01, § 26, 9 November
2006; and Centre for Legal Resources on behalf of Valentin Câmpeanu
v. Romania [GC], no. 47848/08, § 101, ECHR 2014). Accordingly, in order
to be able to lodge an application in accordance with Article 34, an
individual must be able to show that he or she was “directly affected” by the
measure complained of. This is indispensable for putting the protection
mechanism of the Convention into motion, although this criterion is not to
be applied in a rigid, mechanical and inflexible way throughout the
proceedings (see Centre for Legal Resources on behalf of Valentin
Câmpeanu, cited above, § 96).
165. Thus, the Court has permitted general challenges to the relevant
legislative regime in the sphere of secret surveillance in recognition of the
particular features of secret surveillance measures and the importance of
ensuring effective control and supervision of them. In the case of Klass and
Others v. Germany the Court held that an individual might, under certain
conditions, claim to be the victim of a violation occasioned by the mere
existence of secret measures or of legislation permitting secret measures,
without having to allege that such measures had been in fact applied to him.
The relevant conditions were to be determined in each case according to the
Convention right or rights alleged to have been infringed, the secret
character of the measures objected to, and the connection between the
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 39

applicant and those measures (see Klass and Others, cited above, § 34). The
Court explained the reasons for its approach as follows:
“36. The Court points out that where a State institutes secret surveillance the
existence of which remains unknown to the persons being controlled, with the effect
that the surveillance remains unchallengeable, Article 8 could to a large extent be
reduced to a nullity. It is possible in such a situation for an individual to be treated in a
manner contrary to Article 8, or even to be deprived of the right granted by that
Article, without his being aware of it and therefore without being able to obtain a
remedy either at the national level or before the Convention institutions ...
The Court finds it unacceptable that the assurance of the enjoyment of a right
guaranteed by the Convention could be thus removed by the simple fact that the
person concerned is kept unaware of its violation. A right of recourse to the
Commission for persons potentially affected by secret surveillance is to be derived
from Article 25 [currently Article 34], since otherwise Article 8 runs the risk of being
nullified.
37. As to the facts of the particular case, the Court observes that the contested
legislation institutes a system of surveillance under which all persons in the Federal
Republic of Germany can potentially have their mail, post and telecommunications
monitored, without their ever knowing this unless there has been either some
indiscretion or subsequent notification in the circumstances laid down in the Federal
Constitutional Court’s judgment ... To that extent, the disputed legislation directly
affects all users or potential users of the postal and telecommunication services in the
Federal Republic of Germany. Furthermore, as the Delegates rightly pointed out, this
menace of surveillance can be claimed in itself to restrict free communication through
the postal and telecommunication services, thereby constituting for all users or
potential users a direct interference with the right guaranteed by Article 8 ...
38. Having regard to the specific circumstances of the present case, the Court
concludes that each of the applicants is entitled to ‘(claim) to be the victim of a
violation’ of the Convention, even though he is not able to allege in support of his
application that he has been subject to a concrete measure of surveillance. The
question whether the applicants were actually the victims of any violation of the
Convention involves determining whether the contested legislation is in itself
compatible with the Convention’s provisions ...”
166. Following the Klass and Others case, the case-law of the
Convention organs developed two parallel approaches to victim status in
secret surveillance cases.
167. In several cases the Commission and the Court held that the test in
Klass and Others could not be interpreted so broadly as to encompass every
person in the respondent State who feared that the security services might
have compiled information about him or her. An applicant could not,
however, be reasonably expected to prove that information concerning his
or her private life had been compiled and retained. It was sufficient, in the
area of secret measures, that the existence of practices permitting secret
surveillance be established and that there was a reasonable likelihood that
the security services had compiled and retained information concerning his
or her private life (see Esbester, cited above; Redgrave, cited above;
Christie v. the United Kingdom, no. 21482/93, Commission decision of
40 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

27 June 1994; Matthews, cited above; Halford, cited above, §§ 47 and

55-57; and Iliya Stefanov v. Bulgaria, no. 65755/01, §§ 49 and 50, 22 May
2008). In all of the above cases the applicants alleged actual interception of
their communications. In some of them they also made general complaints
about legislation and practice permitting secret surveillance measures
(see Esbester, Redgrave, Matthews, and Christie, all cited above).
168. In other cases the Court reiterated the Klass and Others approach
that the mere existence of laws and practices which permitted and
established a system for effecting secret surveillance of communications
entailed a threat of surveillance for all those to whom the legislation might
be applied. This threat necessarily affected freedom of communication
between users of the telecommunications services and thereby amounted in
itself to an interference with the exercise of the applicants’ rights under
Article 8, irrespective of any measures actually taken against them
(see Malone, cited above, § 64; Weber and Saravia, cited above, § 78;
Association for European Integration and Human Rights and Ekimdzhiev,
cited above, §§ 58, 59 and 69; Liberty and Others, cited above, §§ 56 and
57; and Iordachi and Others v. Moldova, no. 25198/02, §§ 30-35,
10 February 2009). In all of the above cases the applicants made general
complaints about legislation and practice permitting secret surveillance
measures. In some of them they also alleged actual interception of their
communications (see Malone, cited above, § 62; and Liberty and Others,
cited above, §§ 41 and 42).
169. Finally, in its most recent case on the subject, Kennedy
v. the United Kingdom, the Court held that sight should not be lost of the
special reasons justifying the Court’s departure, in cases concerning secret
measures, from its general approach which denies individuals the right to
challenge a law in abstracto. The principal reason was to ensure that the
secrecy of such measures did not result in the measures being effectively
unchallengeable and outside the supervision of the national judicial
authorities and the Court. In order to assess, in a particular case, whether an
individual can claim an interference as a result of the mere existence of
legislation permitting secret surveillance measures, the Court must have
regard to the availability of any remedies at the national level and the risk of
secret surveillance measures being applied to him or her. Where there is no
possibility of challenging the alleged application of secret surveillance
measures at domestic level, widespread suspicion and concern among the
general public that secret surveillance powers are being abused cannot be
said to be unjustified. In such cases, even where the actual risk of
surveillance is low, there is a greater need for scrutiny by this Court
(see Kennedy, cited above, § 124).
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 41

(ii) Harmonisation of the approach to be taken

170. The Court considers, against this background, that it is necessary to
clarify the conditions under which an applicant can claim to be the victim of
a violation of Article 8 without having to prove that secret surveillance
measures had in fact been applied to him, so that a uniform and foreseeable
approach may be adopted.
171. In the Court’s view the Kennedy approach is best tailored to the
need to ensure that the secrecy of surveillance measures does not result in
the measures being effectively unchallengeable and outside the supervision
of the national judicial authorities and of the Court. Accordingly, the Court
accepts that an applicant can claim to be the victim of a violation
occasioned by the mere existence of secret surveillance measures, or
legislation permitting secret surveillance measures, if the following
conditions are satisfied. Firstly, the Court will take into account the scope of
the legislation permitting secret surveillance measures by examining
whether the applicant can possibly be affected by it, either because he or she
belongs to a group of persons targeted by the contested legislation or
because the legislation directly affects all users of communication services
by instituting a system where any person can have his or her
communications intercepted. Secondly, the Court will take into account the
availability of remedies at the national level and will adjust the degree of
scrutiny depending on the effectiveness of such remedies. As the Court
underlined in Kennedy, where the domestic system does not afford an
effective remedy to the person who suspects that he or she was subjected to
secret surveillance, widespread suspicion and concern among the general
public that secret surveillance powers are being abused cannot be said to be
unjustified (see Kennedy, cited above, § 124). In such circumstances the
menace of surveillance can be claimed in itself to restrict free
communication through the postal and telecommunication services, thereby
constituting for all users or potential users a direct interference with the
right guaranteed by Article 8. There is therefore a greater need for scrutiny
by the Court and an exception to the rule, which denies individuals the right
to challenge a law in abstracto, is justified. In such cases the individual does
not need to demonstrate the existence of any risk that secret surveillance
measures were applied to him. By contrast, if the national system provides
for effective remedies, a widespread suspicion of abuse is more difficult to
justify. In such cases, the individual may claim to be a victim of a violation
occasioned by the mere existence of secret measures or of legislation
permitting secret measures only if he is able to show that, due to his
personal situation, he is potentially at risk of being subjected to such
measures.
172. The Kennedy approach therefore provides the Court with the
requisite degree of flexibility to deal with a variety of situations which
might arise in the context of secret surveillance, taking into account the
42 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

particularities of the legal systems in the member States, namely the

available remedies, as well as the different personal situations of applicants.
(iii) Application to the present case
173. It is not disputed that mobile telephone communications are
covered by the notions of “private life” and “correspondence” in
Article 8 § 1 (see, for example, Liberty and Others, cited above, § 56).
174. The Court observes that the applicant in the present case claims that
there has been an interference with his rights as a result of the mere
existence of legislation permitting secret surveillance measures and a risk of
being subjected to such measures, rather than as a result of any specific
surveillance measures applied to him.
175. The Court notes that the contested legislation institutes a system of
secret surveillance under which any person using mobile telephone services
of Russian providers can have his or her mobile telephone communications
intercepted, without ever being notified of the surveillance. To that extent,
the legislation in question directly affects all users of these mobile telephone
services.
176. Furthermore, for the reasons set out below (see paragraphs 286 to
300), Russian law does not provide for effective remedies for a person who
suspects that he or she was subjected to secret surveillance.
177. In view of the above finding, the applicant does not need to
demonstrate that, due to his personal situation, he is at risk of being
subjected to secret surveillance.
178. Having regard to the secret nature of the surveillance measures
provided for by the contested legislation, the broad scope of their
application, affecting all users of mobile telephone communications, and the
lack of effective means to challenge the alleged application of secret
surveillance measures at domestic level, the Court considers an examination
of the relevant legislation in abstracto to be justified.
179. The Court therefore finds that the applicant is entitled to claim to be
the victim of a violation of the Convention, even though he is unable to
allege that he has been subject to a concrete measure of surveillance in
support of his application. For the same reasons, the mere existence of the
contested legislation amounts in itself to an interference with the exercise of
his rights under Article 8. The Court therefore dismisses the Government’s
objection concerning the applicant’s lack of victim status.
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 43

2. The justification for the interference

(a) Submissions by the parties

(i) Accessibility of domestic law

180. The applicant submitted that the addendums to Order no. 70
describing the technical requirements for the equipment to be installed by
communications service providers had never been officially published and
were not accessible to the public. In the applicant’s opinion, in so far as they
determined the powers of the law-enforcement authorities with regard to
secret surveillance, they affected citizens’ rights and ought therefore to have
been published. The fact that the applicant had eventually had access to the
addendums in the domestic proceedings could not remedy the lack of an
official publication (he referred to Kasymakhunov and Saybatalov v. Russia,
nos. 26261/05 and 26377/06, § 92, 14 March 2013). Citizens should not be
required to engage judicial proceedings to obtain access to regulations
applicable to them. The Court had already found that it was essential to have
clear, detailed and accessible rules on the application of secret measures of
surveillance (Shimovolos v. Russia, no. 30194/09, § 68, 21 June 2011).
181. The Government submitted that Order no. 70 was technical in
nature and was not therefore subject to official publication. It had been
published in a specialised magazine, SvyazInform, in issue no. 6 of 1999. It
was also available in the ConsultantPlus internet legal database, and was
accessible without charge. The applicant had submitted a copy of the Order
with its addendums to the Court, which showed that he had been able to
obtain access to it. The domestic law was therefore accessible.
(ii) Scope of application of secret surveillance measures
182. The applicant submitted that the Court had already found that the
OSAA did not meet the “foreseeability” requirement because the legal
discretion of the authorities to order “an operative experiment” involving
recording of private communications through a radio-transmitting device
was not subject to any conditions, and the scope and the manner of its
exercise were not defined (see Bykov v. Russia [GC], no. 4378/02, § 80,
10 March 2009). The present case was similar to the Bykov case. In
particular, Russian law did not clearly specify the categories of persons who
might be subjected to interception measures. In particular, surveillance
measures were not limited to persons suspected or accused of criminal
offences. Any person who had information about a criminal offence could
have his or her telephone tapped. Furthermore, interception was not limited
to serious and especially serious offences. Russian law allowed interception
measures in connection with offences of medium severity, such as, for
example, pickpocketing.
44 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

183. The Government submitted that interception of communications

might be conducted only following the receipt of information that a criminal
offence had been committed or was ongoing, or was being plotted;
about persons conspiring to commit, or committing, or having committed a
criminal offence; or about events or activities endangering the national,
military, economic or ecological security of the Russian Federation. The
Constitutional Court had held in its ruling of 14 July 1998 that collecting
information about a person’s private life was permissible only with the aim
of preventing, detecting and investigating criminal offences or in pursuance
of other lawful aims listed in the OSAA.
184. Only offences of medium severity, serious offences and especially
serious offences might give rise to an interception order and only persons
suspected of such offences or who might have information about such
offences could be subject to interception measures. The Government
submitted in this connection that the Court had already found that
surveillance measures in respect of a person who was not suspected of any
offence could be justified under the Convention (see Greuter
v. the Netherlands (dec.), no. 40045/98, 19 March 2002).
185. Further, in respect of interceptions for the purposes of protecting
national security, the Government argued that the requirement of
“foreseeability” of the law did not go so far as to compel States to enact
legal provisions listing in detail all conduct that might prompt a decision to
subject an individual to surveillance on “national security” grounds
(see Kennedy, cited above, § 159).
(iii) The duration of secret surveillance measures
186. The applicant submitted that the OSAA did not explain under
which circumstance interception could be extended beyond six months. Nor
did it establish the maximum duration of interception measures.
187. The Government submitted that under Russian law interception
might be authorised by a judge for a maximum period of six months and
might be extended if necessary. It had to be discontinued if the investigation
was terminated. They argued that it was reasonable to leave the duration of
the interception to the discretion of the domestic authorities, having regard
to the complexity and the duration of the investigation in a specific case
(see Kennedy, cited above). They also referred to the case of Van Pelt
v. the Netherlands (no. 20555/92, Commission decision of 6 April 1994),
where the Commission had found that the tapping of the applicant’s
telephone for almost two years had not violated the Convention.
(iv) Procedures to be followed for storing, accessing, examining, using,
communicating and destroying the intercepted data
188. The applicant further submitted that the OSAA did not specify the
procedures to be followed for examining, storing, accessing or using the
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 45

intercept data or the precautions to be taken when communicating the data

to other parties. It provided that the data had to be destroyed within six
months, unless that data were needed in the interest of the service or of
justice. There was however no definition of what the “interest of the service
or of justice” meant. Russian law also gave complete freedom to the trial
judge as to whether to store or to destroy data used in evidence after the end
of the trial.
189. The Government submitted that the OSAA required that records of
intercepted communications had to be stored under conditions excluding
any risk of their being listened to or copied by unauthorised persons. The
judicial decision authorising interception of communications, the materials
that served as a basis for that decision and the data collected as result of
interception constituted a State secret and were to be held in the exclusive
possession of the State agency performing interceptions. If it was necessary
to transmit them to an investigator, a prosecutor or a court, they could be
declassified by the heads of the agencies conducting operational-search
activities. Interception authorisations were declassified by the courts which
had issued them. The procedure for transmitting the data collected in the
course of operational-search activities to the competent investigating
authorities or a court was set out in the Ministry of the Interior’s Order of
27 September 2013 (see paragraph 58 above).
190. The data collected in the course of operational-search activities
were to be stored for one year and then destroyed, unless it was needed in
the interests of the service or of justice. Recordings were to be stored for six
months and then destroyed. Russian law was therefore foreseeable and
contained sufficient safeguards.

(v) Authorisation of secret surveillance measures

(α) The applicant

191. The applicant submitted that although domestic law required prior
judicial authorisation for interceptions, the authorisation procedure did not
provide for sufficient safeguards against abuse. Firstly, in urgent cases
communications could be intercepted without judicial authorisation for up
to forty-eight hours. Secondly, in contrast to the CCrP, the OSAA did not
provide for any requirements concerning the content of the interception
authorisation. In particular, it did not require that the interception subject be
clearly specified in the authorisation by name, telephone number or address
(see, by contrast, the United Kingdom’s and Bulgarian legislation
reproduced in Kennedy, cited above, §§ 41 and 160; and Association for
European Integration and Human Rights and Ekimdzhiev, cited above,
§ 13). Nor did domestic law require that the authorisation specify which
communications, or types of communications, should be recorded in order
to limit the law-enforcement authorities’ discretion to determine the scope
46 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

of surveillance measures. Russian law did not establish any special rules for
surveillance in sensitive situations, for example where the confidentiality of
journalists’ sources was at stake, or where surveillance concerned privileged
lawyer-client communications.
192. The applicant further submitted that the domestic law did not
impose any requirement on the judge to verify the existence of a
“reasonable suspicion” against the person concerned or to apply the
“necessity” and “proportionality” test. The requesting authorities had no
obligation to attach any supporting materials to the interception requests.
Moreover, the OSAA expressly prohibited submission to the judge of
certain materials – those containing information about undercover agents or
police informers or about the organisation and tactics of operational-search
measures – thereby making it impossible for the judge to effectively verify
the existence of a “reasonable suspicion”. Russian law did not require that
the judge should authorise interception only when it was impossible to
achieve the legitimate aims by other less intrusive means.
193. In support of his allegation that the judges did not verify the
existence of a “reasonable suspicion” against the person concerned and did
not apply the “necessity” and “proportionality” test, the applicant produced
copies of analytical notes issued by three District Courts in different
Russian regions (the Tambov region, the Tula region and the Dagestan
Republic). The courts summarised their own case-law concerning
operational-search measures involving interference with the privacy of
communications or privacy of the home for the period from 2010 to 2013.
One of the courts noted that it refused authorisation to carry out an
operational-search measure if it did not appear on the list of operational-
search measures in the OSAA, if the request for authorisation was not
signed by a competent official or was not reasoned, or if the case fell under
statutory restrictions on the use of that measure (for example, relating to the
person’s status or to the nature of the offence). Authorisation was given if
all of the above conditions were met. Another court stated that authorisation
could also be refused if the request was insufficiently reasoned, that is, if it
did not contain sufficient information permitting the judge to ascertain that
the measure was lawful and justified. The third court stated that it granted
authorisation if that was requested by the law-enforcement authorities. It
never refused a request for authorisation. All three courts considered that the
request was sufficiently reasoned if it referred to the existence of
information listed in section 8(2) of the OSAA (see paragraph 31 above).
One of the courts noted that supporting materials were never attached to
requests for authorisation; another court noted that some, but not all, of the
requests were accompanied by supporting materials, while the third court
stated that all requests were accompanied by supporting materials. In all
three courts the judges never requested the law-enforcement authorities to
submit additional supporting materials, such as materials confirming the
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 47

grounds for the interception or proving that the telephone numbers to be

tapped belonged to the person concerned. Two courts granted interception
authorisations in respect of unidentified persons, one of them specifying that
such authorisations only concerned collection of data from technical
channels of communication. Such authorisations did not mention a specific
person or a telephone number to be tapped, but authorised interception of all
telephone communications in the area where a criminal offence had been
committed. One court never gave such authorisations. Two courts noted that
authorisations always indicated the duration for which the interception was
authorised, while one court stated that the duration of interception was not
indicated in the authorisations issued by it. Finally, none of the three courts
had examined any complaints from persons whose communications had
been intercepted.
194. The applicant also produced official statistics by the Supreme Court
for the period from 2009 to 2013. It could be seen from those statistics that
in 2009 Russian courts granted 130,083 out of 132,821 requests under the
CCrP and 245,645 out of 246,228 requests under the OSAA (99%). In 2010
the courts allowed 136,953 out of 140,372 interception requests under the
CCrP and 276,682 out of 284,137 requests under the OSAA. In 2011 the
courts allowed 140,047 out of 144,762 interception requests under the CCrP
and 326,105 out of 329,415 requests under the OSAA. In 2012 they granted
156,751 out of 163,469 interception requests under the CCrP (95%) and
372,744 out of 376,368 requests under the OSAA (99%). In 2013 the courts
allowed 178,149 out of 189,741 interception requests lodged under the
CCrP (93%) and 416,045 out of 420,242 interception requests lodged under
the OSAA (99%). The applicant drew the Court’s attention to the fact that
the number of interception authorisations had almost doubled between 2009
and 2013. He also argued that the very high percentage of authorisations
granted showed that the judges did not verify the existence of a “reasonable
suspicion” against the interception subject and did not exercise careful and
rigorous scrutiny. As a result interceptions were ordered in respect of vast
numbers of people in situations where the information could have been
obtained by other less intrusive means.
195. The applicant concluded from the above that the authorisation
procedure was defective and was therefore not capable of confining the use
of secret surveillance measures to what was necessary in a democratic
society.
196. As regards safeguards against unauthorised interceptions, the
applicant submitted that the law-enforcement authorities were not required
under domestic law to show judicial authorisation to the communications
service provider before obtaining access to a person’s communications. All
judicial authorisations were classified documents, kept in the exclusive
possession of law-enforcement authorities. An obligation to forward an
interception authorisation to the communications service provider was
48 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

mentioned only once in Russian law in connection with monitoring of

communications-related data under the CCrP (see paragraph 48 above). The
equipment the communications service providers had installed pursuant to
the Orders issued by the Ministry of Communications, in particular the
unpublished addendums to Order No. 70, allowed the law-enforcement
authorities direct and unrestricted access to all mobile telephone
communications of all users. The communications service providers also
had an obligation under Order no. 538 to create databases storing for three
years information about all subscribers and the services provided to them.
The secret services had direct remote access to those databases. The manner
in which the system of secret surveillance thus operated gave the security
services and the police technical means to circumvent the authorisation
procedure and to intercept any communications without obtaining prior
judicial authorisation. The necessity to obtain prior judicial authorisation
therefore arose only in those cases where the intercepted data had to be used
as evidence in criminal proceedings.
197. The applicant produced documents showing, in his view, that law-
enforcement officials unlawfully intercepted telephone communications
without prior judicial authorisation and disclosed the records to
unauthorised persons. For example, he produced printouts from the Internet
containing transcripts of the private telephone conversations of politicians.
He also submitted news articles describing criminal proceedings against
several high-ranking officers from the police technical department. The
officers were suspected of unlawfully intercepting the private
communications of politicians and businessmen in return for bribes from
their political or business rivals. The news articles referred to witness
statements to the effect that intercepting communications in return for bribes
was a widespread practice and that anyone could buy a transcript of another
person’s telephone conversations from the police.
(β) The Government
198. The Government submitted that any interception of telephone or
other communications had to be authorised by a court. The court took a
decision on the basis of a reasoned request by a law-enforcement authority.
The burden of proof was on the requesting authority to justify the necessity
of the interception measures. To satisfy that burden of proof, the requesting
authorities enclosed with their request all relevant supporting materials,
except materials containing information about undercover agents or police
informers or about the organisation and tactics of operational-search
measures. That exception was justified by the necessity to ensure the
security and protection of undercover agents and police informers and their
family members and was therefore compatible with the Convention.
199. The Government further referred to the Plenary Supreme Court’s
Ruling of 27 June 2013, which explained to the lower courts that any
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 49

restrictions on human rights and freedoms had to be prescribed by law and

be necessary in a democratic society, that is, proportionate to a legitimate
aim. Courts were instructed to rely on established facts, verify the existence
of relevant and sufficient reasons to justify a restriction on an individual’s
right and balance the interests of the individual whose rights were restricted
against the interests of other individuals, the State and society. The OSAA
explicitly required the courts to give reasons for the decision to authorise
interception. In line with the Constitutional Court’s decision of 8 February
2007 (see paragraph 42 above), the interception authorisation was to refer to
the specific grounds for suspecting the person in respect of whom
operational-search measures were requested of a criminal offence or of
activities endangering national, military, economic or ecological security. In
its decision of 2 October 2003 (see paragraph 41 above), the Constitutional
Court also held that judges had an obligation to examine the materials
submitted to them carefully and thoroughly.
200. According to the Government, in practice, each interception
authorisation specified the State agency which was responsible for
performing the interception, the grounds for conducting the surveillance
measures and the reasons why they were necessary, a reference to
applicable legal provisions, the person whose communications were to be
intercepted, the grounds for suspecting that person’s involvement in the
commission of a specific criminal offence, that person’s telephone number
or IMEI code, the period of time for which the authorisation was granted
and other necessary information. In exceptional circumstances it was
permissible to authorise the interception of communications of unidentified
persons. As a rule, in such cases a judge authorised the collection of data
from technical channels of communication in order to identify the persons
present at a specific location at the time that a criminal offence was
committed there. That practice was compatible with the principles
established in the Court’s case-law, because in such cases the interception
authorisation specified a single set of premises (locations) as the premises
(locations) in respect of which the authorisation was ordered (they referred
to Kennedy, cited above).
201. Russian law permitted communications to be intercepted without
prior judicial authorisation in cases of urgency. A judge had to be informed
of any such case within twenty-four hours and judicial authorisation for
continuing the interception had to be obtained within forty-eight hours.
According to the Government, the judge had to examine the lawfulness of
such interception even in those cases when it had already been discontinued.
They referred to an appeal judgment of 13 December 2013, in a criminal
case in which the Supreme Court declared inadmissible as evidence
recordings of telephone conversations obtained under the urgent procedure
without prior judicial authorisation. The Supreme Court had held that
50 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

although a judge had been informed about the interception, no judicial

decision on its lawfulness and necessity had ever been issued.
(vi) Supervision of the implementation of secret surveillance measures

(α) The applicant

202. Regarding supervision of interceptions, the applicant argued at the
outset that in Russia the effectiveness of any supervision was undermined
by the absence of an obligation on the intercepting authorities to keep
records of interceptions carried out by them. Moreover, Order no. 70
explicitly provided that information about interceptions could not be logged
or recorded.
203. The applicant further submitted that in Russia neither the judge
who had issued the interception authorisation nor any other independent
official qualified for judicial office had power to supervise its
implementation, and in particular to review whether the surveillance
remained within the scope determined by the interception authorisation and
complied with various requirements contained in domestic law.
204. Domestic law did not set out any procedures for the supervision of
interceptions by the President, Parliament and the Government. They
certainly had no powers to supervise the implementation of interception
measures in specific cases.
205. As regards supervision by the Prosecutor General and competent
low-level prosecutors, they could not be considered independent because of
their position within the criminal justice system and their prosecuting
functions. In particular, prosecutors gave their approval to all interception
requests lodged by investigators in the framework of criminal proceedings
and participated in the related court hearings. They could then use the data
obtained as a result of the interception in the framework of their prosecuting
functions, in particular by presenting it as evidence during a trial. There was
therefore a conflict of interest with the prosecutor performing the dual
function of a party to a criminal case and an authority supervising
interceptions.
206. The applicant further submitted that the prosecutors’ supervisory
functions were limited because certain materials, in particular those
revealing the identity of undercover agents or the tactics, methods and
means used by the security services, were outside the scope of their
supervision. The prosecutors’ supervisory powers were also limited in the
area of counter-intelligence, where inspections could be carried out only
following an individual complaint. Given the secrecy of interception
measures and the lack of any notification of the person concerned, such
individual complaints were unlikely to be lodged, with the result that
counter-intelligence-related surveillance measures de facto escaped any
supervision by prosecutors. It was also significant that prosecutors had no
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 51

power to cancel an interception authorisation, to discontinue unlawful

interceptions or to order the destruction of unlawfully obtained data.
207. Further, prosecutors’ biannual reports were not published or
publicly discussed. The reports were classified documents and contained
statistical information only. They did not contain any substantive analysis of
the state of legality in the sphere of operational-search activities or any
information about what breaches of law had been detected and what
measures had been taken to remedy them. Moreover, the reports
amalgamated together all types of operational-search activities, without
separating interceptions from other measures.

(β) The Government

208. The Government submitted that supervision of operational-search
activities, including interceptions of telephone communications, was
exercised by the President, the Parliament and the Government. In
particular, the President determined the national security strategy and
appointed and dismissed the heads of all law-enforcement agencies. There
was also a special department within the President’s Administration which
supervised the activities of the law-enforcement agencies, including
operational-search activities. That department consisted of officials from the
Interior Ministry and the FSB who had the appropriate level of security
clearance. Parliament participated in the supervision process by adopting
and amending laws governing operational-search activities. It could also
form committees and commissions and held parliamentary hearings on all
issues, including those relating to operational-search activities, and could
hear the heads of law-enforcement agencies if necessary. The Government
adopted decrees and orders governing operational-search activities and
allocated the budgetary funds to the law-enforcement agencies.
209. Supervision was also exercised by the Prosecutor General and
competent low-level prosecutors who were independent from the federal,
regional and local authorities. The Prosecutor General and his deputies were
appointed and dismissed by the Federation Council, the upper house of
Parliament. Prosecutors were not entitled to lodge interception requests.
Such requests could be lodged either by the State agency performing
operational-search activities in the framework of the OSAA, or by the
investigator in the framework of the CCrP. The prosecutor could not give
any instructions to the investigator. In the course of a prosecutor’s
inspection, the head of the intercepting agency had an obligation to submit
all relevant materials to the prosecutor at his or her request and could be
held liable for the failure to do so. The prosecutors responsible for
supervision of operational-search activities submitted six-monthly reports to
the Prosecutor General. The reports did not however analyse interceptions
separately from other operational-search measures.
52 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

(vii) Notification of secret surveillance measures

(α) The applicant

210. The applicant further submitted that Russian law did not provide
that a person whose communications had been intercepted was to be
notified before, during or after the interception. He conceded that it was
acceptable not to notify the person before or during the interception, since
the secrecy of the measure was essential to its efficacy. He argued, however,
that such notification was possible after the interception had ended, “as soon
as it could be made without jeopardising the purpose of the restriction” (he
referred to Klass and Others, cited above). In Russia the person concerned
was not notified at any point. He or she could therefore learn about the
interception only if there was a leak or if criminal proceedings were opened
against him or her, and the intercepted data were used in evidence.
211. With regard to the possibility of obtaining access to the data
collected in the course of interception, the applicant submitted that such
access was possible only in very limited circumstances. If criminal
proceedings had never been opened or if the charges had been dropped on
other grounds than those listed in the OSAA, the person concerned was not
entitled to have access. Furthermore, before obtaining access, the claimant
had to prove that his or her communications had been intercepted. Given the
secrecy of the surveillance measures and the lack of notification, such
burden of proof was impossible to satisfy unless the information about the
interception had been leaked. Even after satisfying all those preconditions,
the person could only receive “information about the data collected” rather
than obtain access to the data themselves. Finally, only information that did
not contain State secrets could be disclosed. Given that under the OSAA all
data collected in the course of operational-search activities constituted a
State secret and the decision to declassify it belonged to the head of the
intercepting authority, access to interception-related documents depended
entirely on the intercepting authorities’ discretion.
212. A refusal to grant access to the collected data could be appealed
against to a court and the OSAA required the intercepting authorities to
produce, at the judge’s request, “operational-search materials containing
information about the data to which access [had been] refused”. It was
significant that the intercepting authorities were required to submit
“information about the data” rather than the data themselves. Materials
containing information about undercover agents or police informers could
not be submitted to the court and were thereby excluded from the scope of
judicial review.
(β) The Government
213. The Government submitted that under Russian law, an individual
subject to secret surveillance measures did not have to be informed of those
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 53

measures at any point. The Constitutional Court held (see paragraph 40

above) that in view of the necessity to keep the surveillance measures
secret, the principles of a public hearing and adversarial proceedings were
not applicable to the interception authorisation proceedings. The person
concerned was therefore not entitled to participate in the authorisation
proceedings or to be informed about the decision taken.
214. After the termination of the investigation the defendant was entitled
to study all the materials in the criminal case-file, including the data
obtained in the course of operational-search activities. Otherwise, in cases
where the investigator decided not to open criminal proceedings against the
interception subject or to discontinue the criminal proceedings on the
ground that the alleged offence had not been committed or one or more
elements of a criminal offence were missing, the interception subject was
entitled to request and receive information about the data collected. A
refusal to provide such information could be challenged before a court,
which had power to order the disclosure of information if it considered the
refusal to be ill-founded. The Government submitted a copy of the decision
of 4 August 2009 by the Alekseyevskiy District Court of the Belgorod
Region, ordering that the police provide, within one month, an interception
subject with information about the data collected about him in the course of
the interception “to the extent permitted by the requirements of
confidentiality and with the exception of data which could enable State
secrets to be disclosed”.
215. The Government argued that Russian law was different from the
Bulgarian law criticised by the Court in its judgment of Association for
European Integration and Human Rights and Ekimdzhiev (cited above,
§ 91) because it provided for a possibility to declassify the interception
materials and to grant the person concerned access to them. In support of
that allegation they referred to the criminal conviction judgment of 11 July
2012 by the Zabaykalsk Regional Court. That judgment – a copy of which
was not provided to the Court – relied, according to the Government, on a
judicial decision authorising the interception of the defendant’s telephone
communications which had been declassified and submitted to the trial
judge at his request. The Government also referred to two further judgments
– by the Presidium of the Krasnoyarsk Regional Court and the Presidium of
the Supreme Court of the Mariy-El Republic – quashing by way of
supervisory review judicial decisions authorising interception of
communications. They did not submit copies of the judgments.
(viii) Available remedies

(α) The applicant

216. The applicant submitted that the questions of notification of
surveillance measures and of the effectiveness of remedies before the courts
54 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

were inextricably linked, since there was in principle little scope for
recourse to the courts by the individual concerned unless the latter was
advised of the measures taken without his or her knowledge and was thus
able to challenge their legality retrospectively (he referred to Weber and
Saravia, cited above).
217. The applicant argued that remedies available under Russian law
were ineffective. As regards the possibility for the subject of surveillance to
apply for judicial review of the measures applied, the burden of proof was
on the claimant to demonstrate that his or her telephone had been tapped.
However, since those monitored were not informed about the surveillance
measures unless charged with a criminal offence, the burden of proof was
impossible to satisfy. The copies of domestic judgments submitted by the
Government concerned searches and seizures, that is, operative-search
measures which were known to the person concerned (see paragraphs 220,
221 and 223 below). The applicant knew of no publicly available judicial
decisions where an interception subject’s complaint about unlawful
interception had been allowed. It was also significant that in none of the
judgments produced by the Government had the domestic courts assessed
the proportionality of the contested operative-search measures. The
domestic proceedings brought by the applicant had also clearly
demonstrated that remedies available under Russian law were ineffective.
Moreover, in the case of Avanesyan v. Russia (no. 41152/06, 18 September
2014) the Court had already found that there were no effective remedies
under Russian law to challenge operational-search measures.
218. Lastly, the applicant submitted that an interception subject or the
communications service providers could not challenge the ministerial orders
governing secret interceptions of communications, because those orders
were considered to be technical rather than legal in nature and were
therefore not subject to judicial review, as demonstrated by the decisions
mentioned in paragraph 161 above.
(β) The Government
219. The Government argued that in Russia a person claiming that his or
her rights had been or were being violated by a State official performing
operational-search activities was entitled to complain to the official’s
superior, the prosecutor or a court, in accordance with section 5 of the
OSAA (see paragraph 83 above).
220. As explained by the Plenary Supreme Court, if the person
concerned learned about the interception, he or she could apply to a court of
general jurisdiction in accordance with the procedure established by
Chapter 25 of the Code of Civil Procedure (see paragraph 92 above).
According to the Government, a claimant did not have to prove that his or
her right had been breached as a result of the interception measures. The
burden of proof was on the intercepting authorities to show that the
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 55

interception measures had been lawful and justified. Russian law provided
that if a breach of the claimant’s rights was found by a court in civil
proceedings, the court had to take measures to remedy the violation and
compensate the damage (see paragraph 97 above). The Government
submitted copies of two judicial decisions under Chapter 25 of the Code of
Civil Procedure, declaring searches and seizures of objects or documents
unlawful and ordering the police to take specific measures to remedy the
violations.
221. Furthermore, according to the Government, the interception
subject was also entitled to lodge a supervisory-review complaint against
the judicial decision authorising the interception, as explained by the
Constitutional Court in its decision of 15 July 2008 (see paragraph 43
above). He or she was likewise entitled to lodge an appeal or a cassation
appeal.
222. If the interception was carried out in the framework of criminal
proceedings, the person concerned could also lodge a complaint under
Article 125 of the CCrP. The Government referred to the Supreme Court’s
decision of 26 October 2010 quashing, by way of supervisory review, the
lower courts’ decisions to declare inadmissible K.’s complaint under
Article 125 of the CCrP about the investigator’s refusal to give her a copy
of the judicial decision authorising interception of her communications. The
Supreme Court held that her complaint was to be examined under Article
125 of the CCrP, despite the fact that she had been already convicted, and
that she was entitled to receive a copy of the interception authorisation. The
Government submitted copies of ten judicial decisions allowing complaints
under Article 125 of the CCrP about unlawful searches and seizures of
objects or documents. They also produced a copy of a judgment acquitting a
defendant on appeal after finding that his conviction at first instance had
been based on inadmissible evidence obtained as a result of an unlawful test
purchase of drugs.
223. The Government further submitted that the person concerned could
apply for compensation under Article 1069 of the Civil Code
(see paragraph 102 above). That Article provided for compensation of
pecuniary and non-pecuniary damage caused to an individual or a legal
entity by unlawful actions by State and municipal bodies and officials,
provided that the body’s or the official’s fault had been established.
Compensation for non-pecuniary damage was determined in accordance
with the rules set out in Articles 1099-1101 of the Civil Code
(see paragraphs 103 and 104 above). The Government highlighted, in
particular, that non-pecuniary damage caused through dissemination of
information which was damaging to honour, dignity or reputation could be
compensated irrespective of the tortfeasor’s fault. The Government
submitted a copy of a decision of 9 December 2013 by the Vichuga Town
Court of the Ivanovo Region, awarding compensation in respect of non-
56 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

pecuniary damage for unlawful interception of a suspect’s telephone

conversations after the recordings obtained as a result of that interception
had been declared inadmissible as evidence by the trial court. The
Government also submitted a judicial decision awarding compensation for
an unlawful search and seizure of documents and a judicial decision
awarding compensation to an acquitted defendant for unlawful prosecution.
224. Russian law also provided for criminal remedies for abuse of
power (Articles 285 and 286 of the Criminal Code), unauthorised collection
or dissemination of information about a person’s private and family life
(Article 137 of the Criminal Code) and breach of citizens’ right to privacy
of communications (Article 138 of the Criminal Code) (see paragraphs 19 to
22 above). The Government referred in that connection to the Supreme
Court’s judgment of 24 October 2002, convicting a certain E.S. of an
offence under Article 138 of the Criminal Code for inciting an official to
supply him with the names of the owners of several telephone numbers and
to provide him with call detail records in respect of those telephone
numbers. They also referred to the Supreme Court’s judgment of 15 March
2007, convicting a customs official of an offence under Article 138 of the
Criminal Code for intercepting the telephone communications of a certain P.
They submitted copies of two more conviction judgments under Article 138
of the Criminal Code: the first conviction concerned the selling of espionage
equipment, namely pens and watches with in-build cameras, while the
second conviction concerned the covert hacking of a communication
provider’s database in order to obtain the users’ call detail records.
225. Lastly, the Government argued that remedies were also available in
Russian law to challenge the alleged insufficiency of safeguards against
abuse in the sphere of interception of communications (see paragraph 156
above).
226. The Government submitted that the applicant had not used any of
the remedies available to him under Russian law and described above. In
particular, he had chosen to bring judicial proceedings against mobile
network operators, the Ministry of Communications being joined only as a
third party to the proceedings.

(b) The Court’s assessment

(i) General principles

227. The Court reiterates that any interference can only be justified
under Article 8 § 2 if it is in accordance with the law, pursues one or more
of the legitimate aims to which paragraph 2 of Article 8 refers and is
necessary in a democratic society in order to achieve any such aim
(see Kennedy, cited above, § 130).
228. The Court notes from its well established case-law that the wording
“in accordance with the law” requires the impugned measure both to have
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 57

some basis in domestic law and to be compatible with the rule of law, which
is expressly mentioned in the Preamble to the Convention and inherent in
the object and purpose of Article 8. The law must thus meet quality
requirements: it must be accessible to the person concerned and foreseeable
as to its effects (see, among many other authorities, Rotaru v. Romania
[GC], no. 28341/95, § 52, ECHR 2000-V; S. and Marper v. the United
Kingdom [GC], nos. 30562/04 and 30566/04, § 95, ECHR 2008; and
Kennedy, cited above, § 151).
229. The Court has held on several occasions that the reference to
“foreseeability” in the context of interception of communications cannot be
the same as in many other fields. Foreseeability in the special context of
secret measures of surveillance, such as the interception of communications,
cannot mean that an individual should be able to foresee when the
authorities are likely to intercept his communications so that he can adapt
his conduct accordingly. However, especially where a power vested in the
executive is exercised in secret, the risks of arbitrariness are evident. It is
therefore essential to have clear, detailed rules on interception of telephone
conversations, especially as the technology available for use is continually
becoming more sophisticated. The domestic law must be sufficiently clear
to give citizens an adequate indication as to the circumstances in which and
the conditions on which public authorities are empowered to resort to any
such measures (see Malone, cited above, § 67; Leander v. Sweden,
26 March 1987, § 51, Series A no. 116; Huvig v. France, 24 April 1990,
§ 29, Series A no. 176-B; Valenzuela Contreras v. Spain, 30 July 1998, §
46, Reports of Judgments and Decisions 1998-V; Rotaru, cited above, § 55;
Weber and Saravia, cited above, § 93; and Association for European
Integration and Human Rights and Ekimdzhiev, cited above, § 75).
230. Moreover, since the implementation in practice of measures of
secret surveillance of communications is not open to scrutiny by the
individuals concerned or the public at large, it would be contrary to the rule
of law for the discretion granted to the executive or to a judge to be
expressed in terms of an unfettered power. Consequently, the law must
indicate the scope of any such discretion conferred on the competent
authorities and the manner of its exercise with sufficient clarity to give the
individual adequate protection against arbitrary interference (see, among
other authorities, Malone, cited above, § 68; Leander, cited above, § 51;
Huvig, cited above, § 29; and Weber and Saravia, cited above, § 94).
231. In its case-law on secret measures of surveillance, the Court has
developed the following minimum safeguards that should be set out in law
in order to avoid abuses of power: the nature of offences which may give
rise to an interception order; a definition of the categories of people liable to
have their telephones tapped; a limit on the duration of telephone tapping;
the procedure to be followed for examining, using and storing the data
obtained; the precautions to be taken when communicating the data to other
58 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

parties; and the circumstances in which recordings may or must be erased or

destroyed (see Huvig, cited above, § 34; Amann v. Switzerland [GC],
no. 27798/95, §§ 56-58, ECHR 2000-II; Valenzuela Contreras, cited above,
§ 46; Prado Bugallo v. Spain, no. 58496/00, § 30, 18 February 2003; Weber
and Saravia, cited above, § 95; and Association for European Integration
and Human Rights and Ekimdzhiev, cited above, § 76).
232. As to the question whether an interference was “necessary in a
democratic society” in pursuit of a legitimate aim, the Court has
acknowledged that, when balancing the interest of the respondent State in
protecting its national security through secret surveillance measures against
the seriousness of the interference with an applicant’s right to respect for his
or her private life, the national authorities enjoy a certain margin of
appreciation in choosing the means for achieving the legitimate aim of
protecting national security. However, this margin is subject to European
supervision embracing both legislation and decisions applying it. In view of
the risk that a system of secret surveillance set up to protect national
security may undermine or even destroy democracy under the cloak of
defending it, the Court must be satisfied that there are adequate and
effective guarantees against abuse. The assessment depends on all the
circumstances of the case, such as the nature, scope and duration of the
possible measures, the grounds required for ordering them, the authorities
competent to authorise, carry out and supervise them, and the kind of
remedy provided by the national law. The Court has to determine whether
the procedures for supervising the ordering and implementation of the
restrictive measures are such as to keep the “interference” to what is
“necessary in a democratic society” (see Klass and Others, cited above,
§§ 49, 50 and 59; Weber and Saravia, cited above, § 106; Kvasnica
v. Slovakia, no. 72094/01, § 80, 9 June 2009; and Kennedy, cited above,
§§ 153 and 154).
233. Review and supervision of secret surveillance measures may come
into play at three stages: when the surveillance is first ordered, while it is
being carried out, or after it has been terminated. As regards the first two
stages, the very nature and logic of secret surveillance dictate that not only
the surveillance itself but also the accompanying review should be effected
without the individual’s knowledge. Consequently, since the individual will
necessarily be prevented from seeking an effective remedy of his or her own
accord or from taking a direct part in any review proceedings, it is essential
that the procedures established should themselves provide adequate and
equivalent guarantees safeguarding his or her rights. In addition, the values
of a democratic society must be followed as faithfully as possible in the
supervisory procedures if the bounds of necessity, within the meaning of
Article 8 § 2, are not to be exceeded. In a field where abuse is potentially so
easy in individual cases and could have such harmful consequences for
democratic society as a whole, it is in principle desirable to entrust
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 59

supervisory control to a judge, judicial control offering the best guarantees

of independence, impartiality and a proper procedure (see Klass and Others,
cited above, §§ 55 and 56).
234. As regards the third stage, after the surveillance has been
terminated, the question of subsequent notification of surveillance measures
is inextricably linked to the effectiveness of remedies before the courts and
hence to the existence of effective safeguards against the abuse of
monitoring powers. There is in principle little scope for recourse to the
courts by the individual concerned unless the latter is advised of the
measures taken without his or her knowledge and thus able to challenge
their legality retrospectively (see Klass and Others, cited above, § 57, and
Weber and Saravia, cited above, § 135) or, in the alternative, unless any
person who suspects that his or her communications are being or have been
intercepted can apply to courts, so that the courts’ jurisdiction does not
depend on notification to the interception subject that there has been an
interception of his communications (see Kennedy, cited above, § 167).
(ii) Application of the general principles to the present case
235. The Court notes that it has found there to be an interference under
Article 8 § 1 in respect of the applicant’s general complaint about Russian
legislation governing covert interception of mobile telephone
communications. Accordingly, in its examination of the justification for the
interference under Article 8 § 2, the Court is required to examine whether
the contested legislation itself is in conformity with the Convention.
236. In cases where the legislation permitting secret surveillance is
contested before the Court, the lawfulness of the interference is closely
related to the question whether the “necessity” test has been complied with
and it is therefore appropriate for the Court to address jointly the “in
accordance with the law” and “necessity” requirements (see Kennedy, cited
above, § 155; see also Kvasnica, cited above, § 84). The “quality of law” in
this sense implies that the domestic law must not only be accessible and
foreseeable in its application, it must also ensure that secret surveillance
measures are applied only when “necessary in a democratic society”, in
particular by providing for adequate and effective safeguards and guarantees
against abuse.
237. It has not been disputed by the parties that interceptions of mobile
telephone communications have a basis in the domestic law. They are
governed, in particular, by the CCrP and the OSAA, as well as by the
Communications Act and the Orders issued by the Ministry of
Communications. Furthermore, the Court considers it clear that the
surveillance measures permitted by Russian law pursue the legitimate aims
of the protection of national security and public safety, the prevention of
crime and the protection of the economic well-being of the country
(see paragraph 26 above). It therefore remains to be ascertained whether the
60 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

domestic law is accessible and contains adequate and effective safeguards

and guarantees to meet the requirements of “foreseeability” and “necessity
in a democratic society”.
238. The Court will therefore assess in turn the accessibility of the
domestic law, the scope and duration of the secret surveillance measures,
the procedures to be followed for storing, accessing, examining, using,
communicating and destroying the intercepted data, the authorisation
procedures, the arrangements for supervising the implementation of secret
surveillance measures, any notification mechanisms and the remedies
provided for by national law.

(α) Accessibility of domestic law

239. It is common ground between the parties that almost all legal
provisions governing secret surveillance – including the CCrP, the OSAA,
the Communications Act and the majority of the Orders issued by the
Ministry of Communications – have been officially published and are
accessible to the public. The parties disputed, however, whether the
addendums to Order no. 70 by the Ministry of Communications met the
requirements of accessibility.
240. The Court observes that the addendums to Order no. 70 have never
been published in a generally accessible official publication, as they were
considered to be technical in nature (see paragraph 128 above).
241. The Court accepts that the addendums to Order no. 70 mainly
describe the technical requirements for the interception equipment to be
installed by communications service providers. At the same time, by
requiring that the equipment at issue must ensure that the law-enforcement
authorities have direct access to all mobile telephone communications of all
users and must not log or record information about interceptions initiated by
the law-enforcement authorities (see paragraphs 115 to 122 above), the
addendums to Order No. 70 are capable of affecting the users’ right to
respect for their private life and correspondence. The Court therefore
considers that they must be accessible to the public.
242. The publication of the Order in the Ministry of Communications’
official magazine SvyazInform, distributed through subscription, made it
available only to communications specialists rather than to the public at
large. At the same time, the Court notes that the text of the Order, with the
addendums, can be accessed through a privately-maintained internet legal
database, which reproduced it from the publication in SvyazInform
(see paragraph 115 above). The Court finds the lack of a generally
accessible official publication of Order no. 70 regrettable. However, taking
into account the fact that it has been published in an official ministerial
magazine, combined with the fact that it can be accessed by the general
public through an internet legal database, the Court does not find it
necessary to pursue further the issue of the accessibility of domestic law. It
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 61

will concentrate instead on the requirements of “foreseeability” and

“necessity”.
(β) Scope of application of secret surveillance measures
243. The Court reiterates that the national law must define the scope of
application of secret surveillance measures by giving citizens an adequate
indication as to the circumstances in which public authorities are
empowered to resort to such measures – in particular by clearly setting out
the nature of the offences which may give rise to an interception order and a
definition of the categories of people liable to have their telephones tapped
(see paragraph 231 above).
244. As regards the nature of the offences, the Court emphasises that the
condition of foreseeability does not require States to set out exhaustively, by
name, the specific offences which may give rise to interception. However,
sufficient detail should be provided on the nature of the offences in question
(see Kennedy, cited above, § 159). Both the OSAA and the CCrP provide
that telephone and other communications may be intercepted in connection
with an offence of medium severity, a serious offence or an especially
serious criminal offence – that is, an offence for which the Criminal Code
prescribes a maximum penalty of more than three years’ imprisonment –
which has been already committed, is ongoing or being plotted
(see paragraphs 31 to 33 above). The Court considers that the nature of the
offences which may give rise to an interception order is sufficiently clear.
At the same time it notes with concern that Russian law allows secret
interception of communications in respect of a very wide range of criminal
offences, including for example, as pointed out by the applicant,
pickpocketing (see paragraph 182 above; see also, for similar reasoning,
Iordachi and Others, cited above, §§ 43 and 44).
245. The Court further notes that interceptions may be ordered not only
in respect of a suspect or an accused, but also in respect of a person who
may have information about an offence or may have other information
relevant to the criminal case (see paragraph 32 above). The Court has earlier
found that interception measures in respect of a person who was not
suspected of any offence but could possess information about such an
offence might be justified under Article 8 of the Convention (see Greuter,
cited above). At the same time, the Court notes the absence of any
clarifications in Russian legislation or established case-law as to how the
terms “a person who may have information about a criminal offence” and “a
person who may have information relevant to the criminal case” are to be
applied in practice (see, for similar reasoning, Iordachi and Others, cited
above, § 44).
246. The Court also observes that in addition to interceptions for the
purposes of preventing or detecting criminal offences, the OSAA also
provides that telephone or other communications may be intercepted
62 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

following the receipt of information about events or activities endangering

Russia’s national, military, economic or ecological security
(see paragraph 31 above). Which events or activities may be considered as
endangering such types of security interests is nowhere defined in Russian
law.
247. The Court has previously found that the requirement of
“foreseeability” of the law does not go so far as to compel States to enact
legal provisions listing in detail all conduct that may prompt a decision to
subject an individual to secret surveillance on “national security” grounds.
By the nature of things, threats to national security may vary in character
and may be unanticipated or difficult to define in advance (see Kennedy,
cited above, § 159). At the same time, the Court has also emphasised that in
matters affecting fundamental rights it would be contrary to the rule of law,
one of the basic principles of a democratic society enshrined in the
Convention, for a discretion granted to the executive in the sphere of
national security to be expressed in terms of unfettered power.
Consequently, the law must indicate the scope of any such discretion
conferred on the competent authorities and the manner of its exercise with
sufficient clarity, having regard to the legitimate aim of the measure in
question, to give the individual adequate protection against arbitrary
interference (see Liu v. Russia, no. 42086/05, § 56, 6 December 2007, with
further references).
248. It is significant that the OSAA does not give any indication of the
circumstances under which an individual’s communications may be
intercepted on account of events or activities endangering Russia’s national,
military, economic or ecological security. It leaves the authorities an almost
unlimited degree of discretion in determining which events or acts constitute
such a threat and whether that threat is serious enough to justify secret
surveillance, thereby creating possibilities for abuse (see, for similar
reasoning, Iordachi and Others, cited above, § 46).
249. That being said, the Court does not lose sight of the fact that prior
judicial authorisation for interceptions is required in Russia. Such judicial
authorisation may serve to limit the law-enforcement authorities’ discretion
in interpreting the broad terms of “a person who may have information
about a criminal offence”, “a person who may have information relevant to
the criminal case”, and “events or activities endangering Russia’s national,
military, economic or ecological security” by following an established
judicial interpretation of the terms or an established practice to verify
whether sufficient reasons for intercepting a specific individual’s
communications exist in each case. The Court accepts that the requirement
of prior judicial authorisation constitutes an important safeguard against
arbitrariness. The effectiveness of that safeguard will be examined below.
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 63

(γ) The duration of secret surveillance measures

250. The Court has held that it is not unreasonable to leave the overall
duration of interception to the discretion of the relevant domestic authorities
which have competence to issue and renew interception warrants, provided
that adequate safeguards exist, such as a clear indication in the domestic law
of the period after which an interception warrant will expire, the conditions
under which a warrant can be renewed and the circumstances in which it
must be cancelled (see Kennedy, cited above, § 161; see also Klass and
Others, cited above, 52, and Weber and Saravia, cited above, § 98).
251. As regards the first safeguard, both the CCrP and the OSAA
provide that interceptions may be authorised by a judge for a period not
exceeding six months (see paragraphs 38 and 47 above). There is therefore a
clear indication in the domestic law of the period after which an interception
authorisation will expire. Secondly, the conditions under which an
authorisation can be renewed are also clearly set out in law. In particular,
under both the CCrP and the OSAA a judge may extend interception for a
maximum of six months at a time, after a fresh examination of all the
relevant materials (id.). However, as regards the third safeguard concerning
the circumstances in which the interception must be discontinued, the Court
notes that the requirement to discontinue interception when no longer
necessary is mentioned in the CCrP only. Regrettably, the OSAA does not
contain such a requirement (id.). In practice, this means that interceptions in
the framework of criminal proceedings are attended by more safeguards
than interceptions conducted outside such a framework, in particular in
connection with “events or activities endangering national, military,
economic or ecological security”.
252. The Court concludes from the above that while Russian law
contains clear rules on the duration and renewal of interceptions providing
adequate safeguards against abuse, the OSAA provisions on discontinuation
of the surveillance measures do not provide sufficient guarantees against
arbitrary interference.
(δ) Procedures to be followed for storing, accessing, examining, using,
communicating and destroying the intercepted data
253. Russian law stipulates that data collected as a result of secret
surveillance measures constitute a State secret and are to be sealed and
stored under conditions excluding any risk of unauthorised access. They
may be disclosed to those State officials who genuinely need the data for the
performance of their duties and have the appropriate level of security
clearance. Steps must be taken to ensure that only the amount of
information needed by the recipient to perform his or her duties is disclosed,
and no more. The official responsible for ensuring that the data are securely
stored and inaccessible to those without the necessary security clearance is
clearly defined (see paragraphs 51 to 57 above). Domestic law also sets out
64 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

the conditions and procedures for communicating intercepted data

containing information about a criminal offence to the prosecuting
authorities. It describes, in particular, the requirements for their secure
storage and the conditions for their use as evidence in criminal proceedings
(see paragraphs 58 to 64 above). The Court is satisfied that Russian law
contains clear rules governing the storage, use and communication of
intercepted data, making it possible to minimise the risk of unauthorised
access or disclosure (see, for similar reasoning, Kennedy, cited above,
§§ 162 and 163).
254. As far as the destruction of intercept material is concerned,
domestic law provides that intercept material must be destroyed after six
months of storage, if the person concerned has not been charged with a
criminal offence. If the person has been charged with a criminal offence, the
trial judge must make a decision, at the end of the criminal proceedings, on
the further storage and destruction of the intercept material used in evidence
(see paragraphs 65 and 66 above).
255. As regards the cases where the person concerned has not been
charged with a criminal offence, the Court is not convinced by the
applicant’s argument that Russian law permits storage of the intercept
material beyond the statutory time-limit (see paragraph 188 above). It
appears that the provision referred to by the applicant does not apply to the
specific case of storage of data collected as a result of interception of
communications. The Court considers the six-month storage time-limit set
out in Russian law for such data reasonable. At the same time, it deplores
the lack of a requirement to destroy immediately any data that are not
relevant to the purpose for which they have been obtained (compare Klass
and Others, cited above, § 52, and Kennedy, cited above, § 162). The
automatic storage for six months of clearly irrelevant data cannot be
considered justified under Article 8.
256. Furthermore, as regards the cases where the person has been
charged with a criminal offence, the Court notes with concern that Russian
law allows unlimited discretion to the trial judge to store or to destroy the
data used in evidence after the end of the trial (see paragraph 66 above).
Russian law does not give citizens any indication as to the circumstances in
which the intercept material may be stored after the end of the trial. The
Court therefore considers that the domestic law is not sufficiently clear on
this point.
(ε) Authorisation of interceptions

Authorisation procedures
257. The Court will take into account a number of factors in assessing
whether the authorisation procedures are capable of ensuring that secret
surveillance is not ordered haphazardly, irregularly or without due and
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 65

proper consideration. These factors include, in particular, the authority

competent to authorise the surveillance, its scope of review and the content
of the interception authorisation.
258. As regards the authority competent to authorise the surveillance,
authorising of telephone tapping by a non-judicial authority may be
compatible with the Convention (see, for example, Klass and Others, cited
above, § 51; Weber and Saravia, cited above, § 115; and Kennedy, cited
above, § 31), provided that that authority is sufficiently independent from
the executive (see Dumitru Popescu v. Romania (no. 2), no. 71525/01, § 71,
26 April 2007).
259. Russian law contains an important safeguard against arbitrary or
indiscriminate secret surveillance. It dictates that any interception of
telephone or other communications must be authorised by a court
(see paragraphs 34 and 44 above). The law-enforcement agency seeking
authorisation for interception must submit a reasoned request to that effect
to a judge, who may require the agency to produce supporting materials
(see paragraphs 37 and 46 above). The judge must give reasons for the
decision to authorise interceptions (see paragraphs 38 and 44 above).
260. Turning now to the authorisation authority’s scope of review, the
Court reiterates that it must be capable of verifying the existence of a
reasonable suspicion against the person concerned, in particular, whether
there are factual indications for suspecting that person of planning,
committing or having committed criminal acts or other acts that may give
rise to secret surveillance measures, such as, for example, acts endangering
national security. It must also ascertain whether the requested interception
meets the requirement of “necessity in a democratic society”, as provided by
Article 8 § 2 of the Convention, including whether it is proportionate to the
legitimate aims pursued, by verifying, for example whether it is possible to
achieve the aims by less restrictive means (see Klass and Others, cited
above, § 51; Association for European Integration and Human Rights and
Ekimdzhiev, cited above, §§ 79 and 80; Iordachi and Others, cited above,
§ 51; and Kennedy, cited above, §§ 31 and 32).
261. The Court notes that in Russia judicial scrutiny is limited in scope.
Thus, materials containing information about undercover agents or police
informers or about the organisation and tactics of operational-search
measures may not be submitted to the judge and are therefore excluded from
the court’s scope of review (see paragraph 37 above). The Court considers
that the failure to disclose the relevant information to the courts deprives
them of the power to assess whether there is a sufficient factual basis to
suspect the person in respect of whom operational-search measures are
requested of a criminal offence or of activities endangering national,
military, economic or ecological security (see, mutatis mutandis, Liu, cited
above, §§ 59-63). The Court has earlier found that there are techniques that
can be employed which both accommodate legitimate security concerns
66 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

about the nature and sources of intelligence information and yet accord the
individual a substantial measure of procedural justice (see, mutatis
mutandis, Chahal v. the United Kingdom, 15 November 1996, § 131,
Reports of Judgments and Decisions 1996-V).
262. Furthermore, the Court observes that in Russia the judges are not
instructed, either by the CCrP or by the OSAA, to verify the existence of a
“reasonable suspicion” against the person concerned or to apply the
“necessity” and “proportionality” test”. At the same time, the Court notes
that the Constitutional Court has explained in its decisions that the burden
of proof is on the requesting agency to show that interception is necessary
and that the judge examining an interception request should verify the
grounds for that measure and grant authorisation only if he or she is
persuaded that interception is lawful, necessary and justified. The
Constitutional Court has also held that the judicial decision authorising
interception should contain reasons and refer to specific grounds for
suspecting that a criminal offence has been committed, or is ongoing, or is
being plotted or that activities endangering national, military, economic or
ecological security are being carried out, as well as that the person in respect
of whom interception is requested is involved in these criminal or otherwise
dangerous activities (see paragraphs 40 to 42 above). The Constitutional
Court has therefore recommended, in substance, that when examining
interception authorisation requests Russian courts should verify the
existence of a reasonable suspicion against the person concerned and should
authorise interception only if it meets the requirements of necessity and
proportionality.
263. However, the Court observes that the domestic law does not
explicitly require the courts of general jurisdiction to follow the
Constitutional Court’s opinion as to how a legislative provision should be
interpreted if such opinion has been expressed in a decision rather than a
judgment (see paragraph 106 above). Indeed, the materials submitted by the
applicant show that the domestic courts do not always follow the above-
mentioned recommendations of the Constitutional Court, all of which were
contained in decisions rather than in judgments. Thus, it transpires from the
analytical notes issued by District Courts that interception requests are often
not accompanied by any supporting materials, that the judges of these
District Courts never request the interception agency to submit such
materials and that a mere reference to the existence of information about a
criminal offence or activities endangering national, military, economic or
ecological security is considered to be sufficient for the authorisation to be
granted. An interception request is rejected only if it is not signed by a
competent person, contains no reference to the offence in connection with
which interception is to be ordered, or concerns a criminal offence in
respect of which interception is not permitted under domestic law
(see paragraph 193 above). Thus, the analytical notes issued by District
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 67

Courts, taken together with the statistical information for the period from
2009 to 2013 provided by the applicant (see paragraph 194 above), indicate
that in their everyday practice Russian courts do not verify whether there is
a “reasonable suspicion” against the person concerned and do not apply the
“necessity” and “proportionality” test.
264. Lastly, as regards the content of the interception authorisation, it
must clearly identify a specific person to be placed under surveillance or a
single set of premises as the premises in respect of which the authorisation
is ordered. Such identification may be made by names, addresses, telephone
numbers or other relevant information (see Klass and Others, cited above,
§ 51; Liberty and Others, cited above, §§ 64 and 65; Dumitru Popescu
(no. 2), cited above, § 78; Association for European Integration and Human
Rights and Ekimdzhiev, cited above, § 80; and Kennedy, cited above, § 160).
265. The Court observes that the CCrP requires that a request for
interception authorisation must clearly mention a specific person whose
communications are to be intercepted, as well as the duration of the
interception measure (see paragraph 46 above). By contrast, the OSAA does
not contain any requirements either with regard to the content of the request
for interception or to the content of the interception authorisation. As a
result, courts sometimes grant interception authorisations which do not
mention a specific person or telephone number to be tapped, but authorise
interception of all telephone communications in the area where a criminal
offence has been committed. Some authorisations do not mention the
duration for which interception is authorised (see paragraph 193 above).
The Court considers that such authorisations, which are not clearly
prohibited by the OSAA, grant a very wide discretion to the
law-enforcement authorities as to which communications to intercept, and
for how long.
266. The Court further notes that in cases of urgency it is possible to
intercept communications without prior judicial authorisation for up to
forty-eight hours. A judge must be informed of any such case within
twenty-four hours from the commencement of the interception. If no
judicial authorisation has been issued within forty-eight hours, the
interception must be stopped immediately (see paragraph 35 above). The
Court has already examined the “urgency” procedure provided for in
Bulgarian law and found that it was compatible with the Convention
(see Association for European Integration and Human Rights and
Ekimdzhiev, cited above, §§ 16 and 82). However, in contrast to the
Bulgarian provision, the Russian “urgent procedure” does not provide for
sufficient safeguards to ensure that it is used sparingly and only in duly
justified cases. Thus, although in the criminal sphere the OSAA limits
recourse to the urgency procedure to cases where there exists an immediate
danger that a serious or especially serious offence may be committed, it
does not contain any such limitations in respect of secret surveillance in
68 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

connection with events or activities endangering national, military,

economic or ecological security. The domestic law does not limit the use of
the urgency procedure to cases involving an immediate serious danger to
national, military, economic or ecological security. It leaves the authorities
an unlimited degree of discretion in determining in which situations it is
justified to use the non-judicial urgent procedure, thereby creating
possibilities for abusive recourse to it (see, by contrast, Association for
European Integration and Human Rights and Ekimdzhiev, cited above,
§ 16). Furthermore, although Russian law requires that a judge be
immediately informed of each instance of urgent interception, his or her
power is limited to authorising the extension of the interception measure
beyond forty-eight hours. He or she has no power to assess whether the use
of the urgent procedure was justified or to decide whether the material
obtained during the previous forty-eight hours is to be kept or destroyed
(see, by contrast, Association for European Integration and Human Rights
and Ekimdzhiev, cited above, § 16). Russian law does therefore not provide
for an effective judicial review of the urgency procedure.
267. In view of the above considerations the Court considers that the
authorisation procedures provided for by Russian law are not capable of
ensuring that secret surveillance measures are not ordered haphazardly,
irregularly or without due and proper consideration.

The authorities’ access to communications

268. The Court takes note of the applicant’s argument that the security
services and the police have the technical means to intercept mobile
telephone communications without obtaining judicial authorisation, as they
have direct access to all communications and as their ability to intercept the
communications of a particular individual or individuals is not conditional
on providing an interception authorisation to the communications service
provider.
269. The Court considers that the requirement to show an interception
authorisation to the communications service provider before obtaining
access to a person’s communications is one of the important safeguards
against abuse by the law-enforcement authorities, ensuring that proper
authorisation is obtained in all cases of interception. In Russia the
law-enforcement authorities are not required under domestic law to show
the judicial authorisation to the communications service provider before
obtaining access to a person’s communications (see, by contrast, the EU
Council Resolution cited in paragraph 145 above), except in connection
with the monitoring of communications-related data under the CCrP
(see paragraph 48 above). Indeed, pursuant to Orders issued by the Ministry
of Communications, in particular the addendums to Order No. 70,
communications service providers must install equipment giving the
law-enforcement authorities direct access to all mobile telephone
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 69

communications of all users (see paragraphs 115 to 122 above). The

communications service providers also have an obligation under Order
no. 538 to create databases storing information about all subscribers, and the
services provided to them, for three years; the secret services have direct
remote access to those databases (see paragraphs 132 and 133 above). The
law-enforcement authorities thus have direct access to all mobile telephone
communications and related communications data.
270. The Court considers that the manner in which the system of secret
surveillance operates in Russia gives the security services and the police
technical means to circumvent the authorisation procedure and to intercept
any communications without obtaining prior judicial authorisation.
Although the possibility of improper action by a dishonest, negligent or
over-zealous official can never be completely ruled out whatever the system
(see Klass and Others, cited above, § 59), the Court considers that a system,
such as the Russian one, which enables the secret services and the police to
intercept directly the communications of each and every citizen without
requiring them to show an interception authorisation to the communications
service provider, or to anyone else, is particularly prone to abuse. The need
for safeguards against arbitrariness and abuse appears therefore to be
particularly great.
271. The Court will therefore examine with particular attention whether
the supervision arrangements provided by Russian law are capable of
ensuring that all interceptions are performed lawfully on the basis of proper
judicial authorisation.
(ζ) Supervision of the implementation of secret surveillance measures
272. The Court notes at the outset that Order no. 70 requires that the
equipment installed by the communications service providers does not
record or log information about interceptions (see paragraph 120 above).
The Court has found that an obligation on the intercepting agencies to keep
records of interceptions is particularly important to ensure that the
supervisory body had effective access to details of surveillance activities
undertaken (see Kennedy, cited above, § 165). The prohibition on logging or
recording interceptions set out in Russian law makes it impossible for the
supervising authority to discover interceptions carried out without proper
judicial authorisation. Combined with the law-enforcement authorities’
technical ability, pursuant to the same Order no. 70, to intercept directly all
communications, this provision renders any supervision arrangements
incapable of detecting unlawful interceptions and therefore ineffective.
273. As regards supervision of interceptions carried out on the basis of
proper judicial authorisations, the Court will examine whether the
supervision arrangements existing in Russia are capable of ensuring that the
statutory requirements relating to the implementation of the surveillance
70 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

measures, the storage, access to, use, processing, communication and

destruction of intercept material are routinely respected.
274. A court which has granted authorisation for interception has no
competence to supervise its implementation. It is not informed of the results
of the interceptions and has no power to review whether the requirements of
the decision granting authorisation were complied with. Nor do Russian
courts in general have competence to carry out the overall supervision of
interceptions. Judicial supervision is limited to the initial authorisation
stage. Subsequent supervision is entrusted to the President, Parliament, the
Government, the Prosecutor General and competent lower-level
prosecutors.
275. The Court has earlier found that, although it is in principle desirable
to entrust supervisory control to a judge, supervision by non-judicial bodies
may be considered compatible with the Convention, provided that the
supervisory body is independent of the authorities carrying out the
surveillance, and is vested with sufficient powers and competence to
exercise an effective and continuous control (see Klass and Others, cited
above, § 56).
276. As far as the President, Parliament and the Government are
concerned, Russian law does not set out the manner in which they may
supervise interceptions. There are no publicly available regulations or
instructions describing the scope of their review, the conditions under which
it may be carried out, the procedures for reviewing the surveillance
measures or for remedying the breaches detected (see, for similar reasoning,
Association for European Integration and Human Rights and Ekimdzhiev,
cited above, § 88).
277. As regards supervision of interceptions by prosecutors, the Court
observes that the national law sets out the scope of, and the procedures for,
prosecutors’ supervision of operational-search activities (see paragraphs 69
to 80 above). It stipulates that prosecutors may carry out routine and ad hoc
inspections of agencies performing operational-search activities and are
entitled to study the relevant documents, including confidential ones. They
may take measures to stop or remedy the detected breaches of law and to
bring those responsible to liability. They must submit semi-annual reports
detailing the results of the inspections to the Prosecutor General’s Office.
The Court accepts that a legal framework exists which provides, at least in
theory, for some supervision by prosecutors of secret surveillance measures.
It must be next examined whether the prosecutors are independent of the
authorities carrying out the surveillance, and are vested with sufficient
powers and competence to exercise effective and continuous control.
278. As to the independence requirement, in previous cases the Court
has taken into account the manner of appointment and the legal status of the
members of the supervisory body. In particular, it found sufficiently
independent the bodies composed of members of parliament of both the
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 71

majority and the opposition, or of persons qualified to hold judicial office,

appointed either by parliament or by the Prime Minister (see, for example,
Klass and Others, cited above, §§ 21 and 56; Weber and Saravia, cited
above, §§ 24, 25 and 117; Leander, cited above, § 65; (see L. v. Norway,
no. 13564/88, Commission decision of 8 June 1990); and Kennedy, cited
above, §§ 57 and 166). In contrast, a Minister of Internal Affairs – who not
only was a political appointee and a member of the executive, but was
directly involved in the commissioning of special means of surveillance –
was found to be insufficiently independent (see Association for European
Integration and Human Rights and Ekimdzhiev, cited above, §§ 85 and 87).
Similarly, a Prosecutor General and competent lower-level prosecutors were
also found to be insufficiently independent (see Iordachi and Others, cited
above, § 47).
279. In contrast to the supervisory bodies cited above, in Russia
prosecutors are appointed and dismissed by the Prosecutor General after
consultation with the regional executive authorities (see paragraph 70
above). This fact may raise doubts as to their independence from the
executive.
280. Furthermore, it is essential that any role prosecutors have in the
general protection of human rights does not give rise to any conflict of
interest (see Menchinskaya v. Russia, no. 42454/02, §§ 19 and 38,
15 January 2009). The Court observes that prosecutor’s offices do not
specialise in supervision of interceptions (see paragraph 71 above). Such
supervision is only one part of their broad and diversified functions, which
include prosecution and supervision of criminal investigations. In the
framework of their prosecuting functions, prosecutors give their approval to
all interception requests lodged by investigators in the framework of
criminal proceedings (see paragraph 44 above). This blending of functions
within one prosecutor’s office, with the same office giving approval to
requests for interceptions and then supervising their implementation, may
also raise doubts as to the prosecutors’ independence (see, by way of
contrast, Ananyev and Others v. Russia, nos. 42525/07 and 60800/08, § 215,
10 January 2012, concerning supervision by prosecutors of detention
facilities, where it was found that prosecutors complied with the
requirement of independence vis-à-vis the penitentiary system’s bodies).
281. Turning now to the prosecutors’ powers and competences, the
Court notes that it is essential that the supervisory body has access to all
relevant documents, including closed materials and that all those involved in
interception activities have a duty to disclose to it any material it required
(see Kennedy, cited above, § 166). Russian law stipulates that prosecutors
are entitled to study relevant documents, including confidential ones. It is
however important to note that information about the security services’
undercover agents, and about the tactics, methods and means used by them,
is outside the scope of prosecutors’ supervision (see paragraph 74 above).
72 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

The scope of their supervision is therefore limited. Moreover, interceptions

performed by the FSB in the sphere of counterintelligence may be inspected
only following an individual complaint (see paragraph 76 above). As
individuals are not notified of interceptions (see paragraph 81 above and
paragraph 289 below), it is unlikely that such a complaint will ever be
lodged. As a result, surveillance measures related to counter-intelligence de
facto escape supervision by prosecutors.
282. The supervisory body’s powers with respect to any breaches
detected are also an important element for the assessment of the
effectiveness of its supervision (see, for example, Klass and Others, cited
above, § 53, where the intercepting agency was required to terminate the
interception immediately if the G10 Commission found it illegal or
unnecessary; and Kennedy, cited above, § 168, where any intercept material
was to be destroyed as soon as the Interception of Communications
Commissioner discovered that the interception was unlawful). The Court is
satisfied that prosecutors have certain powers with respect to the breaches
detected by them. Thus, they may take measures to stop or remedy the
detected breaches of law and to bring those responsible to liability
(see paragraph 79 above). However, there is no specific provision requiring
destruction of the unlawfully obtained intercept material (see Kennedy, cited
above, § 168).
283. The Court must also examine whether the supervisory body’s
activities are open to public scrutiny (see, for example, L. v. Norway, cited
above, where the supervision was performed by the Control Committee,
which reported annually to the Government and whose reports were
published and discussed by Parliament; Kennedy, cited above, § 166, where
the supervision of interceptions was performed by the Interception of
Communications Commissioner, who reported annually to the Prime
Minister, his report being a public document laid before Parliament; and, by
contrast, Association for European Integration and Human Rights and
Ekimdzhiev, cited above, § 88, where the Court found fault with the system
where neither the Minister of Internal Affairs nor any other official was
required to report regularly to an independent body or to the general public
on the overall operation of the system or on the measures applied in
individual cases). In Russia, prosecutors must submit semi-annual reports
detailing the results of the inspections to the Prosecutor General’s Office.
However, these reports concern all types of operational-search measures,
amalgamated together, without interceptions being treated separately from
other measures. Moreover, the reports contain only statistical information
about the number of inspections of operational-search measures carried out
and the number of breaches detected, without specifying the nature of the
breaches or the measures taken to remedy them. It is also significant that the
reports are confidential documents. They are not published or otherwise
accessible to the public (see paragraph 80 above). It follows that in Russia
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 73

supervision by prosecutors is conducted in a manner which is not open to

public scrutiny and knowledge.
284. Lastly, the Court notes that it is for the Government to illustrate the
practical effectiveness of the supervision arrangements with appropriate
examples (see, mutatis mutandis, Ananyev and Others, cited above, §§ 109
and 110). However, the Russian Government did not submit any inspection
reports or decisions by prosecutors ordering the taking of measures to stop
or remedy a detected breach of law. It follows that the Government did not
demonstrate that prosecutors’ supervision of secret surveillance measures is
effective in practice. The Court also takes note in this connection of the
documents submitted by the applicant illustrating prosecutors’ inability to
obtain access to classified materials relating to interceptions
(see paragraph 14 above). That example also raises doubts as to the
effectiveness of supervision by prosecutors in practice.
285. In view of the defects identified above, and taking into account the
particular importance of supervision in a system where law-enforcement
authorities have direct access to all communications, the Court considers
that the prosecutors’ supervision of interceptions as it is currently organised
is not capable of providing adequate and effective guarantees against abuse.
(η) Notification of interception of communications and available remedies
286. The Court will now turn to the issue of notification of interception
of communications which is inextricably linked to the effectiveness of
remedies before the courts (see case-law cited in paragraph 234 above).
287. It may not be feasible in practice to require subsequent notification
in all cases. The activity or danger against which a particular series of
surveillance measures is directed may continue for years, even decades,
after the suspension of those measures. Subsequent notification to each
individual affected by a suspended measure might well jeopardise the long-
term purpose that originally prompted the surveillance. Furthermore, such
notification might serve to reveal the working methods and fields of
operation of the intelligence services and even possibly to identify their
agents. Therefore, the fact that persons concerned by secret surveillance
measures are not subsequently notified once surveillance has ceased cannot
by itself warrant the conclusion that the interference was not “necessary in a
democratic society”, as it is the very absence of knowledge of surveillance
which ensures the efficacy of the interference. As soon as notification can
be carried out without jeopardising the purpose of the restriction after the
termination of the surveillance measure, information should, however, be
provided to the persons concerned (see Klass and Others, cited above, § 58,
and Weber and Saravia, cited above, § 135). The Court also takes note of
the Recommendation of the Committee of Ministers regulating the use of
personal data in the police sector, which provides that where data
concerning an individual have been collected and stored without his or her
74 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

knowledge, and unless the data are deleted, he or she should be informed,
where practicable, that information is held about him or her as soon as the
object of the police activities is no longer likely to be prejudiced (§ 2.2, see
paragraph 143 above).
288. In the cases of Klass and Others and Weber and Saravia the Court
examined German legislation which provided for notification of
surveillance as soon as that could be done after its termination without
jeopardising its purpose. The Court took into account that it was an
independent authority, the G10 Commission, which had the power to decide
whether an individual being monitored was to be notified of a surveillance
measure. The Court found that the provision in question ensured an
effective notification mechanism which contributed to keeping the
interference with the secrecy of telecommunications within the limits of
what was necessary to achieve the legitimate aims pursued (see Klass and
Others, cited above, § 58, and Weber and Saravia, cited above, § 136). In
the cases of Association for European Integration and Human Rights and
Ekimdzhiev and Dumitru Popescu (no. 2), the Court found that the absence
of a requirement to notify the subject of interception at any point was
incompatible with the Convention, in that it deprived the interception
subject of an opportunity to seek redress for unlawful interferences with his
or her Article 8 rights and rendered the remedies available under the
national law theoretical and illusory rather than practical and effective. The
national law thus eschewed an important safeguard against the improper use
of special means of surveillance (see Association for European Integration
and Human Rights and Ekimdzhiev, cited above, §§ 90 and 91, and Dumitru
Popescu (no. 2), cited above, § 77). By contrast, in the case of Kennedy the
absence of a requirement to notify the subject of interception at any point in
time was compatible with the Convention, because in the United Kingdom
any person who suspected that his communications were being or had been
intercepted could apply to the Investigatory Powers Tribunal, whose
jurisdiction did not depend on notification to the interception subject that
there had been an interception of his or her communications (see Kennedy,
cited above, § 167).
289. Turning now to the circumstances of the present case, the Court
observes that in Russia persons whose communications have been
intercepted are not notified of this fact at any point or under any
circumstances. It follows that, unless criminal proceedings have been
opened against the interception subject and the intercepted data have been
used in evidence, or unless there has been a leak, the person concerned is
unlikely ever to find out if his or her communications have been intercepted.
290. The Court takes note of the fact that a person who has somehow
learned that his or her communications have been intercepted may request
information about the corresponding data (see paragraph 81 above). It is
worth noting in this connection that in order to be entitled to lodge such a
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 75

request the person must be in possession of the facts of the operational-

search measures to which he or she was subjected. It follows that the access
to information is conditional on the person’s ability to prove that his or her
communications were intercepted. Furthermore, the interception subject is
not entitled to obtain access to documents relating to interception of his or
her communications; he or she is at best entitled to receive “information”
about the collected data. Such information is provided only in very limited
circumstances, namely if the person’s guilt has not been proved in
accordance with the procedure prescribed by law, that is, he or she has not
been charged or the charges have been dropped on the ground that the
alleged offence was not committed or that one or more elements of a
criminal offence were missing. It is also significant that only information
that does not contain State secrets may be disclosed to the interception
subject and that under Russian law information about the facilities used in
operational-search activities, the methods employed, the officials involved
and the data collected constitutes a State secret (see paragraph 52 above). In
view of the above features of Russian law, the possibility to obtain
information about interceptions appears to be ineffective.
291. The Court will bear the above factors – the absence of notification
and the lack of an effective possibility to request and obtain information
about interceptions from the authorities – in mind when assessing the
effectiveness of remedies available under Russian law.
292. Russian law provides that a person claiming that his or her rights
have been or are being violated by a State official performing operational-
search activities may complain to the official’s superior, a prosecutor or a
court (see paragraph 83 above). The Court reiterates that a hierarchical
appeal to a direct supervisor of the authority whose actions are being
challenged does not meet the requisite standards of independence needed to
constitute sufficient protection against the abuse of authority (see, for
similar reasoning, Khan v. the United Kingdom, no. 35394/97, §§ 45-47,
ECHR 2000-V; Dumitru Popescu (no. 2), cited above, § 72; and Avanesyan,
cited above, § 32). A prosecutor also lacks independence and has a limited
scope of review, as demonstrated above (see paragraphs 277 to 285 above).
It remains to be ascertained whether a complaint to a court may be regarded
as an effective remedy.
293. There are four judicial procedures which, according to the
Government, may be used by a person wishing to complain about
interception of his communications: an appeal, a cassation appeal or a
supervisory-review complaint against the judicial decision authorising
interception of communications; a judicial review complaint under
Article 125 of the CCrP; a judicial review complaint under the Judicial
Review Act and Chapter 25 of the Code of Civil Procedure; and a civil tort
claim under Article 1069 of the Civil Code. The Court will examine them in
turn.
76 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

294. The first of the procedures invoked by the Government is an

appeal, cassation appeal or supervisory-review complaint against the
judicial decision authorising interception of communications. However, the
Constitutional Court stated clearly that the interception subject had no right
to appeal against the judicial decision authorising interception of his
communications (see paragraph 40 above; see also Avanesyan, cited above,
§ 30). Domestic law is silent on the possibility of lodging a cassation
appeal. Given that the Government did not submit any examples of
domestic practice on examination of cassation appeals, the Court has strong
doubts as to the existence of a right to lodge a cassation appeal against a
judicial decision authorising interception of communications. At the same
time, the interception subject is clearly entitled to lodge a supervisory
review complaint (see paragraph 43 above). However, in order to lodge a
supervisory review complaint against the judicial decision authorising
interception of communications, the person concerned must be aware that
such a decision exists. Although the Constitutional Court has held that it is
not necessary to attach a copy of the contested judicial decision to the
supervisory review complaint (ibid.), it is difficult to imagine how a person
can lodge such a complaint without having at least the minimum
information about the decision he or she is challenging, such as its date and
the court which has issued it. In the absence of notification of surveillance
measures under Russian law, an individual would hardly ever be able to
obtain that information unless it were to be disclosed in the context of
criminal proceedings against him or her or there was some indiscretion
which resulted in disclosure.
295. Further, a complaint under Article 125 of the CCrP may be lodged
only by a participant to criminal proceedings while a pre-trial investigation
is pending (see paragraphs 88 and 89 above). This remedy is therefore
available only to persons who have learned about the interception of their
communications in the framework of criminal proceedings against them. It
cannot be used by a person against whom no criminal proceedings have
been brought following the interception of his or her communications and
who does not know whether his or her communications were intercepted. It
is also worth noting that the Government did not submit any judicial
decisions examining a complaint under Article 125 of the CCrP about the
interception of communications. They therefore failed to illustrate the
practical effectiveness of the remedy invoked by them with examples from
the case-law of the domestic courts (see, for similar reasoning, Rotaru, cited
above, § 70, and Ananyev and Others, cited above, §§ 109 and 110).
296. As regards the judicial review complaint under the Judicial Review
Act, Chapter 25 of the Code of Civil Procedure and the new Code of
Administrative Procedure and a civil tort claim under Article 1069 of the
Civil Code, the burden of proof is on the claimant to show that the
interception has taken place and that his or her rights were thereby breached
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 77

(see paragraphs 85, 95, 96 and 105 above). In the absence of notification or
some form of access to official documents relating to the interceptions such
a burden of proof is virtually impossible to satisfy. Indeed, the applicant’s
judicial complaint was rejected by the domestic courts on the ground that he
had failed to prove that his telephone communications had been intercepted
(see paragraphs 11 and 13 above). The Court notes that the Government
submitted several judicial decisions taken under Chapter 25 of the Code of
Civil Procedure or Article 1069 of the Civil Code (see paragraphs 220
to 223 above). However, all of those decisions, with one exception, concern
searches or seizures of documents or objects, that is, operational-search
measures carried out with the knowledge of the person concerned. Only one
judicial decision concerns interception of communications. In that case the
intercept subject was able to discharge the burden of proof because she had
learned about the interception of her communications in the course of
criminal proceedings against her.
297. Further, the Court takes note of the Government’s argument that
Russian law provides for criminal remedies for abuse of power,
unauthorised collection or dissemination of information about a person’s
private and family life and breach of citizens’ right to privacy of
communications. For the reasons set out in the preceding paragraphs these
remedies are also available only to persons who are capable of submitting to
the prosecuting authorities at least some factual information about the
interception of their communications (see paragraph 24 above).
298. The Court concludes from the above that the remedies referred to
by the Government are available only to persons who are in possession of
information about the interception of their communications. Their
effectiveness is therefore undermined by the absence of a requirement to
notify the subject of interception at any point, or an adequate possibility to
request and obtain information about interceptions from the authorities.
Accordingly, the Court finds that Russian law does not provide for an
effective judicial remedy against secret surveillance measures in cases
where no criminal proceedings were brought against the interception
subject. It is not the Court’s task in the present case to decide whether these
remedies will be effective in cases where an individual learns about the
interception of his or her communications in the course of criminal
proceedings against him or her (see, however, Avanesyan, cited above,
where some of these remedies were found to be ineffective to complain
about an “inspection” of the applicant’s flat).
299. Lastly, with respect to the remedies to challenge the alleged
insufficiency of safeguards against abuse in Russian law before the Russian
courts, the Court is not convinced by the Government’s argument that such
remedies are effective (see paragraphs 156 and 225 above). As regards the
possibility to challenge the OSAA before the Constitutional Court, the
Court observes that the Constitutional Court has examined the
78 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

constitutionality of the OSAA on many occasions and found that it was

compatible with the Constitution (see paragraphs 40 to 43, 50, 82 and 85
to 87 above). In such circumstances the Court finds it unlikely that a
complaint by the applicant to the Constitutional Court, raising the same
issues that have already been examined by it, would have any prospects of
success. Nor is the Court convinced that a challenge of Order no. 70 before
the Supreme Court or the lower courts would constitute an effective remedy.
Indeed, the applicant did challenge Order no. 70 in the domestic
proceedings. However, both the District and City Courts found that the
applicant had no standing to challenge the Order because the equipment
installed pursuant to that order did not in itself interfere with the privacy of
his communications (see paragraphs 10, 11 and 13 above). It is also
significant that the Supreme Court found that Order no. 70 was technical
rather than legal in nature (see paragraph 128 above).
300. In view of the above considerations, the Court finds that Russian
law does not provide for effective remedies to a person who suspects that he
or she has been subjected to secret surveillance. By depriving the subject of
interception of the effective possibility of challenging interceptions
retrospectively, Russian law thus eschews an important safeguard against
the improper use of secret surveillance measures.
301. For the above reasons, the Court also rejects the Government’s
objection as to non-exhaustion of domestic remedies.
(θ) Conclusion
302. The Court concludes that Russian legal provisions governing
interceptions of communications do not provide for adequate and effective
guarantees against arbitrariness and the risk of abuse which is inherent in
any system of secret surveillance, and which is particularly high in a system
where the secret services and the police have direct access, by technical
means, to all mobile telephone communications. In particular, the
circumstances in which public authorities are empowered to resort to secret
surveillance measures are not defined with sufficient clarity. Provisions on
discontinuation of secret surveillance measures do not provide sufficient
guarantees against arbitrary interference. The domestic law permits
automatic storage of clearly irrelevant data and is not sufficiently clear as to
the circumstances in which the intercept material will be stored and
destroyed after the end of a trial. The authorisation procedures are not
capable of ensuring that secret surveillance measures are ordered only when
“necessary in a democratic society”. The supervision of interceptions, as it
is currently organised, does not comply with the requirements of
independence, powers and competence which are sufficient to exercise an
effective and continuous control, public scrutiny and effectiveness in
practice. The effectiveness of the remedies is undermined by the absence of
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 79

notification at any point of interceptions, or adequate access to documents

relating to interceptions.
303. It is significant that the shortcomings in the legal framework as
identified above appear to have an impact on the actual operation of the
system of secret surveillance which exists in Russia. The Court is not
convinced by the Government’s assertion that all interceptions in Russia are
performed lawfully on the basis of a proper judicial authorisation. The
examples submitted by the applicant in the domestic proceedings
(see paragraph 12 above) and in the proceedings before the Court
(see paragraph 197 above) indicate the existence of arbitrary and abusive
surveillance practices, which appear to be due to the inadequate safeguards
provided by law (see, for similar reasoning, Association for European
Integration and Human Rights and Ekimdzhiev, cited above, § 92; and, by
contrast, Klass and Others, cited above, § 59, and Kennedy, cited above,
§§ 168 and 169).
304. In view of the shortcomings identified above, the Court finds that
Russian law does not meet the “quality of law” requirement and is incapable
of keeping the “interference” to what is “necessary in a democratic society”.
305. There has accordingly been a violation of Article 8 of the
Convention.

II. ALLEGED VIOLATION OF ARTICLE 13 OF THE CONVENTION

306. The applicant complained that he had no effective remedy for his
complaint under Article 8. He relied on Article 13 of the Convention, which
reads as follows:
“Everyone whose rights and freedoms as set forth in [the] Convention are violated
shall have an effective remedy before a national authority notwithstanding that the
violation has been committed by persons acting in an official capacity.”
307. Having regard to the findings under Article 8 of the Convention in
paragraphs 286 to 300 above, the Court considers that, although the
complaint under Article 13 of the Convention is closely linked to the
complaint under Article 8 and therefore has to be declared admissible, it is
not necessary to examine it separately (see Liberty and Others, cited above,
§ 73).

III. APPLICATION OF ARTICLE 41 OF THE CONVENTION

308. Article 41 of the Convention provides:

80 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

“If the Court finds that there has been a violation of the Convention or the Protocols
thereto, and if the internal law of the High Contracting Party concerned allows only
partial reparation to be made, the Court shall, if necessary, afford just satisfaction to
the injured party.”

A. Damage

309. The applicant claimed 9,000 euros (EUR) in respect of non-

pecuniary damage.
310. The Government submitted that the claim was excessive, taking
into account that the applicant had challenged Russian law in abstracto
without being in any way personally affected by it. The finding of a
violation would therefore constitute sufficient just satisfaction.
311. The Court reiterates that, in the context of the execution of
judgments in accordance with Article 46 of the Convention, a judgment in
which it finds a violation of the Convention or its Protocols imposes on the
respondent State a legal obligation not just to pay those concerned any sums
awarded by way of just satisfaction, but also to choose, subject to
supervision by the Committee of Ministers, the general and/or, if
appropriate, individual measures to be adopted in its domestic legal order to
put an end to the violation found by the Court and make all feasible
reparation for its consequences in such a way as to restore as far as possible
the situation existing before the breach. Furthermore, in ratifying the
Convention, the Contracting States undertake to ensure that their domestic
law is compatible with it (see Association for European Integration and
Human Rights and Ekimdzhiev, cited above, § 111, with further references).
312. The Court considers that the finding of a violation constitutes
sufficient just satisfaction for any non-pecuniary damage caused to the
applicant.

B. Costs and expenses

313. Before the Chamber, the applicant claimed 26,579 Russian roubles
(RUB, about 670 euros (EUR) on the date of submission) for postal and
translation expenses. He relied on postal and fax service invoices and a
translation services contract.
314. Before the Grand Chamber, the applicant claimed 22,800 pounds
sterling (GBP, about EUR 29,000 on the date of submission) and
EUR 13,800 for legal fees. He relied on lawyers’ time-sheets. Relying on
bills and invoices, he also claimed GBP 6,833.24 (about EUR 8,700 on the
date of submission) for translation, travelling and other administrative
expenses.
315. The Government accepted the claim for costs and expenses made
before the Chamber because it was supported by documentary evidence. As
 ROMAN ZAKHAROV v. RUSSIA JUDGMENT 81

regards the claims for costs and expenses made before the Grand Chamber,
the Government submitted that the claims had been submitted more than a
month after the hearing. As regards the legal fees, the Government
submitted that part of those fees covered the work performed by the
representatives before the applicant had signed an authority form and that
there was no authority form in the name of Ms Levine. Furthermore, the
number of representatives and the number of hours spent by them on the
preparation of the case had been excessive. There was moreover no
evidence that the applicant had paid the legal fees in question or was under a
legal or contractual obligation to pay them. As regards the translation and
other administrative expenses, the Government submitted that the applicant
had not submitted any documents showing that he had paid the amounts
claimed. Nor had he proved that the translation expenses had been indeed
necessary, given that some of the applicant’s lawyers spoke Russian. The
rates claimed by the translators had been excessive. Lastly, the travelling
expenses had been also excessive.
316. According to the Court’s case-law, an applicant is entitled to the
reimbursement of costs and expenses only in so far as it has been shown
that these have been actually and necessarily incurred and are reasonable as
to quantum. In the present case, regard being had to the documents in its
possession and the above criteria, the Court considers it reasonable to award
the sum of EUR 40,000 covering costs under all heads, plus any tax that
may be chargeable to the applicant.

C. Default interest

317. The Court considers it appropriate that the default interest rate
should be based on the marginal lending rate of the European Central Bank,
to which should be added three percentage points.

FOR THESE REASONS, THE COURT

1. Joins, unanimously, to the merits the Government’s objections regarding
the applicant’s lack of victim status and non-exhaustion of domestic
remedies and declares the application admissible;

2. Holds, unanimously, that there has been a violation of Article 8 of the

Convention and dismisses the Government’s above-mentioned
objections;

3. Holds, unanimously, that there is no need to examine the complaint

under Article 13 of the Convention;
82 ROMAN ZAKHAROV v. RUSSIA JUDGMENT

4. Holds, by sixteen votes to one, that the finding of a violation constitutes

in itself sufficient just satisfaction for any non-pecuniary damage
sustained by the applicant;

5. Holds, unanimously,
(a) that the respondent State is to pay the applicant, within three
months, EUR 40,000 (forty thousand euros), plus any tax that may be
chargeable to the applicant, in respect of costs and expenses;
(b) that from the expiry of the above-mentioned three months until
settlement simple interest shall be payable on the above amount at a rate
equal to the marginal lending rate of the European Central Bank during
the default period plus three percentage points;

6. Dismisses, unanimously, the remainder of the applicant’s claim for just

satisfaction.

Done in English and French, and delivered at a public hearing in the

Human Rights Building, Strasbourg, on 4 December 2015.

Lawrence Early Dean Spielmann

Jurisconsult President

In accordance with Article 45 § 2 of the Convention and Rule 74 § 2 of

the Rules of Court, the following separate opinions are annexed to this
judgment:
(a) Concurring opinion of Judge Dedov;
(b) Partly dissenting opinion of Judge Ziemele.

D.S.
T.L.E.
 ROMAN ZAKHAROV v. RUSSIA – SEPARATE OPINIONS 83

CONCURRING OPINION OF JUDGE DEDOV

1. Competence of the Court to examine the domestic law in abstracto

As pointed out by the Government, doubts may exist as to the Court’s

competence to examine the quality and effectiveness of the domestic law in
abstracto without the applicant’s victim status being established and
without determining that there had been interference with his right to
respect for his private life in practice, and not merely theoretically.
This approach has already been used by the Court in interception cases in
order to prevent potential abuses of power. In two leading cases, Kennedy
v. the United Kingdom (no. 26839/05, §§ 122-123, 18 May 2010) and Klass
and Others v. Germany (6 September 1978, § 34, Series A no. 28), against
two prominent democratic States, namely the United Kingdom and the
Federal Republic of Germany, the Court confirmed the effectiveness of the
relevant domestic systems against arbitrariness. However, and regrettably,
we cannot ignore the fact that both of these States have recently been
involved in major well-publicised surveillance scandals. Firstly, the mobile
telephone conversations of the Federal Chancellor of Germany were
unlawfully intercepted by the national secret service; and secondly, the UK
authorities provided a US secret service with access to and information
about the former State’s entire communication database, with the result that
the US authorities were able to intercept all UK citizens without being
subject to any appropriate domestic safeguards at all.
This indicates that something was wrong with the Court’s approach from
the very outset. It would perhaps be more effective to deal with applications
on an individual basis, so that the Court has an opportunity to establish
interference and to find a violation of the Convention, as indeed it regularly
finds in relation to unjustified searches of applicants’ premises. Generally
speaking, the problem in those cases does not concern the authorisation
powers of the domestic courts, but the manner in which the judges authorise
the requests for investigative searches.
The Court’s approach can easily shift from the actual application of the
law to the potential for interference. Here are examples from the Kennedy
case:
“119. The Court has consistently held in its case-law that its task is not normally to
review the relevant law and practice in abstracto, but to determine whether the
manner in which they were applied to, or affected, the applicant gave rise to a
violation of the Convention (see, inter alia, Klass and Others, cited above, § 33; N.C.
v. Italy [GC], no. 24952/94, § 56, ECHR 2002-X; and Krone Verlag GmbH & Co. KG
v. Austria (no. 4), no. 72331/01, § 26, 9 November 2006)”;
and from the Klass case:
84 ROMAN ZAKHAROV v. RUSSIA – SEPARATE OPINIONS

“36...The Court finds it unacceptable that the assurance of the enjoyment of a right
guaranteed by the Convention could be thus removed by the simple fact that the
person concerned is kept unaware of its violation. A right of recourse to the
Commission for persons potentially affected by secret surveillance is to be derived
from Article 25 ..., since otherwise Article 8 ... runs the risk of being nullified”.
However, the German and English scandals referred to above confirm
that, sooner or later, the individual concerned will become aware of the
interception. One may find relevant examples in the Russian context (see
Shimovolos v. Russia, no. 30194/09, 21 June 2011). The applicant in the
present case is not aware of any interception of his communications, and
this fact cannot be ignored by the Court.
The Court has on many occasions avoided examining cases in abstracto
(see Silver and Others v. the United Kingdom, 25 March 1983, Series A
no. 61, § 79; Nikolova v. Bulgaria [GC], no. 31195/96, § 60, ECHR
1999-II; Nejdet Şahin and Perihan Şahin v. Turkey [GC], no. 13279/05,
§§ 68-70, 20 October 2011; Sabanchiyeva and Others v. Russia,
no. 38450/05, § 137, ECHR 2013; and Monnat v. Switzerland,
no. 73604/01, §§ 31-32, ECHR 2006-X). Thus, one can presume that the
interception cases are unique. We then need to know the reasons why the
Court should change its general approach when examining such cases. Yet
we have no idea about what those reasons might be. If the legislation creates
the risk of arbitrariness, then we need to see the outcome of that
arbitrariness. I am not sure that a few examples (unrelated to the applicant’s
case) prove that the entire system of safeguards should be revised and
strengthened. I would accept such an approach if the Court had a huge
backlog of individual repetitive petitions showing that Order no. 70 (on the
connection of interception equipment to operators’ networks) is not
technical in nature but that it creates a structural problem in Russia. If that is
the case, however, we need a pilot procedure and a pilot judgment.
Every case in which the Court has found a violation of the Convention
(more than 15,000 judgments) is based on the abuse of power, even where
the domestic legislation is of good quality. Every abuse of power is a
question of ethics, and cannot be eliminated by legislative measures alone.
The Court has consistently held that its task is not to review domestic law
and practice in abstracto or to express a view as to the compatibility of the
provisions of legislation with the Convention, but to determine whether the
manner in which they were applied or in which they affected the applicant
gave rise to a violation of the Convention (see, among other authorities, in
the Article 14 context, Religionsgemeinschaft der Zeugen Jehovas and
Others v. Austria, no. 40825/98, § 90, 31 July 2008).
Article 34 of the Convention does not institute for individuals a kind of
actio popularis for the interpretation of the Convention; it does not permit
individuals to complain against a law in abstracto simply because they feel
that it contravenes the Convention. In principle, it does not suffice for an
 ROMAN ZAKHAROV v. RUSSIA – SEPARATE OPINIONS 85

individual applicant to claim that the mere existence of a law violates his
rights under the Convention; it is necessary that the law should have been
applied to his detriment (see Klass, cited above, § 33). These principles
should not be applied arbitrarily.

2. Legislature and judiciary: the Court should respect differences

This case is very important in terms of the separation of functions

between the Court and the Parliamentary Assembly of the Council of
Europe, as it is necessary to separate the powers of the legislature and
judiciary. The Parliamentary Assembly adopts recommendations,
resolutions and opinions which serve as guidelines for the Committee of
Ministers, national governments, parliaments and political parties.
Ultimately, through conventions, legislation and practice, the Council of
Europe promotes human rights, democracy and the rule of law. It monitors
member States’ progress in these areas and makes recommendations
through independent expert monitoring bodies. The European Court of
Human Rights rules on individual or State applications alleging violations
of the civil and political rights set out in the European Convention on
Human Rights. Taking account of the above separation of functions, the
examination of a case in abstracto is similar to an expert report, but not to a
judgment.
Morten Kjaerum, Director of European Union Agency for Human Rights
(FRA), addressed a joint debate on fundamental rights at the European
Parliamentary Committee on Civil Liberties, Justice and Home Affairs
(LIBE) on 4 September 2014. The Director pointed out:
“The Snowden revelations of mass surveillance highlighted the fact that the
protection of personal data is under threat. The protection of the right to privacy is far
from sufficient when we look across Europe today. Following last year’s debates, we
very much welcome the European Parliament’s request to the Fundamental Rights
Agency to further investigate the fundamental rights and safeguards in place in the
context of large-scale surveillance programmes. And of course you will be informed
probably towards the end of this year about the findings of this particular request.
But it’s not only the big surveillance programmes. There are also misgivings about
oversight mechanisms in the area of general data protection. When we give data to
health authorities, to tax authorities, to other institutions, public or private. We see
from the work of the Fundamental Rights Agency that the national oversight
structures in the EU are currently too weak to fulfil their mission. Data protection
authorities, which are established in all Member States have an important role to play
in the enforcement of the overall data protection system, but the powers and resources
of national data protection authorities urgently needs to be strengthened and also their
independence needs to be guaranteed.
Finally, I would also highlight that those who are entrusted to store the data, whether
it is private or public, that the institutions need to be accountable, at a much stronger
level that we see today if the safeguards that they create are not sufficiently in place.”
86 ROMAN ZAKHAROV v. RUSSIA – SEPARATE OPINIONS

These remarks were addressed to the newly elected members of the

European Parliament (rather than to judges), raising issues of concern across
Europe and calling for more a sophisticated system of data protection. The
aim of the speech was to initiate public debate in order to find effective
measures and to promote proper ethical standards in society; the courtroom
is not a place for such a debate.
I would suggest that the Court more properly focus on a particular
interference and the effectiveness of the measures in place to prevent that
specific violation (as the Court usually does in all other categories of cases).
This is the Court’s primary task: to establish that an interference has taken
place and then to examine whether the interference was lawful and
necessary in a democratic society. It is ethically unacceptable for judges to
presume that every citizen in a particular country could be under unlawful
secret surveillance without knowledge of the facts. A judgment cannot be
built on the basis of allegations.
The Court has used many tools to fight against violations. One of them
was to find a violation of Article 10 on account of an intelligence service’s
refusal to provide information to the applicant organisation about
individuals placed under electronic surveillance for a specified period
(Youth Initiative for Human Rights v. Serbia, no. 48135/06, 25 June 2013).
In the operative part of that judgment, the Court invited the Government to
ensure that the disputed information was made available to the applicant
organisation (without waiting for measures to be proposed by the
Committee of Ministers). I recognize this as an effective measure and a
judicial success.

3. The “reasonable likelihood” approach should be developed

Establishment of the applicant’s victim status is an integral part of the

judicial process. Article 34 of the Convention provides that “the Court may
receive applications from any person, non-governmental organisation or
group of individuals claiming to be the victim of a violation by one of the
High Contracting Parties of the rights set forth in the Convention or the
Protocols thereto”. The notion of “victim” does not imply the existence of
prejudice (see Brumărescu v. Romania [GC], no. 28342/95, § 50, ECHR
1999-VII).
The Court has previously ruled that, while the existence of a surveillance
regime might interfere with privacy, a claim that this created a violation of
rights was justiciable only where there was a “reasonable likelihood” that a
person had actually been subjected to unlawful surveillance (see Esbester
v. the United Kingdom, no. 18601/91, Commission decision of 2 April
1993; Redgrave v. the United Kingdom, application no. 202711/92,
Commission decision of 1 September 1993; and Matthews v. the United
Kingdom, application no. 28576/95, Commission decision of 16 October
 ROMAN ZAKHAROV v. RUSSIA – SEPARATE OPINIONS 87

1996). These references are to inadmissibility decisions, since all of the

allegations of interception were considered manifestly ill-founded.
However, the Court changed its approach completely in the Klass case:
“... it could not be excluded that secret surveillance measures were applied
to him or that the applicant was potentially at risk of being subjected to such
measures” (Klass, cited above, §§ 125-129). Today we see that this change
in the case-law was not effective.
The term “reasonable likelihood” implies that there are negative
consequences for an applicant who is potentially subject to secret
surveillance, on account of certain information that is made available to the
authorities through interception, and excluding the possibility that this
information could be uncovered by other means. The Court made this
approach dangerously simple in order to examine the merits of these cases,
presuming that persons who are subject to secret supervision by the
authorities are not always subsequently informed of such measures against
them, and thus it is impossible for the applicants to show that any of their
rights have been interfered with. In these circumstances the Court concluded
that applicants must be considered to be entitled to lodge an application
even if they cannot show that they are victims. The applicants in the Klass
and Liberty (Liberty and Others v. the United Kingdom, no. 58243/00,
1 July 2008) cases were lawyers and theoretically “they could [have been]
subject to secret surveillance in consequence of contacts they may have with
clients who might be suspected of illegal activities” (Klass, § 37).
In the Kennedy case the applicant alleged that local calls to his telephone
were not being put through to him and that he was receiving a number of
time-wasting hoax calls. The applicant suspected that this was because his
mail, telephone and email communications were being intercepted, and the
Court took this into serious consideration, rejecting the Government’s
objections that the applicant had failed to show that there had been
interference for the purposes of Article 8, and that he had not established a
reasonable likelihood. The Court also rejected the non-exhaustion
submissions, in spite of the fact that the applicant had not checked the
quality of telecoms services with his operator, but had made subject access
requests to MI5 and GCHQ (the United Kingdom’s intelligence agencies
responsible for national security) under the Data Protection Act 1998.
Returning to the circumstances of the present case, it can reasonably be
concluded that the interconnection between the telecoms equipment and the
interception equipment does not necessary mean that interception of the
applicant’s telephone conversations has actually taken place. Nor can the
Court base its findings on the presumption of the “possibility of improper
action by a dishonest, negligent or over-zealous official” (see Klass, §§ 49,
50, 59; Weber and Saravia v. Germany (dec.), no. 54934/00, § 106, ECHR
2006-XI; Kennedy, §§ 153-154). Equally, the Court cannot presume in
general (in order to examine the case in abstracto) the existence of State
88 ROMAN ZAKHAROV v. RUSSIA – SEPARATE OPINIONS

violence against the opposition movements and other democratic

institutions in the respondent State, even if corresponding resolutions have
been adopted by the Parliamentary Assembly. The Court must maintain its
impartiality and neutrality.

4. Role of the judiciary in civil society

Nonetheless, I have voted for admissibility and for the finding of a

violation of Article 8 of the Convention on account of the fact that the
fundamental importance of safeguards to protect private communications
against arbitrary surveillance, especially in the non-criminal context, was
never addressed in the domestic proceedings. The Russian courts refused to
address the applicant’s allegations on the merits, mistakenly referring to the
technical nature of the impugned ministerial orders. As a national judge, I
cannot ignore the fact that a widespread suspicion exists in Russian society
that surveillance is exercised over political and economic figures, including
human-rights activists, opposition activists and leaders, journalists, State
officials, managers of State property – in other words, over all those who
are involved in public affairs. Such a suspicion is based on past experience
of the totalitarian regime during the Soviet era, and even on the long history
of the Russian Empire.
This judgment could serve as a basis for improving the legislation in the
sphere of operational and search activities and for establishing an effective
system of public control over surveillance. Moreover, this judgment
demonstrates that if widespread suspicion exists in society, and if there is no
other possibility for society to lift this suspicion without a social contract
and appropriate changes in national law and practice, then where the
problem is not identified by the other branches of power, the judiciary must
be active in order to facilitate those changes. This is even more obvious if
there are no other means available to protect democracy and the rule of law.
This is an important role which the judiciary must play in civil society.
The Court could be criticised for failing to provide more specific
reasoning for its in abstracto examination within the social context, with the
observation that the Court has merely followed its own Chamber case-law.
However, the judgment in the present case is a difficult one, since before
reaching their conclusion the judges had to take care to establish whether or
not all other means were useless. In contrast, in the case of Clapper
v. Amnesty International USA (568 U.S. ___ (2013), the US Supreme Court
failed to take a step forward, despite the existence of a mass surveillance
programme and “the widespread suspicion” of its existence (or, in other
words written by Justice Breyer in dissent, “[the harm] is as likely to take
place as are most future events that common-sense inference and ordinary
knowledge of human nature tell us will happen”). Instead, it rejected as
insufficient the argument by the plaintiffs (including human-rights, legal
 ROMAN ZAKHAROV v. RUSSIA – SEPARATE OPINIONS 89

and media organisations) that they were likely to be subject to surveillance

due to the nature of their work.
I shall stop here, leaving the discussions on judicial aggression, activism
or restraint for academics. I should like merely to close my opinion by
quoting Edward Snowden’s remark: “With each court victory, with every
change in the law, we demonstrate facts are more convincing than fear. As a
society, we rediscover that the value of the right is not in what it hides, but
in what it protects”.
90 ROMAN ZAKHAROV v. RUSSIA JUDGMENT SEPARATE OPINIONS

PARTLY DISSENTING OPINION OF JUDGE ZIEMELE

1. I fully agree with the finding of a violation in this case. The Court has
rendered a very important judgment on a matter of principle, since secret
surveillance as carried out in the manner described in the facts of the case is,
in its very essence, incompatible with the rule of law and the principles of
democracy.
2. It is especially in such a context that I cannot agree with the Court’s
decision not to award any compensation for the non-pecuniary damage
sustained. I consider that the applicant’s claim for damages was very
reasonable (see paragraph 309 of the judgment) and that the finding of a
violation, while very important as a matter of principle in this case, is not
appropriate satisfaction for the applicant’s specific situation. I therefore
voted against operative provision no. 4.
 FOURTH SECTION

CASE OF SZABÓ AND VISSY v. HUNGARY

(Application no. 37138/14)

JUDGMENT

STRASBOURG

12 January 2016

FINAL

06/06/2016
This judgment has become final under Article 44 § 2 of the Convention. It may be
subject to editorial revision.
 SZABÓ AND VISSY v. HUNGARY JUDGMENT 1

In the case of Szabó and Vissy v. Hungary,

The European Court of Human Rights (Fourth Section), sitting as a
Chamber composed of:
Vincent A. De Gaetano, President,
András Sajó,
Boštjan M. Zupančič,
Nona Tsotsoria,
Paulo Pinto de Albuquerque,
Krzysztof Wojtyczek,
Iulia Antoanella Motoc, judges,
and Fatoş Aracı, Deputy Section Registrar,
Having deliberated in private on 14 April and 15 December 2015,
Delivers the following judgment, which was adopted on the
last-mentioned date:

PROCEDURE
1. The case originated in an application (no. 37138/14) against Hungary
lodged with the Court under Article 34 of the Convention for the Protection
of Human Rights and Fundamental Freedoms (“the Convention”) by two
Hungarian nationals, Mr Máté Szabó and Ms Beatrix Vissy (“the
applicants”), on 13 May 2014.
2. The applicants were represented by Mr L. Majtényi, a lawyer
practising in Budapest. The Hungarian Government (“the Government”)
were represented Mr Z. Tallódi, Agent, Ministry of Justice.
3. The applicants complained under Article 8 of the Convention that
they could potentially be subjected to unjustified and disproportionately
intrusive measures within the framework of “section 7/E (3) surveillance”
(see paragraphs 10-12 below), in particular for want of judicial control. In
their view, the latter issue also constituted a violation of their rights under
Articles 6 and 13 of the Convention.
4. On 12 June 2014 the application was communicated to the
Government.
5. On 27 August and 1 September 2014, respectively, Privacy
International and Center for Democracy and Technology, both
non-governmental organisations, were granted leave to make written
submissions (Article 36 § 2 of the Convention and Rule 44 § 3 of the Rules
of Court).
2 SZABÓ AND VISSY v. HUNGARY JUDGMENT

THE FACTS

I. THE CIRCUMSTANCES OF THE CASE

6. The applicants were born in 1976 and 1986 respectively and live in
Budapest.
7. When introducing the application, the applicants were staff members
of Eötvös Károly Közpolitikai Intézet, a non-governmental, “watchdog”
organisation voicing criticism of the Government. The subsequent employer
of one of the applicants was subjected to financial control measures by the
Government in 2014, which according to the applicants verged on vexation.
8. Act no. CXLVII of 2010 defines combating terrorism as one of the
tasks of the police. Within the force, a specific Anti-Terrorism Task Force
(“TEK”) was established as of 1 January 2011. Its competence is defined in
section 7/E of Act no. XXXIV of 1994 on the Police, as amended by Act
no. CCVII of 2011 (the “Police Act”).
9. Under this legislation, TEK’s prerogatives in the field of secret
intelligence gathering include secret house search and surveillance with
recording, opening of letters and parcels, as well as checking and recording
the contents of electronic or computerised communications, all this without
the consent of the persons concerned.
10. The authorisation process for these activities is dependent on the
actual competence exercised by TEK, namely whether it is within the
framework of secret surveillance linked to the investigation of certain
specific crimes enumerated in the law (section 7/E (2)) or to secret
surveillance within the framework of intelligence gathering for national
security (section 7/E (3)).
11. Whereas the scenario under section 7/E (2) is as such subject to
judicial authorisation, the one under section 7/E (3) is authorised by the
Minister in charge of justice, (i) in order to prevent terrorist acts or in the
interests of Hungary’s national security or (ii) in order to rescue Hungarian
citizens from capture abroad in war zones or in the context of terrorist acts.
12. “Section 7/E (3) surveillance” takes place under the rules of the
National Security Act under the condition that the necessary intelligence
cannot be obtained in any other way. Otherwise, the law does not contain
any particular rules on the circumstances in which this measure can be
ordered, as opposed to “section 7/E (2) surveillance”, which is conditional
on the suspicion of certain serious crimes. The time-frame of
“section 7/E (3) surveillance” is 90 days, which can be prolonged for
another 90-day period by the Minister; however, the latter has no right to
know about the results of the ongoing surveillance when called on to decide
on its prolongation. Once the surveillance is terminated, the law imposes no
specific obligation on the authorities to destroy any irrelevant intelligence
obtained.
 SZABÓ AND VISSY v. HUNGARY JUDGMENT 3

13. The applicants filed a constitutional complaint on 15 June 2012,

arguing in essence that the sweeping prerogatives under section 7/E (3)
infringed their constitutional right to privacy. They emphasised that the
legislation on secret surveillance measures for national security purposes
provided fewer safeguards for the protection of the right to privacy than the
provision on secret surveillance linked to the investigation of particular
crimes. They pointed out that (i) “section 7/E (2) surveillance” was always
linked to a particular crime and could only be ordered for the purposes of
identifying or locating suspects, whereas “section 7/E (3) surveillance” was
not linked to any particular crime; (ii) “section 7/E (2) surveillance” was
always ordered by the court, whereas “section 7/E (3) surveillance” was
authorised by the government minister in charge of justice; (iii) the decision
on ordering “section 7/E (2) surveillance” was subject to detailed reasoning,
whereas no reasoning was included in the minister’s decision on ordering
“section 7/E (3) surveillance”; and (iv) under the legislation relating to
“section 7/E (2) surveillance”, all collected but irrelevant information had to
be destroyed within eight days, unlike in the case of “section 7/E (3)
surveillance”.
14. On 18 November 2013 the Constitutional Court dismissed the
majority of the applicants’ complaints. In one aspect the Constitutional
Court agreed with the applicants, namely, it held that the decision of the
minister ordering secret intelligence gathering had to be supported by
reasons. However, the Constitutional Court held in essence that the scope of
national security-related tasks was much broader that the scope of the tasks
related to the investigation of particular crimes. For the purpose of national
security, the events of real life were examined not for their criminal law
relevance; therefore they might not necessarily be linked to a particular
crime. Furthermore, in the context of national security, the external control
of any surveillance authorised by the minister was exercised by Parliament’s
National Security Committee (which had the right to call the minister to
give account both in general terms and in concrete cases) and by the
Ombudsman, and that this scheme was sufficient to guarantee respect for
the constitutional right to privacy of those concerned. Finally, the
Constitutional Court was of the opinion that the National Security Act,
which applies to “section 7/E (3) surveillance”, contained general provisions
on ex officio deletion of any data unnecessary for achieving the aim
underlying the gathering of intelligence.
15. This decision was published in the Official Gazette on 22 November
2013.

II. RELEVANT DOMESTIC LAW

16. Act no. XXXIV of 1994 on the Police (“the Police Act”) provides as
relevant:
4 SZABÓ AND VISSY v. HUNGARY JUDGMENT

Section 1
“(2) The police – within the scope of its duties as prescribed by the Fundamental
Law of Hungary, by this Act and by other laws for preventing and combating crimes,
administrating and policing – ...
15. ... within the territory of Hungary ...
a) tracks terrorist organisations,
b) prevents, tracks and repels any attempts of individuals, groups or organisations to
carry out terrorist acts and impedes the commission of any crimes by them,
c) impedes the promotion of the operation of terrorist organisations by individuals,
groups or organisations through providing financial or other support.”

Section 7/E
“(1) The anti-terrorist organ does not exercise any investigatory competence. It:
a) fulfils the tasks prescribed in section 1 subsection (2) point 15, and within these
tasks ...
ad) – within the framework of the fight against terrorism and in order to safeguard
the national security interests of Hungary – prevents, tracks and repels any attempts to
carry out terrorist acts (terrorcselekmény) in Hungary. ...
d) on the basis of the decision of the Minister responsible for policing as endorsed
by the Minister responsible for foreign affairs – in line with the rules of international
law – contributes to rescuing Hungarian citizens who are – outside the territory of
Hungary – in distress due to an imminent and life-threatening danger of act of war,
armed conflict, hostage-taking or terrorist action; to ensuring their safe return to
Hungary and to carrying out their evacuation; to this end it cooperates with the
Member States and the organs of the European Union, with the organs of the North
Atlantic Treaty Organization, with the related international organisations and with the
authorities of the concerned foreign country.
e) acquires, analyses, assesses and forwards information relating to foreign countries
or being of foreign origin which is required for fulfilling the task prescribed in section
d) above.
(2) The anti-terrorist organ may – for the purpose of fulfilling its tasks prescribed in
subsection (1) point a) sub-points aa) to ac) and in point c) – perform secret
intelligence gathering in line with the provisions of Chapter VII of the Act on Police.
(3) The anti-terrorist organ may – for the purpose of fulfilling its tasks prescribed in
subsection (1) point a) sub-point ad) and in point e) – perform secret intelligence
gathering in line with the provisions of sections 53-60 of Act no. CXXV of 1995 on
the National Security Services (the “Nbtv.”), in the course of which it may request and
handle data according to the provisions of sections 38-52 of Nbtv. The secret
intelligence gathering provided in section 56 points a)-e) of Nbtv. is subject to
authorisation of the Minister responsible for justice.”
The crime of “terrorist act” (terrorcselekmény) is defined in section 261
of the Old Criminal Code and sections 314 to 316 of the New Criminal
Code.
17. Act no. CXXV of 1995 on the National Security Services (the
“National Security Act”, “Nbtv.”) contains the passages below.
 SZABÓ AND VISSY v. HUNGARY JUDGMENT 5

Under section 11(5), complaints about the activities of the anti-terrorist

organ shall be investigated by the Minister of Home Affairs who shall
inform the complainants of the outcome of the investigations and of the
relevant measures within 30 days (this deadline may, on one occasion, be
extended by another 30 days).
Section 14(4) contains provisions concerning the relevant competences
of the National Security Committee. In exercising parliamentary
supervision, the Committee is entitled to request information from the
Minister and the directors of the national security services about the
country’s national security situation and the functioning and activities of the
services (sub-section (a)).
In individual complaint procedures, where a complainant does not accept
the results of the investigation under section 11(5), the Committee may
investigate complaints alleging unlawful activities on the part of the
National Security Services if, under the affirmative vote of at least one third
of the Committee members, the gravity of the complaint justifies an
investigation. In investigating a complaint the Committee shall examine the
complaint at issue and may request the Minister to submit his opinion on the
case. If the Committee is of the view that the operation of the Services has
been unlawful or abusive, it may request the Minister to conduct
investigations and to inform the Committee of the results of the
investigations or may itself carry out fact-finding investigations if it has the
impression that the operation of the Services is contrary to the relevant laws.
In carrying out the fact-finding investigations, the Committee may inspect
the relevant documents in the records of the National Security Services and
may hear staff members of the National Security Services. Relying on the
findings the Committee may invite the Minister to take the necessary
actions.

Section 43
“The National Security Services may use data having come to their knowledge
exclusively for the purpose that corresponds to the legal basis for ordering their
acquisition, except
a) if the data are indicative of the commission of a criminal act and forwarding the
data is legally allowed, or
b) if they substantiate an obligation to inform another National Security Service and
the party receiving the data is itself authorised to obtain them.”

Section 44
“(1) For the purpose of fulfilling their tasks the National Security Services may
request data from each other and are obliged to provide data to each other in line with
the provisions of this Act.
(4) The bodies requesting data disclosure shall be responsible for the management of
data disclosed to them according to the provisions of this Act and the data
6 SZABÓ AND VISSY v. HUNGARY JUDGMENT

management legislation; they shall register the data they receive and their utilisation
and, upon request, they shall inform the National Security Service thereof.”

Section 45
“(1) The National Security Services may, under an international obligation, transfer
personal data to foreign data processing authorities within the framework of laws on
protection of personal data.”

Section 50
“(2) Personal data processed by the National Security Services shall be deleted
immediately if
a) the deadline specified in subsection (1) has expired;
b) deletion was ordered by a court in data protection proceedings;
c) processing of the data is unlawful;
d) the conditions specified in section 60 (2) are met;
e) processing of the data became manifestly unnecessary.”

Section 53
“(2) The National Security Services may apply the special means and methods of
secret intelligence gathering only if the intelligence needed for the performance of the
tasks laid down in the present Act cannot be obtained in any other way.”

Section 56
“The National Security Services may, under an external permission
a) search a dwelling secretly and record by means of technical equipment what they
perceive;
b) keep a dwelling under surveillance by means of technical equipment and record
what they perceive;
c) open and check postal mail and any closed parcel belonging to an identifiable
person and record their contents by means of technical equipment;
d) detect the content of communications transmitted by electronic communications
network and record it by means of technical equipment;
e) detect the data transmitted by or contained on a computer or network, record it by
means of technical equipment and use it.”

Section 57
“(1) The motion to obtain permission for secret intelligence gathering as specified in
section 56 may be submitted by director generals of the Information Authority, the
Constitution Protection Authority, the Military National Security Service and – in
order to carry out its task specified in section 8 (1) f) above – the Special Service for
National Security.
(2) The motion shall contain:
 SZABÓ AND VISSY v. HUNGARY JUDGMENT 7

a) the premises of the secret intelligence gathering, the person(s) concerned

identified by name or as a range of persons, and/or any other information capable of
identifying such person or persons;
b) specification of the secret intelligence gathering and reasoning substantiating its
necessity;
c) the date of the beginning and the end of the activity;
d) in the case of a motion to obtain permission specified in section 59 below,
reasoning why the requested intelligence is absolutely necessary in the specific case
for the successful functioning of the National Security Service.”

Section 58
“(3) The ... Minister in charge of justice ... decides [on the motion] within 72 hours
to be counted from the motion’s submission ... [he] grants permission or, in case of an
ill-founded request, rejects it. No appeal lies against the decision.
(4) Unless this law stipulates otherwise, the authoriser allows the secret intelligence
gathering for a period of a maximum of 90 days upon each request. In justified cases
and upon a motion from the director generals, this time limit may be extended by 90
days, unless this law stipulates otherwise.
(6) The authoriser does not inform the person concerned about the proceedings or
about the occurrence of secret intelligence gathering.”

Section 59
“(1) The directors of the National Security Services themselves may [exceptionally]
authorise the secret gathering of information within the meaning of section 56 at the
latest until the decision given [by the Minister] if the external authorisation procedure
entails such delay as obviously countering, in the given circumstances, the interests of
the successful functioning of the National Security Service.”

Section 60
“(1) Secret intelligence gathering based on external permission shall be discontinued
immediately if
a) it achieved its aim defined in the permission;
b) its continuation does not promise any results;
c) its time-limit has been expired without extension;
d) the secret intelligence gathering is unlawful for any reasons whatsoever.
(2) In the framework of the special procedure defined in section 59 (1), secret
intelligence gathering shall also be discontinued immediately if the authoriser does
not permit its continuation. In that case, the data obtained by secret intelligence
gathering shall be destroyed immediately, according to the laws regulating the
deletion of qualified data.”
Section 74(a) defines the notion of national security interests in the
following terms:
“Securing the sovereignty and protecting the constitutional order of Hungary and,
within that framework,
8 SZABÓ AND VISSY v. HUNGARY JUDGMENT

aa) obtaining intelligence on aggressive efforts targeted against the independence

and territorial integrity of the country,
ab) obtaining intelligence on and combating covert efforts violating or threatening
the political, economic or defence interests of the country,
ac) obtaining information of foreign relevance or origin required for government
decisions,
ad) obtaining intelligence on and combating covert efforts aimed at altering or
disturbing by unlawful means the country’s constitutional order guaranteeing respect
for fundamental human rights, pluralist representational democracy, the constitutional
institutions and
ae) obtaining intelligence on and combating acts of terrorism, illegal arms and drugs
trafficking, and illegal trafficking in internationally controlled products and
technologies;”
18. Act no. CXI of 2011 on the Commissioner for Fundamental Rights
(“Ajbt.”) provides as follows:
Under section 18 (1) f), law enforcement organs – including the
anti-terrorist organ – are authorities subject to investigation by the
Ombudsman. There is only one limitation on the investigations conducted
by the Ombudsman: the report drafted on the secret intelligence activities of
organs authorised for using secret intelligence devices shall not contain data
from which the conclusion can be drawn that in the given case secret
intelligence activities were or have been carried out by the organ [cf. section
28(3)]. The Commissioner for Fundamental Rights shall annually submit a
report to Parliament about the investigated cases and may – except for
proposals for amendments – request Parliament to investigate any given
case. Where the finding of an abuse or maladministration affects classified
data, the Commissioner for Fundamental Rights shall – simultaneously with
the annual report or, if the abuse or maladministration is very grave or
affects a great number of natural persons, before the submission of the
annual report – submit the case to the competent parliamentary committee
in a report classified according to the Act on the Protection of Classified
Data.
The applicants submitted a statement obtained from the Commissioner’s
Office on 9 July 2014, according to which the Commissioner had never
enquired into the field of secret surveillance measures.
19. Act no. CLI of 2011 on the Constitutional Court provides as follows:

Section 26 (1)
“Persons or organisations affected by a particular case may, under Article 24 (2) c)
of the Fundamental Law, submit a constitutional complaint to the Constitutional Court
where due to the application in the related court proceedings of a piece of legislation
contravening the Fundamental Law,
a) their rights enshrined in the Fundamental Law have been violated, and
b) legal remedies have been exhausted or no remedy exists.
 SZABÓ AND VISSY v. HUNGARY JUDGMENT 9

(2) By way of derogation from subsection (1), such Constitutional Court

proceedings may, exceptionally, also be initiated where
a) the injury originated directly from the application or becoming effective of a
provision contravening the Fundamental Law, without a court decision, and
b) no procedure to redress the injury is available or the available remedies have
already been exhausted by the complainant. ...”

Section 27
“Against a judicial decision contravening the Fundamental Law within the meaning
of Article 24 (2) d.) of the Fundamental Law, a person or organisation affected by the
particular case may file a constitutional complaint with the Constitutional Court where
the decision on the merits of the case or another decision terminating the judicial
proceedings
a) has violated the complainant’s rights enshrined in the Fundamental Law, and
b) the complainant has already exhausted the legal remedies or no legal remedy
exists.”
20. Decision no. 32/2013. (XI.22.) AB of the Constitutional Court
establishing the constitutional requirement to be met in respect of
section 58 (3) of Nbtv. and rejecting the related constitutional complaint
contains the following passages:
“... 1. The Constitutional Court finds that ... in order to make the external control
effective, the decision of the Minister responsible for justice ... authorising secret
intelligence gathering must be supplied with reasons. ...
[42] 1.1. The regulations in force specify two types of secret intelligence gathering:
secret surveillance linked to the investigation of particular crimes and secret
surveillance not linked to the investigation of particular crimes. ...
[47] 1.2. Secret surveillance not linked to the investigation of particular crimes is
either not subject to external authorisation [sections 54-55 of Nbtv.] or is subject to
external authorisation [sections 54-55 of Nbtv.] In cases specified in the Act
authorisation means authorisation by a judge or by the Minister of Justice.
[48] According to the reasoning of Nbtv., from international practice several
examples can be mentioned for States making a distinction between intelligence
gathering linked to the investigation of particular crimes (including the closely related
fields of crime prevention and crime detection) and intelligence gathering carried out
for national security purposes.
[49] On the basis of this principle, a system of divided authorisation has been
adopted in the Act. For the purpose of detecting actual criminal offences, secret
intelligence gathering is authorised – similarly to the solution applied in the Act on the
Police – by a judge designated for the task by the President of the Budapest High
Court, whereas section 56 activities carried out in the course of general intelligence
gathering shall be authorised by the Minister of Justice. ...
[51] Section 53 (2) of Nbtv., according to which secret intelligence gathering may
only be carried out if the data required to perform the statutory tasks cannot be
obtained in any other manner, shall apply to both cases. ...
10 SZABÓ AND VISSY v. HUNGARY JUDGMENT

[62] Under section 14 (4) of Nbtv. Parliament’s National Security Committee shall
exercise control over the authorisation process of the Minister of Justice. ...
[69] 2. Secret intelligence gathering governed by Nbtv and not linked to the
investigation of particular crimes ... has not been examined by the Constitutional
Court yet. However, in its decision no. 2/2007. (I. 24.) AB (henceforth: Abh.1.) the
Constitutional Court specified the general aspects under which secret intelligence
gathering and secret surveillance are acceptable in a democratic, rule-of-law State.
[70] Since the content of Article B) (1) of the Fundamental Law is identical to the
content of Article 2 (1) of the former Constitution, and since from the rules of
interpretation applicable to the Fundamental Law no conclusion contrary to the above
opinion of the Constitutional Court can be inferred, the statements of principle made
on the necessity and proportionality of secret intelligence gathering can be
maintained.
[71] The Constitutional Court has also taken into consideration the Strasbourg
Court’s jurisprudence, as recalled in its former decisions. Cases related to “covert
investigations” were examined by the Court in light of the Convention provisions set
forth in Article 8 which protects the right to respect for private life. In its judgments
the Court held that in a democratic society the rights enshrined under Article 8 § 1 can
only be restricted within the limits specified in paragraph 2, that is only for the
purposes specified in that provision and only in case the necessity of the restriction is
justified.
[72] Lawfulness under the Court’s case law does not merely require that a given
restriction be specified under the law. The phrase “in accordance with the law”
requires that the regulation itself should meet the rule-of-law principles. Since secret
intelligence gathering does, per definition, exclude the possibility of an effective
remedy, it is imperative that the process authorising such information gathering
should contain sufficient guarantees for the protection of the rights of the individuals.
Therefore, the use of secret intelligence gathering must be subject to a three-stage
control: when the interference is ordered, while the interference is carried out and
when the interference is terminated. Control must be exercised by “bodies”
independent of the executive power. First of all, only constant, continuous and
mandatory control can guarantee that in a given case the requirement of
proportionality is not violated ....
[73] In its judgments the Court laid down the minimum requirements to be met by a
legal regulation on the use of secret intelligence devices. The Court emphasised that
since the interference with the fundamental rights is secret and since the use of such
devices provides “unpredictable” opportunities for the executive power, it is
indispensable that the procedures themselves provide sufficient guarantees for the
observance of the rights of the individuals. Therefore States must create precise and
detailed rules that can be abided by and accessed by the citizens. From the legal
regulation the competence of the authority applying such devices, the essence of the
measures and the manner of their practice should be clear and apparent. As to the
requirement of the clarity of rules the Court also pointed out that the laws should
specify the cases and circumstances which warrant such interference and the
conditions of the interference. As a minimum guarantee the laws should determine the
criteria based on which the scope of persons potentially affected can be determined
and should contain provisions regulating the documentation of the use of secret
intelligence devices and specifying the rules applicable to the protection and
destruction of the documentation. As to decision-making on the application of secret
intelligence devices, an excessively wide margin of appreciation may not be granted
 SZABÓ AND VISSY v. HUNGARY JUDGMENT 11

for the authorities (e.g. Valenzuela Contreras v. Spain (58/1997/842/1048)). As to the

application of secret intelligence devices, the requirement that access to the
information by outside persons should be restricted serves as an additional guarantee
(e.g. Kopp v. Switzerland (13/1997/797/1000) 25 March 1998).
[74] Use for a particular purpose means that secret intelligence devices may only be
used for reasons specified in Article 8 § 2 .... Compliance with the necessity test is
closely linked to this issue. It is a basic requirement that any interference should be
justified by pressing public interest and should be proportionate both to the danger
needed to be countered and to the injury caused.
[75] An examination of these issues should not be confined to scrutinising whether
the statutory conditions laid down for the restriction meet the necessity-
proportionality test but should also extend to examining the necessity of the use of
secret intelligence devices in the particular case. As to the requirement of necessity it
is of paramount importance that any use should only take place in case of
“aggravated” (serious) threat and only in case the traditional investigative means and
devices prove to be inefficient in the particular circumstances of a case; moreover, any
use of the secret intelligence devices should take place according to a strict procedure
that can be known in advance ...
[76] From the Convention and the relevant case law of the Court the Constitutional
Court has concluded that national security, public security and the prosecution of
crime are interests for which even covert investigations – which amount to serious
law-restricting devices – can be used where the above specified criteria are met.
[77] 3. The Constitutional Court has examined the contested provision within the
confines of the complainants’ complaint. The complainants challenged the anti-
terrorist organ’s secret intelligence gathering activities carried out for purposes other
than prosecuting crime. They alleged non-compliance with the Fundamental Law of
the contested provision by alleging that the provision at issue allowed for the anti-
terrorist organ’s secret intelligence gathering under Nbtv. – while Nbtv. contained no
guarantees for the observance of the fundamental rights at issue.
[78] The complainants did not make a distinction between the various stages of the
secret intelligence gathering (ordering, carrying out and terminating the interference)
but picked out some elements of the application [of this measure] and complained
about those elements. As to the ordering of the interference they complained that the
permission of the Minister responsible for justice did not constitute a sufficient
guarantee, in particular in view of the fact that the grounds on which the request for
authorisation can be made are not exhaustively enumerated. The complainants are of
the view that following the termination of the interference the fate of the information
irrelevant for the purposes of the surveillance and the fate of the data related to
persons not concerned in the case is not settled. ...
[80] Therefore, within the confines of the complaint the Constitutional Court must
examine whether the authorisation by the Minister responsible for justice of secret
intelligence gathering for the anti-terrorist organ and the handling of data following
the termination of the interference does or does not violate the fundamental rights
invoked, namely the right to privacy and the right to informational autonomy....
[92] 3.2. The Constitutional Court has first examined the constitutionality of the
authorisation by the Minister responsible for justice. The first phase of secret
surveillance is the ordering of the interference. Since in applying section 7/E (3) of the
Act on the Police (henceforth: Rtv.) the Minister responsible for justice gives – by
authorising the use of the secret intelligence gathering devices and methods listed in
12 SZABÓ AND VISSY v. HUNGARY JUDGMENT

section 56 a)-e) of Nbtv. – consent to a State interference which seriously violates

fundamental rights, the process of interference must be regulated under the law, the
prescribed norms must be clear, and the process must be subject to external control
mechanisms. ...
[94] ... The contested provision of Rtv. authorises the anti-terrorist organ to carry
out, in performing certain of its tasks, secret intelligence gathering under the Nbtv.
The Rtv. clearly specifies the two tasks for the performance of which secret
surveillance under the Nbtv. may be carried out: namely, the performance of the tasks
specified in section 7/E (1) a) and ad) and in section 7/E (1) e).
[95] The task specified under section 7/E (1) a) (subsection (ad)) to be performed in
the framework of combating terrorism is the prevention, detection and suppression of
endeavours to commit an act of terrorism in the territory of Hungary with a view to
promoting Hungary’s national security interests. Item e) refers back to item d) which
allows for the obtaining, analysing, assessing and forwarding of information on a
foreign State or originating in a foreign State in so far as the information is necessary
for the performance of the task specified there. The tasks specified under item d) are
participation in the rescue, return to Hungary and evacuation of Hungarian nationals
who have got into trouble due to acts of war or armed conflicts outside the territory of
Hungary imminently threatening the lives and limbs of Hungarian nationals or due to
terrorist acts or hostage-taking acts, as well as cooperation for such purposes with the
member States and institutions of the European Union, the organs of the North
Atlantic Treaty Organization, the international organisations concerned by the case
and the authorities of the foreign State at issue. These tasks shall be carried out upon a
decision to that effect taken by the Minister responsible for law enforcement in
agreement with the Minister responsible for foreign affairs.
[96] Section 7/E (3) of Rtv., contested by the complainants, refers to Nbtv. and
repeats the Nbtv. rules on secret intelligence gathering (sections 53-60) and the
handling of the acquired data [sections 38-52]. Section 7/E (3) of Rtv. provides for the
application, mutatis mutandis, of the Nbtv. provisions both to the investigation of a
complaint about an activity of the anti-terrorist organ, and to the parliamentary control
of the anti-terrorist organ and to the investigation of a report alleging unlawful
operation on the part of the anti-terrorist organ [section 11 (5), section 14 (1)-(2) and
(4) a)-f) and (5), section 15 (3), section 16, section 18 and section 27 (4) of Nbtv.]
Moreover, the contested provision clearly provides that the Minister responsible for
justice shall be entitled to authorise the use, within the scope of the statutory tasks, of
the secret intelligence devices enumerated in an exhaustive list. Therefore section
7/E (3) of Rtv. meets the requirement of being prescribed by law and the requirement
of clarity of norms, as it sufficiently specifies the conditions of ordering and the
circumstances of executing the measure regulated in the Act.
[97] Thereafter the Constitutional Court has proceeded to examine whether in the
given case the authorisation of secret intelligence gathering by the Minister
responsible for justice provided sufficient guarantees for the observance of the
fundamental rights of the individuals. ...
[102] Secret intelligence gathering for the purposes of national security may only
take place under Section 7/E (1) a) ad) or e) of Rtv., that is in order to combat
endeavours to commit an act of terrorism in the territory of Hungary and in relation to
the protection of Hungarian nationals have got into trouble in a foreign country. ...
[105] The scope of national security-related tasks is much broader than the scope of
the tasks related to the investigation of particular crimes as for the purposes of
national security the events of real life are examined not for their criminal law
 SZABÓ AND VISSY v. HUNGARY JUDGMENT 13

relevance, and those events do not necessarily entail legal consequences. Identifying
and combating endeavours aimed at committing acts having relevance from the
aspects of securing the sovereignty of the State and of protecting the lawful order of
the State may fall outside the sphere of particular criminal offences. Therefore
national security-related tasks are not comparable to secret intelligence gathering
linked to investigating a crime, which is carried out under section 69 of Rtv. and is
subject to authorisation by a court. The prevention and elimination of risks to national
security require political decisions, therefore decisions of this type fall in the
competence of the executive power. This consideration justifies that general character
secret intelligence gathering should be authorised by the Minister responsible for
justice.
[106] However, in granting the authorisation the Minister responsible for justice
must weigh the interests of national security against the injury done to the
fundamental rights. Therefore in addition to assessing the national security interests of
the country from a political (home and foreign affairs) aspect, the person granting the
authorisation should also strike a fair balance between the interests of national
security and fundamental rights. In doing so, it must start from the principle that secret
intelligence methods for national security purposes may only be used even by the anti-
terrorist organ as a last resort means of detection. Section 53 (2) of Nbtv. clearly
provides for the ultima ratio nature of secret intelligence methods: the special devices
and methods of secret intelligence gathering can only be used where the data needed
for the completion of a prescribed task cannot be obtained in any other way, namely
by the traditional means of detection. This provision of Nbtv. is intended to serve as a
legal guarantee similar to that which the specification in the law of the acts amounting
to criminal offences constitutes in the context of secret intelligence gathering linked to
the investigation of a particular crime and carried out upon the suspicion of an
offence.
[107] ... The request for authorisation must be supported with reasons. The ...
grantor of the authorisation shall base his decision on the content of the request: the
request shall be granted or, in case of ill-foundedness, rejected. Hence, in case the
requesting authority cannot sufficiently justify that the data required for performing its
tasks cannot be acquired in any other manner no authorisation for the use of
intelligence devices and methods shall be given. ...
[114] As to the ordering and carrying out of the secret intelligence gathering
external control is a fundamental guarantee. Control over the activities performed by
the anti-terrorist organ under the rules of Nbtv. is exercised by the National Security
Committee (henceforth: Committee) of the Parliament ... Upon the Committee’s
request the Minister of Justice shall provide information on the nature of the
authorised information gathering and on the type of the case (section 14(4) b) Nbtv.).
[115] The Committee may acquire information about irregularities related to the
operation of the Services (anti-terrorist organ) from, among others, its own inquiries,
from citizen complaints or from information from the staff members of the Services.
...
[119] Nbtv. sets one single bar to the Committee’s control: the Committee may not
learn of information which might endanger the prime importance national security
interests in protecting the methods and sources (participating persons) relied on in the
case at issue (section 16(1) of Nbtv.) .
[120] The operation of the National Security Services and of the anti-terrorist organ
and of the Minister of justice’s authorising activity can be controlled, in addition to
the Parliament, by the Parliamentary Commissioner for Fundamental Rights as well.
14 SZABÓ AND VISSY v. HUNGARY JUDGMENT

[121] Under section 18 (1) f) of Act no. CXI of 2011 on the Parliamentary
Commissioner for Fundamental Rights (henceforth: Ajbt.) law enforcement organs,
including the anti-terrorist organ, are authorities that can be examined by the
Ombudsman. ... Hence no obstacle exists to an examination by the Ombudsman, the
only bar being that – similarly to the control by Parliament – the report made on the
examination of the secret intelligence activities of the authorities authorised for using
secret intelligence devices and methods may not contain data from which the secret
intelligence gathering activities carried out by the organ in the case at issue can be
inferred (section 28(3)). The Commissioner for Fundamental Rights may present, in
case the conditions specified under section 38 of Ajbt. are met, the cases examined by
him to Parliament in an annual report and may, with the exception of motions for
amendments, request Parliament to examine a case. ...
[122] On the basis of the above information the Constitutional Court has concluded
that Nbtv. allows for the control of the authorisation granting of the Minister of
Justice by bodies independent of the executive power. ...
[124] 3.3 In examining the reference in section 7/E (3) of Rtv. the Constitutional
Court has observed that section 58 (3) of Nbtv. does not expressly provide for a
reasoned decision ...
[127] A necessary element of any judicial decision to be taken on secret intelligence
gathering under the Rtv. is an examination of the compliance of the request for
authorisation with the statutory requirements. ...
[128] [...] The reference in section 7/E (3) of Rtv. also requires authorisation from
the Minister of Justice for national security-related secret intelligence gathering
carried out by the anti-terrorist organ, which is part of the Police Service, in order to
combat endeavours to commit an act of terrorism in the territory of Hungary or in
relation to the protection of Hungarian nationals who have got into trouble in a foreign
country. ...
[130] Since Nbtv. does not expressly require the Minister of Justice to issue a
reasoned decision, the authoriser is under no obligation to provide reasoning. In the
absence of reasoning, however, no posterior understanding, analysis or review of the
aspects and reasons giving rise to the decision in a particular case is possible for those
who exercise external control.
[131] Though section 58 (3) of Nbtv. prescribes that the authorisation grantor shall
base his decision on the content of the request, this content is, per definition, one-
sided since in arguing for the necessity of the secret information gathering the request
will solely invoke national security interests. The authorisation grantor must strike a
fair balance between the interests of national security and fundamental rights
enshrined under Article VI (1)-(2) of the Fundamental Law for persons affected by
secret intelligence gathering and must ensure, in addition to determining the necessity
of the restriction, that the restriction is proportionate. ...
[132] Given that the special nature of secret surveillance excludes the possibility of
a remedy, a restriction of the right to privacy and of the right to informational
autonomy that is proportionate to the protection of national security will require
effective external control already in granting the authorisation for the use of the secret
intelligence devices.
[133] The National Security Committee and the Commissioner for Fundamental
Rights may only constitute effective external control over the authorisation activity of
the Minister of Justice if the Minister’s decision authorising the secret surveillance
contains sufficiently detailed reasons. The reasons should be of a depth and detail that
 SZABÓ AND VISSY v. HUNGARY JUDGMENT 15

enable those who exercise the external control to review the balance struck between
the interests of national security and the fundamental rights at issue.
[134] Upon the authorisation granted in section 46 (3) of Abtv., in order to ensure
effective external control, the Constitutional Court has laid down as a constitutional
requirement ensuring compliance with Article VI (1)-(2) of the Fundamental Law that
in applying section 58 (3) of Nbtv. the decision of the Minister responsible for justice
ordering secret intelligence gathering must be supported by reasons.
[135] 3.4. Thereafter the Constitutional Court has examined whether the data
handling by the anti-terrorist organ following the termination of the secret intelligence
gathering violates the right to informational autonomy. The complainants complained
that Nbtv., contrary to Rtv., fails to provide for the deletion of such recorded
information which is irrelevant for the purposes of the surveillance and of data which
are related to persons not concerned by the case. ...
[138] Based on the above considerations the Constitutional Court has established
that though Nbtv., contrary to section 73 (3) of Rtv., does not expressly provide for
the deletion of such recorded information which is irrelevant for the purposes of the
surveillance and of data which are related to persons not concerned by the case, from
the joint interpretation of the phrase “obviously unnecessary” in section 50 (2) e) and
of section 43 of Nbtv. it clearly follows that any data unnecessary for achieving the
aim serving as a legal ground for the data acquisition, in particular the data related to
persons not concerned by the case, must be deleted ex officio. Therefore the above
regulation meets the principle of being purpose-bound and is suitable to prevent
storing data acquisition. Moreover, Nbtv. allows for the concerned persons to file a
request for the deletion of their personal data, which request can only be rejected by
the Chief Director on specific grounds. External control exists over the data
processing as well, since the reasons for the rejection of a request must also be sent to
the National Data-Protection and Information Freedom Authority [section 48 of
Nbtv.].
[139] Therefore the Constitutional Court dismisses, in this respect as well, the
complaint alleging non-compliance of the contested provision with the Fundamental
Law and seeking the annulment of the contested provision. ...”

III. EUROPEAN COMMISSION FOR DEMOCRACY THROUGH LAW

(“THE VENICE COMMISSION”)

21. The Report on the Democratic oversight of the Security Services

adopted by the Venice Commission at its 71st Plenary Session (Venice,
1-2 June 2007) (CDL-AD(2007)016-e) contains the following passages:
“81. In the light of the importance and nature of the interests at stake, security
intelligence gathering is one of the main areas of national decision-making which a
government is most unwilling to submit to national legislative scrutiny and judicial
review and, a fortiori, to international supervision and control.
82. For a variety of reasons, there can be tension as regards national security policy,
not only between the governing party and the political opposition in a State, but also
constitutional tension between the executive and the legislative power, tension within
a government (especially a coalition government), and tension between political
masters and the staff of security intelligence agencies. A large degree of secrecy must
accompany national security policy making and operations. However secrecy also has
16 SZABÓ AND VISSY v. HUNGARY JUDGMENT

the effect of increasing the government’s control over policy at the expense of the
legislative power, and of insulating the former from criticism. This is exacerbated by
the fact that nowadays, there is a link between “external” and “internal” threats to the
State. Accordingly, security and intelligence information tends to form an indivisible
whole. ...
86. It is particularly important, as regards the limited scope of parliamentary and
judicial control, to note the special nature of security intelligence. The heart of a
security agency is its intelligence files. “Hard” data, purely factual information, is
insufficient for a security agency, or for that matter, any police organization. It also
needs to gather speculative intelligence in order to determine which people are, or are
probably or possibly, threatening national security. This information can be obtained
in different ways. A large proportion of non-open source internal security information
comes from informants. Like factual information, such “soft intelligence” can, and
must if the agency is to do its job properly, be collated to produce a personality profile
of a suspect or an analysis of a suspected activity. ...

VII. Internal and Governmental Controls as part of overall accountability systems

130. Internal control of security services is the primary guarantee against abuses of
power, when the staff working in the agencies are committed to the democratic values
of the State and to respecting human rights. External controls are essentially to
buttress the internal controls and periodically ensure these are working properly.
131. Internal controls mean in the first place that the senior management of the
agency must exercise efficient control in practice over the lower ranks of the agency.
134. Just as strong internal controls are a precondition for effective executive
control over the security agency, a strong executive control over the security agency is
a precondition for adequate parliamentary accountability, given that access by
parliament to intelligence usually depends on the executive. The same is less true for
expert review/authorization systems, to the extent that these have their own access to
officials and intelligence material ...
137. In order to provide for impartial verification and assurance for the government
that secret agencies are acting according to its policies, effectively and with propriety,
a number of countries have devised offices such as Inspectors-General, judicial
commissioners or auditors to check on the activities of the security sector and with
statutory powers of access to information and staff.

VIII. Parliamentary accountability

150. There are several reasons why parliamentarians should be involved in the
oversight of security agencies. Firstly, the ultimate authority and legitimacy of
security agencies is derived from legislative approval of their powers, operations and
expenditure. Secondly, there is a risk that the agencies may serve narrow political or
sectional interests, rather than the State as a whole and protecting the constitutional
order, if democratic scrutiny does not extend to them. A stable, politically bi-partisan
approach to security may be ensured therefore by proper control, to the benefit of the
State and the agencies themselves.
153. From a comparative international perspective, the most frequent arrangement
is for parliament to establish a single oversight body for all the major security and
intelligence agencies, rather than having multiple oversight bodies for specific
agencies.
 SZABÓ AND VISSY v. HUNGARY JUDGMENT 17

IX. Judicial Review and Authorization

195. Judicial control over internal security services can take different forms. First,
there is prior authorization in a pre-trial phase, and/or post hoc review, of special
investigative measures, such as telephone tapping, bugging and video surveillance.
This is the normal practice in European States.
204. Nonetheless, there is an obvious advantage of requiring prior judicial
authorization for special investigative techniques, namely that the security agency has
to go “outside of itself” and convince an independent person of the need for a
particular measure. It subordinates security concerns to the law, and as such it serves
to institutionalize respect for the law. If it works properly, judicial authorization will
have a preventive effect, deterring unmeritorious applications and/or cutting down the
duration of a special investigative measure. The Parliamentary Assembly has earlier
expressed a clear preference for prior judicial authorization of special investigative
measures (depending on the type of measures).

X. Accountability to expert bodies

218. Expert bodies can serve as either a supplement or a replacement for
parliamentary bodies or judicial accountability...
219. An expert body allows for greater expertise and time in the oversight of
security and intelligence services and avoids the risks of political division and
grand-standing to which parliamentary committees can be prone. The body may be
full or part time, but even if it is part time, the supervision exerted is likely to be more
continuous than that exercised by a parliamentary body, the members of which have
many other political interests and responsibilities. The members’ tenure can be made
longer than the standard electoral period, something which is particularly important as
intelligence has, as already mentioned ..., a relatively long “learning curve”.
220. Like parliamentary oversight, the mandate of an expert body can be
institutional, meaning that it can be established to exercise supervision only over a
specific internal security body (this is in contrast to functional review discussed
below) ...
222. It is, however, important that the scope of the review is drawn carefully, to
avoid disputes as to whether a particular activity falls within the body’s mandate and
to avoid overlaps with other accountability mechanisms, in particular judicial controls
over police powers and Ministerial accountability to parliament.

XI. Complaints mechanisms

241. Clearly it is necessary for individuals who claim to have been adversely
affected by the exceptional powers of security and intelligence agencies, such as
surveillance or security clearance, to have some avenue for redress. Quite apart from
strengthening accountability, complaints may also help to lead to improved
performance by the agencies through highlighting administrative failings. The
requirements of human rights treaties, and especially the European Convention on
Human Rights, with its protections of fair trial, respect for private life and the
requirement of an effective remedy must obviously also be borne in mind.
242. Plainly, though, legitimate targets of a security or intelligence agency should
not be able to use a complaints system to find out about the agency’s work.
A complaints system should balance, on the one hand, independence, robustness and
fairness, and, on the other hand, sensitivity to security needs. Designing such a system
is difficult but not impossible.
18 SZABÓ AND VISSY v. HUNGARY JUDGMENT

243. Individuals who allege wrongdoing by the State in other fields routinely have a
right of action for damages before the courts. The effectiveness of this right depends,
however, on the knowledge of the individual of the alleged wrongful act, and proof to
the satisfaction of the courts. As already mentioned, for a variety of reasons, the
capacity of the ordinary courts to serve as an adequate remedy in security fields is
limited. The case law of the European Court of Human Rights ... makes it very clear
that a remedy must not simply be on paper.
244. An alternative is to allow an investigation and report into a complaint against
an agency by an independent official, such as an ombudsman....
245. In these ombudsman-type systems, the emphasis is on an independent official
investigating on behalf of the complainant. These independent offices usually exist to
deal with an administrative failure by public bodies, rather than a legal error. Their
investigations may give less emphasis to the complainant’s own participation in the
process and to transparency than would be the case with legal proceedings. Typically
an investigation of this type will conclude not with a judgment and formal remedies,
but with a report, and (if the complaint is upheld) a recommendation for putting
matters right and future action...
246. A less common variation is for a State to use a parliamentary or expert
oversight body to deal with complaints and grievances of individuals.... There may be
a benefit for a parliamentary oversight body in handling complaints brought against
security and intelligence agencies since this will give an insight into potential failures
– of policy, legality and efficiency. On the other hand, if the oversight body is too
closely identified with the agencies it oversees or operates within the ring of secrecy,
the complainant may feel that the complaints process is insufficiently independent. In
cases where a single body handles complaints and oversight it is best if there are quite
distinct legal procedures for these different roles.
247. On the whole it is preferable that the two functions be given to different bodies
but that processes are in place so that the oversight body is made aware of the broader
implications of individual complaints. This approach is also supported by the ECHR.
The requirement in ECHR Article 13 of a mechanism for remedies for alleging
violations of Convention rights which is independent from the authorization process
means that a State’s control system, e.g. for data processing, may pass the test of
“accordance with the law” and “necessity in a democratic society” but that the
absence of a remedy means that there is nonetheless a violation of the Convention. As
already mentioned, the ECtHR has stated that a remedy must be effective in law and
fact. It should be noted in particular that the ECtHR has ruled that a data inspection
authority which is independent, and which has formal competence in law to award a
remedy for the holding of inaccurate, inappropriate etc. security data, but which in
fact lacks the expertise to evaluate this data, is not an effective remedy within the
meaning of Article 13.
249. In some countries, not only individuals but also members of the services are
permitted to bring service-related issues to the attention of an ombudsman or
parliamentary oversight body...
250. Another method of handling complaints is through a specialist tribunal.”
 SZABÓ AND VISSY v. HUNGARY JUDGMENT 19

IV. OTHER RELEVANT INTERNATIONAL TEXTS

22. Several elements of international law, relevant in this context, are

outlined in the judgment Dragojević v. Croatia (no. 68955/11, §§ 62 to 66,
15 January 2015).
23. In Digital Rights Ireland v Minister for Communications & Others,
(cases C-293/12 and C-594/12, 8 April 2014), the Court of Justice of the
European Union held as follows:
“26. In that regard, it should be observed that the data which providers of publicly
available electronic communications services or of public communications networks
must retain, pursuant to Articles 3 and 5 of Directive 2006/24, include data necessary
to trace and identify the source of a communication and its destination, to identify the
date, time, duration and type of a communication, to identify users’ communication
equipment, and to identify the location of mobile communication equipment, data
which consist, inter alia, of the name and address of the subscriber or registered user,
the calling telephone number, the number called and an IP address for Internet
services. Those data make it possible, in particular, to know the identity of the person
with whom a subscriber or registered user has communicated and by what means, and
to identify the time of the communication as well as the place from which that
communication took place. They also make it possible to know the frequency of the
communications of the subscriber or registered user with certain persons during a
given period.
27. Those data, taken as a whole, may allow very precise conclusions to be drawn
concerning the private lives of the persons whose data has been retained, such as the
habits of everyday life, permanent or temporary places of residence, daily or other
movements, the activities carried out, the social relationships of those persons and the
social environments frequented by them.
...
52. So far as concerns the right to respect for private life, the protection of that
fundamental right requires, according to the Court’s settled case-law, in any event,
that derogations and limitations in relation to the protection of personal data must
apply only in so far as is strictly necessary (Case C-473/12 IPI EU:C: 2013:715,
paragraph 39 and the case-law cited).
...
62. In particular, Directive 2006/24 does not lay down any objective criterion by
which the number of persons authorised to access and subsequently use the data
retained is limited to what is strictly necessary in the light of the objective pursued.
Above all, the access by the competent national authorities to the data retained is not
made dependent on a prior review carried out by a court or by an independent
administrative body whose decision seeks to limit access to the data and their use to
what is strictly necessary for the purpose of attaining the objective pursued and which
intervenes following a reasoned request of those authorities submitted within the
framework of procedures of prevention, detection or criminal prosecutions. Nor does
it lay down a specific obligation on Member States designed to establish such limits.”
24. The 2013 Report of the United Nations Special Rapporteur on the
promotion and protection of the right to freedom of opinion and expression,
Frank La Rue, contains the following conclusions and recommendations:
20 SZABÓ AND VISSY v. HUNGARY JUDGMENT

“78. Communications techniques and technologies have evolved significantly,

changing the way in which communications surveillance is conducted by States.
States must therefore update their understandings and regulation of communications
surveillance and modify their practices in order to ensure that individuals’ human
rights are respected and protected.
79. States cannot ensure that individuals are able to freely seek and receive
information or express themselves without respecting, protecting and promoting their
right to privacy. Privacy and freedom of expression are interlinked and mutually
dependent; an infringement upon one can be both the cause and consequence of an
infringement upon the other. Without adequate legislation and legal standards to
ensure the privacy, security and anonymity of communications, journalists, human
rights defenders and whistleblowers, for example, cannot be assured that their
communications will not be subject to States’ scrutiny.
80. In order to meet their human rights obligations, States must ensure that the
rights to freedom of expression and privacy are at the heart of their communications
surveillance frameworks. To this end, the Special Rapporteur recommends the
following:

A. Updating and strengthening laws and legal standards

81. Communications surveillance should be regarded as a highly intrusive act that
potentially interferes with the rights to freedom of expression and privacy and
threatens the foundations of a democratic society. Legislation must stipulate that State
surveillance of communications must only occur under the most exceptional
circumstances and exclusively under the supervision of an independent judicial
authority. Safeguards must be articulated in law relating to the nature, scope and
duration of the possible measures, the grounds required for ordering them, the
authorities competent to authorize, carry out and supervise them, and the kind of
remedy provided by the national law.
82. Individuals should have a legal right to be notified that they have been subjected
to communications surveillance or that their communications data has been accessed
by the State. Recognizing that advance or concurrent notification might jeopardize the
effectiveness of the surveillance, individuals should nevertheless be notified once
surveillance has been completed and have the possibility to seek redress in respect of
the use of communications surveillance measures in their aftermath.
83. Legal frameworks must ensure that communications surveillance measures:
(a) Are prescribed by law, meeting a standard of clarity and precision that is
sufficient to ensure that individuals have advance notice of and can foresee their
application;
(b) Are strictly and demonstrably necessary to achieve a legitimate aim; and
(c) Adhere to the principle of proportionality, and are not employed when less
invasive techniques are available or have not yet been exhausted.
84. States should criminalize illegal surveillance by public or private actors. Such
laws must not be used to target whistleblowers or other individuals seeking to expose
human rights violations, nor should they hamper the legitimate oversight of
government action by citizens.
85. The provision of communications data by the private sector to States should be
sufficiently regulated to ensure that individuals’ human rights are prioritized at all
times. Access to communications data held by domestic corporate actors should only
 SZABÓ AND VISSY v. HUNGARY JUDGMENT 21

be sought in circumstances where other available less invasive techniques have been
exhausted.
86. The provision of communications data to the State should be monitored by an
independent authority, such as a court or oversight mechanism. At the international
level, States should enact Mutual Legal Assistance Treaties to regulate access to
communications data held by foreign corporate actors.
87. Surveillance techniques and practices that are employed outside of the rule of
law must be brought under legislative control. Their extra-legal usage undermines
basic principles of democracy and is likely to have harmful political and social effects.

B. Facilitating private, secure and anonymous communications

88. States should refrain from compelling the identification of users as a
precondition for access to communications, including online services, cybercafés or
mobile telephony.
89. Individuals should be free to use whatever technology they choose to secure
their communications. States should not interfere with the use of encryption
technologies, nor compel the provision of encryption keys.
90. States should not retain or require the retention of particular information purely
for surveillance purposes.

C. Increasing public access to information, understanding and awareness of threats

to privacy
91. States should be completely transparent about the use and scope of
communications surveillance techniques and powers. They should publish, at
minimum, aggregate information on the number of requests approved and rejected, a
disaggregation of the requests by service provider and by investigation and purpose.
92. States should provide individuals with sufficient information to enable them to
fully comprehend the scope, nature and application of the laws permitting
communications surveillance. States should enable service providers to publish the
procedures they apply when dealing with State communications surveillance, adhere
to those procedures, and publish records of State communications surveillance.
93. States should establish independent oversight mechanisms capable to ensure
transparency and accountability of State surveillance of communications.
94. States should raise public awareness on the uses of new communication
technologies in order to support individuals in properly assessing, managing,
mitigating and making informed decisions on communications-related risks.

D. Regulating the commercialization of surveillance technology

95. States should ensure that communications data collected by corporate actors in
the provision of communications services meets the highest standards of data
protection.
96. States must refrain from forcing the private sector to implement measures
compromising the privacy, security and anonymity of communications services,
including requiring the construction of interception capabilities for State surveillance
purposes or prohibiting the use of encryption.
97. States must take measures to prevent the commercialization of surveillance
technologies, paying particular attention to research, development, trade, export and
22 SZABÓ AND VISSY v. HUNGARY JUDGMENT

use of these technologies considering their ability to facilitate systematic human rights
violations.

E. Furthering the assessment of relevant international human rights obligations

98. There is a significant need to advance international understanding on the
protection of the right to privacy in light of technological advancements. The Human
Rights Committee should consider issuing a new General Comment on the right to
privacy, to replace General Comment No. 16 (1988).
99. Human rights mechanisms should further assess the obligations of private actors
developing and supplying surveillance technologies.”
25. The European Parliament resolution of 12 March 2014 on the US
NSA surveillance programme, surveillance bodies in various Member States
and their impact on EU citizens’ fundamental rights and on transatlantic
cooperation in Justice and Home Affairs contains the following passages:

The impact of mass surveillance

“...
G. whereas the revelations since June 2013 have caused numerous concerns within
the EU as to: ...
- the possibility of these mass surveillance operations being used for reasons other
than national security and the fight against terrorism in the strict sense, for example
economic and industrial espionage or profiling on political grounds;
- the undermining of press freedom and of communications of members of
professions with a confidentiality privilege, including lawyers and doctors;
- the respective roles and degree of involvement of intelligence agencies and private
IT and telecom companies;
- the increasingly blurred boundaries between law enforcement and intelligence
activities, leading to every citizen being treated as a suspect and being subject to
surveillance;
- the threats to privacy in a digital era and the impact of mass surveillance on
citizens and societies;
...
T. whereas fundamental rights, notably freedom of expression, of the press, of
thought, of conscience, of religion and of association, private life, data protection, as
well as the right to an effective remedy, the presumption of innocence and the right to
a fair trial and non-discrimination, as enshrined in the Charter of Fundamental Rights
of the European Union and in the European Convention on Human Rights, are
cornerstones of democracy; whereas mass surveillance of human beings is
incompatible with these cornerstones;
...

Democratic oversight of intelligence services

BW. whereas intelligence services in democratic societies are given special powers
and capabilities to protect fundamental rights, democracy and the rule of law, citizens’
rights and the State against internal and external threats, and are subject to democratic
 SZABÓ AND VISSY v. HUNGARY JUDGMENT 23

accountability and judicial oversight; whereas they are given special powers and
capabilities only to this end; whereas these powers should be used within the legal
limits imposed by fundamental rights, democracy and the rule of law and their
application should be strictly scrutinised, as otherwise they lose legitimacy and risk
undermining democracy;
BX. whereas the fact that a certain level of secrecy is conceded to intelligence
services in order to avoid endangering ongoing operations, revealing modi operandi or
putting at risk the lives of agents, such secrecy cannot override or exclude rules on
democratic and judicial scrutiny and examination of their activities, as well as on
transparency, notably in relation to the respect of fundamental rights and the rule of
law, all of which are cornerstones in a democratic society;
BY. whereas most of the existing national oversight mechanisms and bodies were
set up or revamped in the 1990s and have not necessarily been adapted to the rapid
political and technological developments over the last decade that have led to
increased international intelligence cooperation, also through the large scale exchange
of personal data, and often blurring the line between intelligence and law enforcement
activities;
BZ. whereas democratic oversight of intelligence activities is still only conducted at
national level, despite the increase in exchange of information between EU Member
States and between Member States and third countries; whereas there is an increasing
gap between the level of international cooperation on the one hand and oversight
capacities limited to the national level on the other, which results in insufficient and
ineffective democratic scrutiny;
CA. whereas national oversight bodies often do not have full access to intelligence
received from a foreign intelligence agency, which can lead to gaps in which
international information exchanges can take place without adequate review; whereas
this problem is further aggravated by the so-called ‘third party rule’ or the principle of
‘originator control’, which has been designed to enable originators to maintain control
over the further dissemination of their sensitive information, but is unfortunately often
interpreted as applying also to the recipient services’ oversight;
CB. whereas private and public transparency reform initiatives are key to ensuring
public trust in the activities of intelligence agencies; whereas legal systems should not
prevent companies from disclosing to the public information about how they handle
all types of government requests and court orders for access to user data, including the
possibility of disclosing aggregate information on the number of requests and orders
approved and rejected;

Main findings
...
6. Recalls the EU’s firm belief in the need to strike the right balance between
security measures and the protection of civil liberties and fundamental rights, while
ensuring the utmost respect for privacy and data protection;
7. Considers that data collection of such magnitude leaves considerable doubts as to
whether these actions are guided only by the fight against terrorism, since it involves
the collection of all possible data of all citizens; points, therefore, to the possible
existence of other purposes including political and economic espionage, which need to
be comprehensively dispelled;
24 SZABÓ AND VISSY v. HUNGARY JUDGMENT

8. Questions the compatibility of some Member States’ massive economic

espionage activities with the EU internal market and competition law as enshrined in
Titles I and VII of the Treaty on the Functioning of the European Union; reaffirms the
principle of sincere cooperation as enshrined in Article 4(3) of the Treaty on European
Union, as well as the principle that Member States shall ‘refrain from any measures
which could jeopardise the attainment of the Union’s objectives’;
10. Condemns the vast and systemic blanket collection of the personal data of
innocent people, often including intimate personal information; emphasises that the
systems of indiscriminate mass surveillance by intelligence services constitute a
serious interference with the fundamental rights of citizens; stresses that privacy is not
a luxury right, but is the foundation stone of a free and democratic society; points out,
furthermore, that mass surveillance has potentially severe effects on freedom of the
press, thought and speech and on freedom of assembly and of association, as well as
entailing a significant potential for abusive use of the information gathered against
political adversaries; emphasises that these mass surveillance activities also entail
illegal actions by intelligence services and raise questions regarding the
extraterritoriality of national laws;
12. Sees the surveillance programmes as yet another step towards the establishment
of a fully-fledged preventive state, changing the established paradigm of criminal law
in democratic societies whereby any interference with suspects’ fundamental rights
has to be authorised by a judge or prosecutor on the basis of a reasonable suspicion
and must be regulated by law, promoting instead a mix of law enforcement and
intelligence activities with blurred and weakened legal safeguards, often not in line
with democratic checks and balances and fundamental rights, especially the
presumption of innocence; recalls in this regard the decision of the German Federal
Constitutional Court on the prohibition of the use of preventive dragnets (‘präventive
Rasterfahndung’) unless there is proof of a concrete danger to other high-ranking
legally protected rights, whereby a general threat situation or international tensions do
not suffice to justify such measures;
...
14. Points out that the abovementioned concerns are exacerbated by rapid
technological and societal developments, since internet and mobile devices are
everywhere in modern daily life (‘ubiquitous computing’) and the business model of
most internet companies is based on the processing of personal data; considers that the
scale of this problem is unprecedented; notes that this may create a situation where
infrastructure for the mass collection and processing of data could be misused in cases
of change of political regime; ...”

THE LAW

I. ALLEGED VIOLATION OF ARTICLE 8 OF THE CONVENTION

26. The applicants complained under Article 8 of the Convention that

they could potentially be subjected to measures within the framework of
“section 7/E (3) surveillance”. They submitted that the legal framework was
prone to abuse, notably for want of judicial control.
 SZABÓ AND VISSY v. HUNGARY JUDGMENT 25

Article 8 provides as follows:

“1. Everyone has the right to respect for his private and family life, his home and
his correspondence.
2. There shall be no interference by a public authority with the exercise of this right
except such as is in accordance with the law and is necessary in a democratic society
in the interests of national security, public safety or the economic well-being of the
country, for the prevention of disorder or crime, for the protection of health or morals,
or for the protection of the rights and freedoms of others.”
27. The Government contested these allegations.

A. Admissibility

1. The parties’ submissions

28. The Government did not formally contest the applicants’ potential
victim status within the meaning of the Court’s jurisprudence, under which
the mere existence of a piece of legislation allowing for the use of secret
intelligence devices served as a ground for victim status, even if no such
device had ever been used against an applicant. However, the Government
disputed the applicants’ allegations that – as staff members of a watchdog
organisation – they were affected more directly by the possibility of being
subjected to secret surveillance than others.
29. Moreover, the Government submitted that in their constitutional
complaint the applicants had not complained about the presence or absence
of guarantees in the entire process of secret intelligence gathering. They had
only complained about the authorisation by the Minister of Justice of the
interference and the data handling following the termination of the
interference. The Government emphasised that in respect of any further
complaints that the applicants might have in relation to other phases of the
process, they had failed to exhaust the available domestic remedies.
30. Regarding victim status, the applicants emphasised that the lack of
meaningful external control over the use of covert surveillance had put
individuals’ privacy in danger as nothing prevented the political power from
using this prerogative arbitrarily. Their watchdog activity might not serve as
a ground for secret intelligence gathering. Nevertheless, their
statement - according to which they, as staff members of watchdog
organisations voicing criticism against the Government, felt more frustrated
and worried about being subjected to secret surveillance than average
citizens probably did – could not be regarded as fear based on completely
unfounded assumptions, especially if considering some of the Government’s
recent measures as being directed against civil organisations.
31. Concerning exhaustion of domestic remedies, the applicants did not
dispute that their constitutional complaint had been focused on the system
of authorisation, since only the safeguards built into this phase were able to
26 SZABÓ AND VISSY v. HUNGARY JUDGMENT

provide adequate protection to right to privacy. This meant that guarantees

related to later procedural phases were unable to counterbalance the
detriment caused to the right to privacy if there was no control mechanism
built into the process of authorisation of secret surveillance that was able to
impede legally unjustifiable interventions into the private sphere. However,
the question as to whether this assertion was correct might only be assessed
considering the procedure as a whole. The Government’s suggestion that the
Court should refrain from the assessment of procedural phases beyond the
authorisation phase was pointless and practically not feasible. Moreover, the
applicants emphasised that the complaint lodged with the Constitutional
Court and the complaint submitted to the Court did not completely
correspond to each other in terms of the arguments forwarded, and that
therefore the Court should not refrain, purely relying on the principle of
subsidiarity, from examining the question as to whether the other guarantees
provided in the procedure ensured adequate protection.

2. The Court’s assessment

32. As to the applicants’ victim status, the Court has consistently held in
its case-law that its task is not normally to review the relevant law and
practice in abstracto, but to determine whether the manner in which they
were applied to, or affected, the applicant gave rise to a violation of the
Convention (see, inter alia, Klass and Others v. Germany, 6 September
1978, § 33, Series A no. 28; N.C. v. Italy [GC], no. 24952/94, § 56, ECHR
2002-X; and Krone Verlag GmbH & Co. KG v. Austria (no. 4),
no. 72331/01, § 26, 9 November 2006).
33. However, in recognition of the particular features of secret
surveillance measures and the importance of ensuring effective control and
supervision of them, the Court has accepted that, under certain
circumstances, an individual may claim to be a victim on account of the
mere existence of legislation permitting secret surveillance, even if he
cannot point to any concrete measures specifically affecting him. The
Court’s approach to assessing whether there has been an interference in
cases raising a complaint about the legislation allowing secret surveillance
measures was set out in its Klass and Others judgment (cited above, §§ 34
and 36) as follows:
“34. ... the effectiveness (l’effet utile) of the Convention implies in such
circumstances some possibility of having access to the Commission. If this were not
so, the efficiency of the Convention’s enforcement machinery would be materially
weakened. The procedural provisions of the Convention must, in view of the fact that
the Convention and its institutions were set up to protect the individual, be applied in
a manner which serves to make the system of individual applications efficacious.
The Court therefore accepts that an individual may, under certain conditions, claim
to be the victim of a violation occasioned by the mere existence of secret measures or
of legislation permitting secret measures, without having to allege that such measures
were in fact applied to him. The relevant conditions are to be determined in each case
 SZABÓ AND VISSY v. HUNGARY JUDGMENT 27

according to the Convention right or rights alleged to have been infringed, the secret
character of the measures objected to, and the connection between the applicant and
those measures.
...
36. The Court points out that where a State institutes secret surveillance the
existence of which remains unknown to the persons being controlled, with the effect
that the surveillance remains unchallengeable, Article 8 could to a large extent be
reduced to a nullity. It is possible in such a situation for an individual to be treated in a
manner contrary to Article 8, or even to be deprived of the right granted by that
Article, without his being aware of it and therefore without being able to obtain a
remedy either at the national level or before the Convention institutions. ...
The Court finds it unacceptable that the assurance of the enjoyment of a right
guaranteed by the Convention could be thus removed by the simple fact that the
person concerned is kept unaware of its violation. A right of recourse to the
Commission for persons potentially affected by secret surveillance is to be derived
from Article 25, since otherwise Article 8 runs the risk of being nullified.”
34. Following Klass and Others (cited above) and Malone v. the United
Kingdom (2 August 1984, § 64, Series A no. 82), the former Commission,
in a number of cases against the United Kingdom in which the applicants
alleged actual interception of their communications, emphasised that the test
in Klass and Others could not be interpreted so broadly as to encompass
every person in the United Kingdom who feared that the security services
may have conducted surveillance of him. Accordingly, the Commission
required applicants to demonstrate that there was a “reasonable likelihood”
that the measures had been applied to them (see, for example, Esbester v.
the United Kingdom, no. 18601/91, Commission decision of 2 April 1993;
Redgrave v. the United Kingdom, no. 20271/92, Commission decision of
1 September 1993; and Matthews v. the United Kingdom, no. 28576/95,
Commission decision of 16 October 1996); subsequently, the Court applied
a similar approach (see Halford v. the United Kingdom, 25 June 1997, §§ 56
to 57, Reports of Judgments and Decisions 1997-III).
35. More pertinently with regard to the present application, in other
cases which concerned complaints about the legislation and practice
permitting secret surveillance measures, the Court has reiterated the Klass
and Others approach on a number of occasions (see, inter alia, Weber and
Saravia (dec.), no. 54934/00, § 78, ECHR 2006 XI; Association for
European Integration and Human Rights and Ekimdzhiev v. Bulgaria,
no. 62540/00, §§ 58 to 60, 28 June 2007; Iliya Stefanov v. Bulgaria,
no. 65755/01, § 49, 22 May 2008; Liberty and Others v. the United
Kingdom, no. 58243/00, §§ 56 to 57, 1 July 2008; and Iordachi and Others
v. Moldova, no. 25198/02, §§ 30 to 35, 10 February 2009).
36. In the case of Kennedy v. the United Kingdom (no. 26839/05, § 124,
18 May 2010) the Court held that in order to assess, in a particular case,
whether an individual can claim an interference as a result of the mere
existence of legislation permitting secret surveillance measures, the Court
28 SZABÓ AND VISSY v. HUNGARY JUDGMENT

must have regard to the availability of any remedies at the national level and
the risk of secret surveillance measures being applied to him. Where there is
no possibility of challenging the alleged application of secret surveillance
measures at domestic level, widespread suspicion and concern among the
general public that secret surveillance powers are being abused cannot be
said to be unjustified. In such cases, even where the actual risk of
surveillance is low, there is a greater need for scrutiny by the Court.
Most recently, the Court adopted, in Roman Zakharov v. Russia ([GC],
no. 47143/06, §§ 170-172, 4 December 2015), a harmonised approach based
on Kennedy, according to which firstly the Court will take into account the
scope of the legislation permitting secret surveillance measures by
examining whether the applicant can possibly be affected by it, either
because he or she belongs to a group of persons targeted by the contested
legislation or because the legislation directly affect all users of
communication services by instituting a system where any person can have
his or her communications intercepted; and secondly the Court will take into
account the availability or remedies at the national level and will adjust the
degree of scrutiny depending on the effectiveness of such remedies.
37. The Court observes that the present applicants complained of an
interference with their homes, communications and privacy on the basis of
the very existence of the law permitting secret surveillance and the lack of
adequate safeguards, admitting that their personal or professional situations
were not of the kind that might normally attract the application of
surveillance measures. They nevertheless thought they were at particular
risk of having their communications intercepted as a result of their
employment with civil-society organisations criticising the Government.
38. The Court observes that affiliation with a civil-society organisation
does not fall within the grounds listed in section 7/E (1) point (a) sub-point
(ad) and point (e) of the Police Act, which concern in essence terrorist
threats and rescue operations to the benefit of Hungarian citizens in
dangerous situations abroad. Nevertheless, it appears that under these
provisions any person within Hungary may have his communications
intercepted if interception is deemed necessary on one of the grounds
enumerated in the law (see paragraph 16 above). The Court considers that it
cannot be excluded that the applicants are at risk of being subjected to such
measures should the authorities perceive that to do so might be of use to
pre-empt or avert a threat foreseen by the legislation – especially since the
law contains the notion of “persons concerned identified ... as a range of
persons” which might include indeed any person.
The Court also notes that, by examining their constitutional complaint on
the merits, the Constitutional Court implicitly acknowledged the applicants’
being personally affected by the legislation in question for the purposes of
section 26(1) of the Act on the Constitutional Court (see paragraph
19 above).
 SZABÓ AND VISSY v. HUNGARY JUDGMENT 29

It is of importance at this juncture to note that they are staff members of a

watchdog organisation, whose activities have previously been found similar,
in some ways, to those of journalists (see Társaság a Szabadságjogokért
v. Hungary, no. 37374/05, § 36, 14 April 2009). The Court accepts the
applicants’ suggestion that any fear of being subjected to secret surveillance
might have an impact on such activities (see, mutatis mutandis, Nagla
v. Latvia, no. 73469/10, § 82, 16 July 2013). In any case, whether or not the
applicants belong to a targeted group, the Court considers that the
legislation directly affects all users of communication systems and all
homes.
39. Considering in addition that the domestic law does not appear to
provide any possibility for an individual who alleges interception of his or
her communications to lodge a complaint with an independent body, the
Court is of the view that the applicants can claim to be victims of a violation
of their rights under the Convention, within the meaning of Article 34 of the
Convention.
40. Concerning the exhaustion of domestic remedies, the Court is
satisfied that the applicants brought to the attention of the national
authorities, in the instant case the Constitutional Court, the essence of their
grievance, that is, the alleged insufficiency of guarantees in the rules
governing “section 7/E (3) surveillance”. While noting the Government’s
objection according to which this constitutional complaint was focused on
but a few central issues, the Court considers that, because of the nature of
the problem, the system of guarantees preceding the measures, prevailing
during their application and following it is a complex set of arrangements
which must be assessed in its entirety (see Klass and Others, cited above,
§§ 39 to 60). Consequently – and assuming that the procedure before the
Constitutional Court was at all an effective remedy to exhaust in the
circumstances – the fact that the applicants’ constitutional complaint did not
encompass all possible issues but highlighted a few cannot be held against
them so as to enable the rejection of their complaints on account of
non-exhaustion of domestic remedies, in so far as their representations made
to the Court on these issues can be seen as supplementing the ones
submitted to the Constitutional Court (see, mutatis mutandis, Gustafsson
v. Sweden, 25 April 1996, § 51, Reports 1996-II).
41. Moreover, the Court concludes that this complaint is not manifestly
ill-founded within the meaning of Article 35 § 3 (a) of the Convention. No
other ground for declaring it inadmissible has been established. It must
therefore be declared admissible.
30 SZABÓ AND VISSY v. HUNGARY JUDGMENT

B. Merits

1. Arguments of the parties

(a) The Government

42. With regard to the necessity of judicial authorisation in the context
of Article 8, the Government referred to the Venice Commission’s Report
on the Democratic Oversight of the Security Services (CDL-AD(2007)016,
adopted at the Venice Commission’s 71st Plenary Session, Venice, 1-2 June
2007). Relying on several observations made in this report, the Government
submitted that the domestic courts were not suitable to determine the
necessity of secret intelligence gathering for national security purposes due
to the nature of the data to be assessed, to the inherent subjectivity of the
risk assessment, to the political nature of the notion of national security and
to the wide margin of appreciation afforded in this field to the Government.
43. In the Government’s view, it was an inherent feature of a judicial
decision that the judge examines the compliance of the proposed decision
with the rules of positive law or with rules that could be inferred from
positive law. In the field of authorising national security-purposed secret
intelligence gathering no positive law specifying any exact criteria
providing grounds for judicial decisions existed or could be created. The
reason for that was that, in authorising national security secret intelligence
gathering, the decision, for which the decision-maker bore political
responsibility, was to be taken by assessing the country’s security interests
and by taking into account home and foreign political aspects.
Consequently, the Minister of Justice – bearing political responsibility - was
a person more qualified than judges to make such decisions. In any case,
experience showed that judicial review in this field was not more apt than
governmental supervision.
44. Moreover, the Government reiterated that the national security
related authorisation activity of the Minister of Justice had always been
controlled by the Parliamentary Committee for National Security and by the
Data Protection Ombudsman and there were no signs indicating that the
authorisation mechanism was formal or arbitrary.
45. Finally, the Government argued – relying on the observations made
by the Court in Klass and Others (cited above), in Goranova-Karaeneva
v. Bulgaria (no. 12739/05, 8 March 2011) and in Golder v. the United
Kingdom (21 February 1975, Series A no. 18) – that the complaint related to
the lack of an effective legal remedy under Article 13 was manifestly
ill-founded.

(b) The applicants

46. Replying to the arguments based on the Venice Commission’s
Report, the applicants stressed that because ordinary courts were, in
 SZABÓ AND VISSY v. HUNGARY JUDGMENT 31

practice, frequently confronted with difficulties in dealing with the large

discretion afforded to the Government in this area, as observed by the
Venice Commission, it could not be concluded that judicial control resulted
in a less adequate control of secret surveillance for national security
purposes. The actual conclusion of the Report was that only a complex
arrangement of guarantees designed to involve judges in the control of
security services could ensure the adequate protection of individuals. As
pointed out in the Venice Convention’s Report, “[i]n order for judicial
control to be effective, the judges must be independent and possess the
necessary expertise”.
47. The applicants also emphasised that the preconditions for the use of
special secret surveillance instruments and methods of intelligence
information gathering were not precisely defined in the law and this might
also lead to arbitrary decision-making in the absence of judicial control. In
this connection the applicants referred to the Court’s case-law, arguing that
restrictions on the right to privacy by means of secret surveillance might
only be in line with the Convention if the restriction was properly defined
by the law (cf. Malone, cited above).
48. The applicants further argued that the Data Protection Ombudsman
and the Parliamentary Committee for National Security were not a substitute
for the judicial control in the authorisation phase since they constituted
oversight, rather than remedial, mechanisms and these had only general
consequences not affecting the concrete case. Upon queries addressed to
these two organs, the applicants found that none of them had ever dealt with
a case on surveillance of citizens. These potential control mechanisms were
thus not effective.

(c) The third parties

(i) Center for Democracy & Technology (CDT)

49. The CDT drew the Court’s attention to the States’ advanced
present-day capabilities for sophisticated and invasive surveillance, as well
as to their ability to build a detailed profile of any individual’s activities and
relationships using intercepted data. It mentioned the vast amount of
information that could be retrieved from a physically seized computer or
other personal electronic device. It further emphasised the development of
the possibilities to intercept communication and metadata, such as contacts
and location information, remotely, by tapping Internet or telephone
networks. In addition to mass surveillance and the sophisticated analysis of
the intercepted data, States were also able to conduct targeted surveillance
of specific individuals by installing remotely malicious software on their
devices, even enabling secret surveillance agencies to record keystrokes,
sounds, photos or videos, unbeknown to the owner.
32 SZABÓ AND VISSY v. HUNGARY JUDGMENT

50. According to the CDT, in the light of such surveillance capabilities,

Article 8 required judicial oversight over all secret surveillance programmes
conducted for the purpose of national security. Regarding those exceptional
cases where judicial oversight was impossible, the CDT invited the Court to
provide clear guidance to Contracting Parties and applicants by adopting a
set of specific criteria for determining whether a non-judicial oversight
process was sufficient to prevent the abuse of Article 8 rights – although the
CDT maintained that Article 8 nevertheless required judicial control as the
last resort. Finally, the CDT concluded that anyone within the jurisdiction of
a Contracting Party who had a credible claim to have been the victim of an
Article 8 violation arising from a secret national security surveillance
programme must have access to a remedy that was effective in the sense
that the remedial body was obliged to conduct an investigation into the
complaint, and was both empowered and obligated to provide effective
redress for the violation.
(ii) Privacy International
51. Privacy International reviewed the relevant jurisprudence, both of
the Court and national courts in Europe, Canada and the United Sates,
highlighting recent decisions affirming that surveillance measures, including
mere access to data retained by communications service providers, must be
subject to judicial control or dependent upon the issuance of a judicial
warrant. Moreover, Privacy International overviewed the international
human rights standards relevant to the question of judicial control of
surveillance, referring - among other things - to United Nations
announcements and to the International Principles on the Application of
Human Rights to Communications Surveillance which all include the need
for judicial control of surveillance and for the right to an effective remedy.

2. The Court’s assessment

52. It is not in dispute between the parties that the measures which the
TEK is entitled to apply under section 56 of the National Security Act (see
paragraph 17 above), that is, to search and keep under surveillance the
applicants’ homes secretly, to check their postal mail and parcels, to
monitor their electronic communications and computer data transmissions
and to make recordings of any data acquired through these methods can be
examined from the perspective of the notions of “private life”, “home” and
“correspondence”, guaranteed under Article 8 of the Convention. The Court
sees no reason to hold otherwise (see Klass and Others, cited above, § 41).
53. In the mere existence of the legislation itself there is involved, for all
those to whom the legislation could be applied, a menace of surveillance;
this menace necessarily strikes at freedom of communication between users
of the postal and telecommunication services and thereby constitutes an
“interference by a public authority” with the exercise of the applicants’ right
 SZABÓ AND VISSY v. HUNGARY JUDGMENT 33

to respect for private and family life and for correspondence (see Klass and
Others, cited above, § 41). Given the technological advances since the Klass
and Others case, the potential interferences with email, mobile phone and
Internet services as well as those of mass surveillance attract the Convention
protection of private life even more acutely (see Copland v. the United
Kingdom, no. 62617/00, § 41, ECHR 2007-I).
54. Any interference can only be justified under Article 8 § 2 if it is in
accordance with the law, pursues one or more of the legitimate aims to
which paragraph 2 of Article 8 refers and is necessary in a democratic
society in order to achieve any such aim. This provision, “since it provides
for an exception to a right guaranteed by the Convention, is to be narrowly
interpreted. Powers of secret surveillance of citizens, characterising as they
do the police state, are tolerable under the Convention only in so far as
strictly necessary for safeguarding the democratic institutions” (see Klass
and Others, cited above, § 42).
55. The Court finds that the aim of the interference in question is to
safeguard national security and/or to prevent disorder or crime in pursuance
of Article 8 § 2. This has not been in dispute between the parties. On the
other hand, it has to be ascertained whether the means provided under the
impugned legislation for the achievement of the above-mentioned aim
remain in all respects within the bounds of what is necessary in a
democratic society (see Klass and Others, cited above, § 46).
56. In its case-law on secret measures of surveillance, the Court has
developed the following minimum safeguards that should be set out in law
in order to avoid abuses of power: the nature of offences which may give
rise to an interception order; the definition of the categories of people liable
to have their telephones tapped; a limit on the duration of telephone tapping;
the procedure to be followed for examining, using and storing the data
obtained; the precautions to be taken when communicating the data to other
parties; and the circumstances in which recordings may or must be erased or
destroyed (see Huvig v. France, 24 April 1990, § 34, Series A no. 176-B;
Amann v. Switzerland [GC], no. 27798/95, §§ 56-58, ECHR 2000-11;
Valenzuela Contreras v. Spain, 30 July 1998, § 46, Reports 1998-V; Prado
Bugallo v. Spain, no. 58496/00, § 30, 18 February 2003; Weber and
Saravia, cited above, § 95; Association for European Integration, cited
above, § 76; and Roman Zakharov, cited above, § 231).
57. When balancing the interest of the respondent State in protecting its
national security through secret surveillance measures against the
seriousness of the interference with an applicant’s right to respect for his or
her private life, the national authorities enjoy a certain margin of
appreciation in choosing the means for achieving the legitimate aim of
protecting national security. However, this margin is subject to European
supervision embracing both legislation and decisions applying it. In view of
the risk that a system of secret surveillance set up to protect national
34 SZABÓ AND VISSY v. HUNGARY JUDGMENT

security may undermine or even destroy democracy under the cloak of

defending it, the Court must be satisfied that there are adequate and
effective guarantees against abuse. The assessment depends on all the
circumstances of the case, such as the nature, scope and duration of the
possible measures, the grounds required for ordering them, the authorities
competent to authorise, carry out and supervise them, and the kind of
remedy provided by the national law. The Court has to determine whether
the procedures for supervising the ordering and implementation of the
restrictive measures are such as to keep the “interference” to what is
“necessary in a democratic society” (see Klass and Others, cited above,
§§ 49, 50 and 59; Weber and Saravia, cited above, §106; Kvasnica
v. Slovakia, no. 72094/01, § 80, 9 June 2009; Kennedy, cited above,
§§ 153 and 154; and Roman Zakharov, cited above, § 232).
58. The Court has found an interference under Article 8 § 1 in respect of
the applicants’ general complaint about the rules of “section 7/E (3)
surveillance” and not in respect of any actual interception activity allegedly
taking place. Accordingly, in its examination of the justification for the
interference under Article 8 § 2, the Court is required to examine this
legislation itself and the safeguards built into the system allowing for secret
surveillance, rather than the proportionality of any specific measures taken
in respect of the applicants. In the circumstances, the lawfulness of the
interference is closely related to the question whether the “necessity” test
has been complied with in respect of the “section 7/E (3) surveillance”
regime and it is therefore appropriate for the Court to address jointly the “in
accordance with the law” and “necessity” requirements (see Kvasnica, cited
above, § 84).
59. The expression “in accordance with the law” in Article 8 § 2
requires, first, that the impugned measure should have some basis in
domestic law; it also refers to the quality of the law in question, requiring
that it should be compatible with the rule of law and accessible to the person
concerned, who must, moreover, be able to foresee its consequences for him
(see, among other authorities, Kruslin v. France, 24 April 1990, § 27, Series
A no. 176-A; Huvig, cited above, § 26; Lambert v. France, 24 August 1998,
§ 23, Reports 1998-V; Perry v. the United Kingdom, no. 63737/00, § 45,
ECHR 2003-IX (extracts); Dumitru Popescu v. Romania (no. 2),
no. 71525/01, § 61, 26 April 2007; Association for European Integration,
cited above, § 71; and Liberty, cited above, § 59). The “quality of law” in
this sense implies that the domestic law must not only be accessible and
foreseeable in its application, it must also ensure that secret surveillance
measures are applied only when “necessary in a democratic society”, in
particular by providing for adequate and effective safeguards and guarantees
against abuse (see Roman Zakharov, cited above, § 236).
60. It is not in dispute that the interference in question had a legal basis.
The relevant rules are contained in statute law, that is, in the Police Act and
 SZABÓ AND VISSY v. HUNGARY JUDGMENT 35

the National Security Act. Their accessibility has not been called into
question.
61. The applicants, however, contended that this law was not sufficiently
detailed and precise to meet the “foreseeability” requirement of Article 8
§ 2, as it did not provide for sufficient guarantees against abuse and
arbitrariness.
62. The reference to “foreseeability” in the context of interception of
communications cannot be the same as in many other fields. Foreseeability
in the special context of secret measures of surveillance, such as the
interception of communications, cannot mean that an individual should be
able to foresee when the authorities are likely to intercept his
communications so that he can adapt his conduct accordingly. However,
especially where a power vested in the executive is exercised in secret, the
risks of arbitrariness are evident. It is therefore essential to have clear,
detailed rules on interception of telephone conversations, especially as the
technology available for use is continually becoming more sophisticated.
The domestic law must be sufficiently clear to give citizens an adequate
indication as to the circumstances in which and the conditions on which
public authorities are empowered to resort to any such measures (see
Roman Zakharov, cited above, § 229).
63. In the present case, two situations may entail secret surveillance,
namely, the prevention, tracking and repelling of terrorist acts in Hungary
(section 7/E (1) a) (ad) of the Police Act) and the gathering of intelligence
necessary for rescuing Hungarian citizens in distress abroad (section 7/E
(1) e), see in paragraph 16 above).
The applicants criticised these rules as being insufficiently clear.
64. The Court is not wholly persuaded by this argument, recalling that
the wording of many statutes is not absolutely precise, and that the need to
avoid excessive rigidity and to keep pace with changing circumstances
means that many laws are inevitably couched in terms which, to a greater or
lesser extent, are vague (see Kokkinakis v. Greece, 25 May 1993, § 40,
Series A no. 260-A). It is satisfied that even in the field of secret
surveillance, where foreseeability is of particular concern, the danger of
terrorist acts and the needs of rescue operations are both notions sufficiently
clear so as to meet the requirements of lawfulness. For the Court, the
requirement of “foreseeability” of the law does not go so far as to compel
States to enact legal provisions listing in detail all situations that may
prompt a decision to launch secret surveillance operations. The reference to
terrorist threats or rescue operations can be seen in principle as giving
citizens the requisite indication (compare and contrast Iordachi and Others,
cited above, § 46). For the Court, nothing indicates in the text of the
relevant legislation that the notion of “terrorist acts”, as used in section 7/E
(1) a) (ad) of the Police Act, does not correspond to the crime of the same
denomination contained in the Criminal Code (see paragraph 16 above).
36 SZABÓ AND VISSY v. HUNGARY JUDGMENT

65. However, in matters affecting fundamental rights it would be

contrary to the rule of law, one of the basic principles of a democratic
society enshrined in the Convention, for a discretion granted to the
executive in the sphere of national security to be expressed in terms of
unfettered power. Consequently, the law must indicate the scope of any
such discretion conferred on the competent authorities and the manner of its
exercise with sufficient clarity, having regard to the legitimate aim of the
measure in question, to give the individual adequate protection against
arbitrary interference (see Roman Zakharov, cited above, § 247).
66. The Court notes that under “section 7/E (3) surveillance”, it is
possible for virtually any person in Hungary to be subjected to secret
surveillance. The legislation does not describe the categories of persons
who, in practice, may have their communications intercepted. In this
respect, the Court observes that there is an overlap between the condition
that the categories of persons be set out and the condition that the nature of
the underlying situations be clearly defined. The relevant circumstances
which can give rise to interception, discussed in the preceding paragraphs,
give guidance as to the categories of persons who are likely, in practice, to
have their communications intercepted. Under the relevant Hungarian law,
the proposal submitted to the responsible government minister must specify,
either by name or as a range of persons, the person or persons as the
interception subjects and/or any other relevant information capable of
identifying them as well as the premises in respect of which the permission
is sought (section 57 (2) of the National Security Act, see paragraph 17
above).
67. It is of serious concern, however, that the notion of “persons
concerned identified ... as a range of persons” might include indeed any
person and be interpreted as paving the way for the unlimited surveillance
of a large number of citizens. The Court notes the absence of any
clarification in domestic legislation as to how this notion is to be applied in
practice (see, mutatis mutandis, Roman Zakharov, cited above, § 245). For
the Court, the category is overly broad, because there is no requirement of
any kind for the authorities to demonstrate the actual or presumed relation
between the persons or range of persons “concerned” and the prevention of
any terrorist threat – let alone in a manner enabling an analysis by the
authoriser which would go to the question of strict necessity (see in
paragraphs 72 and 73 below) with regard to the aims pursued and the means
employed – although such an analysis appears to be warranted by
section 53 (2) of the National Security Act, according to which “secret
intelligence gathering [may only be applied] if the intelligence needed ...
cannot be obtained in any other way”.
68. For the Court, it is a natural consequence of the forms taken by
present-day terrorism that governments resort to cutting-edge technologies
in pre-empting such attacks, including the massive monitoring of
 SZABÓ AND VISSY v. HUNGARY JUDGMENT 37

communications susceptible to containing indications of impending

incidents. The techniques applied in such monitoring operations have
demonstrated a remarkable progress in recent years and reached a level of
sophistication which is hardly conceivable for the average citizen (see the
CDT’s submissions on this point in paragraphs 49-50 above), especially
when automated and systemic data collection is technically possible and
becomes widespread. In the face of this progress the Court must scrutinise
the question as to whether the development of surveillance methods
resulting in masses of data collected has been accompanied by a
simultaneous development of legal safeguards securing respect for citizens’
Convention rights. These data often compile further information about the
conditions in which the primary elements intercepted by the authorities were
created, such as the time and place of, as well as the equipment used for, the
creation of computer files, digital photographs, electronic and text messages
and the like. Indeed, it would defy the purpose of government efforts to
keep terrorism at bay, thus restoring citizens’ trust in their abilities to
maintain public security, if the terrorist threat were paradoxically substituted
for by a perceived threat of unfettered executive power intruding into
citizens’ private spheres by virtue of uncontrolled yet far-reaching
surveillance techniques and prerogatives. In this context the Court also
refers to the observations made by the Court of Justice of the European
Union and, especially, the United Nations Special Rapporteur, emphasising
the importance of adequate legislation of sufficient safeguards in the face of
the authorities’ enhanced technical possibilities to intercept private
information (see paragraphs 23 and 24 above).
69. The Court recalls that in Kennedy, the impugned legislation did not
allow for “indiscriminate capturing of vast amounts of communications”
(see Kennedy, cited above, § 160) which was one of the elements enabling it
not to find a violation of Article 8. However, in the present case, the Court
considers that, in the absence of specific rules to that effect or any
submissions to the contrary, it cannot be ruled out that the broad-based
provisions of the National Security Act can be taken to enable so-called
strategic, large-scale interception, which is a matter of serious concern.
70. The Court would add that the possibility occurring on the side of
Governments to acquire a detailed profile (see the CDT’s submissions on
this in paragraph 49 above) of the most intimate aspects of citizens’ lives
may result in particularly invasive interferences with private life. Reference
is made in this context to the views expressed by the Court of Justice of the
European Union and the European Parliament (see paragraphs 23 and
25 above). This threat to privacy must be subjected to very close scrutiny
both on the domestic level and under the Convention. The guarantees
required by the extant Convention case-law on interceptions need to be
enhanced so as to address the issue of such surveillance practices. However,
it is not warranted to embark on this matter in the present case, since the
38 SZABÓ AND VISSY v. HUNGARY JUDGMENT

Hungarian system of safeguards appears to fall short even of the previously

existing principles.
71. Moreover, under section 57 (2) b), in the motion requesting
permission from the Minister, the director must substantiate the necessity
for the secret intelligence gathering (see paragraph 17 above). However,
reading the relevant provisions jointly, the Court is not reassured that an
adequate analysis of the aims pursued and the means applied in performing
the national security tasks is possible or guaranteed. Indeed, the mere
requirement for the authorities to give reasons for the request, arguing for
the necessity of secret surveillance, falls short of an assessment of strict
necessity (see in paragraphs 72 and 73 below). There is no legal safeguard
requiring TEK to produce supportive materials or, in particular, a sufficient
factual basis for the application of secret intelligence gathering measures
which would enable the evaluation of necessity of the proposed
measure - and this on the basis of an individual suspicion regarding the
target person (see Roman Zakharov, cited above, §§ 259 and 261). For the
Court, only such information would allow the authorising authority to
perform an appropriate proportionality test.
72. Quite apart from what transpires from section 53(2) of the National
Security Act, the Court recalls at this point that in Klass and Others it held
that “powers of secret surveillance of citizens ... are tolerable under the
Convention only in so far as strictly necessary for safeguarding the
democratic institutions” (see Klass and Others, cited above, § 42, quoted in
paragraph 54 above). Admittedly, the expression “strictly necessary”
represents at first glance a test different from the one prescribed by the
wording of paragraph 2 of Article 8, that is, “necessary in a democratic
society”.
73. However, given the particular character of the interference in
question and the potential of cutting-edge surveillance technologies to
invade citizens’ privacy, the Court considers that the requirement
“necessary in a democratic society” must be interpreted in this context as
requiring “strict necessity” in two aspects. A measure of secret surveillance
can be found as being in compliance with the Convention only if it is
strictly necessary, as a general consideration, for the safeguarding the
democratic institutions and, moreover, if it is strictly necessary, as a
particular consideration, for the obtaining of vital intelligence in an
individual operation. In the Court’s view, any measure of secret surveillance
which does not correspond to these criteria will be prone to abuse by the
authorities with formidable technologies at their disposal. The Court notes
that both the Court of Justice of the European Union and the United Nations
Special Rapporteur require secret surveillance measures to answer to strict
necessity (see paragraphs 23 and 24 above) – an approach it considers
convenient to endorse. Moreover, particularly in this context the Court notes
the absence of prior judicial authorisation for interceptions, the importance
 SZABÓ AND VISSY v. HUNGARY JUDGMENT 39

of which will be examined below in paragraphs 75 et seq. This safeguard

would serve to limit the law-enforcement authorities’ discretion in
interpreting the broad terms of “persons concerned identified ... as a range
of persons” by following an established judicial interpretation of the terms
or an established practice to verify whether sufficient reasons for
intercepting a specific individual’s communications exist in each case (see,
mutatis mutandis, Roman Zakharov, cited above, § 249). It is only in this
way that the need for safeguards to ensure that emergency measures are
used sparingly and only in duly justified cases can be satisfied (see
Roman Zakharov, cited above, § 266).
74. Furthermore, in respect of the duration of any surveillance, the
National Security Act stipulates, first, the period after which a surveillance
permission will expire (that is, after a maximum of 90 days, as per
section 58 (4) of the National Security Act) and, second, the conditions
under which a renewal is possible. Permissions can be renewed for another
90 days; and the government minister in charge must authorise any such
renewal upon a reasoned proposal from the service involved (see paragraph
17 above). Section 60 stipulates that the permission must be cancelled if it is
no longer necessary, if the continued surveillance has no prospect of
producing results, if its time-limit has expired or if it turns out to be in
breach of the law for any reason. The Court cannot overlook, however, that
it is not clear from the wording of the law – especially in the absence of
judicial interpretation – if such a renewal of the surveillance warrant is
possible only once or repeatedly, which is another element prone to abuse.
75. A central issue common to both the stage of authorisation of
surveillance measures and the one of their application is the absence of
judicial supervision. The measures are authorised by the Minister in charge
of justice upon a proposal from the executives of the relevant security
services, that is, of the TEK which, for its part, is a dedicated tactical
department within the police force, subordinated to the Ministry of Home
Affairs, with extensive prerogatives to apply force in combating terrorism
(see section 1(2) subsection 15 of the Police Act quoted in paragraph 16
above). For the Court, this supervision, eminently political (as observed by
the Constitutional Court, see point 105 of the decision quoted in paragraph
20 above) but carried out by the Minister of Justice who appears to be
formally independent of both the TEK and of the Minister of Home Affairs
– is inherently incapable of ensuring the requisite assessment of strict
necessity with regard to the aims and the means at stake. In particular,
although the security services are required, in their applications to the
Minister for warrants, to outline the necessity as such of secret information
gathering, this procedure does not guarantee that an assessment of strict
necessity is carried out, notably in terms of the range of persons and the
premises concerned (see section 57 (2) of the National Security Act quoted
in paragraph 17 above).
40 SZABÓ AND VISSY v. HUNGARY JUDGMENT

76. The Court notes the Government’s argument according to which a

government minister is better positioned than a judge to authorise or
supervise measures of secret surveillance. Although this consideration
might be arguable from an operational standpoint, the Court is not
convinced of the same when it comes to an analysis of the aims and means
in terms of strict necessity. In any case, it transpires from the parties’
submissions that anti-terrorism surveillance measures in Hungary have
never been subjected to judicial control, for which reason it is not possible
to pass judgement on its advantages or drawbacks. The Court finds therefore
the Government’s argument on this point unpersuasive (see, a contrario,
Roman Zakharov, cited above, § 259).
77. As regards the authority competent to authorise the surveillance,
authorising of telephone tapping by a non-judicial authority may be
compatible with the Convention (see, for example, Klass and Others, cited
above, § 51; Weber and Saravia, cited above, § 115; and Kennedy, cited
above, § 31), provided that that authority is sufficiently independent from
the executive (see Roman Zakharov, cited above, § 258). However, the
political nature of the authorisation and supervision increases the risk of
abusive measures. The Court recalls that the rule of law implies, inter alia,
that an interference by the executive authorities with an individual’s rights
should be subject to an effective control which should normally be assured
by the judiciary, at least in the last resort, judicial control offering the best
guarantees of independence, impartiality and a proper procedure. In a field
where abuse is potentially so easy in individual cases and could have such
harmful consequences for democratic society as a whole, it is in principle
desirable to entrust supervisory control to a judge (see Klass and Others,
cited above, §§ 55 and 56). The Court recalls that in Dumitru Popescu (cited
above, §§ 70-73) it expressed the view that either the body issuing
authorisations for interception should be independent or there should be
control by a judge or an independent body over the issuing body’s activity.
Accordingly, in this field, control by an independent body, normally a judge
with special expertise, should be the rule and substitute solutions the
exception, warranting close scrutiny (see Klass and Others, cited above,
§§ 42 and 55). The ex ante authorisation of such a measure is not an
absolute requirement per se, because where there is extensive post factum
judicial oversight, this may counterbalance the shortcomings of the
authorisation (see Kennedy, cited above, § 167). Indeed, in certain respects
and for certain circumstances, the Court has found already that ex ante
(quasi-)judicial authorisation is necessary, for example in regard to secret
surveillance measures targeting the media. In that connection the Court held
that a post factum review cannot restore the confidentiality of journalistic
sources once it is destroyed (see Telegraaf Media Nederland Landelijke
Media B.V. and Others v. the Netherlands, no. 39315/06, § 101,
 SZABÓ AND VISSY v. HUNGARY JUDGMENT 41

22 November 2012; for other circumstances necessitating ex ante

authorisation see Kopp v. Switzerland, 25 March 1998, Reports 1998 II).
For the Court, supervision by a politically responsible member of the
executive, such as the Minister of Justice, does not provide the necessary
guarantees.
78. The governments’ more and more widespread practice of
transferring and sharing amongst themselves intelligence retrieved by virtue
of secret surveillance – a practice, whose usefulness in combating
international terrorism is, once again, not open to question and which
concerns both exchanges between Member States of the Council of Europe
and with other jurisdictions – is yet another factor in requiring particular
attention when it comes to external supervision and remedial measures.
79. It is in this context that the external, preferably judicial, a posteriori
control of secret surveillance activities, both in individual cases and as
general supervision, gains its true importance (see also Klass and Others,
cited above, §§ 56, 70 and 71; Dumitru Popescu, cited above, § 77; and
Kennedy, cited above, §§ 184-191), by reinforcing citizens’ trust that
guarantees of the rule of law are at work even in this sensitive field and by
providing redress for any abuse sustained. The significance of this control
cannot be overestimated in view of the magnitude of the pool of information
retrievable by the authorities applying highly efficient methods and
processing masses of data, potentially about each person, should he be, one
way or another, connected to suspected subjects or objects of planned
terrorist attacks. The Court notes the lack of such a control mechanism in
Hungary.
80. The Court concedes that by the nature of contemporary terrorist
threats there can be situations of emergency in which the mandatory
application of judicial authorisation is not feasible, would be
counterproductive for lack of special knowledge or would simply amount to
wasting precious time. This is especially true in the present-day upheaval
caused by terrorist attacks experienced throughout the world and in Europe,
all too often involving important losses of life, producing numerous
casualties and significant material damage, which inevitably disseminate a
feeling of insecurity amongst citizens. The observations made on this point
by the Court in Klass and Others are equally valid in the circumstances of
the present case: “[d]emocratic societies nowadays find themselves
threatened by highly sophisticated forms of espionage and by terrorism,
with the result that the State must be able, in order effectively to counter
such threats, to undertake the secret surveillance of subversive elements
operating within its jurisdiction. The Court has therefore to accept that the
existence of some legislation granting powers of secret surveillance over the
mail, post and telecommunications is, under exceptional conditions,
necessary in a democratic society in the interests of national security and/or
for the prevention of disorder or crime” (cited above, § 48).
42 SZABÓ AND VISSY v. HUNGARY JUDGMENT

81. Furthermore, where situations of extreme urgency are concerned, the

law contains a provision under which the director of the service may himself
authorise secret surveillance measures for a maximum of 72 hours (see
sections 58 and 59 of the National Security Act quoted in paragraph
17 above). For the Court, this exceptional power should be sufficient to
address any situations in which external, judicial control would run the risk
of losing precious time. Such measures must however be subject to a post
factum review, which is required, as a rule, in cases where the surveillance
was authorised ex ante by a non-judicial authority.
82. The Court notes at this juncture the liability of the executive to give
account, in general terms rather than concerning any individual cases, of
such operations to a parliamentary committee. However, it cannot identify
any provisions in Hungarian legislation permitting a remedy granted by this
procedure during the application of measures of secret surveillance to those
who are subjected to secret surveillance but, by necessity, are kept unaware
thereof. The Minister is under an obligation to present a general report, at
least twice a year, to the responsible parliamentary committee about the
functioning of national security services, which report, however, does not
seem to be available to the public and by this appears to fall short of
securing adequate safeguards in terms of public scrutiny (see
Roman Zakharov, cited above, § 283). The committee is entitled, of its own
motion, to request information from the Minister and the directors of the
services about the activities of the national security services. However, the
Court is not persuaded that this scrutiny is able to provide redress to any
individual grievances caused by secret surveillance or to control effectively,
that is, in a manner with a bearing on the operations themselves, the daily
functioning of the surveillance organs, especially since it does not appear
that the committee has access in detail to relevant documents. The scope of
their supervision is therefore limited (see, mutatis mutandis,
Roman Zakharov, cited above, § 281).
83. Moreover, the complaint procedure outlined in section 11(5) of the
National Security Act seems to be of little relevance, since citizens
subjected to secret surveillance will not take cognisance of the measures
applied. In regard to the latter point, the Court shares the view of the Venice
Commission according to which “individuals who allege wrongdoing by the
State in other fields routinely have a right of action for damages before the
courts. The effectiveness of this right depends, however, on the knowledge
of the individual of the alleged wrongful act, and proof to the satisfaction of
the courts.” (see point 243 of the Report, quoted in paragraph 21 above).
A complaint under section 11(5) of the National Security Act will be
investigated by the Minister of Home Affairs, who does not appear to be
sufficiently independent (see Association for European Integration, cited
above, § 87; and Roman Zakharov, cited above, § 278).
 SZABÓ AND VISSY v. HUNGARY JUDGMENT 43

84. The Court further notes the evidence furnished by the applicants
according to which the Commissioner for Fundamental Rights has never so
far enquired into the question of secret surveillance (see paragraph 18
above).
85. In any event, the Court recalls that in Klass and Others a
combination of oversight mechanisms, short of formal judicial control, was
found acceptable in particular because of “an initial control effected by an
official qualified for judicial office” (cited above, § 56). However, the
Hungarian scheme of authorisation does not involve any such official. The
Hungarian Commissioner for Fundamental Rights has not been
demonstrated to be a person who necessarily holds or has held a judicial
office (see, a contrario, Kennedy, cited above, § 57).
86. Moreover, the Court has held that the question of subsequent
notification of surveillance measures is inextricably linked to the
effectiveness of remedies and hence to the existence of effective safeguards
against the abuse of monitoring powers, since there is in principle little
scope for any recourse by the individual concerned unless the latter is
advised of the measures taken without his or her knowledge and thus able to
challenge their justification retrospectively. As soon as notification can be
carried out without jeopardising the purpose of the restriction after the
termination of the surveillance measure, information should be provided to
the persons concerned (see Weber and Saravia, cited above, §135;
Roman Zakharov, cited above, § 287). In Hungarian law, however, no
notification, of any kind, of the measures is foreseen. This fact, coupled
with the absence of any formal remedies in case of abuse, indicates that the
legislation falls short of securing adequate safeguards.
87. It should be added that although the Constitutional Court held that
various provisions in the domestic law read in conjunction secured
sufficient safeguards for data storage, processing and deletion, special
reference was made to the importance of individual complaints made in this
context (see point 138 of the decision, quoted in paragraph 20 above). For
the Court, the latter procedure is hardly conceivable, since once more it
transpires from the legislation that the persons concerned will not be
notified of the application of secret surveillance to them.
88. Lastly, the Court notes that is for the Government to illustrate the
practical effectiveness of the supervision arrangements with appropriate
examples (see Roman Zakharov, cited above, § 284). However, the
Government were not able to do so in the instant case.
89. In total sum, the Court is not convinced that the Hungarian
legislation on “section 7/E (3) surveillance” provides safeguards sufficiently
precise, effective and comprehensive on the ordering, execution and
potential redressing of such measures.
Given that the scope of the measures could include virtually anyone, that
the ordering is taking place entirely within the realm of the executive and
44 SZABÓ AND VISSY v. HUNGARY JUDGMENT

without an assessment of strict necessity, that new technologies enable the

Government to intercept masses of data easily concerning even persons
outside the original range of operation, and given the absence of any
effective remedial measures, let alone judicial ones, the Court concludes
that there has been a violation of Article 8 of the Convention.

II. ALLEGED VIOLATIONS OF ARTICLE 6 AND ARTICLE 13 READ

IN CONJUNCTION WITH ARTICLE 8 OF THE CONVENTION

90. The applicants further complained that their exposure to secret

surveillance measures without judicial control or remedy amounted to a
violation of their rights under Article 6 as well as Article 13 read in
conjunction with Article 8 of the Convention.
91. The Government contested that argument.
92. The Court notes that these complaints are linked to the one examined
above and must therefore likewise be declared admissible.
93. The Court reiterates that Article 13 cannot be interpreted as requiring
a remedy against the state of domestic law (see Ostrovar v. Moldova,
no. 35207/03, § 113, 13 September 2005; Iordachi, cited above, § 56). In
these circumstances, the Court finds no breach of Article 13 of the
Convention taken together with Article 8.
94. Moreover, having regard to the finding relating to Article 8 (see
paragraph 89 above), the Court considers that it is not necessary to examine
whether, in this case, there has been a violation of Articles 6 of the
Convention.

III. APPLICATION OF ARTICLE 41 OF THE CONVENTION

95. Article 41 of the Convention provides:

“If the Court finds that there has been a violation of the Convention or the Protocols
thereto, and if the internal law of the High Contracting Party concerned allows only
partial reparation to be made, the Court shall, if necessary, afford just satisfaction to
the injured party.”

A. Damage

96. Each applicant claimed 10,000 euros (EUR) in respect of non-

pecuniary damage.
97. The Government found the claim excessive.
98. The Court considers that in the circumstances of the present case the
finding of a violation of Article 8 constitutes in itself sufficient just
satisfaction for any non-pecuniary damage sustained.
 SZABÓ AND VISSY v. HUNGARY JUDGMENT 45

B. Costs and expenses

99. The applicants also claimed, jointly, EUR 7,500 for the costs and
expenses incurred before the Constitutional Court and the Court in
Strasbourg. This corresponds to altogether 50 hours of legal work billable
by their lawyer at an hourly rate of EUR.
100. The Government contested this claim.
101. According to the Court’s case-law, an applicant is entitled to the
reimbursement of costs and expenses only in so far as it has been shown
that these have been actually and necessarily incurred and are reasonable as
to quantum. In the present case, regard being had to the documents in its
possession and the above criteria, the Court considers it reasonable to award
the sum of EUR 4,000 covering costs under all heads.

C. Default interest

102. The Court considers it appropriate that the default interest rate
should be based on the marginal lending rate of the European Central Bank,
to which should be added three percentage points.

FOR THESE REASONS, THE COURT, UNANIMOUSLY,

1. Declares the application admissible;

2. Holds that there has been a violation of Article 8 of the Convention;

3. Holds that there has been no violation of Article 13 read in conjunction

with Article 8 of the Convention;

4. Holds that there is no need to examine the complaint under Article 6 of

the Convention;

5. Holds that the finding of a violation constitutes in itself sufficient just

satisfaction for any non-pecuniary damage sustained by the applicants;

6. Holds
(a) that the respondent State is to pay the applicants, jointly, within
three months from the date on which the judgment becomes final in
accordance with Article 44 § 2 of the Convention, EUR 4,000 (four
thousand euros), plus any tax that may be chargeable to the applicants,
in respect of costs and expenses, to be converted into the currency of the
respondent State at the rate applicable at the date of settlement;
46 SZABÓ AND VISSY v. HUNGARY JUDGMENT

(b) that from the expiry of the above-mentioned three months until
settlement simple interest shall be payable on the above amount at a rate
equal to the marginal lending rate of the European Central Bank during
the default period plus three percentage points;

7. Dismisses the remainder of the applicants’ claim for just satisfaction.

Done in English, and notified in writing on 12 January 2016, pursuant to

Rule 77 §§ 2 and 3 of the Rules of Court.

Fatoş Aracı V. De Gaetano

Deputy Registrar President

In accordance with Article 45 § 2 of the Convention and Rule 74 § 2 of

the Rules of Court, the separate opinion of Judge Pinto de Albuquerque is
annexed to this judgment.

V.D.G.
F.A.
 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION 47

CONCURRING OPINION OF JUDGE PINTO DE

ALBUQUERQUE
1. The Chamber is unanimous in finding a violation of Article 8, but I
am not satisfied with the reasoning of the judgment. In two crucial issues,
the Chamber departs deliberately from the Grand Chamber judgment
delivered in the very recent Roman Zakharov v. Russia case1, which set the
European standard on mass surveillance for intelligence and national
security purposes. The two points of confrontation between the Chamber’s
reasoning and that provided by the Grand Chamber relate to the question of
the necessity test for determining covert surveillance operations and the
degree of suspicion of involvement in the offences or activities being
monitored.
2. I cannot agree with the Chamber’s approach, for two imperative
reasons: firstly, because I already took a different position on these issues in
my separate opinion joined to the judgment delivered in the Draksas v.
Lithuania case on phone tapping and other communication interception as
covert surveillance and intelligence gathering measures2, which should not
be confused with special investigation techniques in the criminal-law field3;
secondly, my opinion in Draksas was confirmed, in substance, by the Grand
Chamber in the above-mentioned Russian case. Hence, nothing could justify
my defiance to the Grand Chamber’s findings in Roman Zakharov. That is
why, in the following opinion, I will seek to defend the Grand Chamber’s
findings and to deconstruct the present judgment’s reasoning where it
departed from them.

Mass surveillance for the purpose of national security in international

law

3. Since the disclosure of mass surveillance practices in June 2013 by

the former United States National Security Agency (US NSA) contractor
Mr Edward Snowden, the discussion on the issue of protection of privacy
has regained a new impetus in the United Nations. In a chillingly accurate
forecast, the Report of the United Nations Special Rapporteur on the
promotion and protection of the right to freedom of opinion and expression,

1
Roman Zhakarov v. Russia [GC], no. 47143/06, 4 December 2015.
2
Draksas v. Lithuania, no. 36662/04, 31 July 2012.
3
See my opinion joined to the case of Lagutin and Others v. Russia, nos. 6228/09,
19123/09, 19678/07, 52340/08 and 7451/09, 24 April 2014. This case related to law-
enforcement and criminal investigations, whose standards differ from those of secret
surveillance for national security purposes. It should be noted that the Chamber often
confuses these standards (see, for example, paragraphs 22 and 56 of the judgment, citing
elements of international law and Court cases relevant for criminal investigation purposes).
48 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION

Frank La Rue, of 17 April 2013, analysed the implications of States’

surveillance of communications on the exercise of the human rights to
privacy and to freedom of opinion and expression4. Immediately after the
Snowden revelations, on 21 June 2013, the United Nations Special
Rapporteur on the Protection and Promotion of the Right to Freedom of
Opinion and Expression and the Special Rapporteur for Freedom of
Expression of the Inter-American Commission on Human Rights considered
it necessary to highlight a series of international legal principles on the issue
and published a “Joint Declaration on surveillance programs and their
impact on freedom of expression”5. On 26 September 2013 the 35th
International Conference of Data Protection and Privacy Commissioners
adopted a “Resolution on anchoring data protection and the protection of
privacy in international law”. The Commissioners resolved to call upon
governments to advocate the adoption of an additional protocol to Article 17
of the International Covenant on Civil and Political Rights (ICCPR), which
should be based on the standards that have been developed and endorsed by
the International Conference and the provisions in General Comment No. 16
to the Covenant.

4
A/HRC/23/40. The Rapporteur advocated judicial supervision of State surveillance of
communications, the right of the monitored person to be notified once the operation has
been completed and the right to seek redress (paragraphs 81 and 82). Prior to that report,
the UN Special Rapporteur on the promotion and protection of human rights and
fundamental freedoms while countering terrorism put forward the “Compilation of good
practices on legal and institutional frameworks and measures that ensure respect for human
rights by intelligence agencies while countering terrorism, including on their oversight”,
17 May 2010 (A/HRC/14/46). Important documents by civil society were also published on
this topic. The “International Principles on the Application of Human Rights to
Communications Surveillance”, endorsed by almost 400 non-governmental and human
rights organisations, were launched in May 2014. The Open Society Justice Initiative
published the “Global Principles on National Security and the Right to Information
(Tshwane Principles)”, on 12 June 2013, which were drafted by 22 organisations and
academic centres, following the “Johannesburg Principles on National Security, Freedom
of Expression and Access to Information” adopted by a group of experts convened by
Article 19 in 1995, and the “Principles of Oversight and Accountability for Security
Services in a Constitutional Democracy” elaborated in 1997 by the Centre for National
Security Studies (CNSS) and the Polish Helsinki Foundation for Human Rights.
5
Paragraph 9 of the Joint Declaration stated that the law must clearly specify the criteria to
be used for determining the cases in which such surveillance is legitimate for national
security purposes and that such measures shall be authorised only in the event of a clear
risk to protected interests and when the damage that may result would be greater than
society’s general interest in maintaining the right to privacy and the free circulation of ideas
and information. In any event, the collection of this information is to be monitored by an
independent oversight body and governed by sufficient due-process guarantees and judicial
oversight, within the limitations permissible in a democratic society.
 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION 49

4. On 18 December 2013 the United Nations General Assembly adopted

Resolution 68/167, on “the Right to Privacy in the Digital Age” 6, which
expressed deep concern at the negative impact that surveillance and
interception of communications – including extraterritorial surveillance and
interception of communications, as well as the collection of personal data,
in particular when carried out on a mass scale – may have on the exercise
and enjoyment of human rights, and urged States to establish or maintain
existing independent, effective domestic oversight mechanisms capable of
ensuring transparency, as appropriate, and accountability for State
surveillance of communications, their interception and the collection of
personal data.
5. More specifically, on 26 March 2014 the Human Rights Committee,
in its Concluding observations on the fourth report of the United States of
America under the ICCPR7, recommended that measures should be taken to
ensure that any interference with the right to privacy complies with the
principles of legality, proportionality and necessity, regardless of the
nationality or location of the individuals whose communications are under
direct surveillance. It also insisted on the need for reform of the current
oversight system of surveillance activities to ensure its effectiveness,
including by providing for judicial involvement in the authorisation or
monitoring of surveillance measures, and considering the establishment of
strong and independent oversight mandates with a view to preventing
abuses.
6. On request of the General Assembly, the United Nations High
Commissioner for Human Rights (UNHCHR) presented a report on 30 June
2014 on the right to privacy in the digital age 8. The report dealt with the
protection and promotion of the right to privacy in the context of domestic
and extraterritorial surveillance and the interception of digital
communications and the collection of personal data, including on a mass
scale. Concerned with media revelations suggesting that the National
Security Agency in the United States of America and the General
Communications Headquarters in the United Kingdom had developed
technologies allowing access to much global internet traffic, call records in
the United States, individuals’ electronic address books and huge volumes
of other digital communications content, and that these technologies had
been deployed through a transnational network comprising strategic
intelligence relationships between Governments, regulatory control of
private companies and commercial contracts, the UNHCHR underscored

6
A/RES/68/167. The resolution, which was co-sponsored by 57 Member States, was taken
without a vote.
7
Human Rights Committee Concluding Observations on the 4th USA report,
CCPR/C/USA/CO/4, 26 March 2014, paragraph 22(d).
8
A/HRC/27/37.
50 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION

that, other than the right to privacy, the rights to freedom of opinion and
expression, and to seek, receive and impart information, to freedom of
peaceful assembly and association and to family life may also be affected by
mass surveillance, the interception of digital communications and the
collection of personal data. Targeted surveillance of digital communication
may constitute a necessary and effective measure for intelligence and law-
enforcement entities when conducted in compliance with international and
domestic law, but “it will not be enough that the measures are targeted to
find certain needles in a haystack; the proper measure is the impact of the
measures on the haystack, relative to the harm threatened; namely, whether
the measure is necessary and proportionate”. Mandatory third-party data
retention, whereby Governments require telephone companies and Internet
service providers to store metadata about their customers’ communications
and location for subsequent law-enforcement and intelligence agency
access, appears neither necessary nor proportionate. With the line between
criminal justice and protection of national security blurring significantly, the
sharing of data between law-enforcement agencies, intelligence bodies and
other State organs risks violating the right to privacy, because surveillance
measures that may be necessary and proportionate for one legitimate aim
may not be so for the purposes of another. Thus, States should take steps to
ensure that effective and independent oversight regimes and practices are in
place, with attention to the right of victims to an effective remedy9.
7. More recently, on 24 March 2015 the Human Rights Council decided
to appoint, for a period of three years, a special rapporteur on the right to
privacy10.
8. Within the Council of Europe, the disclosure of the mass surveillance
practices aroused renewed interest in the Convention for the protection of
Individuals with regard to automatic processing of personal data, of
28 January 198111, and the Additional Protocol to the Convention for the
Protection of Individuals with regard to Automatic Processing of Personal
Data, regarding supervisory authorities and transborder data flows of
8 November 200112, as well as in Committee of Ministers Recommendation
No. R (87) 15 on the use of personal data in the police sector, adopted on
17 September 1987, Recommendation No. R (95) 4, on the protection of
personal data in the area of telecommunication services, with particular
reference to telephone services, adopted on 7 February 1995, and
Parliamentary Assembly (PACE) Recommendation 1402(1999)1, on the
control of internal security services in Council of Europe member states,

9
Paragraphs 24-27 and 50 of the report.
10
A/HRC/28/L.27.
11
ETS no. 108.
12
ETS no. 181.
 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION 51

adopted on 26 April 199913. Additionally, both the Venice Commission

report on the democratic oversight of the security services, adopted in June
200714, and the European Commission against Racism (ECRI) General
Policy Recommendation no. 11 on combating racism and racial
discrimination in policing, adopted on 29 June 2007, gained new actuality15.
9. Immediately after the publication of the Snowden files, the
Committee of Ministers adopted the “Declaration on Risks to Fundamental
Rights stemming from Digital Tracking and other Surveillance
Technologies”, of 11 June 2013, followed by PACE Recommendation
(2024)201316 and Resolution (1954)2013 on national security and the right
to information, both adopted on 2 October 201317, and the Commissioner
for Human Rights Comment on “human rights at risk when secret
surveillance spreads”, of 24 October 2013, and issue paper “The rule of law
on the internet and in the wider digital world”, of 8 December 201418.
10. More recently, in March 2015 the Venice Commission adopted the
“Update of the 2007 report on the democratic oversight of the security
services and report on the democratic oversight of signals intelligence

13
The PACE expressed its clear preference for extensive a priori and ex post facto judicial
control of surveillance activities with a high potential to infringe upon human rights, on the
basis of “probable cause for belief that an individual is committing, has committed, or is
about to commit an offence”, or “probable cause for belief that particular communications
or specific proof concerning that offence will be obtained through the proposed interception
or house searches, or that (in the case of arrest) a crime can thus be prevented” and “normal
investigative procedures have been attempted but have failed or appear unlikely to succeed
or be too dangerous.” The authorisation to undertake this kind of operative activity should
be time-limited (to a maximum of three months). Once observation or wire-tapping has
ended, the person concerned should be informed of the measure taken.
14
CDL-AD(2007)016-e. The Venice Commission stated its preference for judicial
authorisation and review of surveillance operations directed to “individual cases”, but
noting at the same time that much surveillance work is not directed towards pre-trial legal
procedures, such as data-mining, and this kind of surveillance work tends to escape judicial
control (paragraphs 29, 202-204). Finally, it conceded that “there may not be much in the
way of concrete suspicions to go on at the time when surveillance is requested but other
means of obtaining information may be regarded as impracticable.” (paragraph 207).
15
CRI(2007)39. The ECRI called on the Governments to introduce a reasonable suspicion
standard, whereby powers relating to control, surveillance or investigation activities can
only be exercised on the basis of a suspicion that is founded on objective criteria.
16
The Recommendation encouraged member States of the Council of Europe to take into
account the Tshwane Principles.
17
The Resolution affirmed that the neutrality of the Internet requires that public authorities,
Internet service providers and others abstain from using invasive wiretapping technologies,
such as deep packet inspection, or from otherwise interfering with the data traffic of
Internet users.
18
CommDH/IssuePaper(2014)1. The Commissioner asserted that “suspicion-less mass
retention of communications data” is fundamentally contrary to the rule of law,
incompatible with core data-protection principles and ineffective. Member States should
not resort to it or impose compulsory retention of data by third parties.
52 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION

agencies”, which distinguishes between targeted surveillance (covert

collection of conversations, telecommunications and metadata) and
“strategic surveillance” which “does not necessarily start with a suspicion
against a particular person or persons”. The Commission insists on a system
of judicial authorisation complemented by some form of follow-up control
that conditions are being complied with. The power to “contact chain”, i.e.
to identify people in contact with each other, should be framed narrowly:
contact chaining of metadata should normally only be possible for people
suspected of “actual involvement in particularly seriously offences”, such as
terrorism. Strengthened justification requirements and procedural
safeguards should apply, such as the involvement of a privacy advocate,
with regard to searches of content data. In the view of the Commission,
notification that one has been subject to strategic surveillance is not an
absolute requirement of Article 8 of the Convention. If a State has a general
complaints procedure to an independent oversight body, this can
compensate for non-notification19.
11. On 21 April 2015 the PACE approved Resolution 2045(2015) on
mass surveillance, urging the Council of Europe member and observer
States to ensure that their national laws only allow for the collection and
analysis of personal data, including metadata, with the consent of the person
concerned or following a court order granted on the basis of reasonable
suspicion of the target being involved in criminal activity.
12. In May 2015 the Council of Europe Commissioner for Human
Rights published an issue paper on “Democratic and effective oversight of
national security services”, advocating that independent ex ante
authorisation should be extended to untargeted bulk collection of
information, the collection of and access to communications data, including
when held by the private sector, and, potentially, computer network
exploitation. The process by which intrusive measures are authorised or re-
authorised should itself be subject to scrutiny. States must ensure that
individuals can also access a supervisory institution equipped to make
legally binding orders.
13. Reacting to the worldwide debate on mass surveillance, the
European Union (EU) did not speak with one voice. The first institutional
position came from the European Commission, with its Communications to
the European Parliament and the Council on the Functioning of the Safe
Harbour from the Perspective of EU Citizens and Companies Established20,

19
CDL-AD(2015)006, paragraphs 3, 16, 24, 51, and 103-105.
20
COM(2013) 847 final. The Commission identified a number of shortcomings and set out
13 recommendations. On the basis of these recommendations, the Commission has been
holding talks with the US authorities since January 2014 with the aim of putting in place a
renewed and stronger arrangement for transatlantic data exchanges.
 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION 53

and on “Restoring Trust in EU-US data flows”21, both of 27 November

2013. Following the Schrems judgment by the Court of Justice, the
Commission delivered a Communication to the European Parliament and
the Council on the Transfer of Personal Data from the EU to the United
States of America under Directive 95/46/EC, on 6 November 2015, insisting
that a renewed and sound framework for transfers of personal data to the
United States remains a key priority for the Commission, but at the same
time identifying alternative, e.g. contractual, tools authorising data flows by
companies for lawful data transfers to third countries such as the United
States.
14. In its resolution of 12 March 2014 on the US NSA surveillance
programme, surveillance bodies in various Member States and their impact
on EU citizens’ fundamental rights and on transatlantic cooperation in
Justice and Home Affairs22, the European Parliament virulently condemned
the vast and systemic blanket collection of the personal data of innocent
people, often including intimate personal information, in an “indiscriminate
and non-suspicion-based manner”, calling on EU Member States to ensure
that their intelligence services were subject to parliamentary and judicial
oversight and public scrutiny and that they respect the principles of legality,
necessity, proportionality, due process, user notification and transparency.
In the framework of the relations between the EU and the US, the European
Parliament specifically required that effective guarantees be given to
Europeans to ensure that the use of surveillance and data processing for
foreign intelligence purposes is proportional, limited by clearly specified
conditions, and related to reasonable suspicion and probable cause of
terrorist activity, stressing that this purpose must be subject to transparent
judicial oversight. One year later, the European Parliament resolution of
29 October 2015 on the follow-up to the European Parliament resolution of
12 March 201423 called on the Commission to prepare guidelines for
Member States on how to bring any instruments of personal data collection
for the purpose of the prevention, detection, investigation and prosecution of
criminal offences, including terrorism, into line with the judgments of the
Court of Justice on data retention and on Safe Harbour, pointing in
particular to paragraphs 58 and 59 of the data retention judgment and to
paragraphs 93 and 94 of the Safe Harbour judgment, which, in the
parliamentarians’ view, clearly demand a targeted approach for data
collection rather than a ‘full take’. It further warned against the obvious

21
COM(2013) 846 final.
22
20013/20188(INI). This Resolution was preceded by the important “Report on the US
NSA surveillance programme, surveillance bodies in various Member States and their
impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and
Home Affairs” (A7-0139/2014), of 21 February 2014.
23
2015/2635(RSP).
54 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION

downward spiral for the fundamental right to privacy and personal data
protection occurring when every bit of information on human behaviour is
considered to be potentially useful in combating future criminal acts,
necessarily resulting in a mass surveillance culture where every citizen is
treated as a potential suspect and leading to the corrosion of societal
coherence and trust.
15. As a matter of fact, the Luxembourg Court played a major role in
redefining the limits of covert data gathering for national security purposes
in the EU and outside it. In Maximillian Schrems v. Data Protection
Commissioner24, the Court of Justice of the European Union declared that
the Commission’s US Safe Harbour Decision is invalid, because it
authorises, on a generalised basis, storage of all the personal data of all the
persons whose data is transferred from the EU to the United States without
any differentiation, limitation or exception being made in the light of the
objective pursued and without an objective criterion being laid down for
determining the limits of the access of the public authorities to the data and
of its subsequent use. The Court added that legislation permitting the public
authorities to have access on a generalised basis to the content of electronic
communications must be regarded as compromising the essence of the
fundamental right to respect for private life. Likewise, the Court observed
that legislation not providing for any possibility for an individual to pursue
legal remedies in order to have access to personal data relating to him, or to
obtain the rectification or erasure of such data, compromises the essence of
the fundamental right to effective judicial protection, the existence of such a
possibility being inherent in the existence of the rule of law. Finally, the
Court found that the Safe Harbour Decision denies the national data
protection supervisory authorities their powers where a person calls into
question whether the decision is compatible with the protection of the
privacy and of the fundamental rights and freedoms of individuals. The
Court held that the Commission did not have competence to restrict the
national supervisory authorities’ powers in that way.
In the joint cases of Digital Rights Ireland and Seitinger and Others25,
the Luxembourg Court had already declared invalid the Data Retention
Directive 2006/24/EC laying down the obligation on the providers of
publicly available electronic communication services or of public
communications networks to retain all traffic and location data (or
metadata) for periods from six months to two years, in order to ensure that
the data were available for the purpose of the investigation, detection and
prosecution of serious crime, as defined by each Member State in its
national law. Both individually and in the aggregate, these surveillance

24
Case C-362/14, judgment of 6 October 2015.
25
Cases C-293/12 and C-594/12, judgment of 8 April 2014.
 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION 55

capabilities allowed the State to build a precise picture of the most intimate
aspects of an individual’s life. The potential threat to privacy resulting from
such compulsory, suspicion-less, untargeted data retention obligation,
generating in the minds of the persons concerned the feeling that their
private lives were subject to constant surveillance, breached Articles 7 and 8
of the EU Charter on Fundamental Rights26.
16. Finally, the European Data Protection Authorities made known their
views on the threats to privacy resulting from mass surveillance tools. The
European Data Protection Supervisor delivered, on 20 February 2014, an
Opinion on the Communications from the Commission to the European
Parliament and the Council on “Rebuilding Trust in EU-US Data Flows”
and on “the Functioning of the Safe Harbour from the Perspective of EU
Citizens and Companies Established in the EU” 27. Subsequently, the
Working Party Article 29 published its Opinion 4/2014 on surveillance of
electronic communications for intelligence and national security purposes,
of 10 April 201428. On 26 November 2014 the European Data Protection
Authorities Assembled in the Article 29 Working Party issued a Joint
Statement29.

Application of the international-law standards to the facts of the case

The categories of offences or activities being monitored

17. Act no. XXXIV of 1994 on the Police (the Police Act) does not
contain any definition of a “terrorist act” or “terrorist action”, which could
eventually raise a problem in terms of the foreseeability of the legal
framework of intelligence gathering for national security purposes under
section 7/E (3). It can be argued that the reference of section 69 (5) to
“terrorist act” as defined in section 261 of the former Criminal Code and
sections 314 to 316 of the new Criminal Code fills the definitional gap and
consequently that these concepts refer to the definitions of the Criminal

26
The Luxembourg Court was clearly inspired by the standard established in the data
retention directive case in Germany in 2010 (BVerfG 125, 260).
27
2014/C 116/04.
28
819/14/EN. While focusing on the access to metadata, the Working Party concluded that
secret, massive and indiscriminate surveillance programs are incompatible with the EU
fundamental laws and cannot be justified by the fight against terrorism or other important
threats to national security. The Working Party, amongst others, called for effective, robust
and independent external oversight, performed either by a dedicated body with the
involvement of the data protection authorities or by the data protection authority itself. The
recommendations of the Opinion were based on the legal analysis published in the Working
Document on surveillance of electronic communications for intelligence and national
security purposes, of 5 December 2014.
29
14/EN WP227.
56 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION

Code, as paragraph 64 of the judgment states30. Hence, the safeguard

mentioned in paragraph 231 of Roman Zakharov (“the nature of offences
which may give rise to an interception order”) is set out in the Hungarian
law with the necessary degree of clarity and precision31.

The degree of suspicion of involvement in the offences or activities

being monitored

18. Act no. CXXXV of 1995 on National Security Services (the

National Security Act) does not contain any requirement that the persons
being monitored must be subject to a “reasonable suspicion” standard, set
out in paragraphs 260, 262 and 263 of Roman Zakharov and previously in
paragraph 51 of Iordachi and Others32. The only standard established by the

30
Paragraph 64 of the judgment.
31
See also my separate opinion in Draksas, cited above, page 26, point (2). Hence, I cannot
share the Chamber’s statement that “the requirement of “foreseeability” of the law does not
go so far as to compel States to enact legal provisions listing in detail all situations that may
prompt a decision to launch secret surveillance operations” (paragraph 64 of the judgment),
which not only downgrades the role of the principle of legality in a field of law where its
rigorous reading is most needed, but also leaves the door wide open to creative
interpretation of the law by Government and therefore to State abuse. An example of this
worrying creative interpretation is given by the Government themselves in the present case,
when they refer to the following two tasks pursued by secret intelligence gathering subject
to ministerial authorisation in Hungary: “one the one hand, to detect and eliminate acts of
terrorism and, on the other hand, to find and rescue Hungarian nationals [who have] got
into trouble in a foreign country. The applicants may only be regarded to be affected by the
contested provisions in so much that the Act does not exclude them from the circle of
persons who in the context of the detection and identification of a person or a group of
persons potentially linked to an act of terrorism may, among the persons or at a location or
in a facility endangered by an act of terrorism, be affected by secret intelligence
gathering…” (see page 8 of the Government observations of 31 October 2014). This means
that any person with a “potential link” to an act of terrorism or a place endangered by an act
of terrorism, including the potential victims, may be submitted to a surveillance measure, as
well as any person potentially linked to an incident with an Hungarian who “got into
trouble in a foreign country”! In their security-purposed logic, the Government conclude
that “the national security aspects to be weighed can be specified under the law in very
broad terms, as in the actual assessment security policy aspects, that is, non-legal aspects
will have priority… In the field of authorising national security-purposed secret
intelligence gathering no positive law specifying an exact criteria system providing grounds
for a judicial decision exists or can be created … Therefore in the field of combatting
terrorism authorisation for national security-purposed secret intelligence gathering is
granted on the basis of a politically influenced criteria-system which cannot be specified
under positive law…” (see page 12 of the Observations). Summing up the Government’s
perspective, State secret surveillance is the realm of politics and no law “exits or can be
created” to limit this realm.
32
Iordachi and Others v. Moldova, no. 25198/02, 10 February 2009. See also my separate
opinion in Draksas, cited above, page 26, point (3), and page 27, for similar defects in the
Lithuanian law.
 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION 57

Hungarian law is that of the “persons concerned [to be] identified by name
or as a range of persons” (section 57 (2) (a) of the National Security Act),
which inevitably allows for unfettered ministerial discretion and for a
“strategic, large-scale interception”33. In paragraph 71 of the present
judgment, the Chamber chose the lower standard of an unqualified
“individual suspicion”, which diminishes significantly the degree of
protection set out in Roman Zakharov and previously in Iordachi and
Others34. Worse still, the almost evanescent suspicion criterion chosen by
the Chamber is totally at odds with the growing concern of the United
Nations, the Council of Europe and the European Union with regard to
massive, indiscriminate and secret “bulk surveillance” and the present state
of international law, as established in the above-mentioned documents, such
as Parliamentary Assembly Resolution 2045(2015) and its Recommendation
1402(1999)1, the Venice Commission’s 2007 and 2015 reports, the
European Commission against Racism’s General Policy Recommendation
no. 11 and the European Parliament Resolutions of 12 March 2014 and of
29 October 2015.
19. Implicit in the Chamber’s reasoning, as well as in the Constitutional
Court’s, is the assumption that national security protection is not limited to
the investigation of past, ongoing or future offences and therefore the
“reasonable suspicion” criterion should be dispensed with. This assumption
is wrong in the present case, in face of the letter of section 7/E (3) of the
Police Act, which specifically refers to preventing, tracking and repealing of
attempts to carry out terrorist acts in Hungary (subsection (1) point a) sub-
point ad)) and to rescuing Hungarian citizens who are in distress due to an
imminent and life-threatening danger of act of war, armed conflict, hostage-
taking or terrorist action outside the territory of Hungary (subsection (1)
point (e)). As is clear, these tasks refer either to to the criminal prevention of
acts of terrorism in Hungary or to rescue operations in situations of danger,
war, armed conflict, hostage-taking or terrorist action already ongoing
outside the territory of Hungary. In both the cases of criminal prevention
and rescue operations, nothing hinders the applicability of the criterion of

33
The critique of the Chamber in paragraph 69 of the judgment is entirely right, but
unfortunately the Chamber did not follow through this argument to its logical end.
34
In other words, the Chamber standard is even below the lowest degree of bona fide
suspicion or “initial suspicion” (Anfangsverdacht) relevant in criminal law. The Chamber’s
reference to paragraphs 259 and 261 of Zakharov is misleading, since the Grand Chamber
qualified the “individual suspicion” by restricting it to a “reasonable suspicion” test in
paragraphs 260, 262 and 263, which the Chamber chose to ignore. Furthermore, the
Chamber’s reference to a “sufficient factual basis” adds nothing, because this evidentiary
“basis” refers to the “supportive materials” and not to the degree of suspicion required to
justify the application of any secret intelligence gathering measure. For further discussion
on the three possible degrees of suspicion in the field of criminal law, see my separate
opinion in Lagutin and Others, cited above, page 38, point 9.1).
58 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION

the “reasonable suspicion” that the targeted monitored person is involved in

the future commission of a terrorist act or in the creation of an imminent
situation of danger when collecting secret intelligence useful for the
performance of those tasks.
20. The real reason why the Chamber’s reasoning does not remain
faithful to the Grand Chamber’s criterion of “reasonable suspicion” is
because it assumes that the fight against terrorism requires a “pool of
information retrievable by the authorities applying highly efficient methods
and processing masses of data, potentially about each person, should he be,
one way or another, connected to suspected subjects or objects of planned
terrorist attacks”35. The vagueness of this language is impressive,
encapsulating the net-widening, all-inclusive, minimalist suspicion
threshold supposedly needed to fight efficiently terrorism. In so stating, the
Chamber ignores that “The Court does not consider that there is any ground
to apply different principles concerning the accessibility and clarity of the
rules governing the interception of individual communications, on the one
hand, and more general programmes of surveillance, on the other.” 36
Furthermore, such optimistic language is indicative of an illusory conviction
that global surveillance is the deus ex machina capable of combating the
scourge of global terrorism. Even worse, such delusory language obliterates
the fact that the vitrification of society brings with it the Orwellian
nightmare of 1984. In practice, the Chamber is condoning, to use the words
of the European Parliament, “the establishment of a fully-fledged preventive
state, changing the established paradigm of criminal law in democratic
societies whereby any interference with suspects’ fundamental rights has to
be authorised by a judge or prosecutor on the basis of a reasonable suspicion
and must be regulated by law, promoting instead a mix of law-enforcement
and intelligence activities with blurred and weakened legal safeguards, often
not in line with democratic checks and balances and fundamental rights,
especially the presumption of innocence”37.

The necessity test

21. Section 53 of the National Security Act provides for the necessity
test. Paragraphs 67, 71, 72, 74, 75 and 88 of the judgment use a “strict
necessity” test and refer it to two purposes: the safeguarding of democratic
institutions and the acquiring of vital intelligence in an individual

35
Paragraph 78 of the judgment.
36
Liberty and Others v. the United Kingdom, no. 58243/00, § 63, 1 July 2008, and Weber
and Saravia v. Germany (dec.), no. 54934/00, § 114, 29 June 2006, both concerned with
generalised “strategic monitoring”.
37
Paragraph 12 of the European Parliament Resolution of 12March 2014, cited above.
 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION 59

operation38. This creative rephrasing of the legal test raises several

problems. Firstly, it is a stricter criterion than that in paragraphs 233 and
236 of Roman Zakharov39. Secondly, it does not match the looser criterion
for the degree of suspicion of involvement in the offences or activities being
monitored. It is logically inconsistent that the same judgment imposes a
“strict necessity” test for the determination of the surveillance measure, but
at the same time accepts a very loose criterion for the degree of suspicion of
involvement in the offences or activities being monitored, as demonstrated
above. It is logically incoherent to criticise the overly broad text of the
Hungarian law when it refers to the “persons concerned identified as a range
of persons” and yet to accept the linguistically vague and legally imprecise
“individual suspicion” test to ground the applicability of a surveillance
measure. Thirdly, the Chamber did not clarify in what the “strict necessity
test” consists, having merely linked the test to the purposes pursued.
Nowhere does the judgment clarify that the necessity test warrants that any
surveillance operation be ordered only if the establishment of the facts by
other less intrusive methods has proven unsuccessful or, exceptionally, if
other less intrusive methods are deemed unlikely to succeed40.

The list of special surveillance techniques and their maximum duration

22. Section 56 of the National Security Act provides an exhaustive list

of special investigation techniques, which include search and surveillance of
dwellings, interception of mail and electronic communications and
computer and network data interception. However, section 58 does not
provide a maximum time limit for the surveillance measures, as
paragraph 231 of Roman Zakharov laid down41. It only foresees a maximum
period of 90 days for each request, with the possibility of unlimited
renewals being open to the Minister of Justice. Furthermore, the Minister of
Justice has no access to the results of the ongoing surveillance operation
when he or she is called upon to decide on its prolongation, which evidently
facilitates the mere rubber-stamping of the prolongation request.

38
In fact, the Chamber uses a double language. Paragraph 58 refers to the “necessity” test
and the “necessity” requirements, but subsequently the language becomes more demanding,
adding the adjective “strict” to the word necessity.
39
Roman Zakharov, cited above, § 233 (“the bounds of necessity, within the meaning of
article 8 § 2”) and § 236 (“the necessity test”, “to address jointly the “in accordance with
the law” and “necessity” requirements”).
40
See my separate opinion in Draksas, cited above, page 26, point (4), and my separate
opinion in Lagutin and Others, cited above, page 36, point (6).
41
See my separate opinion in Draksas, cited above, page 26, point (5).
60 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION

The authorisation and review procedure

23. The National Security Act does not provide for an independent
authority to authorize the beginning of the surveillance operation (first stage
or ex ante review stage), since section 58 only refers to the Minister of
Justice as the sole authority to decide on the motion for a secret surveillance
measure, with no further appeal against his or her decision being
admissible42. The legal framework does not include an examination of the
case file or an assessment of the factual and legal grounds for authorisation
of the secret surveillance measure by an independent authority, preferably a
judge, as paragraph 233 of Roman Zakharov stated, following Klass and
Others43. In view of the enlarged consensus in international law mentioned
above and the gravity of the present-day dangers to citizens’ privacy, the
rule of law and democracy, the time has come not to dispense with the
fundamental guarantee of judicial authorisation and review in the field of
covert surveillance gathering44. Obviously, the judicial guarantee is not
incongruous with an additional external guarantee of political, e.g.
parliamentary, nature.
24. In the case at hand, the external control by Parliament’s National
Security Committee and the Commissioner for Fundamental Rights does not
guarantee an independent evaluation of the ministerial exercise of decisional
powers, in view of the external supervisory entities’ own lack of review
powers in concrete cases45. In addition, in the course of his or her inquiry

42
On the three stages of the oversight procedure, when the surveillance is first ordered,
while it is being carried out and after it has been terminated, see paragraph 233 of Roman
Zakharov, cited above, as well as paragraph 72 of Decision no. 32/2013 (XI.22) AB of the
Constitutional Court, cited in paragraph 20 of the present judgment.
43
Klass and Others v. Germany, 6 September 1978, §§ 55 and 56, Series A, no. 28.
44
See also my separate opinion in Draksas, cited above, page 26, point (6). Thus, I cannot
follow the Hungarian Constitutional Court when it argues that “Identifying and combating
endeavours aimed at committing acts having relevance from the aspects of securing the
sovereignty of the State and of protecting the lawful order of the State may fall outside the
sphere of particular criminal offences … The prevention and elimination of risks to
national security require political decisions, therefore decisions of this type fall in the
competence of the executive power” (paragraph 105 of Decision no. 32/2013 (XI.22) AB
of the Constitutional Court, cited in paragraph 20 of the judgment). Neither can I accept the
argument of the Government that judges are not welcomed, “because either due to lack of
expertise or the absence of external – political – accountability on the part of the courts or –
in case of specialisation – due to the courts’ becoming part of the system and their resulting
readiness to give preference to national security interests, courts tend to accept the risk-
assessments of the national security services, hence judicial control constitutes only formal
supervision.” (Government observations of 31 October 2014, page 11).
45
Although the Committee may request information on particular cases under section 14
(4) a) of the National Security Act, and the Minister or the chief director shall, within the
established deadline, reply, the Committee lacks any decision-making power with regard to
the particular cases.
 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION 61

affecting the national security services, the Commissioner for Fundamental

Rights is deprived of almost all relevant documentation, since he or she may
not inspect registers for the identification of individuals cooperating with
the national security services, documents containing the technical data of
devices and methods used by the national security services for intelligence
information gathering, or documents making it possible to identify the
persons using them, documents relating to encryption activities and
encoding, security documents relating to the installations and staff of the
national security services, documents related to security documents and
technological control, documents in respect of which access would make
possible the identification of the source of the information, or documents
with regard to which access would infringe the obligations undertaken by
the national security services towards foreign partner services46.
25. The shortcomings in the external political control are correctly
criticised by the Chamber, but the judgment’s reasoning omits a holistic
assessment of the subsequent surveillance review procedure, which is
essential to assess if the overall fairness of the system put in place by the
Hungarian legislature compensates for the shortcomings in the first stage of
the secret intelligence gathering procedure47.
26. The National Security Act does not establish an independent (i.e.
judicial) authority to monitor and review – pending the surveillance
operation (second stage or implementation stage) – such matters as whether
the secret services are in fact complying with the decision authorising the
use of secret operational measures, whether they faithfully reproduce in the
records the original data obtained during the operation and whether the

46
Article 23 (2) of Act CXI of 2011 on the Commissioner for Fundamental Rights. This
contradicts the principle that oversight institutions should have the power to initiate their
own investigations into areas of the intelligence service’s work that fall under their
mandates, and are granted access to all information necessary to do so (see UN 2010
Compilation of good practices, cited above, paragraph 14, and the UNHCHR 2014 report,
cited above, paragraph 41). In fact, the reality is that the Ombudsman’s office has never
dealt with a case concerning the surveillance of a citizen (see paragraph 18 of the judgment
and annex 2 to the applicants’ observations).
47
Such a holistic assessment was made of the Russian law by the Grand Chamber in
Roman Zakharov, cited above, § 178. The Hungarian Constitutional Court examined both
the authorisation stage and the handling of the collected data following the termination of
the interference and found the protection of the right to privacy satisfactory in the light of
the guarantees subsequent to the authorisation stage, such as the parliamentary external
oversight. The Government themselves referred to these guarantees in paragraphs 16 to 18
of their observations. Although the Chamber considered, in paragraph 58 of the judgment,
that “the Court is required to examine this legislation itself and the safeguards built into the
system allowing for secret surveillance”, it did not deliver what it promised.
62 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION

surveillance remains necessary for the performance of the tasks specified in

the law, as paragraph 251 of Roman Zakharov emphasises48.
27. In addition, when the surveillance operation is over (third stage or ex
post review stage), there is no provision for acquainting an independent (i.e.
judicial) authority with the results of the surveillance, and the law does not
compel this authority to review whether the requirements of the law have
been complied with. There are no regulations specifying with an appropriate
degree of precision the manner for screening the original data obtained
through surveillance, the procedures for preserving its integrity and
confidentiality and the procedure for its destruction49. Similarly, there exists
no independent review of whether the original data are in fact destroyed
within a time-limit if the surveillance has proved fruitless50.

The urgent procedure

28. An urgent procedure may be decided by a non-independent

authority, such as the director of the national secret services, only where the
normal procedure would entail a delay that would render useless the
operation. Section 59 of the National Security Act refers to a situation in
which “the external authorisation procedure entails such delay as obviously
countering, in the given circumstances, the interests of the successful
functioning of the National Security Service”. But it does not limit the use
of the urgent procedure to cases involving an immediate serious danger to
national security. Furthermore, it does not provide that the director’s
decision be confirmed within a short period of time by an independent (i.e.
judicial) authority, with full reviewing power, as established in
paragraph 266 of Roman Zakharov and previously in paragraph 16 of

48
In paragraph 274 of Roman Zakharov, cited above, the Court noted that the domestic
courts had no competence to supervise the implementation stage of the secret surveillance
measure, finding in paragraph 285 that the supervision of this second stage by the public
prosecutor was insufficient.
49
The interpretation proposed by the Constitutional Court in paragraph 138 of Decision
no. 32/2013 (XI.22) AB of the Constitutional Court, cited in paragraph 20 of the judgment
above, deriving from sections 43 and 50 (2) (e), when read in conjunction, a legal
obligation to delete ex officio unnecessary data not only seems forced, but does not really
solve the issue, since no specifics are provided about the competence, timing and procedure
for deletion of data collected for the purposes of Section 7/E (3) of the Police Act.
50
See my separate opinion in Draksas, cited above, page 28, for similar defects in the
Lithuanian law. Paragraph 255 of Roman Zakharov, cited above, censured the automatic
storage for six months of clearly irrelevant data. But the Grand Chamber did not take in
account the interest of the monitored person to invoke the allegedly “irrelevant” data in his
or her defence, as quite rightly argued in Dumitru Popescu v. Romania (no. 2),
no. 71525/01, § 78, 26 April 2007.
 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION 63

Association for European Integration and Human Rights and Ekimzhiev51,

since the director’s decision may only be confirmed, or not, by the Minister
of Justice within 72 hours.

The communication of the obtained data to third parties

29. The National Security Act does not set out the conditions to be
fulfilled and the precautions to be taken when the National Security
Services communicate the data obtained to third parties, as paragraph 231 of
Roman Zakharov specifically requests52. The vague reference in section 45
to the transfer of personal data to “foreign data processing authorities within
the framework of laws on protection of personal data” is manifestly
insufficient.

The duty to notify the person under surveillance

30. The National Security Act does not establish the duty to notify the
person under surveillance of the measure taken when it is over, provided
that the interests of national security are not endangered by such disclosure,
as paragraph 234 of Roman Zakharov lays down, here again following
Klass and Others53. Nor are any special guarantees with regard to the
secrecy of lawyer-client, doctor-patient, priest-penitent and journalist-source
privileged communications included in the Hungarian legal regime54.

The lack of effective remedies

31. Section 58 of the National Security Act prohibits appeals against the
Minister of Justice’s decision on any motion for a covert surveillance
measure under section 7/E (3) of the Police Act. The absence of any ex post

51
European Integration and Human Rights and Ekimzhiev v Bulgaria, no. 62540/00,
§ 16,28 June 2007.
52
See also my separate opinion in Draksas, cited above, page 26, point (8).
53
Klass and Others, cited above, §§ 55 and 56. See also my separate opinion in Draksas,
cited above, page 26, point (9), and page 29 for similar defects in the Lithuanian law.
54
See also my separate opinion in Draksas, cited above, page 26, point (10). The
Parliamentary Assembly Resolution 1954 (2013), cited above, reiterated that measures such
as interception orders or actions concerning communication or correspondence of
journalists or their employers or surveillance orders or actions concerning journalists, their
contacts or their employers should not be applied if their purpose is to circumvent the right
of journalists not to disclose information identifying a source. The Venice Commission
underscored very recently the “particularly problematic” nature of interception of
privileged communications by means of covert intelligence of lawyers, priests or journalists
and gave the example of covert surveillance of journalists in order to identify their sources
(Venice Commission Update of the 2007 report, cited above, paragraphs 18 and 106-108).
64 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION

facto notification aggravates the situation of helplessness of the monitored

persons. Hence, the complaint procedure outlined in sections 11 (5) and 14
(4) (c) to (f) of the National Security Act provides a merely virtual defence
possibility to monitored persons55. Consequently, persons under
surveillance in Hungary, as in Russia, have no real possibility of lodging
complaints, requests or appeals against concrete surveillance orders to
which they have been subjected56.
32. In the unlikely event that the individual concerned does learn of the
surveillance measure issued in his or her regard, for example, where he or
she receives leaked information confirming the measure, the domestic
complaint procedure does not ensure an independent and effective
assessment of the submitted grievances. In addition to what has already
been stated about the Parliamentary National Security Committee’s lack of
decision-making powers, it should be added that inquiries about complaints
related to the activities of the national security services are initially
conducted by the Minister of Home Affairs, who must inform the
complainants about the findings of the inquiry and the measures taken
within 30 days. The Minister is evidently not an independent authority. If
not satisfied, the complainant may appeal to the Committee, which may
conduct inquiries if “the weight of the complaint, according to one third of
the votes of the committee members, justifies the inquiry”. The political
nature of the Committee’s decision is enhanced by the discretionary
assessment of the “weight of the complaint” and the majority vote taken in
order to open the inquiry. The Committee may conduct a fact-finding
inquiry, in the course of which it may have access to the relevant documents
kept in the registry of the national security services, and may hear the staff
members of the national security services. If it concludes that the operation
of the national security services is unlawful, or is contrary to their
designated purpose in any manner, the Committee may only call upon the
Minister to take the necessary measures. Hence, the remedial body is neither
obligated to conduct an investigation nor to furnish effective redress, let
alone to order the discontinuance of any ongoing abusive surveillance and
the destruction of unlawful personal data. Ultimately, it is up to the Minister
to decide what action, if any, he or she wishes to take in reply to the
complainant’s grievances.

55
This is confirmed by the inexistence of complaints to the National Security Commission
(annex 1 of the applicants’ observations, confirmed by the Government observations of
14 January 2015).
56
In Russia, the general remedies were only available to persons in the possession of
information about the surveillance measure, and therefore their effectiveness was
undermined by the absence of a requirement to notify the subject of the measure at any
point (see Roman Zakharov, cited above, § 298, and previously, Association for European
integration and Human rights and Ekimdzhiev, cited above, § 100).
 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION 65

33. Furthermore, although section 50 (2) (b) of the National Security Act
mentions the possibility of deletion of personal data “ordered by a court in
data protection proceedings”, and section 48 allows for the “concerned
persons to file a request for the deletion of their personal data” 57, it is not
clear how the monitored individual concerned may request that his or her
personal data be deleted if he or she does not even have a fair possibility of
obtaining information about the collection of that personal data by the
National Security Services.
34. In sum, by depriving the subject of the secret surveillance measure
of any notification of its existence and therefore of the effective possibility
of challenging it retrospectively, Hungarian law eschews the most important
safeguard against improper use of secret surveillance measures 58. Were
Samuel Warren and Louis Brandeis confronted with this law, they would
undoubtedly repeat the words they used to call for their right to privacy:
“The intensity and complexity of life, attendant upon advancing civilization,
have rendered necessary some retreat from the world, and man, under the
refining influence of culture, has become more sensitive to publicity so that
solitude and privacy have become more essential to the individual” 59.

Conclusion

35. As a matter of principle, I would reiterate that “a system of secret

surveillance designed to protect national security entails a risk of
undermining or even destroying democracy on the ground of defending
it”60. With this in mind, the Chamber quite rightly did not tone down its
critique of the Hungarian legal framework on covert and massive
surveillance in order to make it more palatable to the respondent
Government. Yet while the tone is right, the substance of the judgment risks
failing to allay entirely the serious dangers for citizens’ privacy, the rule of

57
See the Constitutional Court’s interpretation of this provision in paragraph 138 of its
Decision no. 32/2013 (XI.22) AB, cited in paragraph 20 of the judgment.
58
I cannot therefore agree with the Constitutional Court’s statement that “Since secret
intelligence gathering does, per definition, exclude the possibility of an effective
remedy…” (see paragraph 72 of the Decision no. 32/2013 (XI.22) AB of the Constitutional
Court, cited in paragraph 20 of the judgment above).
59
Samuel Warren and Louis Brandeis, “The right to privacy”, in Harvard Law Review,
volume IV, no. 5, 15 December 1890, p. 196.
60
Rotaru v. Romania [GC], no. 28341/95,§ 59, 5 May 2000, paraphrasing Klass and
Others, cited above, § 49: “The Court, being aware of the danger such a law poses of
undermining or even destroying democracy on the ground of defending it, affirms that the
Contracting States may not, in the name of the struggle against espionage and terrorism,
adopt whatever measures they deem appropriate.”
66 SZABÓ AND VISSY v. HUNGARY JUDGMENT– SEPARATE OPINION

law and democracy resulting from such a legal framework 61. Worse still, the
choices made by the Chamber introduce a strong dissonant note in the
Court’s case-law. Paragraph 71 of the judgment departs clearly from
paragraphs 260, 262 and 263 of Roman Zakharov and paragraph 51 of
Iordachi and Others v. Moldova, since the Chamber uses a vague, anodyne,
unqualified “individual suspicion” to apply the secret intelligence gathering
measure, while the Grand Chamber uses the precise, demanding, qualified
criterion of “reasonable suspicion”. Judicial authorisation and review is
watered down if coupled with the Chamber’s ubiquitous criterion, because
any kind of “suspicion” will suffice to launch the heavy artillery of State
mass surveillance on citizens, with the evident risk of the judge becoming a
mere rubber-stamper of the governmental social-control strategy. A
ubiquitous “individual suspicion” equates to overall suspicion, i.e., to the
irrelevance of the suspicion test at all. In practice, the Chamber condones
volenti nolenti widespread, non-(reasonable) suspicion-based, “strategic
surveillance” for the purposes of national security, in spite of the
straightforward rebuke that this method of covert intelligence gathering for
“national, military, economic or ecological security” purposes received from
the Grand Chamber in Roman Zakharov. Only the intervention of the Grand
Chamber will put things right again.

61
This is particularly worrying if one considers that over the past few years, several privacy
and digital rights organizations have pointed to evidence that the Hungarian authorities
have purchased potentially invasive surveillance technologies (Freedom House, Freedom
on the Internet, report on Hungary, 2015, page 15).
 computer law & security review 33 (2017) 541–552

Available online at www.sciencedirect.com

ScienceDirect

w w w. c o m p s e c o n l i n e . c o m / p u b l i c a t i o n s / p r o d c l a w. h t m

Comment

The judgment of the Grand Chamber dated 21

December 2016 in the two joint Tele2 Sverige and
Watson cases: The need for a harmonised legal
framework on the retention of data at EU level

Xavier Tracol *
Data Protection Service, EUROJUST, The Hague, The Netherlands

A B S T R A C T

Keywords:
European Court of Justice
Tele2 Sverige and Watson
Digital Rights Ireland and Seitlinger
Article 15(1) of e-privacy Directive
2002/58/EC of 12 July 2002
Telecommunications metadata
Retention of personal data
Legal validity
Articles 7, 8, 11 and 52(1) of the
Charter of Fundamental Rights
Access to data
Prior review by a court or
independent administrative
authority
As a follow up to the Digital Rights judgment of 8 April 2014 in which the Grand Chamber
invalidated the data retention directive, the Administrative Court of Appeal in Stockholm
and the Court of Appeal in London both referred questions to the Court of Justice for a pre-
liminary ruling. On 21 December 2016, the Grand Chamber rendered a landmark judgment
in which it interpreted Article 15(1) of e-privacy directive 2002/58/EC dated 12 July 2002 in
light of Article 7 on the right to privacy, Article 8 on the protection of personal data, Article
11 on freedom of expression and Article 52(1) on the principle of proportionality of the Charter
of Fundamental Rights. The Grand Chamber ruled that EU law does not allow a general and
indiscriminate retention of all traffic and location data. It also ruled that access of compe-
tent national authorities to retained data must be restricted solely to fighting serious crime
and subject to prior review by a court or an independent administrative authority.
© 2017 Xavier Tracol. Published by Elsevier Ltd. All rights reserved.

“Justice raises her voice, but she has difficulty making herself heard
amid the tumult of the passions.” 1. Introduction

Charles-Louis de Sécondat, Baron of Brède and of In its judgment of 8 April 2014 in Digital Rights, the Grand
Montesquiou a/k/a Montesquieu, Persian Letters, Letter 81, Chamber held data retention directive 2006/24/EC to be invalid
Usbek to Rhedi, in Venice, 1721. ex tunc since it seriously interfered with the fundamental rights

* P.O. Box 16183, 2500 BD, The Hague, The Netherlands.

E-mail address: xtracol@eurojust.europa.eu.
http://dx.doi.org/10.1016/j.clsr.2017.05.003
0267-3649/© 2017 Xavier Tracol. Published by Elsevier Ltd. All rights reserved.
542 computer law & security review 33 (2017) 541–552
to respect for private life and protection of personal data and
exceeded the limits of the principle of proportionality which
are provided for in the Charter of Fundamental Rights. A
harmonised legal framework regulating the retention of data
has consequently been unavailable at EU level since the date
of this judgment. The latter has however not impacted on the
legal validity of national laws adopted by Member States to
enact the invalidated directive.
The two cases at hand of Tele2 Sverige and Watson pre-
cisely dealt with national laws which enacted the invalidated
directive. The landmark judgment of the Grand Chamber ac-
cordingly focused on the results and implications of its earlier
judgment invalidating the data retention directive for the leg-
islative reality in Member States as well as on the compatibility
of national data retention measures with fundamental rights
set out in the Charter.
2. Relevant law
Article 15(1) of e-privacy directive 2002/58/EC gives Member States
an option to retain data in the electronic communications sector.
This provision sets out that traffic and location data may both
be exceptionally retained for a limited period on the basis of
a specific legislative measure taken by Member States. The
retention is only allowed when it “constitutes a necessary, ap-
propriate and proportionate measure within a democratic society
to safeguard national security (i.e. State security), defence, public
security, and the prevention, investigation, detection and pros-
ecution of criminal offences or of unauthorised use of the
electronic communications system.”
3. Procedural background of the cases
The day after the judgment was handed down, Tele2 Sverige
which is a provider of electronic communications services no-
tified the Swedish Post and Telecommunications Authority
(“PTS”) of its decision to cease retaining the data referred to
in Chapter 6 of Law 2003:389 on electronic communications
(“the LEK”) from 14 April 2014. Tele2 Sverige also proposed to
delete the data which had been retained until then in accor-
dance with this chapter.1 Tele2 Sverige had concluded that the
Swedish legislation enacting then invalidated data retention
directive 2006/24 was not in conformity with the Charter.2
By decision of 29 April 2015, the Administrative Court of
Appeal in Stockholm stayed the proceedings and referred the
following question to the Court of Justice for a preliminary ruling:3
“Is a general obligation to retain data in relation to all persons
and all means of electronic communication and extending to
1 5
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 44.
2 6
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 50;
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] paras 15 and
63.
3
Regarding this decision, see Pam Storr, “Blanket Storage of Com-
munications Data – Proportional or Not? Sweden Asks CJEU for
Clarification on Data Retention”, European Data Protection Law Review,
2015, Volume 1, Issue 3, pp. 230–235.
all traffic data, without any distinction, limitation or excep-
tion being made by reference to the objective of fighting crime
[. . .] compatible with Article 15(1) of Directive 2002/58, taking
into account Articles 7, 8 and 52(1) of the Charter?”4
In the UK, the deputy leader of the Labour party,Tom Watson,
Peter Brice and Geoffrey Lewis brought actions against the rules
provided for in the Data Retention and Investigatory Powers
Act 2014 (“DRIPA”) which authorised the Home Secretary to
require public telecommunications operators to retain all com-
munications data except their content for a maximum period
of 12 months. By judgment of 17 July 2015, the High Court of
Justice in London ruled that the regime of the DRIPA was in-
consistent with EU law in that it did not meet the requirements
laid down in the Digital Rights judgment that it regarded as ap-
plying to the rules in the Member States on the retention of
data relating to electronic communications and on access to
such data.5 The Home Secretary appealed against this judgment.
By judgment of 20 November 2015, the Court of Appeal con-
sidered that the Court of Justice had simply identified and
described protections which were missing in the harmonised
EU regime in the Digital Rights judgment.6 The Court of Appeal
requested the Court of Justice to clarify the impact of its judg-
ment which limited both the collection of and access to data.
The Court of Appeal specifically asked the Court of Justice
whether the Digital Rights judgment and especially para-
graphs 60 to 62 thereof “lay down mandatory requirements of
EU law applicable to a Member State’s domestic regime governing
access to data retained in accordance with national legisla-
tion, in order to comply with Articles 7 and 8 of the [Charter]”.7
The approach of the two referring courts is thus quite dif-
ferent since the relevant national systems of data retention
substantially differ: the Swedish legislation provides for a general
obligation of retention whilst the British legislation is based on
the discretion of the Secretary of State for the Home Department.
In granting the expedited procedure pursuant to Article 105(1)
of the Rules of Procedure of the Court, the president of the Court
of Justice, Judge Koen Lenaerts, considered that the dispute in
the UK was over the Secretary of State’s powers “to require public
telecommunications operators to retain communications data
for a maximum period of 12 months, retention of the content
of the communications concerned being excluded.”8 Regard-
ing Sweden, the judge also noted that “it is clear that national
legislation that permits the retention of all electronic commu-
nications data and subsequent access to that data is liable to
cause serious interference with the fundamental rights laid down
in Articles 7 and 8 of the Charter”.9
The Commission and governments of 15 Member States in-
cluding Sweden and the UK submitted observations. Privacy
International, the Law Society and Open Rights Group inter-
vened in the case.10 The Council did however not intervene.
4
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 55(1).
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 58.
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 59.
7
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 60(1).
8
Order of the President of the Court, Case C-698/15, 1 February
2006, para 3.
9
Order of the President of the Court, Case C-698/15, 1 February
2006, para 10.
10
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 57.
 computer law & security review 33 (2017) 541–552
A high profile hearing took place on 12 April 2016.11 Judge
Rapporteur Thomas von Danwitz was also Judge Rapporteur
in the cases of Digital Rights12 and Schrems.13
4. Analysis of the opinion of Advocate
General Henrik Saugmandsgaard Øe dated
19 July 2016
Advocate General Saugmandsgaard Øe first identified that the
questions referred to the Court concerned the compatibility
of domestic “regimes establishing a general data retention ob-
ligation [. . .] with Directive 2002/58/EC and Articles 7 and 8 of
the Charter”.14 He added that the Court would in particular need
to clarify how its Digital Rights judgment was to be interpreted
in the domestic context to answer those questions.15 The Danish
Advocate General started by strangely expressing his “feeling
that a general data retention obligation imposed by a Member
State may be compatible with the fundamental rights en-
shrined in EU law, provided that it is strictly circumscribed by
a series of safeguards”.16 The latter turned out to form the back-
bone of the whole reasoning of the Advocate General.17
4.1. Applicability of the Charter to general data
retention obligations
Advocate General Saugmandsgaard Øe considered that re-
course by Member States to the option provided for in Article
15(1) of the directive of imposing a general data retention ob-
ligation is “subject to compliance with strict requirements”18
which flow from this provision and the relevant provisions of
the Charter read in light of the Digital Rights judgment.19 He
considered that “the provisions of the Charter are applicable
to national measures introducing such an obligation, in ac-
cordance with Article 51(1) of the Charter”.20 Being subject to
Article 15(1) of the directive, national rules are implementing
EU law which entails the applicability of the Charter.
The Advocate General has surprisingly not relied on the
Pfleger judgment of 30 April 201421 in which the Court of Justice
found that where Member States adopt national measures
11
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 259.
12
See Xavier Tracol, “Legislative genesis and judicial death of a
directive: the European Court of Justice invalidated the data re-
tention directive (2006/24/EC), thereby creating a sustained period
of legal uncertainty about the validity of national laws which
enacted it”, Computer Law & Security Review, Volume 30, Issue 6,
December 2014, pp. 736–746.
13
See XavierTracol,“‘Invalidator’ strikes back:The harbour has never
been safe”, Computer Law & Security Review, April 2016, Volume 32,
Issue 2, p. 346.
14
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 6.
15
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 6.
16
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 7.
17
Opinion in Joined Cases C-203/15 and C-698/15 [2015] paras 150,
152, 159, 195, 200–202, 204, 205, 216–221, 224, 226–228, 245, 262 and
263.
18
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 116.
19
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 116.
20
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 122.
21
Case C-390/12, para 36.
543
as exceptions provided for by EU law to the exercise of fun-
damental freedoms and rights, these measures have to comply
with the Charter. He argued that general data retention obli-
gations are “a serious interference with the right to privacy,
enshrined in Article 7 of the Charter, and the right to the pro-
tection of personal data guaranteed by Article 8 of the Charter.”22
4.2. Test of strict necessity
Advocate General Saugmandsgaard Øe went on to detail the
necessary elements of the test of “strict requirements”.23 First,
he recommended that the general obligation to retain data and
the accompanying guarantees must be “laid down by legisla-
tive or regulatory measures possessing the characteristics of
accessibility, foreseeability and adequate protection against ar-
bitrary interference.”24 Second, the obligation must respect the
essence of the right to respect for private life and the right to
the protection of personal data provided for in the Charter.25
Third, the Advocate General noted that any interference with
fundamental rights should be in the pursuit of an objective in
the general interest.26 He deemed that “the requirement of pro-
portionality within a democratic society prevents the combating
of ordinary offences and the smooth conduct of proceedings
other than criminal proceedings from constituting justifica-
tions for a general data retention obligation. The considerable
risks that such obligations entail outweigh the benefits they
offer in combating ordinary offences and in the conduct of pro-
ceedings other than criminal proceedings.”27
In what is arguably the main consideration of his opinion,
Advocate General Saugmandsgaard Øe further deemed that
solely the fight against serious crime is an objective in the
general interest which is capable of justifying a general obli-
gation to retain data whereas combating ordinary offences and
the smooth conduct of proceedings other than criminal pro-
ceedings are not.28 Fourth, the general obligation to retain data
“must be strictly necessary in the fight against serious crime,
which means that no other measure or combination of mea-
sures could be as effective [. . .] while at the same time
interfering to a lesser extent”29 with fundamental rights and
must comply with all the safeguards set out by the Grand
Chamber in the Digital Rights judgment regarding “access to the
data, the period of retention and the protection and security
of the data”.30 Last, the general obligation to retain data must
be proportionate which means that the serious risks engendered
by this obligation within a democratic society must not be dis-
proportionate “to the advantages it offers in the fight against
serious crime.”31
22
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 128.
23
Opinion in Joined Cases C-203/15 and C-698/15 [2015] paras
131–248.
24
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 153.
25
Opinion in Joined Cases C-203/15 and C-698/15 [2015] paras 159
and 160.
26
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 184.
27
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 172.
28
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 173.
29
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 263,
emphasis added.
30
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 263.
31
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 262.
544 computer law & security review 33 (2017) 541–552
4.3. Respect for the essence of the fundamental right to
privacy and access to communications metadata
Advocate General Saugmandsgaard Øe reiterated that the Grand
Chamber held in the Digital Rights judgment that “Directive 2006/
24 did not adversely affect the essence of the right to privacy
or of the other rights enshrined in Article 7 of the Charter, since
it did not permit the acquisition of knowledge of the content
of the electronic communications as such.”32 He expressed the
view that this “finding could equally apply to the national regimes
at issue in the main proceedings, since they also do not permit
the acquisition of knowledge of the content of the electronic
communications as such.”33 The Advocate General however
emphasised that the risks associated with access to commu-
nications metadata “may be as great or even greater than those
arising from access to the content of communications”.34 On the
basis of specific examples,35 he added that metadata “facili-
tate the almost instantaneous cataloguing of entire populations,
something which the content of communications does not.”36
The Advocate General found that the general obligation to
retain data must be strictly necessary to the fight against serious
crime.37 He did state that certain sensitive data such as data
which is subject to professional privilege or makes it pos-
sible to identify the source of a journalist should be excluded
from the scope of the retention obligation.38
4.4. Adequate controls on geographical safeguards:
retention and storage of personal data within the EU
Advocate General Saugmandsgaard Øe’s interpretation of para-
graph 68 of the Digital Rights judgment contributes to the
development of EU personal data law. In this paragraph, the
Grand Chamber noted that the data retention directive did not
require the data to be retained within the EU “with the result
that it cannot be held that the control, explicitly required by
Article 8(3) of the Charter, by an independent authority of com-
pliance with the requirements of protection and security [. . .]
is fully ensured.”39 The Grand Chamber thus noted this missing
requirement as one of the reasons why the data retention di-
rective did not “provide for sufficient safeguards [. . .] to ensure
effective protection of the data retained against the risk of abuse
and against any unlawful access and use of that data.”40
In his opinion, Advocate General Saugmandsgaard Øe
however stated that in paragraph 68 of the Digital Rights judg-
ment, the Grand Chamber “established that service providers
are under an obligation to retain data”41 within the EU. He thus
turned the finding of the Grand Chamber about a missing
32
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 156.
33
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 157.
34
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 259.
35
Opinion in Joined Cases C-203/15 and C-698/15 [2015] paras 257
and 258.
36
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 259.
37
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 205.
38
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 212.
39
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2013] para 68.
40
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2013] para 66.
41
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 238.
requirement into a positive obligation and “requirement”42 to
retain data within the EU.43
The Advocate General considered that all the guarantees
described by the Grand Chamber in paragraphs 60 to 68 of the
Digital Rights judgment “are mandatory and consequently must
accompany any general data retention obligation in order to
limit the interference [with the fundamental rights] to what
is strictly necessary.”44 In addition, this obligation must be pro-
portionate, within a democratic society, to the objective of
fighting serious crime.45
Last but not least, domestic courts bear the onus to deter-
mine, in light of all the relevant characteristics of the national
regimes, whether the requirements are met and sufficient safe-
guards are in place for data retention.46 Advocate General
Saugmandsgaard Øe thus questionably left it to domestic courts
to make their own assessment of proportionality in indi-
vidual cases.
5. Analysis of the judgment of the Grand
Chamber dated 21 December 2016
On 21 December 2016, the Court of Justice sitting in the Grand
Chamber composed of 15 judges47 rendered its judgment in the
two joint Tele2 Sverige and Watson cases. It ruled that EU law
does not allow a “general and indiscriminate retention of all
traffic and location data”.48 The Grand Chamber also ruled that
access of competent national authorities to retained data must
be “restricted solely to fighting serious crime”49 and “subject
to prior review by a court or an independent administrative
authority”.50
5.1. National legislation on the retention of data falls
within the scope of EU law
The Grand Chamber first considered that “the legislative mea-
sures that are referred to in Article 15(1) of Directive 2002/58
concern activities characteristic of States or State authori-
ties, and are unrelated to fields in which individuals are active”.51
42
Opinion in Joined Cases C-203/15 and C-698/15 [2015] paras 240
and 241.
43
See Xavier Tracol, “Legislative genesis and judicial death of a
directive: the European Court of Justice invalidated the data re-
tention directive (2006/24/EC), thereby creating a sustained period
of legal uncertainty about the validity of national laws which
enacted it”, Computer Law & Security Review, volume 30, issue 6,
December 2014, pp. 744 and 745.
44
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 244.
45
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 247.
46
Opinion in Joined Cases C-203/15 and C-698/15 [2015] paras 160,
209, 211, 215, 245 and 261.
47
See Composition of the Grand Chamber, Official Journal of the
European Union, C 296, 16 August 2016, p. 2.
48
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para
134(1).
49
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para
134(2).
50
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para
134(2).
51
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 72.
 computer law & security review 33 (2017) 541–552
Whilst Articles 1(3) and 15(1) of the directive seem to overlap,
it does not mean that matters permitted on the basis of Article
15(1) of the directive fall outside its scope since “otherwise that
provision would be deprived of any purpose. Indeed, Article 15(1)
necessarily presupposes that the national measures referred
to therein [. . .] fall within the scope of that directive, since it
expressly authorises the Member States to adopt them only
if the conditions laid down in the directive are met.”52 By adopt-
ing measures which are expressly excluded from the scope
of EU law, States continue being paradoxically regarded as
implementing EU law. The scope of the latter thus depends on
the purpose of Article 15(1) of the directive.
The Grand Chamber held that retention and access both
lay within the field of the directive.53 It ruled that “a legisla-
tive measure whereby a Member State, on the basis of Article
15(1) of Directive 2002/58, requires providers of electronic com-
munications services, for the purposes set out in that provision,
to grant national authorities, on the conditions laid down in
such a measure, access to the data retained by those provid-
ers, concerns the processing of personal data by those providers,
and that processing falls within the scope of that directive.”54
The Charter as interpreted by the Grand Chamber in its
Digital Rights judgment accordingly applies to national regimes
about both retention of data and access thereto by public au-
thorities on security grounds.
5.2. Interpretation of Article 15(1) of the directive
The Grand Chamber noted that “as a general rule, any person
other than the users is prohibited from storing, without the
consent of the users concerned, the traffic data”.55 It noted that:
Under Article 6 of that directive, the processing and storage of
traffic data are permitted only to the extent necessary and for the
time necessary for the billing and marketing of services and
the provision of value added services. As regards, in particular,
the billing of services, that processing is permitted only up to the
end of the period during which the bill may be lawfully chal-
lenged or legal proceedings brought to obtain payment. Once that
period has elapsed, the data processed and stored must be erased
or made anonymous.56
In addition, recital 30 of the directive sets out the prin-
ciple of data minimisation.57 Whilst Article 15(1) of the directive
permits exceptions, they must be interpreted strictly so that the
exception does not become the rule. The latter would other-
wise “be rendered largely meaningless.”58 The Grand Chamber
emphasised that the list of objectives provided for in Article
15(1) of the directive is exhaustive.59 In fine, this provision re-
quires that all the measures referred to in Article 15(1) of the
directive including the retention of data be in accordance with
52
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 73.
53
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 76.
54
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 78.
55
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 85.
56
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 86.
57
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 87.
58
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 89
in fine.
59
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 90.
545
general principles of EU law. The latter encompass the Charter
in light of which this provision must be interpreted.60
The Grand Chamber emphasised that the obligation to retain
traffic data raises questions on the compatibility with Ar-
ticles 7, 8 and 11 of the Charter on freedom of expression and
information.61 Contrary to the Digital Rights judgment,62 the
Grand Chamber emphasised that Article 15 of the directive
provided further detail in the context of communications whilst
recital 11 requires measures to be “‘strictly’ proportionate to
the intended purpose”.63
5.3. A very far-reaching and particularly
serious interference
The scope of the judgment dealt with the Swedish legisla-
tion which “provides for a general and indiscriminate retention
of all traffic and location data of all subscribers and regis-
tered users relating to all means of electronic communication,
and [. . .] imposes on providers of electronic communications
services an obligation to retain that data systematically and
continuously, with no exceptions.”64
The Grand Chamber considered that communications
metadata described in detail65 allows “very precise conclu-
sions to be drawn concerning the private lives of the persons
whose data has been retained”.66 They make the profiling of
data subjects possible, as observed by Advocate General
Saugmandsgaard Øe in his opinion that the Grand Chamber
expressly approved, which is as sensitive information as the
actual content of communications. The interference by na-
tional legislation which provides for the retention of traffic and
location data “in the fundamental rights enshrined in Ar-
ticles 7 and 8 of the Charter is very far-reaching and must be
considered to be particularly serious. The fact that the data is
retained without the subscriber or registered user being in-
formed is likely to cause the persons concerned to feel that
their private lives are the subject of constant surveillance”67
which are the same terms as the Digital Rights judgment.68 The
Grand Chamber however considered that the relevant legis-
lation did not affect the essence of fundamental rights since
the retention did not include the content of communications.69
The Grand Chamber justified the different findings on freedom
of expression made in this case and in the Digital Rights judg-
ment by holding that the retention of traffic and location data
could “have an effect on the use of means of electronic com-
munication and, consequently, on the exercise by the users
thereof of their freedom of expression, guaranteed in Article
11 of the Charter”.70 Accordingly, “only the objective of fighting
60
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 91.
61
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 92.
62
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2013] paras 28 and 70.
63
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 95.
64
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 97.
65
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 98.
66
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 99.
67
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 100.
68
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2013] para 37.
69
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 101.
70
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 101.
546 computer law & security review 33 (2017) 541–552
serious crime is capable of justifying such a measure”.71 Al-
though the Grand Chamber did not cross-refer to the opinion
of Advocate General Saugmandsgaard Øe, it agreed with him
that the seriousness of the interference implied that the re-
tention of communications data should be restricted to “serious
crime”.72
Even in this case, the Grand Chamber found that “while the
effectiveness of the fight against serious crime, in particular
organised crime and terrorism, may depend to a great extent
on the use of modern investigation techniques, such an ob-
jective of general interest, however fundamental it may be,
cannot in itself justify that national legislation providing for
the general and indiscriminate retention of all traffic and lo-
cation data should be considered to be necessary for the
purposes of that fight”.73 In line with its Digital Rights judgment,74
the Grand Chamber acknowledged that the use of modern in-
vestigation techniques may contribute to this fight.
The Grand Chamber emphasised that the directive re-
quires the retention of traffic and location data to be the
exception and not the rule as in the Swedish legislation.75 It
applied the same logic as in its Digital Rights judgment and re-
iterated its essential finding that:
National legislation such as that at issue in the main proceed-
ings, which covers, in a generalised manner, all subscribers and
registered users and all means of electronic communication
as well as all traffic data, provides for no differentiation, limita-
tion or exception according to the objective pursued. It is
comprehensive in that it affects all persons using electronic
communication services, even though those persons are not, even
indirectly, in a situation that is liable to give rise to criminal pro-
ceedings. It therefore applies even to persons for whom there
is no evidence capable of suggesting that their conduct might
have a link, even an indirect or remote one, with serious
criminal offences. Further, it does not provide for any ex-
ception, and consequently it applies even to persons whose
communications are subject, according to rules of national law,
to the obligation of professional secrecy.76
The Swedish legislation thus provides for generalised mass
processing and surveillance of metadata which infringes upon
the fundamental right to respect for private life77 and is out-
lawed in the EU. As in the Digital Rights judgment,78 the Grand
Chamber noted that the Swedish legislation does not require
71
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 102.
72
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 262.
73
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 103.
74
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2013] para 51.
75
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 104.
76
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 105,
emphasis added.
77
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2013] paras 57 and 58; Case C-362/14 Maximillian
Schrems v Data Protection Commissioner [2014] paras 93 and 94. See
Xavier Tracol, “‘Invalidator’ strikes back: The harbour has never been
safe”, Computer Law & Security Review, Volume 32, Issue 2, April 2016,
p. 355.
78
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2013] para 59.
“any relationship between the data which must be retained
and a threat to public security.”79 It also noted that this legis-
lation is not limited to retention of “(i) data pertaining to a
particular time period and/or geographical area and/or a group
of persons likely to be involved, in one way or another, in a
serious crime, or (ii) persons who could, for other reasons, con-
tribute, through their data being retained, to fighting crime”.80
5.4. “Targeted retention” of both traffic and location data
is permitted
The Swedish legislation “therefore exceeds the limits of what
is strictly necessary and cannot be considered to be justified,
within a democratic society, as required by Article 15(1) of Di-
rective 2002/58, read in the light of Articles 7, 8 and 11 and
Article 52(1) of the Charter.”81
The Grand Chamber however found that:
Article 15(1) of Directive 2002/58, read in the light of Articles 7,
8 and 11 and Article 52(1) of the Charter, does not prevent a
Member State from adopting legislation permitting, as a pre-
ventive measure, the targeted retention of traffic and location
data, for the purpose of fighting serious crime, provided that the
retention of data is limited, with respect to the categories of data
to be retained, the means of communication affected, the persons
concerned and the retention period adopted, to what is strictly
necessary.82
Importantly, the Grand Chamber did therefore not ques-
tion or challenge the appropriateness and effectiveness of
targeted retention of traffic and location data which remains
a lawful purpose for both preventing and fighting serious crime
subject to compliance with requirements to be met by domes-
tic law. In addition, the findings of the Grand Chamber went
against the opinion of Advocate General Saugmandsgaard Øe
who felt that “a general data retention obligation imposed by
a Member State may be compatible with the fundamental rights
enshrined in EU law, provided that it is strictly circumscribed
by a series of safeguards”.83
The Grand Chamber set out two cumulative requirements,
i.e., first, “clear and precise rules governing the scope and ap-
plication of such a data retention measure and imposing
minimum safeguards, so that the persons whose data has been
retained have sufficient guarantees of the effective protec-
tion of their personal data against the risk of misuse.”84 National
data retention laws “must, in particular, indicate in what cir-
cumstances and under which conditions a data retention
measure may, as a preventive measure, be adopted, thereby
ensuring that such a measure is limited to what is strictly
necessary”.85 Second, the Grand Chamber observed that while
“conditions may vary according to the nature of the measures
79
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 106.
80
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 106.
81
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 107.
82
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 108,
emphasis added.
83
Opinion in Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015]
para 7.
84
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 109.
85
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 109.
 computer law & security review 33 (2017) 541–552
taken for the purposes of prevention, investigation, detection
and prosecution of serious crime, the retention of data must
continue nonetheless to meet objective criteria, that estab-
lish a connection between the data to be retained and the objective
pursued. In particular, such conditions must be shown to be such
as actually to circumscribe, in practice, the extent of that
measure and, thus, the public affected.”86
5.5. Scope of data retention
The Grand Chamber specified that “the national legislation must
be based on objective evidence which makes it possible to iden-
tify a public whose data is likely to reveal a link, at least an
indirect one, with serious criminal offences, to contribute in
one way or another to fighting serious crime or to prevent a
serious risk to public security.”87 The Grand Chamber ac-
cepted that a geographical criterion could be used to set limits
on the basis of objective evidence that “there exists, in one or
more geographical areas, a high risk of preparation for or com-
mission of such offences.”88 The Grand Chamber thus repeatedly
required that national legislation be based on objective evi-
dence to meet the standards of proportionality and the test
of strict necessity although its analysis about their meaning
is far from being as detailed and structured as that of Advo-
cate General Saugmandsgaard Øe.89 In addition, the Grand
Chamber required objective evidence for competent national
authorities to consider the level of risk and prevent it if as-
sessed as serious or high.
In contradiction to the opinion of the Advocate General,90
the Grand Chamber found concerning the first question in Tele2
Case C-203/15 that:
Article 15(1) of Directive 2002/58, read in the light of Articles 7,
8 and 11 and Article 52(1) of the Charter, must be interpreted as
precluding national legislation which, for the purpose of fighting
crime, provides for the general and indiscriminate retention of all
traffic and location data of all subscribers and registered users
relating to all means of electronic communication.91
5.6. Criteria for national legislation about access of
national authorities to retained data
Regarding the second question in Tele2 Case C-203/15 and the
first question in Watson Case C-698/15, the Grand Chamber
86
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 110,
emphasis added.
87
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 111
as rectified by Order of the Grand Chamber dated 16 March 2017
in Joined Cases C-203/15 REC and C-698/15 REC, emphasis added.
88
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 111
in fine.
89
Opinion in Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015]
paras 186–263. See also Report of the Special Rapporteur on the
right to privacy, Joseph A. Cannataci, A/HRC/34/60, 24 February 2017,
p. 8, para 17.
90
Opinion in Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015]
para 116.
91
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] paras
112 and 134(1).
547
found that the scope of access to retained data must be re-
stricted to the purpose of “fighting serious crime”.92 As in
the Digital Rights judgment,93 it framed the obligation to retain
data94 and to make it accessible to national law enforcement
authorities95 as two distinct interferences with fundamental
rights.
A data retention measure must “lay down clear and precise
rules indicating in what circumstances and under which con-
ditions the providers of electronic communications services
must grant the competent national authorities access to the
data. Likewise, a measure of that kind must be legally binding
under domestic law.”96 Although the Grand Chamber did not
expressly cross-refer to the opinion of Advocate General
Saugmandsgaard Øe on the latter issue, the Advocate General
made this specific point and relied on codes of practice or in-
ternal guidelines.97 The national legislation must “lay down the
substantive and procedural conditions governing the access of the
competent national authorities to the retained data”.98
The Grand Chamber emphasised that “the national legis-
lation concerned must be based on objective criteria in order
to define the circumstances and conditions under which the
competent national authorities are to be granted access to the
data of subscribers or registered users.”99 As Advocate General
Saugmandsgaard Øe,100 the Grand Chamber referred to the judg-
ment of the Grand Chamber of the European Court of Human
Rights (“ECHR”) dated 4 December 2015 in the case of Roman
Zakharov v. Russia.101 Regarding the scope of access in relation
to the persons whose data can be accessed, the Grand Chamber
specified that:
Access can, as a general rule, be granted, in relation to the ob-
jective of fighting crime, only to the data of individuals suspected
of planning, committing or having committed a serious crime or
of being implicated in one way or another in such a crime.102
The Grand Chamber however lowered the bar for terrorist
activities: Access to the personal data of other data subjects
might be granted where there is “objective evidence”103 that
the data might effectively contribute to combat them.
92
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 115.
93
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2013] paras 34 and 35.
94
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] paras
100 and 102.
95
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 115.
96
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 117,
emphasis added.
97
Opinion in Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015]
para 150.
98
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 118,
emphasis added.
99
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 119.
100
Opinion in Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015]
para 243.
101
CE:ECHR:2015:1204JUD004714306, para 260.
102
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 119,
emphasis added.
103
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 119.
548 computer law & security review 33 (2017) 541–552
The Grand Chamber also followed the opinion of Advo-
cate General Saugmandsgaard Øe104 in requiring that “access
of the competent national authorities to retained data should,
as a general rule, except in cases of validly established urgency,
be subject to a prior review carried out either by a court or by
an independent administrative body, and that the decision of
that court or body should be made following a reasoned request
by those authorities submitted, inter alia, within the frame-
work of procedures for the prevention, detection or prosecution
of crime”.105 The Grand Chamber did not only refer to its own
Digital Rights judgment but also to the judgment of the ECHR
in Szabó and Vissy v. Hungary.106 The Grand Chamber consid-
ered that data subjects should be notified by competent national
authorities that access has been granted to their own re-
tained personal data “as soon as that notification is no longer
liable to jeopardise the investigations being undertaken by those
authorities”.107 The United Nations Special Rapporteur on the
promotion and protection of human rights and fundamental
freedoms while countering terrorism welcomed these spe-
cific findings of the judgment.108
5.7. Data location and destruction
The Grand Chamber listed the mandatory requirements for the
lawfulness of relevant data retention that it had already enu-
merated in its Digital Rights judgment, i.e., the notification of
data subjects so that they may exercise their right to a legal
remedy, rules relating to the security and effective protection
of retained data by providers of electronic communications
services who must ensure “a particularly high level of protec-
tion and security by means of appropriate technical and
organisational measures”,109 the retention of the latter within
the territory of the EU – which raises the issue of cloud
computing110 – and “the irreversible destruction of the data at
the end of the retention period”.111
104
Opinion in Joined Cases C-203/15 and C-698/15 [2015] paras 205,
234 and 236.
105
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 120,
emphasis added.
106
CE:ECHR:2016:0112JUD003713814.
107
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 121.
108
Report of the Special Rapporteur on the promotion and pro-
tection of human rights and fundamental freedoms while
countering terrorism, Ben Emmerson, A/HRC/34/61, 27 January 2017,
p. 12, para 34.
109
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 122.
110
Regarding cloud computing, see Xavier Tracol, “Legislative genesis
and judicial death of a directive: the European Court of Justice in-
validated the data retention directive (2006/24/EC), thereby creating
a sustained period of legal uncertainty about the validity of na-
tional laws which enacted it”, Computer Law & Security Review, volume
30, issue 6, December 2014, p. 745; “‘Invalidator’ strikes back: The
harbour has never been safe”, Computer Law & Security Review, April
2016, Volume 32, Issue 2, p. 360. On 27 January 2017, an industry
body of Cloud Infrastructure Services Providers operating in Europe
has established and signed up to a new data protection code of
conduct available at https://cispe.cloud/wp-content/uploads/2017/
02/CISPE-CodeOfConduct-27012017.pdf.The code requires providers
to offer customers the option to process and store personal data
entirely within the European Economic Area (pp. 7 and 14).
111
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 122.
5.8. Prior review by either a court or an independent body
Member States must also ensure that an independent author-
ity controls compliance with applicable rules on the protection
of personal data as required by Article 8(3) of the Charter and
previously noted in both the Digital Rights and Schrems judg-
ments (strict legality scrutiny).112 Unlike Advocate General
Saugmandsgaard Øe,113 the Grand Chamber did not specifi-
cally examine whether the safeguards that it had laid down
in the Digital Rights judgment114 were mandatory require-
ments of EU law applicable to a Member State’s domestic regime
for access to data retained in accordance with national legis-
lation to comply with Articles 7 and 8 of the Charter.115
The Grand Chamber however considered that referring
courts bear the onus “to determine whether and to what extent
the national legislation at issue in the main proceedings sat-
isfies the requirements stemming from Article 15(1) of Directive
2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1)
of the Charter, as set out in paragraphs 115 to 123 of this judg-
ment, with respect to both the access of the competent national
authorities to the retained data and the protection and level
of security of that data.”116
The Grand Chamber then summed up its findings and held
that Article 15(1) of the directive read in light of Articles 7, 8,
11 and Article 52(1) of the Charter
Must be interpreted as precluding national legislation governing
the protection and security of traffic and location data and, in par-
ticular, access of the competent national authorities to the retained
data, where the objective pursued by that access, in the context
of fighting crime, is not restricted solely to fighting serious crime,
where access is not subject to prior review by a court or an in-
dependent administrative authority, and where there is no
requirement that the data concerned should be retained within
the European Union.117
The retention of personal data must accordingly not only
be targeted but access by the authorities to retained data must
be limited to the purpose of fighting against serious crime, be
subject to a prior review carried out either by a court or by an
independent administrative body and personal data must
remain on the territory of the EU.
6. Comments
For the first time, the judgment of the Grand Chamber set EU
standards about the retention of personal data for surveil-
lance purposes that Member States need to comply with. The
Grand Chamber applied Article 7 of the Charter on the respect
for private life and Article 8 of the Charter on the protection
112
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 123.
113
Opinion in Joined Cases C-203/15 and C-698/15 [2015] paras 221,
226, 244 and 262.
114
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2013] paras 60–68.
115
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 59(1).
116
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 124.
117
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 125.
 computer law & security review 33 (2017) 541–552
of personal data together in its analysis of the consequences
of domestic measures which provide for retention of per-
sonal data118 as it had already done in the Google Spain case.119
The Grand Chamber has however clearly distinguished the ap-
plication of these two different provisions in the Digital Rights120
and Schrems121 judgments. In the judgment rendered in the
two joint Dutch immigration cases,122 the Court of Justice also
applied Article 8 of the Charter but not Article 7 of the Charter.
In this case, the Grand Chamber thus regrettably blurred the
different scopes of the two provisions which had however been
clearly distinguished in the three Digital Rights, Schrems and joint
Dutch immigration judgments.
6.1. Legal effects of the judgment
6.1.1. Effect ex tunc
The interpretation of Article 15(1) of the directive by the Grand
Chamber in its judgment delivered on a reference for a pre-
liminary ruling clarifies the meaning and scope of this provision
as it must be or ought to have been understood and applied
from the date when it entered into force.123 Pursuant to Article
20 of this directive, it entered into force on the day of its pub-
lication in the Official Journal, i.e. 31 July 2002. The judgment
of the Grand Chamber is purely declaratory with the conse-
quence that it takes effect from this date.124
6.1.2. Effect erga omnes
The judgment of the Grand Chamber has an effect erga
omnes. The consequences of the interpretation of Article 15(1)
of the directive as well as Articles 7, 8, 11 and 52(1) of the Charter
apply to the parties to the proceedings before the two refer-
ring courts, all other national courts, third parties, institutions
and Member States as well as to all situations covered by these
five provisions.125
118
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] paras
53, 92 and 100.
119
Case C-131/12 Google Spain and Google [2013] paras 69, 74, 81, 97,
99 and 100(4).
120
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2013] paras 29, 30, 34 to 36, 39, 40, 53, 66 and
68.
121
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2014] paras 39, 47, 53, 54, 58, 65, 72, 94 and 99.
122
Joined Cases C-141/12 and C-372/12 YS v. Minister voor Immigratie,
Integratie en Asiel and Minister voor Immigratie, Integratie en Asiel v.
M, S [2013], paras 58–60. See Xavier Tracol, “Back to basics: The
European Court of Justice further defined the concept of personal
data and the scope of the right of data subjects to access it”, Com-
puter Law & Security Review, Volume 31, Issue 1, February 2015,
pp. 112–119.
123
Case C-453/00 Kühne & Heitz [2003] paras 21 and 22.
124
Case C-2/06 Kempter [2007] para 35; Cases C-89/10 and C-96/10
Q-Beef and Bosschaert [2010] para 48; Case C-429/12 Pohl [2013] para
30.
125
Case 69/85 Wünsche v. Germany [1985] para 13: “a judgment in
which the Court gives a preliminary ruling on the interpretation
[. . .] of an act of a Community institution conclusively deter-
mines [. . .] questions of Community law”; C-231/06 to C-233/06
Jonkman [2006] para 38.
549
6.2. Plea raised ex officio
Although the two referring courts had not asked any ques-
tion about the compliance of national measures on the retention
of data with Article 11 of the Charter for a preliminary ruling,
the Grand Chamber examined the compatibility of the data re-
tention obligation imposed on providers with this provision in
light of “the particular importance accorded to that freedom
in any democratic society.”126 It characterised this fundamen-
tal right as “one of the essential foundations of a pluralist,
democratic society, and is one of the values on which, under
Article 2 TEU, the Union is founded”.127
The Court of Justice thus raised this plea ex officio for the
first time concerning the substance of the case where funda-
mental rights set out in the Charter are involved. This precedent
stands in stark contrast to the traditional reluctance of the Court
of Justice to raise pleas ex officio.128
6.3. Distinction between content and metadata
The reasoning of the Grand Chamber that communications
metadata “is no less sensitive, having regard to the right to
privacy, than the actual content of communications”129 but that
the Swedish legislation does not “affect adversely the essence”
of both Articles 7 and 8 of the Charter since it “does not permit
retention of the content of a communication”130 is rather dif-
ficult to follow. It is even more challenging to reconcile the views
of Advocate General Saugmandsgaard Øe that the risks
associated with access to communications metadata may
be greater than those arising from access to the content of
communications131 with those that national regimes which
provide for general data retention obligations do not ad-
versely affect the essence of the right to privacy since they do
not permit the acquisition of knowledge of the content of elec-
tronic communications as such.132
Beyond the merged and confused application of the two dif-
ferent fundamental rights to respect for private life and
protection of personal data which has already been pointed
out, metadata about communications contain “very sensitive,
valuable and extensive information.”133 They “can provide a very
detailed profile of an individual and processing it can be just
as intrusive as processing ‘content’ of communications.”134 The
UNESCO report on human rights and encryption of 2016 noted
“the pervasive availability of metadata and the possibility to
use metadata to make inferences about people and user
126
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 93.
127
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 93.
128
René Barents, Remedies and Procedures before the EU Courts, Wolters
Kluwer, Alphen aan den Rijn, 2016, p. 880, § 24.12.
129
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 99.
130
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 101.
131
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 259.
132
Opinion in Joined Cases C-203/15 and C-698/15 [2015] para 157.
133
United Nations, Summary of the Human Rights Council panel
discussion on the right to privacy in the digital age, A/HRC/28/39,
19 December 2014, p. 9, para 28. See also ibidem, p. 4, para 9.
134
Preliminary European Data Protection Supervisor Opinion 2/2016
on the review of the ePrivacy Directive (2002/58/EC), 22 July 2016,
p. 17.
550 computer law & security review 33 (2017) 541–552
behavior”.135 A study by Stanford University of 12 March 2014
showed that medical, financial and legal information could be
obtained from metadata.136 It has been shown that “intimate
details about a person’s lifestyle and beliefs, such as political
leanings and associations, medical issues, sexual orientation,
habits of religious worship, and even marital infidelities can
be discovered through mobile phone traffic data”.137 A “trend
towards increased protection of metadata”138 has already been
noted. For instance, the International Association of Lawyers
stated that metadata “deserves strong privacy protections and
at least same protection than the content” (sic).139
The Grand Chamber has already held in the Digital Rights
judgment that the essence of the fundamental right to private
life was not adversely affected since the data retention direc-
tive did not permit the acquisition of content data.140 The Grand
Chamber thus examined whether the interference with this
right was justified141 and applied the tests of proportionality142
and strict necessity.143 In the subsequent Schrems judgment, the
Grand Chamber consistently found that “legislation permit-
ting the public authorities to have access on a generalised
basis to the content of electronic communications must be
regarded as compromising the essence of the fundamental
right to respect for private life, as guaranteed by Article 7 of the
Charter”.144 The Grand Chamber did accordingly not examine
whether the interference with this right was justified and
did not apply the tests of proportionality and strict necessity
either.
The distinction drawn by the Grand Chamber between re-
tention and access to content data, which does not respect the
essence of the fundamental right to private life provided for
in Article 7 of the Charter and to telecommunications metadata
which does, is far from being persuasive. The Court of Justice
should accordingly depart from the two Digital Rights and Tele2
Sverige judgments and consider that both retention of and
access to telecommunications metadata do not respect the
essence of the fundamental right to respect for private life
135
Wolfgang Schulz and Joris van Hoboken, Human rights and en-
cryption, UNESCO Series on Internet Freedom, 2016, available at
http://unesdoc.unesco.org/images/0024/002465/246527E.pdf, p. 23.
136
Jonathan Mayer and Patrick Mutchler, “MetaPhone: The Sensi-
tivity of Telephone Metadata”, available at http://webpolicy.org/
2014/03/12/metaphone-the-sensitivity-of-telephone-metadata/.
137
Preliminary European Data Protection Supervisor Opinion 2/2016
on the review of the ePrivacy Directive (2002/58/EC), 22 July 2016,
p. 13.
138
United Nations, Summary of the Human Rights Council panel
discussion on the right to privacy in the digital age, A/HRC/28/39,
19 December 2014, p. 9, para 28 in fine.
139
Resolution on “Privacy in the Digital Communications”, Valen-
cia Congress 2015, available at http://www.uianet.org/en/content/
resolution-privacy-digital-communications-valencia.
140
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2013] para 39.
141
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2013] para 60.
142
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2013] para 61.
143
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2013] paras 61, 62, 64 and 65.
144
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2014] para 94.
within the meaning of Article 52(1) of the Charter and conse-
quently infringe upon Article 7 of the Charter.
6.4. Notion of serious crime
The Grand Chamber repeatedly referred to the notion of serious
crime145 and ruled that “only the objective of fighting serious
crime is capable of justifying”146 the retention of both traffic
and location data and that access of competent national au-
thorities to retained data must be “restricted solely to fighting
serious crime”.147 The latter notion should accordingly become
an autonomous concept of EU law.
The exhaustive list of ten “areas of crimes” set out in Article
83(1) of the Treaty on the Functioning of the EU (“TFEU”)148 may
provide guidance in this respect. These ten areas of crime should
meet the two cumulative and undefined requirements of “par-
ticularly serious crimes” and “cross-border dimension” resulting
from three alternative criteria, i.e. “nature or impact of such
offences or from a special need to combat them on a common
basis.”149
6.5. Consequences and impact on national data
retention laws
The two cases were remitted back to the Administrative Court
of Appeal of Stockholm and the UK Court of Appeal which had
referred the questions to the Court of Justice for a prelimi-
nary ruling and must now rule on the legal challenges to the
relevant Swedish and British legislation. The situation of the
UK is especially complex.
The judgment of the Grand Chamber relates to the DRIPA
which expired on 31 December 2016. The decision to be ren-
dered by the UK Court of Appeal will consequently be academic.
New legislation, the Investigatory Powers Act 2016 (“IPA”), has
however been in force since 1 January 2017. This very contro-
versial law substantially extended the powers of government
and its demands on firms. It requires telecommunications op-
erators, providers of Internet access, social media companies
and data storage firms to collect and retain communications
data such as the Web browsing history of users for a year and
give free access to public authorities including the police and
security services. The IPA also allows State hacking of tele-
phones and computers. The judgment of the Grand Chamber
may trigger legal challenges to the IPA. Even though the British
government is not legally bound to amend the IPA, it may elect
145
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] paras
102, 103, 106, 108, 110, 111, 114, 115, 118, 119, 125 and 134(2).
146
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para 102.
147
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] para
134(2).
148
“[T]errorism, trafficking in human beings and sexual exploita-
tion of women and children, illicit drug trafficking, illicit arms
trafficking, money laundering, corruption, counterfeiting of means
of payment, computer crime and organised crime.”
149
Perrine Simon, “The Criminalisation Power of the European
Union after Lisbon and the Principle of Democratic Legitimacy”,
New Journal of European Criminal Law, 2012, Volume 3, Issue 3–4,
pp. 247 and 248.
 computer law & security review 33 (2017) 541–552
to do so in light of the judgment of the Grand Chamber since
some of its findings may be difficult to reconcile with it.
The judgment of the Grand Chamber may compel other
Member States to reconsider, adjust and revise rules pro-
vided for in their national legislation to make sure that they
comply with its requirements. For instance, Articles L. 34-1 III
and R. 10–13 of the French Code of Posts and Electronic Com-
munications both set out a general and indiscriminate retention
by electronic communications operators including Internet
access providers of all communications metadata of users for
a year. In addition, Law No. 2015-912 of 24 July 2015150 estab-
lished a commission which may however carry out judicial or
administrative review only after national authorities have
already been granted access to intelligence.
Coming back to the UK, the latter may continue applying
the General Data Protection Regulation (“GDPR”)151 after Brexit.
If the UK however elects not to do so, transferring personal data
to non EU countries will be subject to certification by the EU
about the adequate level of protection of personal data in the
UK. In this case, the judgment of the Grand Chamber could
negatively impact on the ability of the UK to meet the require-
ment of essential equivalence and to obtain adequacy status
for the purposes of foreign data transfers under the post-
Brexit data protection regime. Transfers of personal data from
the EU to the UK could then be challenged on the basis that
British law is insufficiently adequate in comparison to EU stan-
dards. The judgment of the Grand Chamber may also provide
an authority to support this challenge.
6.6. Need for a harmonised legal framework on data
retention at EU level
The judgment of the Grand Chamber shows that the legisla-
tion in force in two Member States, i.e. Sweden and the UK,
substantially differ. This situation is not surprising since the
Grand Chamber did not invalidate national laws enacting the
data retention directive in the Digital Rights judgment since it
was not seized of the matter and does not have the jurisdic-
tion to rule on their legal validity, pursuant to Article 267 of
the TFEU. National laws consequently remain valid and
applicable.
In the last three years, some Member States such as Sweden
did accordingly not amend their national law enacting the ju-
dicially invalidated data retention directive. Other Member
States such as the UK adopted a new law. National legisla-
tion of yet other Member States has been legally challenged
before domestic courts. For instance, the Constitutional Court
of Belgium has repealed the domestic law by judgment of 11
July 2015.
As a result, a mosaic if not a patchwork of inconsistent na-
tional legislation on the retention of data is currently in force.
A harmonised legal framework on data retention at EU level
is necessary to create a level-playing field on the issue.
150
Published in the Official Journal of 26 July 2015, p. 12735.
151
Regarding an analysis of the GDPR, see Xavier Tracol, “The regu-
lation and the directive on the protection of personal data”, Europe,
October 2016, No. 10, pp. 5–10.
551
On 11 January 2017, the Commission proposed a new
e-privacy regulation which would replace the directive.152 The
draft regulation aims to align the applicable regime to that of
the GDPR. The draft regulation does no longer contain a pro-
vision similar to Article 15(1) of the directive on the retention
of data. It however includes Article 11 which is similar to Article
23 of the GDPR and leaves the option of targeted retention mea-
sures for the EU and Member States subject to compliance with
the Charter as interpreted in the case law of the Court of
Justice.153 As the directive, Articles 6(2)(b) and 7(3) of the draft
regulation also allow providers of electronic communications
to process and retain metadata if necessary for billing and cal-
culating interconnection payments.
After the Digital Rights judgment, the Commission had to
determine whether it intended to propose the adoption of a
new data retention directive which would have needed to take
account and address the findings contained in the judgment.154
The Commission has elected not to do so more than three years
later. In the meantime, the situation has evolved. If the Com-
mission were to propose a new data retention directive, national
legislation adopted by Member States to enact the directive
would need to comply with all the requirements set out by the
Grand Chamber in the Tele2 judgment.
The current trend is however for the Commission to propose
the adoption of regulations instead of directives in the area
of personal data protection. For instance, the GDPR replaces
directive 95/46/EC whilst the e-privacy regulation would replace
the e-privacy directive. Regulations are directly applicable in
the legal order of Member States without any need to adopt
national legislation enacting them. If the Commission were
to propose the adoption of a regulation on data retention, the
latter would need to comply with the findings of the Digital
Rights judgment. The adoption of a regulation on data reten-
tion would however avoid the need for Member States to
adopt national legislation which would have to comply with
the requirements set out by the Grand Chamber in the Tele2
judgment.
7. Conclusion
The Grand Chamber showed by this new judgment its firm will-
ingness to scrupulously monitor compliance with Article 7 on
respect for private life, Article 8 on protection of personal data,
152
Proposal for a regulation of the European Parliament and of the
Council concerning the respect for private life and the protection
of personal data in electronic communications and repealing
Directive 2002/58/EC (Regulation on Privacy and Electronic Com-
munications), COM(2017) 10 final.
153
Proposal for a regulation of the European Parliament and of the
Council concerning the respect for private life and the protection
of personal data in electronic communications and repealing
Directive 2002/58/EC (Regulation on Privacy and Electronic Com-
munications), COM(2017) 10 final, p. 3, Section 1.3.
154
See Xavier Tracol, “Legislative genesis and judicial death of a
directive: the European Court of Justice invalidated the data re-
tention directive (2006/24/EC), thereby creating a sustained period
of legal uncertainty about the validity of national laws which
enacted it”, Computer Law & Security Review, Volume 30, Issue 6,
December 2014, p. 746.
552 computer law & security review 33 (2017) 541–552

Article 11 on freedom of expression and Article 52(1) on the draft EU-Canada passenger name record (“PNR”) agreement
principle of proportionality of the Charter. This judgment thus about data directly transferred by companies to law enforce-
represents a new step in the process of reconciling legisla- ment authorities in third countries with no limit.157
tion of Member States against serious crime and terrorism with
fundamental rights. The Grand Chamber is increasingly build-
ing up a real and effective privacy shield155 to protect European
values which are increasingly eroded by domestic legislation
of Member States aiming to organise the fight against serious
Acknowledgement
crime and terrorism.
Last, the Court of Justice may refer back to the list of re- The views expressed herein are those of the author in his per-
quirements for access by competent national authorities to sonal capacity and do not necessarily reflect those of EUROJUST
retained personal data156 when it renders its opinion on the or the EU in general.

155
See Xavier Tracol, “EU-U.S. Privacy Shield: The saga contin-
ues”, Computer Law & Security Review, Volume 32, Issue 5, October
2016, pp. 775–777.
156 157
Joined Cases C-203/15 and C-698/15 Tele2 Sverige [2015] paras Request for an opinion submitted by the European Parlia-
119–121 and 125. ment, draft EU-Canada PNR agreement (opinion 1/15).
 c o m p u t e r l a w & s e c u r i t y r e v i e w 3 0 ( 2 0 1 4 ) 7 3 6 e7 4 6

Available online at www.sciencedirect.com

ScienceDirect

www.compseconline.com/publications/prodclaw.htm

Comment

Legislative genesis and judicial death of a directive:

The European Court of Justice invalidated the data
retention directive (2006/24/EC) thereby creating a
sustained period of legal uncertainty about the
validity of national laws which enacted it*

Xavier Tracol*
Senior Legal Officer, Data Protection Service, EUROJUST, The Hague, The Netherlands

abstract

Keywords:
European Court of Justice
Digital Rights Ireland and Seitlinger
E-privacy directive
Data retention directive 2006/24/EC
Telecommunications metadata
Retention of personal data
Legal validity
Articles 7, 8, 11 and 52(1) of the
Charter of fundamental rights
Data security and cross-border
transfers
Cloud computing
The Grand Chamber has ruled that the data retention directive was invalid ex tunc since it
seriously interfered with the fundamental rights to respect for private life and protection of
personal data and exceeded the limits of the principle of proportionality which are pro-
vided for in the Charter. The scope and temporal effects of this ruling should be clarified,
especially its legal impacts on national laws of Member States which enacted the directive.
In addition, the findings of the Grand Chamber on geographical safeguards have far-
reaching implications on the retention and storage of personal data in the EU.
© 2014 Xavier Tracol. Published by Elsevier Ltd. All rights reserved.

*
The views expressed herein are those of the author in his personal capacity and do not necessarily reflect those of EUROJUST or the
EU in general.
* Data Protection Service, EUROJUST, P.O. Box 16183, 2500 BD, The Hague, The Netherlands.
E-mail address: xtracol@eurojust.europa.eu.
http://dx.doi.org/10.1016/j.clsr.2014.09.008
0267-3649/© 2014 Xavier Tracol. Published by Elsevier Ltd. All rights reserved.
 c o m p u t e r l a w & s e c u r i t y r e v i e w 3 0 ( 2 0 1 4 ) 7 3 6 e7 4 6
Past is prologue.
William Shakespeare, The Tempest, Act II, scene I
1. Introduction
In the landmark judgment in the Digital Rights Ireland and
Seitlinger cases which drew a lot of attention,1 the Grand
Chamber invalidated the data retention directive2 on the basis
of the Charter of Fundamental Rights. By adopting the direc-
tive, the Court found that the EU legislature had exceeded the
limits of the principle of proportionality in light of Article 7 on
respect for private life, Article 8 on protection of personal data
and Article 52(1) on limitations to their exercise of the
Charter.3
The Court sat in the Grand Chamber of fifteen judges which
includes both the President and the Vice-President of the
Court as well as three Presidents of Chambers of five Judges,
pursuant to Article 16(2) and (3) of the Statute of the Court and
Article 27 of the Rules of Procedure of the Court. The fact that
the Grand Chamber is composed of senior Judges of the Court
shows the importance of the cases.
2. Procedural background of the cases
Digital Rights Ireland, a human rights advocacy group, the
government of the province of Carinthia and more than
11,000 Austrian residents challenged the legal validity of
national laws enacting the directive before the High Court of
Ireland and the Constitutional Court of Austria. The two
national courts requested a preliminary ruling from the Court
of Justice and referred questions about the legal validity of
the directive.
On 9 July 2013, the Grand Chamber invited the European
Data Protection Supervisor (hereinafter the “EDPS”) for the
1 into force in Member States. In March 2006, the Council under
Alexandre Cassart and Jean-François Henrotte, “L'invalidation
de la directive 2006/24 sur la conservation des donne
es de
communication e
lectronique ou la chronique d'une mort
annonce
e”, Revue de jurisprudence de Liege, Mons et Bruxelles, 2014,
p. 954 to 960; Alessandro Spina, “Risk Regulation of Big Data: Has
the Time Arrived for a Paradigm Shift in EU Data Protection
Law?”, European Journal of Risk Regulation, 2014, Volume 5, No. 2, p.
248 to 252; Mark Young and Philippe Bradley, “The dead Directive:
What next for data retention in the UK?”, Privacy Law & Business,
Issue 73, May 2014; Franziska Boehm and Mark D. Cole, Data
Retention after the Judgement of the Court of Justice of the Eu-
ropean Union, 30 June 2014, available at http://www.greens-efa.
eu/fileadmin/dam/Documents/Studies/Data/Boehm_Cole_-_
Data_Retention_Study_-_June_2014.pdf; Mark Hyland, “Data
retention directive declared invalid by CJEU”, Irish Law Society
Gazette, August/September 2014, available at https://www.
lawsociety.ie/Documents/Gazette/Gazette%202014/aug-sept%
20gazette%202014.pdf, p. 56 and 57; Giuseppe Vaciago, “The
Invalidation of the Data Retention Directive”, Computer und Recht,
2014, p. 65 to 69.
2
Directive 2006/24/EC of 15 March 2006 published in the Official
Journal of the European Union L 105 of 13 April 2006, p. 54 to 63.
3 10
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 69.
737
first time to answer specific questions at a hearing in a
preliminary ruling procedure,4 pursuant to Article 24(2) of
the Statute of the Court of Justice on requests for
information.
3. Relevant law
3.1. E-privacy directive
Article 5 of the e-privacy directive5 sets out the general prin-
ciple of confidentiality of electronic communications and
related traffic data. Article 6(1) thereof also provides for the
general obligation to erase traffic data which are no longer
needed.
Article 15(1) of the directive however provides for a
broadly formulated derogation6 on the retention of data.
This provision sets out that traffic and location data may
both be exceptionally retained for a limited period on the
basis of a specific legislative measure taken by Member
States. The retention is only allowed when it “constitutes a
necessary, appropriate and proportionate measure within a
democratic society to safeguard national security (i.e. State
security), defence, public security, and the prevention,
investigation, detection and prosecution of criminal of-
fences or of unauthorised use of the electronic communi-
cations system.”
3.2. Data retention directive
3.2.1. Background of the directive
After the terrorist attacks of the trains in Madrid on 11 March
2004 and the tube in London on 7 July 2005, law enforcement
agencies became even more interested than before in gaining
access to both traffic and location data as part of the fight
against terrorism and serious crime.7 Inconsistent provisions
on “the retention of data for the purpose of prevention, inves-
tigation, detection and prosecution of criminal offences”8 came
the British presidency9 and Parliament consequently adopted
the data retention directive by qualified majority in the context
of the heightened risk of imminent terrorist attacks. Ireland
and Slovakia both voted against it.10 The amendments finally
4
See Hielke Hijmans, Pleading of the EDPS, Public hearing in
Joint Cases C-293/12 and C-594/12 (9 July 2013).
5
Directive 2002/58/EC of 12 July 2002 published in the Official
Journal of the European Union L 201 of 31 July 2002, p. 37 to 47 as
amended by directive 2009/136/EC of 25 November 2009 published
in the Official Journal of the European Union L 337 of 18 December
2009, p. 11 to 36.
6
Lee A. Bygrave, Data Privacy Law, Oxford University Press,
Oxford, 2014, p. 66.
7
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], paras 14(8) and (10).
8
Directive 2006/24/EC of 15 March 2006 published in the
Official Journal of the European Union L 105 of 13 April 2006,
recital 6.
9
ST 6598 2006 ADD 1 of 27 February 2006.
PRES/2006/38 of 21 February 2006 and ST 6598 2006 INIT of 4
May 2006.
738 c o m p u t e r l a w & s e c u r i t y r e v i e w 3 0 ( 2 0 1 4 ) 7 3 6 e7 4 6
adopted by Parliament11 unusually differed in some key points
to the draft directive initially adopted by the Committee on
Civil Liberties, Justice and Home Affairs.12
3.2.2. Scope of the directive
The data retention directive constituted an exception to the
general principle of confidentiality of electronic communi-
cations and to the general obligation to erase data which are
no longer needed set out in the e-privacy directive. The
scope of the data retention directive covered the retention
of telecommunications metadata which was necessary to
identify the subscriber or user but only provided an
abstraction of the real communication. Article 5(1) of the
directive provided for an exhaustive list of both traffic and
location data which had to be retained. This provision
defined them as including inter alia data on the source, date,
time, duration and recipient of a communication as well as
location of the communication device. It also included data
on unsuccessful call attempts.
Article 5(2) of the directive did not permit the retention of
content data of communications. For instance, the subject line
or header of an e-mail message, information consulted using
an electronic communications network such as the destina-
tion IP address and the URL of an Internet site, the list of all
recipients of e-mail messages in copy (“cc” mode) at the
destination mail server and the port number allocated to users
by the Internet service provider13 were excluded from the
scope of the directive.
3.2.3. Challenge to the legal basis of the directive
The directive “ranks among the most controversial pieces of
counter-terrorism legislation the EU has ever adopted and
fierce debate as to its legitimacy and effectiveness has raged
since the earliest stages of its drafting to the present day.”14
Ireland, joined by Slovakia, requested the annulment of the
directive by the Court of Justice. The two Member States
11
European Parliament legislative resolution on the proposal
for a directive of the European Parliament and of the Council on
the retention of data processed in connection with the provision
of public electronic communication services and amending
Directive 2002/58/EC (COM(2005)0438 - C6-0293/2005 - 2005/
0182(COD)), published in the Official Journal of the European Union
C 286 E of 23 November 2006, p. 264 to 273; Position of the Eu-
ropean Parliament adopted at first reading on 14 December 2005
with a view to the adoption of Directive 2006/…/EC of the Eu-
ropean Parliament and of the Council on the retention of data
generated or processed in connection with the provision of
publicly available electronic communications services or of
public communications networks and amending Directive 2002/
58/EC, 14 December 2005, 2005/0182(COD), P6_TC1-COD(2005)
0182.
12
Report on the proposal for a directive of the European
Parliament and of the Council on the retention of data processed
in connection with the provision of public electronic communi-
cation services and amending Directive 2002/58/EC (2005/
0182(COD)), 28 November 2005, PE 364.679v02-00, A6-0365/2005.
13
Report 01/2010 on the second joint enforcement action, WP
172 of 13 July 2010, p. 9.
14
Chris Jones and Ben Hayes (Statewatch), The EU Data Reten-
tion Directive: a case study in the legitimacy and effectiveness of
EU counter-terrorism policy, Securing Europe through Counter-
Terrorism: Impact, Legitimacy and Effectiveness, 2013, p. 4.
challenged its legal basis and validity. They both submitted
that Council and Parliament had legally erred in adopting
the directive pursuant to then Article 95 of the former EC
Treaty (now Article 114 of the Treaty on the Functioning of
the European Union, hereinafter the “TFEU”) which dealt
with the ex-first pillar legal basis. Ireland and Slovakia
further submitted that the main or predominant purpose of
the directive was to combat crime and to fight against
terrorism and that the purpose of data retention was the
prevention, investigation, detection and prosecution of
serious crime. The Council and Parliament should conse-
quently have adopted a framework decision on the legal
basis of then title VI of the Treaty on the EU which dealt
with the ex-third pillar legislative procedure as proposed
inter alia by Ireland and Slovakia.
The Grand Chamber dismissed the action and found that
the directive generally dealt with the functioning of the inter-
nal market and specifically aimed at ensuring that harmonised
requirements of data retention apply to communication ser-
vice providers in Member States. The directive was thus
correctly based on the former first pillar. The Grand Chamber
stated that the scope of the action related solely to the choice of
legal basis and not to any possible infringement of funda-
mental rights arising from interference with the exercise of the
right to privacy contained in the directive.15
3.2.4. Content of the directive
Articles 1(1) and 4 of the directive mentioned key phrases
such as “serious crime” and “competent national author-
ities” without harmonizing them. These two provisions
cross-referred to national laws of Member States which
were given discretion in defining them. The absence of
consistent definitions in all Member States provided legal
uncertainty.
Article 4 of the directive emphasised that national rules
should be in accordance with the requirements of necessity and
proportionality which are particularly provided for in the Euro-
pean Convention on Human Rights. Article 6 of the directive
allowed the retention of both traffic and location data for a
period of six months to two years for law enforcement purposes.
3.2.5. Enactment of the directive in Member States
Commenting that the directive has always been highly
controversial in many Member States would be an under-
statement. First, national laws enacting the directive have
been the subject of several legal challenges before domestic
courts.16 Five high courts of Member States (Bulgarian Su-
preme Administrative Court in 2008,17 Romanian Constitu-
15
Case C-301/06 Ireland v. Parliament and Council [2009] ECR I-593
paras 57, 72, 73, 82 to 85 and 91. See Christopher Docksey, “The
European Court of Justice and the decade of surveillance”, Data
Protection Anno 2014: How to Restore Trust?, Hielke Hijmans and
Herke Kranenborg (eds), Intersentia, Cambridge d Antwerp d
Portland, 2014, p. 107 and 108.
16
Opinion in Joined Cases C-293/12 and C-594/12 Digital Rights
Ireland and Seitlinger and Others [2014], footnote 102.
17
Varhoven administrativen sad, decision No. 13627 of 11
December 2008.
 c o m p u t e r l a w & s e c u r i t y r e v i e w 3 0 ( 2 0 1 4 ) 7 3 6 e7 4 6
tional Court in 2009,18 German Constitutional Court in 2010,19
Cypriot Supreme Court also in 201120 and Czech Constitu-
tional Court in both 2011 and 2012)21 found that domestic laws
or some provisions of such laws which enacted the directive
infringed upon constitutional rights.
Second, the implementation of the directive has been slow.
The Court of Justice declared that Ireland,22 Greece,23 Austria24
and Sweden25 had all failed to fulfil their obligations under the
directive because they had not enacted it within the pre-
scribed period. In addition, the Court of Justice ordered Swe-
den to pay a lump sum of V 3,000,000 to the Commission for
delaying implementation of the directive.26 Sweden complied
with the order of the court and paid this amount to the
Commission.
Third, the enactment of the directive has been uneven.27
The Commission launched a procedure against Germany for
failing to fulfil its obligation to implement the directive, pur-
suant to Article 258 of the TFEU.28 On 11 July 2012, it brought
18
Curtea Constitucionala , decision No. 1.258 of 8 October 2009
available at both http://www.ccr.ro/files/products/D1258_091.pdf
and http://www.legi-internet.ro/en/jurisprudenta-it-romania/
decizii-it/romanian-constitutional-court-decision-regarding-
data-retention.html. See Adrian Bannon, “Romania retrenches on
data retention” (2010), International Review of Law, Computers and
Technology, Volume 24, Issue 2, p. 145 to 152; Cian C. Murphy,
Common Market Law Review, 2010, Volume 47, Issue 3, p. 933 to 941.
19
Bundesverfassungsgericht, 2 March 2010, 1 BvR 256/08, 1 BvR
263/08 and 1 BvR 586/08, available in German at http://www.
bundesverfassungsgericht.de/entscheidungen/rs20100302_
1bvr025608.html, para 1e345. See Anna-Bettina Kaiser, “German
Federal Constitutional Court: German data retention provisions
unconstitutional in their present form; Decision of 2 March 2010,
NJW 2010, p. 833”, European Constitutional Law Review, 2010, Vol-
ume 6, Issue 3, p. 503 to 517; Katja de Vries et al., “The German
Constitutional Court Judgment on Data Retention: Proportionality
Overrides Unlimited Surveillance (Doesn't It?)”, Computers, Privacy
and Data Protection: an Element of Choice, Serge Gutwirth et al. (eds),
Springer, Dordrecht, 2011, p. 3 to 24, available at http://works.
bepress.com/cgi/viewcontent.cgi?article ¼ 1052&context ¼ serge_
gutwirth; Dominik Hanf, “Vers une pre
cision de la Euro-
parechtsfreundlichkeit de la loi fondamentale: l’apport de l’arre ^t
‘re
tention des donne
es’ et de la de
cision Honeywell du BVerfG”,
Cahiers de droit europ
een, 2010, Volume 46, No. 3-4, p. 519 to 549.
20
Anotato Dikastirio tis Kypriakis Dimokratias, decision of 1
February 2011 on civil requests 65/2009, 78/2009, 82/2009 and 15/
2010-22/2010. See Christiana Markou, “The Cyprus and other EU
court rulings on data retention: the Directive as a privacy bomb”,
Computer Law and Security Review, 2012, Volume 28, Issue 4, p. 468
to 475.
21
Ústavnı́ Sound, decision of 22 March 2011, translation by the
court available in English and published at http://www.usoud.cz/
en/decisions/?tx_ttnews[tt_news]¼
40&cHash¼bbaa1c5b1a7d6704af6370fdfce5d34c. See Pavel Molek,
“Czech Constitutional Court”, European Constitutional Law Review,
2012, Volume 8, Issue 2, p. 338 to 353; decision of 4 January 2012.
22
Case C-202/09, Commission v. Ireland [2009], ECR I-00203*.
23
Case C-211/09, Commission v. Greece [2009], ECR I-00204*.
24
Case C-189/09 Commission v. Austria [2010], ECR 2010 I-00099.
25
Case C-185/09 Commission v. Sweden [2010], ECR I-00014*.
26
Case C-270/11 Commission v. Sweden [2013], ECR I-0000.
27
Report from the Commission to the Council and the European
Parliament, Evaluation report on the Data Retention Directive
(Directive 2006/24/EC), COM(2011) 225 final, 18 April 2011.
28
http://ec.europa.eu/eu_law/eulaw/decisions/dec_20110616.
htm.
739
an action requesting that the Court of Justice impose a penalty
payment of V 315,036.54 per day under Article 260(3) of the
TFEU.29
3.2.6. Criticisms of both the Article 29 Working Party and the
EDPS
The Article 29 Working Party heavily criticised the imple-
mentation of the directive in national laws and its imple-
mentation in the procedures of national communication
service providers as a breach of privacy rights. It shrewdly
requested that “safeguards be introduced at least with regard
to purpose specification, access limitation, data minimisation,
prohibition on data mining, judicial/independent scrutiny of
authorised access, ban on the use by providers of the data that
is retained solely for public order purposes under the DR
Directive e which led to the request for system separation and
the definition of minimum standards for the security mea-
sures to be taken by providers.”30
Peter Hustinx, the EDPS, characterised the directive as
“without doubt the most privacy invasive instrument ever
adopted by the EU in terms of scale and the number of people
it affects”.31 The EDPS issued an opinion reiterating that “[t]he
retention of telecommunications data clearly constitutes an
interference with the right to privacy of the persons con-
cerned as laid down by Article 8 of the European Convention of
Human Rights [ … ] and Article 7 of the EU Charter of Funda-
mental Rights.”32
4. Analysis of the opinion of the Advocate
General
The Advocate General proposed that the directive as a whole
was incompatible with Article 52(1) of the Charter. He also
proposed that Article 6 of the directive was incompatible with
both Articles 7 and 52(1) of the Charter.
First, the Advocate General mentioned that the directive
pursued a legitimate objective, i.e. ensuring the availability of
the collected and retained data for the purpose of the inves-
tigation, detection and prosecution of serious crime.33
Second, the Advocate General recognised that data protection
is subject to an “autonomous regime”34 since specific EU sec-
ondary legislation governs it. He viewed protection of personal
data as a right which applies to the “personal sphere” rather than
29
Case C-329/12 Commission v. Germany.
30
Report 01/2010 on the second joint enforcement action, WP
172 of 13 July 2010, p. 4.
31
Speech about “The moment of truth for the Data Retention
Directive” of 3 December 2010 published and available on the
Internet site of the EDPS at https://secure.edps.europa.eu/
EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/
Publications/Speeches/2010/10-12-03_Data_retention_speech_
PH_EN.pdf, p. 1.
32
Opinion of the European Data Protection Supervisor on the
Evaluation report from the Commission to the Council and the
European Parliament on the Data Retention Directive (Directive
2006/24/EC), 31 May 2011, para 6.
33
Opinion in Joined Cases C-293/12 and C-594/12 Digital Rights
Ireland and Seitlinger and Others [2014], para 136.
34
Opinion in Joined Cases C-293/12 and C-594/12 Digital Rights
Ireland and Seitlinger and Others [2014], para 55.
740 c o m p u t e r l a w & s e c u r i t y r e v i e w 3 0 ( 2 0 1 4 ) 7 3 6 e7 4 6
the “private sphere”, unlike the right to respect for private life.
The Advocate General distinguished between “data that are
personal as such [ … ] to which the structure and guarantees of
[the right to protection of personal data] are best suited”35 and
“data which are in a sense more personal”.36 He submitted that
use of “special” personal data may “make it possible to create
both a faithful and exhaustive map of a large portion of a person's
conduct strictly forming part of his private life; or even a com-
plete and accurate picture of his private identity”.37
Whilst the two rights under Articles 7 and 8 of the Charter
should be clearly distinguished, there is however no legal
basis for the distinction drawn by the Advocate General be-
tween these categories of personal data. Personal data pro-
tection law equally applies to all personal data including
telecommunications metadata.
Third, the Advocate General submitted that Article 7 of the
Charter applied to both the collection and retention of data
whilst Article 8 of the Charter applied to their subsequent use.
Since the directive did not deal with the latter, the Advocate
General submitted that it was necessary to assess the legal
validity of the directive “primarily from the perspective of
interference with the right to privacy.”38
Fourth, the directive should have defined safeguards which
must govern access to retained data and their use in light of
the serious interference with private life.39 The Advocate
General took the opportunity to outline a non-exhaustive list
of safeguards.
Fifth, the Advocate General considered that the directive
was incompatible with the principle of proportionality to the
extent that it required Member States to ensure that the data
were retained for a period the upper limit of which was set at
two years. The Advocate General has not found any sufficient
justification for not limiting the retention period of data to be
established by Member States to less than a year.40
Last, the Advocate General referred to “the right to infor-
mational self-determination”41 of the individual. The German
Constitutional Court recognised this new constitutional right
(informationelles Selbstbestimmungsrecht) in the population
census decision of 1983.42 This German constitutional
construct guarantees “the authority of the individual in prin-
ciple to decide for himself whether or not his personal data
35
Opinion in Joined Cases C-293/12 and C-594/12 Digital Rights
Ireland and Seitlinger and Others [2014], para 64.
36
Opinion in Joined Cases C-293/12 and C-594/12 Digital Rights
Ireland and Seitlinger and Others [2014], para 65.
37
Opinion in Joined Cases C-293/12 and C-594/12 Digital Rights
Ireland and Seitlinger and Others [2014], para 74.
38
Opinion in Joined Cases C-293/12 and C-594/12 Digital Rights
Ireland and Seitlinger and Others [2014], paras 55 to 67.
39
Opinion in Joined Cases C-293/12 and C-594/12 Digital Rights
Ireland and Seitlinger and Others [2014], para 113.
40
Opinion in Joined Cases C-293/12 and C-594/12 Digital Rights
Ireland and Seitlinger and Others [2014], para 149.
41
Opinion in Joined Cases C-293/12 and C-594/12 Digital Rights
Ireland and Seitlinger and Others [2014], para 57 in fine.
42
Bundesverfassungsgericht, 65,1 vom 15.12.1983 (Volksza €hlungs-
Urteil), Human Rights Law Journal, 1984, 5, p. 94 to 116. See Gerrit
Hornung and Christoph Schnabel, “Data Protection in Germany I:
The population census decision and the right to informational
self-determination”, Computer Law and Security Review, 2009, Vol-
ume 25, Issue 1, p. 84 to 88.
should be divulged or processed.”43 It “implies an increased
participation of the citizens in the processing of their personal
information and an advanced empowerment of the citizens
that can be realised via the introduction and strengthening of
the importance of his consent.”44 The reference by the Advo-
cate General to this right shows the influence of the German
legal system on EU personal data protection law.45
5. Analysis of the judgment of the Grand
Chamber dated 8 April 2014
The reasoning of the Grand Chamber resembles that of the
Advocate General. Holding its office of protecting funda-
mental rights and referring quasi exclusively to the Charter of
Fundamental Rights, the Grand Chamber turns out to be a
resolute guarantor of individual rights. To a question of
principle, it provided a reply of the same nature.
5.1. Relevant provisions of the Charter
The Court first narrowed the numerous questions referred by
the Irish and Austrian courts down to a single overarching
issue, i.e. whether the directive was legally valid in light of
Articles 7, 8 and 11 of the Charter. It noted that the data “may
allow very precise conclusions to be drawn concerning the
private lives”46 of individuals, thereby recognising the dangers
posed by aggregated telecommunications metadata. Where
the personal data in question enable a precise intrusion in
private life, the protection of personal data thus attracts the
protection of privacy. The Court then conducted its consid-
erations in three parts.
First, the Court examined the relevance of the three above-
mentioned provisions with regard to the legal validity of the
directive. Although the Court recognised that data retention
may have a chilling effect on individual freedom of expres-
sion,47 it selected not to examine the legal validity of the
directive in light of Article 11 of the Charter. This effect
consequently remains merely potential.
The Court followed the European Court of Human Rights in
considering that “[t]he retention of data for the purpose of
possible access to them by the competent national authorities
[ … ] directly and specifically affects private life”.48 It therefore
found that the directive must be considered in light of Article 7
of the Charter.
43
Eleni Kosta, Consent in European Data Protection Law, Martinus
Nijhoff Publishers, Leiden-Boston, 2013, p. 134.
44
Eleni Kosta, Consent in European Data Protection Law, Martinus
Nijhoff Publishers, Leiden-Boston, 2013, p. 108.
45
See the decision of the Czech Constitutional Court dated 22
March 2011 finding that the Czech law which enacted the direc-
tive infringed upon the right to informational self-determination,
translation by the court available in English and published at
http://www.usoud.cz/en/decisions/?tx_ttnews[tt_news]¼
40&cHash¼bbaa1c5b1a7d6704af6370fdfce5d34c.
46
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 27.
47
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 28.
48
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 29.
 c o m p u t e r l a w & s e c u r i t y r e v i e w 3 0 ( 2 0 1 4 ) 7 3 6 e7 4 6
The Court also considered that the mere retention of com-
munications metadata constitutes the processing of personal
data within the meaning of Article 8 of the Charter. The re-
quirements for the protection of personal data set out in this
provision must therefore be met.49 These two findings differ
from the opinion of the Advocate General on this specific
issue.50
The Grand Chamber applied a similar reasoning to the
European Court of Human Rights by first establishing an
interference (5.2) before considering whether the interference
is justified (5.3) since the two fundamental rights to respect for
private life and protection of personal data relied upon are not
absolute.
5.2. Interference with the fundamental rights to respect
for private life and protection of personal data
Second, the Court considered whether there was an interfer-
ence with the rights laid down in Articles 7 and 8 of the
Charter. It found that the directive required the retention of
the listed telecommunications metadata but also allowed
competent national authorities to access the data.51 The Court
noted that the directive derogated from the system of pro-
tection provided for in both the data protection directive and
the e-privacy directive.52 It held that the obligations to retain
data imposed by the data retention directive constituted an
interference with the right to respect for private life53 as did
the access of competent authorities to that data.54 The Court
also held that the directive interfered with the right to pro-
tection of personal data for the simple reason that “it provides
for the processing of personal data.”55 Following again the
opinion of the Advocate General, it stated that these in-
terferences were both wide-ranging and particularly serious.56
The Court evocatively considered that “the fact that data are
retained and subsequently used without the subscriber or
registered user being informed is likely to generate in the
minds of the persons concerned the feeling that their private
lives are the subject of constant surveillance.”57
5.3. Justification of the interference
Third, the Court considered whether the interferences with
the rights to respect for private life and protection of
49
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], paras 29 and 30.
50
Opinion in Joined Cases C-293/12 and C-594/12 Digital Rights
Ireland and Seitlinger and Others [2014], paras 55 to 67.
51
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 32.
52
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 32.
53
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 34.
54
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 35.
55
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 36.
56
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 37.
57
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 37.
741
personal data were justified. It reiterated that Article 52(1) of
the Charter provides that three requirements must be met
to justify limitations to fundamental rights, i.e. limitations
must be provided for by law; respect the essence of the
rights; and limitations must be genuinely necessary to meet
objectives of general interest, subject to the principle of
proportionality. The Court held that the essence of the
fundamental right to privacy was respected since the
directive did not permit the acquisition of content data.58
This finding is questionable at best because a structural
analysis of telecommunications metadata precisely permits
the acquisition of in-depth knowledge about data subjects,
thereby adversely affecting the essence of the fundamental
right to privacy as the Court itself somehow contradictorily
found.59 As the Office of the United Nations High Commis-
sioner for Human Rights observed, the “aggregation of in-
formation commonly referred to as ‘metadata’ may give an
insight into an individual's behaviour, social relationships,
private preferences and identity that go beyond even that
conveyed by accessing the content of a private communi-
cation.”60 The Court also held that the essence of the right
to protection of personal data was respected since the
directive required Member States to ensure that “appro-
priate technical and organisational measures are adopted
against accidental or unlawful destruction, accidental loss
or alteration of data”.61
5.4. Objective of general interest
When considering whether the interference satisfied an
objective of general interest, the Court drew a distinction
between the aim and material objective of the directive. It
noted that the directive aimed at harmonising provisions of
Member States about obligations on data retention whilst
the Court found that the material objective of the directive
was “to ensure that the data are available for the purpose of
the investigation, detection and prosecution of serious
crime, as defined by each Member State in its national law.
The material objective of that directive is, therefore, to
contribute to the fight against serious crime and thus, ulti-
mately, to public security.”62 The Court interestingly noted
that “Article 6 of the Charter lays down the right of any
person not only to liberty, but also to security.”63 It therefore
held that the directive “genuinely satisfies an objective of
general interest”64 and proceeded to examine the propor-
tionality of the directive.
58
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 39.
59
Ibidem, para 27. Regarding the essence of the fundamental
right to private and family life, see Case C-400/10 J. McB. v. L.E.
[2010], ECR I-8965, paras 55 and 57.
60
Report on the right to privacy in the digital age, A/HRC/27/37,
30 June 2014, p. 7.
61
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 40.
62
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 41.
63
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 42 in fine.
64
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 44.
742 c o m p u t e r l a w & s e c u r i t y r e v i e w 3 0 ( 2 0 1 4 ) 7 3 6 e7 4 6
5.5. Proportionality
The Court adopted a two-pronged test of proportionality,
considering whether the measure was appropriate to ach-
ieve its objectives and did not go beyond what was neces-
sary to achieve them.65 Similarly to the European Court of
Human Rights, the Court examined the balance of interests
at stake.66 It referred by analogy to Article 8 of the European
Convention and to the landmark judgment of the European
Court of Human Rights in the case of S. and Marper v. the
UK.67 It accordingly considered that “the extent of the EU
legislature's discretion may prove to be limited, depending
on a number of factors, including, in particular, the area
concerned, the nature of the right at issue guaranteed by
the Charter, the nature and seriousness of the interference
and the object pursued by the interference”.68 In this case,
“in view of the important role played by the protection of
personal data in the light of the fundamental right to
respect for private life and the extent and seriousness of the
interference with that right caused by Directive 2006/24, the
EU legislature's discretion is reduced, with the result that
review of that discretion should be strict.”69 The Court held
that the data retained pursuant to the directive allowed
national authorities “to have additional opportunities to
shed light on serious crime” and are “a valuable tool for
criminal investigations”.70 Importantly, it did therefore not
question or challenge the appropriateness and effectiveness
of massively retaining, storing and using telecommunica-
tions metadata as a tool to both prevent and investigate
serious crime,71 like the opinion of the Advocate General.
The Court found that the directive was suitable to achieve
its purposes.
Regarding necessity, the Court noted that limitations to
fundamental rights should apply to the extent that they are
strictly necessary only72 and that EU law must lay down clear
and precise rules governing the scope of limitations and the
safeguards for individuals.73 It held that the directive did not
set out clear and precise rules about the extent of the inter-
ference.74 The Court underscored several elements of the
directive which fell short in this respect. By applying to all
traffic data of all users of all means of electronic communi-
cations, the directive entailed “an interference with the
65
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 46.
66
See also Case C-131/12 Google Spain and Google [2014], para 81.
67
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 47 in fine.
68
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 47.
69
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 48.
70
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 49.
71
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 24.
72
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 52.
73
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 54.
74
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 65.
fundamental rights of practically the entire European popu-
lation”75 and did not require a relationship between the
retained data and serious crime or public security.76 In addi-
tion, no substantive condition such as an objective criterion by
which the number of persons authorised to access data could
be limited or procedural condition such as a review by an
administrative authority or a court prior to access determined
the limits of access and use to the retained data by competent
national authorities. The directive did not provide for an
objective and consistent definition of serious crime either.77
Nor did the directive determine the time period for which
data were retained on the basis of objective criteria.78
5.6. Data security and cross-border transfers: protection
of the retained personal data and control by independent
authorities
The Court held that the directive “does not provide for sufficient
safeguards, as required by Article 8 of the Charter, to ensure
effective protection of the data retained against the risk of abuse
and against any unlawful access and use of that data.”79 It “does
not lay down rules which are specific and adapted” to:
(1) the vast quantity of data the retention of which is
required by the directive,
(2) the sensitive nature of the data and
(3) the risk of unlawful access to that data, “rules which
would serve, in particular, to govern the protection and
security of the data in question in a clear and strict
manner in order to ensure their full integrity and
confidentiality.”80
The directive rather allowed providers to take into account
economic considerations when determining the technical and
organisational means to secure the data.81 The fact that na-
tional rules should be in accordance with requirements of
necessity and proportionality which are particularly provided
for in the European Convention on Human Rights does
therefore not suffice. The judgment of the Grand Chamber
shows the evolution of the case law of the Court of Justice on
fundamental rights in the last 25 years. In the Wachauf judg-
ment, the Court of Justice found that the regulations in
question left “the competent national authorities a suffi-
ciently wide margin of appreciation to enable them to apply
those rules in a manner consistent with the requirements of
the protection of fundamental rights”. The Court accordingly
75
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 56.
76
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], paras 58 and 59.
77
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], paras 60 to 62.
78
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], paras 64 and 65.
79
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 66.
80
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 66. See also Case C-131/12 Google
Spain and Google [2014], para 81.
81
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 67.
 c o m p u t e r l a w & s e c u r i t y r e v i e w 3 0 ( 2 0 1 4 ) 7 3 6 e7 4 6
rejected the “submission that the rules in question conflict
with the requirements of the protection of fundamental rights
in the Community legal order”.82 The Charter which applies to
EU organisations pursuant to Article 51(1) thereof subse-
quently entered into force on 1 December 2009. The judgment
of the Grand Chamber which is based on the Charter thus
reflects its deep impact on the case law of the Court.83
Even more importantly, the Court added that the “directive
does not require the data in question to be retained within the
European Union”. As a result, “an independent authority”
cannot control compliance with applicable provisions of data
protection and requirements of data security in the EU
“explicitly required by Article 8(3) of the Charter”. The Court
characterised this control as “an essential component of the
protection of individuals with regard to the processing of
personal data”.84 The legal risks for privacy thus outweighed
the potential use of intelligence.
The Grand Chamber ruled that the directive was invalid. It
did not follow the opinion of the Advocate General who, out of
concern for pragmatism, for overriding considerations of legal
certainty85 and the fact that Member States had generally
exercised their powers with moderation with respect to the
maximum period of data retention, had proposed “to suspend
the effects of the finding that Directive 2006/24 is invalid
pending adoption by the European Union legislature of the
measures necessary to remedy the invalidity found to exist”.86
6. Comments
The finding of the Court that the directive interfered with the
right to protection of personal data since “it provides for the
processing of personal data”87 is simplistic and unpersuasive.
The latter fact shows that the directive falls within the scope
82
Case 5/88 Wachauf v. Bundesamt für Erna €hrung und For-
stwirthschaft [1989], ECR 02609, paras 22 and 23.
83
See 2013 Report on the Application of the EU Charter of
Fundamental Rights, COM(2014) 224 final, 14 April 2014.
84
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 68.
85
See Case 13/61 Bosch v. van Rijn [1962], in which the Court
established the notion of legal certainty as a general principle of
EU law (p. 52). See also Case 48/69 Imperial Chemical Industries Ltd v.
Commission [1972], ECR 619, para 49; Case C-63/93 Duff and Others
[1996], ECR I-569, para 20; Case C-199/03 Ireland v. Commission
[2005], para 69; Case F-125/10 Mendes v. Commission [2013], para 71
finding that the principle of legal certainty requires that legal
rules be clear and precise and aims to ensure that situations and
legal relationships governed by EU law remain foreseeable.
Regarding legal certainty, see Paul Craig, EU Administrative Law,
Oxford University Press, New York, Second Edition, 2012, p. 549 to
556; Takis Tridimas, The General Principles of EU Law, Oxford Uni-
versity Press, New York, Second Edition, 2007, section 6.1, p. 242
to 251; Jürgen Schwarze, European Administrative Law, Sweet &
Maxwell, London, 2010, p. 870 to 873 and 938 to 1172; Leonard
Besselink et al. (eds), The Eclipse of the Legality Principle in the Eu-
ropean Union, Kluwer Law International, Alphen aan den Rijn,
2011.
86
Opinion in Joined Cases C-293/12 and C-594/12 Digital Rights
Ireland and Seitlinger and Others [2014], para 158. See also ibidem,
paras 156 and 157.
87
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 36.
743
of protection of personal data and thus justifies the applica-
bility of Article 8 of the Charter. It does however not demon-
strate any interference with the fundamental right to the
protection of personal data. This shortcoming of the judgment
does not imply that the finding of the Grand Chamber is le-
gally erroneous but simply shows the weakness of its
reasoning on this specific point.
The implications of the ruling of invalidity and the
adequate controls on geographical safeguards of the judg-
ment need to be clarified.
6.1. Effects of the ruling of invalidity
6.1.1. Scope
The finding of invalidity deals with the whole directive. The
general and radical nature of the ruling is unprecedented. The
Grand Chamber has already invalidated two provisions of a
Council regulation which breached the fundamental right to
protection of personal data provided for in Article 8 of the
Charter.88 In addition, the Grand Chamber has already ruled
that a specific provision of a directive was invalid. For instance,
it invalidated Article 5(2) of Council directive 2004/113/EC of 13
December 2004 implementing the principle of equal treatment
between men and women in the access to and supply of good
and services with effect from 21 December 2012 because it was
incompatible with Article 21 on non-discrimination and Article
23 on equality between men and women of the Charter.89 As a
result of the entire invalidation of the directive in this case, no
applicable directive currently in force mandates the retention
of telecommunications metadata.
6.1.2. Temporal effects of the judgment
Since the Court did not limit the temporal effect of its ruling,
the finding of invalidity takes effect ex tunc, i.e. from the date on
which the directive entered into force, as clarified by a mere
footnote of the press release published by the Court.90 Article
16 of the directive provided that it “shall enter into force on the
twentieth day following that of its publication in the Official
Journal of the European Union.” The directive was published on 13
April 2006. It therefore entered into force on 3 May 2006. The
ruling of invalidity thus takes effect from this date.
6.1.3. National legislation
Digital Rights Ireland, the government of the province of Car-
inthia and Austrian citizens challenged the validity of national
legislations which enacted the directive before domestic
courts. The latter referred the legal validity of the underlying
directive to a preliminary ruling of the Court of Justice. The
ruling of the Grand Chamber about the invalidity of the
directive ex tunc raises in turn interesting questions about the
status of all national laws which enacted the directive.
The judgment of the Grand Chamber legally binds both the
referring Constitutional Court of Austria and the High Court of
Ireland, pursuant to Article 91(1) of the Rules of Procedure of the
88
Joined Cases C-92/09 and C-93/09 Volker and Markus Scheke
[2010], ECR I-11063.
89
Case C-236/09 Test-Achats and Others v. Council [2011], ECR
I-00773, para 32.
90
Press release No 54/14 of 8 April 2014, footnote 2.
744 c o m p u t e r l a w & s e c u r i t y r e v i e w 3 0 ( 2 0 1 4 ) 7 3 6 e7 4 6
Court of Justice. By decision of 27 June 2014,91 the Constitu-
tional Court of Austria invalidated the domestic data retention
law. The Court ruled that it was unconstitutional since it
infringed upon the fundamental right to data protection as well
as Article 8 of the European Convention on Human Rights
which deals with the right to respect of private life. The
reasoning of the Austrian Constitutional Court is thus in line
with that of the Grand Chamber. Similarly to the latter, the
Court also ruled that although regulations such as the data
retention law could be used to fight serious crime, they must
comply with data protection requirements and the European
Convention of Human Rights. In this case, the Court found that
the challenged data retention provisions excessively interfere
with and infringe upon the fundamental right to the protection
of personal data. The referring High Court of Ireland must now
also apply the judgment of the Grand Chamber to the on-going
legal proceedings about the national law before it.
Regarding Sweden, the Commission will reimburse to its
government the sum of V 3,000,00092 that it paid for delaying
implementation of the directive, pursuant to the order of the
Court of Justice.93
On 8 April 2014, the Commission quickly published
frequently asked questions about the directive, stating that
“[n]ational legislation needs to be amended only with regard to
aspects that become contrary to EU law after a judgment by the
European Court of Justice. Furthermore, a finding of invalidity
of the Directive does not cancel the ability for Member States
under the e-Privacy Directive (2002/58/EC) to oblige retention of
data.”94 The legal service of Parliament similarly considered
that the judicial invalidation of the directive “in principle did
not affect national legislation.”95 These opinions are legally
correct. The Grand Chamber did not invalidate national laws
enacting the directive since it was not seized of the matter and
does not have the jurisdiction to rule on their legal validity,
pursuant to Article 267 of the TFEU. National laws remain valid
and applicable. Obligations to retain telecommunications
metadata stand on these legal bases despite the invalidation of
the directive by the Grand Chamber. This situation is legally
clumsy since domestic laws were precisely adopted pursuant
to the now invalidated directive. Depending on their content,
national legislation enacting the directive may be legally chal-
lenged before national courts for breaches of the fundamental
rights to respect for private life and protection of personal data,
applying the criteria laid down by the Grand Chamber in this
case. Regarding the scope of the Charter, the Court of Justice
ruled in the Pfleger judgment of 30 April 2014 that it applies to
national derogations from EU law. Importantly, the use by
Member States of fundamental rights provided for by EU law to
91
Verfassungsgerichtshof, decision No. G 47/2012, the press
release is available in German only at: http://www.vfgh.gv.at/
cms/vfgh-site/attachments/5/0/0/CH0003/CMS1403853653944/
presseinformation_verkuendung_vorratsdaten.pdf.
92
Plenary session of Parliament, debates of 16 April 2014, dec-
larations of the Commissioner for Home Affairs.
93
Case C-270/11 Commission v. Sweden [2013] ECR I-0000.
94
Available at http://europa.eu/rapid/press-release_MEMO-14-
269_en.htm.
95
Summary of the meeting of the European Parliament Com-
mittee on Civil Liberties, Justice and Home Affairs, held in Brus-
sels on 10 April 2014, document 8940/14, 11 April 2014, p. 5.
justify an obstruction of a fundamental freedom guaranteed by
the Treaty must be regarded as “implementing Union law”
within the meaning of Article 51(1) of the Charter.96 Domestic
courts may therefore invalidate national laws for breaches of
the Charter as the Court of Justice invalidated the directive. For
instance, the Constitutional Court of Slovenia abrogated eight
provisions of the domestic law on retention of data as dispro-
portionate by judgment of 3 July 2014 following the judgment of
the Grand Chamber.97 It instructed operators of electronic
communications to delete retained data immediately after the
date when the judgment is published in the Official Gazette.
Alternatively, governments of Member States may pro-actively
examine their national legislation in light of the judgment of
the Grand Chamber98 and accordingly make appropriate de-
cisions including amendments thereto. For instance, the
British Parliament passed on 17 July 2014 the controversial Data
Retention and Investigatory Powers Bill99 which provides for
emergency powers to ensure that police and security services
can continue to access phone and internet records. Accompa-
nying the new powers are provisions to “increase transparency
and oversight” including the creation of a new Privacy and Civil
Liberties Oversight Board to scrutinise the impact of the law. In
any event, this situation creates a sustained period of legal
uncertainty about the impact of the judgment on national laws
of Member States which enacted the directive.
Last, Germany which has not adopted any national law to
enact the directive no longer bears the obligation to do so. In
addition, the Commission no longer had any legal basis to
continue the action brought against Germany for failing to
fulfil its obligation to enact the directive and requesting the
Court of Justice to impose the penalty payment of V 315,036.54
per day.100 It accordingly stated that it would terminate this
procedure.101 The Commission withdrew its action except for
the costs and the President of the Court of Justice ordered the
case to be removed from the register by order of 5 June 2014,102
pursuant to Article 148 of the Rules of Procedure of the Court
of Justice. All Member States may however adopt and apply
specific legislative measures, pursuant to Article 15(1) of the e-
privacy directive on the exceptional retention of both traffic
and location data for a limited period.
6.2. Adequate controls on geographical safeguards:
retention and storage of personal data within the EU
The Court criticised both Council and Parliament for failing to
impose an obligation to retain telecommunications metadata
96
Case C-390/12, paras 31 to 36.
97
Judgment U-I-65/13-19. See the press release of the Informa-
tion Commissioner of 11 July 2014 available at https://www.ip-rs.
si/index.php?id¼272&tx_ttnews%5btt_news%
5d¼1256&cHash¼2885f4a56e6ff9d8abc6f94da098f461.
98
For instance, see press release, ministry of justice of
Luxembourg, 8 April 2014, announcing that a detailed analysis of
possible implications for the domestic law will be undertaken,
available at http://www.gouvernement.lu/3641093/08-cjue.
99
Available at https://www.gov.uk/government/uploads/
system/uploads/attachment_data/file/328939/draft-drip-bill.pdf.
100
Case C-329/12 Commission v. Germany.
101
Plenary session of Parliament, debates of 16 April 2014, dec-
larations of the Commissioner for Home Affairs.
102
Case C-329/12 Commission v. Germany [2014].
 c o m p u t e r l a w & s e c u r i t y r e v i e w 3 0 ( 2 0 1 4 ) 7 3 6 e7 4 6
within the EU. It emphasised the need to store retained data
within the EU to ensure oversight by an independent EU au-
thority about compliance with applicable provisions on pro-
tection of personal data and requirements of data security, in
accordance with Article 8(3) of the Charter. The Court found
that data storage facilities must be subject to “control, carried
out on the basis of EU law” by “an independent authority”.103 It
thus made clear that personal data of European data subjects
must remain and be held and managed in the EU under EU
laws and safeguards.
These findings indicate the position of the Court towards
international transfers of personal data. It is consistent with
the restrictions inserted by Parliament in Article 36 of the draft
proposal for a directive on the protection of personal data in
the area of law enforcement to tighten up transfers of per-
sonal data to third states which are not members of the EU.104
Regarding cloud computing, the implications of these
findings for EU data controllers are that retained personal data
may only be stored where necessary safeguards such as the
control carried out by an independent data protection au-
thority on the basis of EU law are in place. The findings of the
Grand Chamber are consistent with the opinion of the Article
29 Data Protection Working Party which stated that
103
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014], para 68.
104
Texts adopted at the sitting of Wednesday 12 March 2014, part
I, PE 531.357.
105
Article 29 Data Protection Working Party, Opinion 05/2012 on
Cloud Computing, 1 July 2012, p. 23 and 24. This opinion is taken from
the recommendation of the European Network and Information
Security Agency (ENISA), Security & Resilience in Governmental
Clouds, January 2011, p. 9. See also ENISA, Cloud Computing. Bene-
fits, risks and recommendations for information security, November
2009; Opinion of the European Data Protection Supervisor on the
Commission's Communication on “Unleashing the potential of
Cloud Computing in Europe”, 16 November 2012; Information Com-
missioner's Office, Guidance on the use of cloud computing, 2012. See
also Paolo Balboni, “Contracting with the cloud: analyzing the EU
position”, Data Protection Law & Policy, 2012, Volume 9, Issue 10; Paolo
Balboni and Enrico Pelino, “Law Enforcement Agencies' Activities in
the Cloud Environment: a European Legal Perspective”, Information &
Communications Technology Law, Volume 22, Issue 2, 2013, p. 165 to
190; Paolo Balboni, Security and Privacy in Cloud Computing: The
European Regulatory Approach. Executive Action Report, No. 335,
The Conference Board, October 2010; W. Kuan Hon et al., “Could
Accountability: The Likely Impact of the Proposed EU Data Protection
Regulation”, Queen Mary School of Law Legal Studies Research Paper No.
172/2014, Tilburg Law School Research Paper No. 07/2014, available at
http://papers.ssrn.com/sol3/papers.cfm?abstract_id¼2405971#;
Simon Bradshaw et al., “Contracts for Clouds: Comparison and
Analysis of the Terms and Conditions of Cloud Computing Services”,
Queen Mary University of London, School of Law Legal Studies Research
Paper No. 63/2010, 1 September 2010, available at http://papers.ssrn.
com/sol3/papers.cfm?abstract_id¼1662374. Regarding B2B cloud
computing, see Paolo Balboni, “Data Protection and Data Security
Issues Related to Cloud Computing in the EU”, Norbert Pohlmann
et al. (eds), ISSE 2010 Securing Electronic Business Processes, Vieweg,
Wiesbaden, 2011, p. 163 to 172, available at https://archive.org/
details/ISSE_2010_Securing_Electronic_Business_Processes.
Regarding B2C cloud computing, see Yves Poullet et al., Cloud
computing and its implications on data protection, Council of
Europe, 5 March 2010, available at http://www.coe.int/t/dghl/
cooperation/economiccrime/cybercrime/Documents/Reports-
Presentations/2079_reps_IF10_yvespoullet1b.pdf.
745
“consideration might be given by national governments and
European Union institutions to further investigate the concept
of a European Governmental cloud as a supra national virtual
space where a consistent and harmonised set of rules could be
applied. [ … ] Transferring personal data to a European cloud
provider, sovereignly governed by European data protection
law, could bring great data protection advantages to cus-
tomers [ … ] as well as legal certainty.”105
7. Concluding remarks
The judgment of the Grand Chamber shows that personal data
protection law can adapt to the challenges provided by the
evolutions of telecommunication technology. It also shows
the increasing legal importance and weight of the Charter in
the case law of the Court of Justice106 including that on per-
sonal data protection law, computer law and cloud
computing.107 The Grand Chamber has played the role of an
EU Constitutional Court108 which has applied and interpreted
Articles 7, 8 and 11 of the Charter as well as checked and
controlled the compliance of the directive with its two pro-
visions about fundamental rights to respect for private life and
protection of personal data. The judges thus appeared as
resolute defenders of individual rights on the basis of the
Charter in the area of personal data protection, which is of
acute public interest.
The EU legislature should however learn lessons from this
debacle which may now have a snowball effect on national
legislation of Member States. The Council and Parliament both
adopted a directive which seriously interfered with two
fundamental rights. One and a half months before the dates of
the European elections, this situation specifically poses
intriguing questions on the exact role played by Parliament
about their protection.109 The directive remained in force
nearly eight years before the Grand Chamber finally invali-
dated it. Had an Irish advocacy group, a provincial govern-
ment and Austrian residents not taken the initiative to
challenge the legal validity of national laws enacting the
directive and had the two domestic courts not requested a
preliminary ruling of the Court of Justice, the Grand Chamber
would not have been seized of the matter and had the op-
portunity to invalidate the directive. The latter would there-
fore remain in force. Ireland and Slovakia regrettably could
not submit to the Grand Chamber that the directive infringed
upon fundamental rights provided for in two provisions of the
Charter in 2006110 since they brought the action for annulment
three years before the date when the Charter entered into
force on 1 December 2009. The Grand Chamber could not raise
this plea ex officio in light of the traditional case law of the
106
See Xavier Tracol, “The new rules of procedure on the review
procedure and the application of general principles in EU civil
service law and litigation: Strack”, Common Market Law Review,
Volume 51, No. 3, June 2014, p. 993 to 1014.
107
See Case C-131/12 Google Spain and Google [2014], para 81.
108
See Case C-131/12 Google Spain and Google [2014], para 81.
109
See the debates during the plenary session of Parliament on
16 April 2014.
110
Case C-301/06 Ireland v. Parliament and Council [2009] ECR I-593,
para 57.
746 c o m p u t e r l a w & s e c u r i t y r e v i e w 3 0 ( 2 0 1 4 ) 7 3 6 e7 4 6

Court of Justice on this issue.111 As a result, all data subjects of
the EU were unfortunately left in a state of legal uncertainty
on a matter of fundamental rights which led to additional
litigation to resolve the matter four years later.
In addition, the judgment in this case shows the growing
impact of preliminary rulings rendered by the Grand Chamber
on the development of EU personal data protection law. In just
over a month, it rendered another ground-breaking judgment
on the legal responsibility of an Internet search engine oper-
ator for the processing of personal data contained on Web-
sites112 as well as a judgment on the independence of national
supervisory authorities.113 In all three judgments, the Grand
Chamber adopted a strict approach to the protection of per-
sonal data with the manifest intent to ensure a high level of
protection of this fundamental right for data subjects.
Furthermore, this judgment shows the impact of personal
data protection law on criminal justice. It may be considered
by supreme courts of non-Member States such as the US Su-
preme Court if they are seized of the lawfulness of retaining
metadata in the context of law enforcement.114
Last, the new Commission will have to determine whether
it intends to propose the adoption of a new data retention
directive. If it does, the proposal will need to take account and
address the findings contained in the judgment of the Grand
Chamber.

111
Fernando Castillo de la Torre, “Le releve
d’office par la juri-
diction communautaire”, Cahiers de droit europ
een, 2005, No. 3-4, p.

d’office devant le juge com-
395 to 463; Bo Vesterdof, “Le releve
munautaire”, Une communaut
e de droit, Festschrift für Gil Carlos
Rodriguez Iglesias, Ninon Colneric et al. (eds), Berliner
Wissenschafts-Verlag, Berlin, 2003, p. 551 to 568.
112 114
Case C-131/12 Google Spain and Google [2014]. Regarding searches and privacy, see the recent case of Riley v.
113
Case C-288/12 Commission v. Hungary [2014]. California, US Supreme Court, 25 June 2014.
L 291/40 EN Official Journal of the European Union 7.11.2009

III
(Acts adopted under the EU Treaty)

ACTS ADOPTED UNDER TITLE V OF THE EU TREATY

COUNCIL DECISION 2009/820/CFSP

of 23 October 2009
on the conclusion on behalf of the European Union of the Agreement on extradition between the
European Union and the United States of America and the Agreement on mutual legal assistance
between the European Union and the United States of America

THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on European Union, and in
particular Articles 24 and 38 thereof,
(5) On 19 February 2009 the General Secretariat of the
Council notified the United States of America of the
designations pursuant to Articles 2(3) and 10(2) of the
Agreement on extradition and pursuant to Articles 4(3)
and 8(2)(b) of the Agreement on mutual legal assistance,
as well as of limitations invoked under Article 4(4) of the
Agreement on mutual legal assistance,

Whereas:

(1) Following the authorisation given by the Council on HAS DECIDED AS FOLLOWS:
26 April 2002 to the Presidency, assisted by the
Commission, to enter into negotiations with the United
States of America, two Agreements on international
cooperation in criminal matters, one on extradition and
one on mutual legal assistance, have been negotiated
with the United States of America. Article 1
The Agreement on extradition between the European Union
and the United States of America and the Agreement on
(2) In accordance with Council Decision 2003/516/EC of mutual legal assistance between the European Union and the
6 June 2003 (1), the Agreement on extradition between United States of America are hereby approved on behalf of the
the European Union and the United States of America (2) European Union.
and the Agreement on mutual legal assistance between
the European Union and the United States of America (3)
have been signed on behalf of the European Union on
25 June 2003.

(3) The Agreements should now be approved.
(4) The Agreements provide in their Article 3(2) that written
instruments be exchanged between the USA and the
Member States of the Union on the application of
bilateral treaties. Article 3(3) of the Agreement on
mutual legal assistance provides a similar obligation for
those Member States that do not have a bilateral mutual
legal assistance treaty with the United States. These
written instruments have been exchanged between all
Member States and the United States of America.
(1) OJ L 181, 19.7.2003, p. 25.
(2) OJ L 181, 19.7.2003, p. 27.
(3) OJ L 181, 19.7.2003, p. 34.
Article 2
The President of the Council is hereby authorised to designate
the person empowered, on behalf of the European Union, to
exchange the instruments of approval provided for in Article 22
of the Agreement on extradition between the European Union
and the United States of America and in Article 18 of the
Agreement on mutual legal assistance between the European
Union and the United States of America, in order to express
the consent of the European Union to be bound.
Article 3
This Decision shall be published in the Official Journal of the
European Union.
7.11.2009 EN Official Journal of the European Union L 291/41

Done at Luxembourg, 23 October 2009.

For the Council

The President
T. BILLSTRÖM
19.7.2003 EN Official Journal of the European Union L 181/25

II
(Acts whose publication is not obligatory)

COUNCIL

COUNCIL DECISION
of 6 June 2003
concerning the signature of the Agreements between the European Union and the United States of
America on extradition and mutual legal assistance in criminal matters

(2003/516/EC)

THE COUNCIL OF THE EUROPEAN UNION, needed, through revision of the Agreements. The
Union states that Article 10 does not constitute a
precedent for negotiations with third states.’
Having regard to the Treaty on European Union, and in parti-
cular Articles 24 and 38 thereof,
(5) The Agreements foresee in their Article 3(2) that written
instruments be exchanged between the United States of
Whereas: America and the Member States of the Union on the
application of bilateral treaties. Article 3(3) of the Agree-
ment on mutual legal assistance provides a similar obli-
(1) The Member States of the European Union cooperate in gation for those Member States that do not have a bilat-
criminal matters with the United States of America on eral mutual legal assistance treaty with the United States.
the basis of bilateral agreements, conventions, treaties, With a view to the drawing up of such written instru-
national law and arrangements. ments the Member States should coordinate their action
within the Council,
(2) The European Union is determined to improve this
cooperation in order to be able to combat, in particular,
transnational crime and terrorism in a more effective
way.
HAS DECIDED AS FOLLOWS:

(3) The Council decided on 26 April 2002 to authorise the

Presidency, assisted by the Commission, to enter into
negotiations with the United States of America, and the
Presidency negotiated two Agreements on international
cooperation in criminal matters, one on mutual legal
assistance and one on extradition, with the United States
of America.
Article 1
1. The President of the Council is hereby authorised to
designate the person(s) empowered to sign the Agreements on
behalf of the European Union, subject to their later conclusion.

(4) The Agreements should be signed on behalf of the 2. The text of the Agreements and the accompanying Expla-
European Union, subject to their subsequent conclusion. natory Notes, the latter recording an understanding between
The European Union will, at the time of the signature the European Union and the United States of America, are
make the following declaration: annexed to this Decision.

‘The European Union states that it is in a process of

development of an area of freedom, security and
justice, which may have consequences that affect the
Agreements with the United States. These develop-
ments will be considered carefully by the Union in
particular as regards Article 10(2) of the Extradition
Agreement. The Union will wish to consult with the
United States in order to find solutions to any devel-
opments affecting the Agreements, including, if
Article 2
1. The Member States shall take the necessary steps with a
view to the drawing up of written instruments between them
and the United States of America as contemplated in Article
3(2) of the Agreement on Extradition and Article 3(2) and (3)
of the Agreement on Mutual Legal Assistance.
L 181/26 EN Official Journal of the European Union 19.7.2003

2. The Member States shall coordinate their actions pursuant Article 4

to paragraph 1 within the Council.
This Decision and its annexes shall be published in the Official
Journal of the European Union.
Article 3

In case of extension of the territorial application of the Agree- Done at Luxembourg, 6 June 2003.
ments in accordance with Article 20(1)(b), second indent, of
the Agreement on Extradition or Article 16(1)(b), second For the Council
indent, of the Agreement on Mutual Legal Assistance, the
Council shall decide by unanimity on behalf of the European The President
Union. M. CHRISOCHOÏDIS
L 138/14 EN Official Journal of the European Union 4.6.2009

III
(Acts adopted under the EU Treaty)

ACTS ADOPTED UNDER TITLE VI OF THE EU TREATY

COUNCIL DECISION 2009/426/JHA

of 16 December 2008
on the strengthening of Eurojust and amending Decision 2002/187/JHA setting up Eurojust with a
view to reinforcing the fight against serious crime

THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on European Union, and in
particular Articles 31(2) and 34(2)(c) thereof,
Having regard to the initiative of the Kingdom of Belgium, the
Czech Republic, the Republic of Estonia, the Kingdom of Spain,
the French Republic, the Italian Republic, the Grand Duchy of
Luxembourg, the Kingdom of the Netherlands, the Republic of
Austria, the Republic of Poland, the Portuguese Republic, the
Republic of Slovenia, the Slovak Republic and the Kingdom of
Sweden,
(4) In order to ensure continuous and effective contribution
from the Member States to the achievement by Eurojust
of its objectives, the national member should be required
to have his regular place of work at the seat of Eurojust.
(5) It is necessary to define a common basis of powers
which every national member should have in his
capacity as a competent national authority acting in
accordance with national law. Some of these powers
should be granted to the national member for urgent
cases where it is not possible for him to identify or to
contact the competent national authority in a timely
manner. It is understood that these powers will not
have to be exercised in so far as it is possible to
identify and to contact the competent authority.

Having regard to the Opinion of the European Parliament (1), (6) This Decision does not affect the manner in which the
Member States organise their internal judicial system or
administrative procedures for the designation of the
national member and the setting up of the internal
Whereas: working of the national desks at Eurojust.

(1) Eurojust was set up by Council Decision
2002/187/JHA (2) as a body of the European Union
with legal personality to stimulate and to improve coor­
dination and cooperation between competent judicial
authorities of the Member States.
(7) The setting up of an On-Call Coordination (OCC) within
Eurojust is necessary to make Eurojust available around
the clock and to enable it to intervene in urgent cases. It
should be the responsibility of each Member State to
ensure that their representatives in the OCC are able to
act on a 24-hour/7-day basis.

(2) On the basis of an assessment of the experience gained
by Eurojust, a further enhancement of its operational
effectiveness is needed by taking account of that
experience.
(8) Member States should ensure that competent national
authorities respond without undue delay to requests
made under this Decision, even if competent national
authorities refuse to comply with requests made by the
national member.

(3) The time has come to ensure that Eurojust becomes

more operational and that the status of national (9) The role of the College should be enhanced in cases of
members is approximated. conflict of jurisdiction and in cases of recurrent refusals
or difficulties concerning the execution of requests for,
(1) Opinion delivered on 2 September 2008 (not yet published in the and decisions on, judicial cooperation, including
Official Journal). regarding instruments giving effect to the principle of
(2) OJ L 63, 6.3.2002, p. 1. mutual recognition.
4.6.2009 EN Official Journal of the European Union
(10) Eurojust national coordination systems should be set up
in the Member States to coordinate the work carried out
by the national correspondents for Eurojust, the national
correspondent for Eurojust for terrorism matters, the
national correspondent for the European Judicial
Network and up to three other contact points of the
European Judicial Network, as well as representatives in
the Networks for Joint Investigation Teams, War Crimes,
Asset Recovery and Corruption.
(11) The Eurojust national coordination system should ensure
that the Case Management System receives information
related to the Member State concerned in an efficient and
reliable manner. However, the Eurojust national coordi­
nation system should not have to be responsible for
actually transmitting information to Eurojust. Member
States should decide on the best channel to be used for
the transmission of information to Eurojust.
(12) In order to enable the Eurojust national coordination
system to fulfil its tasks, a connection to the Case
Management System should be ensured. The connection
to the Case Management System should be made taking
due account of national information technology systems.
Access to the Case Management System at national level
should be based on the central role played by the
national member who is responsible for the opening
and management of temporary work files.
(13) Council Framework Decision 2008/977/JHA of
27 November 2008 on the protection of personal data
processed in the framework of police and judicial coop­
eration in criminal matters (1) is applicable to the
processing by the Member States of the personal data
transferred between the Member States and Eurojust.
The relevant set of data protection provisions of
Decision 2002/187/JHA will not be affected by
Framework Decision 2008/977/JHA and contains
specific provisions on the protection of personal data
regulating these matters in more detail because of the
particular nature, functions and competences of Eurojust.
(14) Eurojust should be authorised to process certain personal
data on persons who, under the national legislation of
the Member States concerned, are suspected of having
committed or having taken part in a criminal offence
in respect of which Eurojust is competent, or who
have been convicted of such an offence. The list of
such personal data should include telephone numbers,
e-mail addresses, vehicle registration data, DNA profiles
established from the non-coding part of DNA, photo­
graphs and fingerprints. The list should also include
(1) OJ L 350, 30.12.2008, p. 60.
L 138/15
traffic data and location data and the related data
necessary to identify the subscriber or user of a
publicly available electronic communications service;
this should not include data revealing the content of
the communication. It is not intended that Eurojust
carry out an automated comparison of DNA profiles or
fingerprints.
(15) Eurojust should be given the opportunity to extend the
deadlines for storage of personal data in order to achieve
its objectives. Such decisions should be taken following
careful consideration of particular needs. Any extension
of deadlines for processing personal data, where prose­
cution is statute barred in all Member States concerned,
should be decided only where there is a specific need to
provide assistance under this Decision.
(16) The Rules on the Joint Supervisory Body should facilitate
its functioning.
(17) With a view to increasing the operational effectiveness of
Eurojust, transmission of information to Eurojust should
be improved by providing clear and limited obligations
for national authorities.
(18) Eurojust should implement priorities set by the Council,
in particular those set on the basis of the Organised
Crime Threat Assessment (OCTA), as referred to in the
Hague Programme (2).
(19) Eurojust is to maintain privileged relations with the
European Judicial Network based on consultation and
complementarity. This Decision should help clarify the
respective roles of Eurojust and the European Judicial
Network and their mutual relations, while maintaining
the specificity of the European Judicial Network.
(20) Nothing in this Decision should be construed to affect
the autonomy of the secretariats of the networks
mentioned in this Decision when they discharge their
function as Eurojust staff in accordance with the Staff
Regulations of Officials of the European Communities
laid down by Regulation (EEC, Euratom, ECSC) No
259/68 of the Council (3).
(21) It is also necessary to strengthen Eurojust’s capacity to
work with external partners, such as third States, the
European Police Office (Europol), the European Anti-
Fraud Office (OLAF), the Council’s Joint Situation
Centre and the European Agency for the Management
of Operational Cooperation at the External Borders of
the Member States of the European Union (Frontex).
(2) OJ C 53, 3.3.2005, p. 1.
(3) OJ L 56, 4.3.1968, p. 1.
L 138/16 EN Official Journal of the European Union
(22) Provision should be made for Eurojust to post liaison
magistrates to third States in order to achieve objectives
similar to those assigned to liaison magistrates seconded
by the Member States on the basis of Council Joint
Action 96/277/JHA of 22 April 1996 concerning a
framework for the exchange of liaison magistrates to
improve judicial cooperation between the Member
States of the European Union (1).
(23) This Decision allows the principle of public access to
official documents to be taken into account,
HAS DECIDED AS FOLLOWS:
Article 1
Amendments to Decision 2002/187/JHA
Decision 2002/187/JHA is hereby amended as follows:
1. Article 2 shall be replaced by the following:
‘Article 2
Composition of Eurojust
1. Eurojust shall have one national member seconded by
each Member State in accordance with its legal system, who
is a prosecutor, judge or police officer of equivalent
competence.
2. Member States shall ensure continuous and effective
contribution to the achievement by Eurojust of its
objectives under Article 3. To fulfil those objectives:
(a) the national member shall be required to have his
regular place of work at the seat of Eurojust;
(b) each national member shall be assisted by one deputy
and by another person as an assistant. The deputy and
the assistant may have their regular place of work at
Eurojust. More deputies or assistants may assist the
national member and may, if necessary and with the
(1) OJ L 105, 27.4.1996, p. 1.
4.6.2009
agreement of the College, have their regular place of
work at Eurojust.
3. The national member shall have a position which
grants him the powers referred to in this Decision in
order to be able to fulfil his tasks.
4. National members, deputies and assistants shall be
subject to the national law of their Member State as
regards their status.
5. The deputy shall fulfil the criteria provided for in
paragraph 1 and be able to act on behalf of or to substitute
the national member. An assistant may also act on behalf
of or substitute the national member if he fulfils the criteria
provided for in paragraph 1.
6. Eurojust shall be linked to a Eurojust national coor­
dination system in accordance with Article 12.
7. Eurojust shall have the possibility of posting liaison
magistrates in third States in accordance with this Decision.
8. Eurojust shall, in accordance with this Decision, have
a Secretariat headed by an Administrative Director.’;
2. Article 3 shall be amended as follows:
(a) in paragraph 1(b), the words ‘international mutual legal
assistance and the implementation of extradition
requests’ shall be replaced by ‘requests for, and
decisions on, judicial cooperation, including regarding
instruments giving effect to the principle of mutual
recognition;’;
(b) in paragraph 2, the words ‘Article 27(3)’ shall be
replaced by ‘Article 26a(2)’;
3. Article 4(1) shall be amended as follows:
(a) point (a) shall be replaced by the following:
‘(a) the types of crime and the offences in respect of
which Europol is at all times competent to act;’ (2);
(2) At the time of adoption of this Decision, the competence of Europol
is set out in Article 2(1) of the Convention of 26 July 1995 on the
establishment of a European Police Office (Europol Convention) (OJ
C 316, 27.11.1995, p. 2), as amended by the 2003 Protocol (OJ C
2, 6.1.2004, p. 1), and in the Annex thereto. However, once the
Council Decision establishing the European Police Office (Europol)
enters into force, the competence of Eurojust will be as set out in
Article 4(1) of that Decision and in the Annex thereto.
4.6.2009 EN Official Journal of the European Union
(b) point (b) shall be deleted;
(c) in point (c), the words ‘in points (a) and (b)’ shall be
replaced by ‘in point (a)’;
4. the following Article shall be inserted:
‘Article 5a
On-Call Coordination
1. In order to fulfil its tasks in urgent cases, Eurojust
shall put in place an On-Call Coordination (OCC) able to
receive and process at all times requests referred to it. The
OCC shall be contactable, through a single OCC contact
point at Eurojust, on a 24-hour/7-day basis.
2. The OCC shall rely on one representative (OCC rep­
resentative) per Member State who may be either the
national member, his deputy, or an assistant entitled to
replace the national member. The OCC representative
shall be able to act on a 24-hour/7-day basis.
3. When in urgent cases a request for, or a decision on,
judicial cooperation, including regarding instruments giving
effect to the principle of mutual recognition, needs to be
executed in one or more Member States, the requesting or
issuing competent authority may forward it to the OCC.
The OCC contact point shall immediately forward it to the
OCC representative of the Member State from which the
request originates and, if explicitly requested by the trans­
mitting or issuing authority, to the OCC representatives of
the Member States on the territory of which the request
should be executed. These OCC representatives shall act
6. Article 7 shall be amended as follows:
without delay, in relation to the execution of the request
in their Member State, through the exercise of tasks or
powers available to them and referred to in Article 6 and
Articles 9a to 9f.’;
5. Article 6 shall be amended as follows:
(a) the existing paragraph shall become paragraph 1;
(b) paragraph 1(a) shall be replaced by the following:
‘(a) may ask the competent authorities of the Member
States concerned, giving its reasons, to:
L 138/17
(i) undertake an investigation or prosecution of
specific acts;
(ii) accept that one of them may be in a better
position to undertake an investigation or to
prosecute specific acts;
(iii) coordinate between the competent authorities
of the Member States concerned;
(iv) set up a joint investigation team in keeping
with the relevant cooperation instruments;
(v) provide it with any information that is
necessary for it to carry out its tasks;
(vi) take special investigative measures;
(vii) take any other measure justified for the inves­
tigation or prosecution;’;
(c) paragraph 1(g) shall be deleted;
(d) the following paragraph shall be added:
‘2. The Member States shall ensure that competent
national authorities respond without undue delay to
requests made under this Article.’;
(a) the existing paragraph shall become paragraph 1;
(b) the following paragraphs shall be added:
‘2. Where two or more national members can not
agree on how to resolve a case of conflict of juris­
diction as regards the undertaking of investigations or
prosecution pursuant to Article 6 and in particular
Article 6(1)(c), the College shall be asked to issue a
written non-binding opinion on the case, provided
the matter could not be resolved through mutual
agreement between the competent national authorities
concerned. The opinion of the College shall be
promptly forwarded to the Member States concerned.
This paragraph is without prejudice to paragraph
1(a)(ii).
L 138/18 EN Official Journal of the European Union
3. Notwithstanding the provisions contained in any
instruments adopted by the European Union regarding
judicial cooperation, a competent authority may report
to Eurojust recurrent refusals or difficulties concerning
the execution of requests for, and decisions on, judicial
cooperation, including regarding instruments giving
effect to the principle of mutual recognition, and
request the College to issue a written non-binding
opinion on the matter, provided it could not be
resolved through mutual agreement between the
competent national authorities or through the invol­
vement of the national members concerned. The
opinion of the College shall be promptly forwarded
to the Member States concerned.’;
7. Articles 8 and 9 shall be replaced by the following:
‘Article 8
Follow up to requests and opinions of Eurojust
If the competent authorities of the Member States
concerned decide not to comply with a request referred
to in Article 6(1)(a) or Article 7(1)(a) or decide not to
follow a written opinion referred to in Article 7(2) and
(3), they shall inform Eurojust without undue delay of
their decision and of the reasons for it. Where it is not
possible to give the reasons for refusing to comply with a
request because to do so would harm essential national
security interests or would jeopardise the safety of indi­
viduals, the competent authorities of the Member States
may cite operational reasons.
Article 9
National members
1. The length of a national member’s term of office shall
be at least four years. The Member State of origin may
renew the term of office. The national member shall not
be removed before the end of a term without informing the
Council before the removal and indicating to it the reason
therefor. Where a national member is President or Vice-
President of Eurojust, his term of office as a member
shall at least be such that he can fulfil his function as
President or Vice-President for the full elected term.
2. All information exchanged between Eurojust and
Member States shall be directed through the national
member.
3. In order to meet Eurojust’s objectives, the national
member shall have at least equivalent access to, or at
least be able to obtain the information contained in, the
following types of registers of his Member State as would
be available to him in his role as a prosecutor, judge or
police officer, whichever is applicable, at national level:
4.6.2009
(a) criminal records;
(b) registers of arrested persons;
(c) investigation registers;
(d) DNA registers;
(e) other registers of his Member State where he deems this
information necessary for him to be able to fulfil his
tasks.
4. A national member may contact the competent auth­
orities of his Member State directly.’;
8. the following Articles shall be inserted:
‘Article 9a
Powers of the national member granted to him at
national level
1. When a national member exercises the powers
referred to in Articles 9b, 9c and 9d, he does so in his
capacity as a competent national authority acting in
accordance with national law and subject to the conditions
laid down in this Article and Articles 9b to 9e. In the
performance of his tasks the national member shall,
where appropriate, make it known whenever he is acting
in accordance with the powers granted to national
members under this Article and Articles 9b, 9c and 9d.
2. Each Member State shall define the nature and extent
of the powers it grants its national member as regards
judicial cooperation in respect of that Member State.
However, each Member State shall grant its national
member at least the powers described in Article 9b and,
subject to Article 9e, the powers described in Articles 9c
and 9d, which would be available to him as a judge,
prosecutor or police officer, whichever is applicable, at
national level.
3. When appointing its national member and at any
other time if appropriate, the Member State shall notify
Eurojust and the General Secretariat of the Council of its
decision regarding the implementation of paragraph 2 so
that the latter can inform the other Member States. The
Member States shall undertake to accept and recognise the
prerogatives thus granted in so far as they are in
conformity with international commitments.
4. Each Member State shall define the right for a
national member to act in relation to foreign judicial auth­
orities, in accordance with its international commitments.
4.6.2009 EN Official Journal of the European Union
Article 9b
Ordinary powers
1. National members, in their capacity as competent
national authorities, shall be entitled to receive, transmit,
facilitate, follow up and provide supplementary information
in relation to the execution of requests for, and decisions
on, judicial cooperation, including regarding instruments
giving effect to the principle of mutual recognition.
When powers referred to in this paragraph are exercised,
the competent national authority shall be informed
promptly.
2. In case of partial or inadequate execution of a request
for judicial cooperation, national members, in their capacity
as competent national authorities, shall be entitled to ask
the competent national authority of their Member State for
supplementary measures in order for the request to be fully
executed.
Article 9c
Powers exercised in agreement with a competent
national authority
1. National members may, in their capacity as
competent national authorities, in agreement with a
competent national authority, or at its request and on a
case-by-case basis, exercise the following powers:
(a) issuing and completing requests for, and decisions on,
judicial cooperation, including regarding instruments
giving effect to the principle of mutual recognition;
(b) executing in their Member State requests for, and
decisions on, judicial cooperation, including regarding
instruments giving effect to the principle of mutual
recognition;
(c) ordering in their Member State investigative measures
considered necessary at a coordination meeting
organised by Eurojust to provide assistance to
competent national authorities concerned by a
concrete investigation and to which competent
national authorities concerned with the investigation
are invited to participate;
(d) authorising and coordinating controlled deliveries in
their Member State.
2. Powers referred to in this Article shall, in principle, be
exercised by a competent national authority.
L 138/19
Article 9d
Powers exercised in urgent cases
In their capacity as competent national authorities, national
members shall, in urgent cases and in so far as it is not
possible for them to identify or to contact the competent
national authority in a timely manner, be entitled:
(a) to authorise and to coordinate controlled deliveries in
their Member State;
(b) to execute, in relation to their Member State a request
for, or a decision on, judicial cooperation, including
regarding instruments giving effect to the principle of
mutual recognition.
As soon as the competent national authority is identified or
contacted, it shall be informed of the exercise of powers
referred to in this Article.
Article 9e
Requests from national members where powers
cannot be exercised
1. The national member, in his capacity as a competent
national authority, shall be at least competent to submit a
proposal to the authority competent for the carrying out of
powers referred to in Articles 9c and 9d when granting
such powers to the national member is contrary to:
(a) constitutional rules;
or
(b) fundamental aspects of the criminal justice system:
(i) regarding the division of powers between the
police, prosecutors and judges;
(ii) regarding the functional division of tasks between
prosecution authorities;
or
(iii) related to the federal structure of the Member State
concerned.
2. Member States shall ensure that, in cases referred to
in paragraph 1, the request issued by the national member
be handled without undue delay by the competent national
authority.
L 138/20 EN Official Journal of the European Union
Article 9f
Participation of national members in joint investigation
teams
National members shall be entitled to participate in joint
investigation teams, including in their setting up, in
accordance with Article 13 of the Convention on Mutual
Assistance in Criminal Matters between the Member States
of the European Union or Council Framework Decision
2002/465/JHA of 13 June 2002 on joint investigation
teams (*), concerning their own Member State. However,
Member States may make the participation of the
national member subject to the agreement of the
competent national authority. National members, their
deputies or their assistants, shall be invited to participate
in any joint investigation team involving their Member
State and for which Community funding is provided
under the applicable financial instruments. Each Member
State shall define whether the national member participates
in the joint investigation team as a national competent
authority or on behalf of Eurojust.
___________
(*) OJ L 162, 20.6.2002, p. 1.’;
9. Article 10 shall be amended as follows:
(a) in paragraph 2, the first sentence shall be replaced by
the following:
‘2. The Council shall, acting by qualified majority,
approve Eurojust’s Rules of Procedure on a proposal
from the College. The College shall adopt its proposal
by a two-thirds majority after consulting the Joint
Supervisory Board provided for in Article 23 as
regards the provisions on the processing of personal
data.’;
(b) in paragraph 3, the words ‘in accordance with
Article 7(a)’ shall be replaced by ‘in accordance with
Article 7(1)(a), (2) and (3)’;
10. Article 12 shall be replaced by the following:
‘Article 12
Eurojust national coordination system
1. Each Member State shall designate one or more
national correspondents for Eurojust.
2. Each Member State shall, before 4 June 2011, set up
a Eurojust national coordination system to ensure coordi­
nation of the work carried out by:
4.6.2009
(a) the national correspondents for Eurojust;
(b) the national correspondent for Eurojust for terrorism
matters;
(c) the national correspondent for the European Judicial
Network and up to three other contact points of the
European Judicial Network;
(d) national members or contact points of the Network for
Joint Investigation Teams and of the networks set up by
Council Decision 2002/494/JHA of 13 June 2002
setting up a European network of contact points in
respect of persons responsible for genocide, crimes
against humanity and war crimes (*), Council Decision
2007/845/JHA of 6 December 2007 concerning coop­
eration between Asset Recovery Offices of the Member
States in the field of tracing and identification of
proceeds from, or other property related to, crime (**)
and by Council Decision 2008/852/JHA of 24 October
2008 on a contact-point network against
corruption (***).
3. The persons referred to in paragraphs 1 and 2 shall
maintain their position and status under national law.
4. The national correspondents for Eurojust shall be
responsible for the functioning of the Eurojust national
coordination system. When several correspondents for
Eurojust are designated, one of them shall be responsible
for the functioning of the Eurojust national coordination
system.
5. The Eurojust national coordination system shall
facilitate, within the Member State, the carrying out of
the tasks of Eurojust, in particular by:
(a) ensuring that the Case Management System referred to
in Article 16 receives information related to the
Member State concerned in an efficient and reliable
manner;
(b) assisting in determining whether a case should be dealt
with with the assistance of Eurojust or of the European
Judicial Network;
(c) assisting the national member to identify relevant auth­
orities for the execution of requests for, and decisions
on, judicial cooperation, including regarding
instruments giving effect to the principle of mutual
recognition;
(d) maintaining close relations with the Europol National
Unit.
4.6.2009 EN Official Journal of the European Union
6. In order to meet the objectives referred to in
paragraph 5, persons referred to in paragraph 1 and
paragraph 2(a), (b) and (c) shall, and persons referred to
in paragraph 2(d) may, be connected to the Case
Management System in accordance with this Article and
Articles 16, 16a, 16b and 18 as well as with the Rules
of Procedure of Eurojust. The connection to the Case
Management System shall be at the charge of the general
budget of the European Union.
7. Nothing in this Article shall be construed to affect
direct contacts between competent judicial authorities as
provided for in instruments on judicial cooperation, such
as Article 6 of the Convention on Mutual Assistance in
Criminal Matters between the Member States of the
European Union. Relations between the national member
and national correspondents shall not preclude direct
contacts between the national member and his competent
authorities.
___________
(*) OJ L 167, 26.6.2002, p. 1.
(**) OJ L 332, 18.12.2007, p. 103.
(***) OJ L 301, 12.11.2008, p. 38.’;
11. Article 13 shall be replaced by the following:
‘Article 13
Exchanges of information with the Member States and
between national members
1. The competent authorities of the Member States shall
exchange with Eurojust any information necessary for the
performance of its tasks in accordance with Articles 4 and
5 as well as with the rules on data protection set out in this
Decision. This shall at least include the information referred
to in paragraphs 5, 6 and 7.
2. The transmission of information to Eurojust shall be
interpreted as a request for the assistance of Eurojust in the
case concerned only if so specified by a competent
authority.
3. The national members of Eurojust shall be
empowered to exchange any information necessary for
the performance of the tasks of Eurojust, without prior
authorisation, among themselves or with their Member
State’s competent authorities. In particular national
members shall be promptly informed of a case which
concerns them.
4. This Article shall be without prejudice to other obli­
gations regarding the transmission of information to
Eurojust, including Council Decision 2005/671/JHA of
L 138/21
20 September 2005 on the exchange of information and
cooperation concerning terrorist offences (*).
5. Member States shall ensure that national members are
informed of the setting up of a joint investigation team,
whether it is set up under Article 13 of the Convention on
Mutual Assistance in Criminal Matters between the Member
States of the European Union or under Framework
Decision 2002/465/JHA, and of the results of the work
of such teams.
6. Member States shall ensure that their national
member is informed without undue delay of any case in
which at least three Member States are directly involved
and for which requests for or decisions on judicial cooper­
ation, including regarding instruments giving effect to the
principle of mutual recognition, have been transmitted to at
least two Member States and
(a) the offence involved is punishable in the requesting or
issuing Member State by a custodial sentence or a
detention order for a maximum period of at least five
or six years, to be decided by the Member State
concerned, and is included in the following list:
(i) trafficking in human beings;
(ii) sexual exploitation of children and child porno­
graphy;
(iii) drug trafficking;
(iv) trafficking in firearms, their parts and components
and ammunition;
(v) corruption;
(vi) fraud affecting the financial interests of the
European Communities;
(vii) counterfeiting of the euro;
(viii) money laundering;
(ix) attacks against information systems;
or
(b) there are factual indications that a criminal organisation
is involved;
or
(c) there are indications that the case may have a serious
cross-border dimension or repercussions at European
Union level or that it might affect Member States
other than those directly involved.
L 138/22 EN Official Journal of the European Union
7. Member States shall ensure that their national
member is informed of:
(a) cases where conflicts of jurisdiction have arisen or are
likely to arise;
(b) controlled deliveries affecting at least three States, at
least two of which are Member States;
(c) repeated difficulties or refusals regarding the execution
of requests for, and decisions on, judicial cooperation,
including regarding instruments giving effect to the
principle of mutual recognition.
8. National authorities shall not be obliged in a
particular case to supply information if this would mean:
(a) harming essential national security interests; or
(b) jeopardising the safety of individuals.
9. This Article shall be without prejudice to conditions
set in bilateral or multilateral agreements or arrangements
between Member States and third countries including any
conditions set by third countries concerning the use of
information once supplied.
10. Information transmitted to Eurojust pursuant to
paragraphs 5, 6 and 7 shall at least include, where
available, the types of information contained in the list
provided for in the Annex.
11. Information referred to in this Article shall be trans­
mitted to Eurojust in a structured way.
12. By 4 June 2014 (*), the Commission shall establish,
on the basis of information transmitted by Eurojust, a
report on the implementation of this Article, accompanied
by any proposal it may deem appropriate, including with a
view to considering an amendment of paragraphs 5, 6 and
7 and the Annex.
___________
(*) OJ L 253, 29.9.2005, p. 22.’;
4.6.2009
12. the following Article shall be inserted:
‘Article 13a
Information provided by Eurojust to competent
national authorities
1. Eurojust shall provide competent national authorities
with information and feedback on the results of the
processing of information, including the existence of links
with cases already stored in the Case Management System.
2. Furthermore, where a competent national authority
requests Eurojust to provide it with information, Eurojust
shall transmit it in the timeframe requested by that
authority.’;
13. Article 14 shall be amended as follows:
(a) in paragraph 3, the words ‘in accordance with Articles
13 and 26’ shall be replaced by ‘in accordance with
Articles 13, 26 and 26a’;
(b) paragraph 4 shall be deleted;
14. Article 15(1) shall be amended as follows:
(a) in the introductory phrase the words ‘are the subject of
a criminal investigation or prosecution for one or more
of the types of crime and the offences defined in
Article 4’ shall be replaced by ‘are suspected of
having committed or having taken part in a criminal
offence in respect of which Eurojust is competent or
who have been convicted of such an offence’;
(b) the following points shall be added:
‘(l) telephone numbers, e-mail addresses and data
referred to in Article 2(2)(a) of Directive
2006/24/EC of the European Parliament and of
the Council of 15 March 2006 on the retention
of data generated or processed in connection with
the provision of publicly available electronic
communications services or of public communi­
cations networks (*);
(m) vehicle registration data;
(n) DNA profiles established from the non-coding part
of DNA, photographs and fingerprints.
___________
(*) OJ L 105, 13.4.2006, p. 54.’;
4.6.2009 EN Official Journal of the European Union
15. Article 16 shall be replaced by the following:
‘Article 16
Case Management System, index and temporary work
files
1. In accordance with this Decision, Eurojust shall
establish a Case Management System composed of
temporary work files and of an index which contain
personal and non-personal data.
2. The Case Management System shall be intended to:
(a) support the management and coordination of investi­
gations and prosecutions for which Eurojust is
providing assistance, in particular by the cross-refer­
encing of information;
(b) facilitate access to information on ongoing investi­
gations and prosecutions;
(c) facilitate the monitoring of lawfulness and compliance
with the provisions of this Decision concerning the
processing of personal data.
3. The Case Management System, in so far as this is in
conformity with rules on data protection contained in this
Decision, may be linked to the secure telecommunications
connection referred to in Article 9 of Council Decision
2008/976/JHA of 16 December 2008 on the European
Judicial Network (*).
4. The index shall contain references to temporary work
files processed within the framework of Eurojust and may
contain no personal data other than those referred to in
Article 15(1)(a) to (i), (k) and (m) and in Article 15(2).
5. In the performance of their duties in accordance with
this Decision, the national members of Eurojust may
process data on the individual cases on which they are
working in a temporary work file. They shall allow the
Data Protection Officer to have access to the work file.
The Data Protection Officer shall be informed by the
national member concerned of the opening of each new
temporary work file that contains personal data.
6. For the processing of case related personal data,
Eurojust may not establish any automated data file other
than the Case Management System.
___________
(*) OJ L 348, 24.12.2008, p. 130.’;
L 138/23
16. the following Articles shall be inserted:
‘Article 16a
Functioning of temporary work files and the index
1. A temporary work file shall be opened by the
national member concerned for every case with respect
to which information is transmitted to him in so far as
this transmission is in accordance with this Decision or
with instruments referred to in Article 13(4). The
national member shall be responsible for the management
of the temporary work files which he has opened.
2. The national member who has opened a temporary
work file shall decide, on a case-by-case basis, whether to
keep the temporary work file restricted or to give access to
it or to parts of it, where necessary to enable Eurojust to
carry out its tasks, to other national members or to
authorised Eurojust staff.
3. The national member who has opened a temporary
work file shall decide which information related to this
temporary work file shall be introduced in the index.
Article 16b
Access to the Case Management System at national
level
1. Persons referred to in Article 12(2) in so far as they
are connected to the Case Management System in
accordance with Article 12(6) may only have access to:
(a) the index, unless the national member who has decided
to introduce the data in the index expressly denied such
access;
(b) temporary work files opened or managed by the
national member of their Member State;
(c) temporary work files opened or managed by national
members of other Member States and to which the
national member of their Member States has received
access unless the national member who opened or
manages the temporary work file expressly denied
such access.
2. The national member shall, within the limitations
provided for in paragraph 1, decide on the extent of
access to the temporary work files which is granted in
his Member State to persons referred to in Article 12(2)
in so far as they are connected to the Case Management
System in accordance with Article 12(6).
L 138/24 EN Official Journal of the European Union
3. Each Member State shall decide, after consultation
with its national member, on the extent of access to the
index which is granted in that Member State to persons
referred to in Article 12(2) in so far as they are connected
to the Case Management System in accordance with
Article 12(6). Member States shall notify Eurojust and the
General Secretariat of the Council of their decision
regarding the implementation of this paragraph so that
the latter can inform the other Member States.
However, persons referred to in Article 12(2), in so far as
they are connected to the Case Management System in
accordance with Article 12(6), shall at least have access
to the index to the extent necessary to access the
temporary work files to which they have been granted
access in accordance with paragraph 2 of this Article.
4. By 4 June 2013, Eurojust shall report to the Council
and the Commission on the implementation of paragraph
3. Each Member State shall consider, on the basis of that
report, the opportunity to review the extent of access
provided in accordance with paragraph 3.’;
17. Article 17 shall be amended as follows:
(a) in paragraph 1, the words ‘take instructions from no-
one’ shall be replaced by ‘act independently’;
(b) in paragraphs 3 and 4, the words ‘the Officer’ shall be
replaced by ‘the Data Protection Officer’;
18. Article 18 shall be replaced by the following:
‘Article 18
Authorised access to personal data
Only national members, their deputies and their assistants
referred to in Article 2(2), persons referred to in
Article 12(2) in so far as they are connected to the Case
Management System in accordance with Article 12(6) and
authorised Eurojust staff may, for the purpose of achieving
Eurojust’s objectives and within the limits provided for in
Articles 16, 16a and 16b, have access to personal data
processed by Eurojust.’;
19. in Article 19(4)(b), the words ‘which Eurojust is assisting’
shall be deleted;
20. Article 21 shall be amended as follows:
(a) paragraph 2 shall be amended as follows:
(i) in the introductory phrase the words ‘the first
applicable date among the following dates’ shall
be inserted after the word ‘beyond’;
(ii) the following point shall be inserted:
4.6.2009
‘(aa) the date on which the person was acquitted
and the decision became final;’
(iii) point (b) shall be replaced by the following:
‘(b) three years after the date on which the judicial
decision of the last of the Member States
concerned by the investigation or prosecutions
became final;’
(iv) in point (c), the words ‘, unless there is an obli­
gation to provide Eurojust with this information in
accordance with Article 13(6) and (7) or with
instruments referred to in Article 13(4)’ shall be
added after the word ‘prosecutions’;
(v) the following point shall be added:
‘(d) three years after the date on which data were
transmitted in accordance with Article 13(6)
and (7) or with the instruments referred to
in Article 13(4).’
(b) paragraph 3 shall be amended as follows:
(i) in points (a) and (b) the words ‘in paragraph 2’ shall
be replaced by ‘in paragraph 2(a), (b), (c) and (d)’;
(ii) in point (b) the following sentence shall be added:
‘However, once prosecution is statute barred in all
Member States concerned as referred to in
paragraph 2(a), data may only be stored if they
are necessary in order for Eurojust to provide
assistance in accordance with this Decision.’;
21. Article 23 shall be amended as follows:
(a) paragraph 1 shall be amended as follows:
(i) in the first subparagraph, the words ‘in Articles 14
to 22’ shall be replaced by ‘in Articles 14 to 22,
26, 26a and 27’;
(ii) the second subparagraph shall be replaced by the
following:
‘The Joint Supervisory Body shall meet at least once
in each half year. It shall also meet within the three
months following the lodging of an appeal referred
to in Article 19(8) or within three months
following the date when a case was referred to it
in accordance with Article 20(2). The Joint Super­
visory Body may also be convened by its chairman
when at least two Member States so request.’;
4.6.2009 EN Official Journal of the European Union
(iii) in the third subparagraph, second sentence, the
words ‘eighteen months’ shall be replaced by
‘three years’;
23. the following Article shall be inserted:
(b) paragraph 3 shall be replaced by the following:
‘3. A judge appointed by a Member State shall
become a permanent member after being elected by
the plenary meeting of the persons appointed by the
Member States in accordance with paragraph 1, and
shall remain a permanent member for three years.
Elections shall be held yearly for one permanent
member of the Joint Supervisory Body by means of
secret ballot. The Joint Supervisory Body shall be
chaired by the member who is in his third year of
mandate after elections. Permanent members may be
re-elected. Appointees wishing to be elected shall
present their candidacy in writing to the Secretariat of
the Joint Supervisory Body 10 days before the meeting
in which the election is to take place.’;
(c) the following paragraph shall be inserted:
‘4a. The Joint Supervisory Body shall adopt in its
rules of procedure measures necessary to implement
paragraphs 3 and 4.’;
(d) in paragraph 10, the following sentence shall be added:
‘The Secretariat of the Joint Supervisory Body may rely
upon the expertise of the secretariat established by
Decision 2000/641/JHA (*).
___________
(*) Council Decision 2000/641/JHA of 17 October
2000 establishing a secretariat for the joint super­
visory data-protection bodies set up by the
Convention on the Establishment of a European
Police Office (Europol Convention), the Convention
on the Use of Information Technology for Customs
Purposes and the Convention implementing the
Schengen Agreement on the gradual abolition of
checks at the common borders (Schengen
Convention) (OJ L 271, 24.10.2000, p. 1).’;
22. Article 25 shall be amended as follows:
(a) paragraph 1 shall be replaced by the following:
‘1. The national members, their deputies and their
assistants referred to in Article 2(2), Eurojust staff,
national correspondents and the Data Protection
Officer shall be bound by an obligation of confiden­
tiality, without prejudice to Article 2(4).’;
L 138/25
(b) in paragraph 4, the words ‘Article 9(1)’ shall be
replaced by ‘Article 2(4)’.
‘Article 25a
Cooperation with the European Judicial Network and
other networks of the European Union involved in
cooperation in criminal matters
1. Eurojust and the European Judicial Network shall
maintain privileged relations with each other, based on
consultation and complementarity, especially between the
national member, the European Judicial Network contact
points of the same Member State and the national corre­
spondents for Eurojust and the European Judicial Network.
In order to ensure efficient cooperation, the following
measures shall be taken:
(a) national members shall, on a case-by-case basis, inform
the European Judicial Network contact points of all
cases which they consider the Network to be in a
better position to deal with;
(b) the Secretariat of the European Judicial Network shall
form part of the staff of Eurojust. It shall function as a
separate unit. It may draw on the administrative
resources of Eurojust which are necessary for the
performance of the European Judicial Network’s tasks,
including for covering the costs of the plenary meetings
of the Network. Where plenary meetings are held at the
premises of the Council in Brussels, the costs may only
cover travel expenses and costs for interpretation.
Where plenary meetings are held in the Member State
holding the Presidency of the Council, the costs may
only cover part of the overall costs of the meeting;
(c) European Judicial Network contact points may be
invited on a case-by-case basis to attend Eurojust
meetings.
2. Without prejudice to Article 4(1), the Secretariat of
the Network for Joint Investigation Teams and of the
network set up by Decision 2002/494/JHA shall form
part of the staff of Eurojust. These secretariats shall
function as separate units. They may draw on the admin­
istrative resources of Eurojust which are necessary for the
performance of their tasks. Coordination between the secre­
tariats shall be ensured by Eurojust.
This paragraph shall apply to the secretariat of any new
network set up by a decision of the Council where that
decision provides that the secretariat shall be provided by
Eurojust.
L 138/26 EN Official Journal of the European Union
3. The network set up by Decision 2008/852/JHA may
request that Eurojust provide a secretariat to the network. If
such request is made, paragraph 2 shall apply.’;
24. Article 26 shall be replaced by the following:
‘Article 26
Relations with Community or Union related
institutions, bodies and agencies
1. In so far as is relevant for the performance of its
tasks, Eurojust may establish and maintain cooperative
relations with the institutions, bodies and agencies set up
by, or on the basis of, the Treaties establishing the
European Communities or the Treaty on European Union.
Eurojust shall establish and maintain cooperative relations
with at least:
(a) Europol;
(b) OLAF;
(c) the European Agency for the Management of Opera­
tional Cooperation at the External Borders of the
Member States of the European Union (Frontex);
(d) the Council, in particular its Joint Situation Centre.
Eurojust shall also establish and maintain cooperative
relations with the European Judicial Training Network.
2. Eurojust may conclude agreements or working
arrangements with the entities referred to in paragraph 1.
Such agreements or working arrangements may, in
particular, concern the exchange of information, including
personal data, and the secondment of liaison officers to
Eurojust. Such agreements or working arrangements may
only be concluded after consultation by Eurojust with the
Joint Supervisory Body concerning the provisions on data
protection and after the approval by the Council, acting by
qualified majority. Eurojust shall inform the Council of any
plans it has for entering into any such negotiations and the
Council may draw any conclusions it deems appropriate.
3. Prior to the entry into force of an agreement or
arrangement as referred to in paragraph 2, Eurojust may
directly receive and use information, including personal
data, from the entities referred to in paragraph 1, in so
far as this is necessary for the legitimate performance of
its tasks, and it may directly transmit information,
4.6.2009
including personal data, to such entities, in so far as this
is necessary for the legitimate performance of the recipient’s
tasks and in accordance with the rules on data protection
provided in this Decision.
4. OLAF may contribute to Eurojust’s work to coor­
dinate investigations and prosecution procedures
regarding the protection of the financial interests of the
European Communities, either on the initiative of
Eurojust or at the request of OLAF where the competent
national authorities concerned do not oppose such partici­
pation.
5. For purposes of the receipt and transmission of infor­
mation between Eurojust and OLAF, and without prejudice
to Article 9, Member States shall ensure that the national
members of Eurojust shall be regarded as competent auth­
orities of the Member States solely for the purposes of
Regulation (EC) No 1073/1999 and Council Regulation
(Euratom) No 1074/1999 of 25 May 1999 concerning
investigations conducted by the European Anti-Fraud
Office (OLAF) (*). The exchange of information between
OLAF and national members shall be without prejudice
to the information which must be given to other
competent authorities under those Regulations.
___________
(*) OJ L 136, 31.5.1999, p. 8.’;
25. the following Article shall be inserted:
‘Article 26a
Relations with third States and organisations
1. In so far as is required for the performance of its
tasks, Eurojust may establish and maintain cooperative
relations with the following entities:
(a) third States;
(b) organisations such as:
(i) international organisations and their subordinate
bodies governed by public law;
(ii) other bodies governed by public law which are
based on an agreement between two or more
States; and
(iii) the International Criminal Police Organisation
(Interpol).
4.6.2009 EN Official Journal of the European Union
2. Eurojust may conclude agreements with the entities
referred to in paragraph 1. Such agreements may, in
particular, concern the exchange of information, including
personal data, and the secondment of liaison officers or
liaison magistrates to Eurojust. Such agreements may only
be concluded after consultation by Eurojust with the Joint
Supervisory Body concerning the provisions on data
protection and after the approval by the Council, acting
by qualified majority. Eurojust shall inform the Council of
any plans it has for entering into any such negotiations and
the Council may draw any conclusions it deems appro­
priate.
3. Agreements referred to in paragraph 2 containing
provisions on the exchange of personal data may only be
concluded if the entity concerned is subject to the Council
of Europe Convention of 28 January 1981 or after an
assessment confirming the existence of an adequate level
of data protection ensured by that entity.
4. Agreements referred to in paragraph 2 shall include
provisions on the monitoring of their implementation,
including implementation of the rules on data protection.
5. Prior to the entry into force of the agreements
referred to in paragraph 2, Eurojust may directly receive
information, including personal data in so far as this is
necessary for the legitimate performance of its tasks.
6. Prior to the entry into force of the agreements
referred to in paragraph 2, Eurojust may under the
conditions laid down in Article 27(1), directly transmit
information, except for personal data, to these entities, in
so far as this is necessary for the legitimate performance of
the recipient’s tasks.
7. Eurojust may, under the conditions laid down in
Article 27(1), transmit personal data to the entities
referred to in paragraph 1, where:
(a) this is necessary in individual cases for the purposes of
preventing or combating criminal offences for which
Eurojust is competent; and
(b) Eurojust has concluded an agreement as referred to in
paragraph 2 with the entity concerned which has
entered into force and which permits the transmission
of such data.
8. Any subsequent failure, or substantial likelihood of
failure, on the part of the entities referred to in
paragraph 1 to meet the conditions referred to in
paragraph 3, shall immediately be communicated by
Eurojust to the Joint Supervisory Body and the Member
States concerned. The Joint Supervisory Body may
prevent the further exchange of personal data with the
relevant entities until it is satisfied that adequate remedies
have been provided.
L 138/27
9. However, even if the conditions referred to in
paragraph 7 are not fulfilled, a national member may,
acting in his capacity as a competent national authority
and in conformity with the provisions of his own
national law, by way of exception and with the sole aim
of taking urgent measures to counter imminent serious
danger threatening a person or public security, carry out
an exchange of information involving personal data. The
national member shall be responsible for the legality of
authorising the communication. The national member
shall keep a record of communications of data and of
the grounds for such communications. The communication
of data shall be authorised only if the recipient gives an
undertaking that the data will be used only for the purpose
for which they were communicated.’
26. Article 27 shall be replaced by the following:
‘Article 27
Transmission of data
1. Before Eurojust exchanges any information with the
entities referred to in Article 26a, the national member of
the Member State which submitted the information shall
give his consent to the transfer of that information. In
appropriate cases the national member shall consult the
competent authorities of the Member States.
2. Eurojust shall be responsible for the legality of the
transmission of data. Eurojust shall keep a record of all
transmissions of data under Articles 26 and 26a and of
the grounds for such transmissions. Data shall only be
transmitted if the recipient gives an undertaking that the
data will be used only for the purpose for which they were
transmitted.’;
27. the following Articles shall be inserted:
‘Article 27a
Liaison magistrates posted to third States
1. For the purpose of facilitating judicial cooperation
with third States in cases in which Eurojust is providing
assistance in accordance with this Decision, the College
may post liaison magistrates to a third State, subject to
an agreement as referred to in Article 26a with that third
State. Before negotiations are entered into with a third
State, the Council, acting by qualified majority, shall give
its approval. Eurojust shall inform the Council of any plans
it has for entering into any such negotiations and the
Council may draw any conclusions it deems appropriate.
2. The liaison magistrate referred to in paragraph 1 is
required to have experience of working with Eurojust and
adequate knowledge of judicial cooperation and how
Eurojust operates. The posting of a liaison magistrate on
behalf of Eurojust shall be subject to the prior consent of
the magistrate and of his Member State.
L 138/28 EN Official Journal of the European Union
3. Where the liaison magistrate posted by Eurojust is
selected among national members, deputies or assistants:
(i) he shall be replaced in his function as a national
member, deputy or assistant, by the Member State;
(ii) he ceases to be entitled to exercise the powers granted
to him in accordance with Articles 9a to 9e.
4. Without prejudice to Article 110 of the Staff Regu­
lations of Officials of the European Communities laid down
by Regulation (EEC, Euratom, ECSC) No 259/68 (*), the
College shall draw up rules on the posting of liaison magis­
trates and adopt the necessary implementing arrangements
in this respect in consultation with the Commission.
5. The activities of liaison magistrates posted by Eurojust
shall be the subject of supervision by the Joint Supervisory
Body. The liaison magistrates shall report to the College,
which shall inform the European Parliament and the
Council in the annual report and in an appropriate
manner of their activities. The liaison magistrates shall
inform national members and national competent auth­
orities of all cases concerning their Member State.
6. Competent authorities of the Member States and
liaison magistrates referred to in paragraph 1 may
contact each other directly. In such cases, the liaison
magistrate shall inform the national member concerned
of such contacts.
7. The liaison magistrates referred to in paragraph 1
shall be connected to the Case Management System.
Article 27b
Requests for judicial cooperation to and from third
States
1. Eurojust may, with the agreement of the Member
States concerned, coordinate the execution of requests for
judicial cooperation issued by a third State where these
requests are part of the same investigation and require
execution in at least two Member States. Requests
referred to in this paragraph may also be transmitted to
Eurojust by a competent national authority.
2. In case of urgency and in accordance with Article 5a,
the OCC may receive and process requests referred to in
paragraph 1 of this Article and issued by a third State
which has concluded a cooperation agreement with
Eurojust.
3. Without prejudice to Article 3(2), where requests for
judicial cooperation, which relate to the same investigation
4.6.2009
and require execution in a third State, are made, Eurojust
may also, with the agreement of the Member States
concerned, facilitate judicial cooperation with that third
State.
4. Requests referred to in paragraphs 1, 2 and 3 may be
transmitted through Eurojust if it is in conformity with the
instruments applicable to the relationship between that
third State and the European Union or the Member
States concerned.
Article 27c
Liability other than liability for unauthorised or
incorrect processing of data
1. Eurojust’s contractual liability shall be governed by
the law applicable to the contract in question.
2. In the case of non-contractual liability, Eurojust shall,
independently of any liability under Article 24, make good
any damage caused through the fault of the College or the
staff of Eurojust in the performance of their duties in so far
as it may be imputed to them and regardless of the
different procedures for claiming damages which exist
under the law of the Member States.
3. Paragraph 2 shall also apply to damage caused
through the fault of a national member, a deputy or an
assistant in the performance of his duties. However, when
he is acting on the basis of the powers granted to him
pursuant to Articles 9a to 9e, his Member State of origin
shall reimburse Eurojust the sums which Eurojust has paid
to make good such damage.
4. The injured party shall have the right to demand that
Eurojust refrain from taking, or cease, any action.
5. The national courts of the Member States competent
to deal with disputes involving Eurojust’s liability as
referred to in this Article shall be determined by
reference to Council Regulation (EC) No 44/2001 of
22 December 2000 on jurisdiction and the recognition
and enforcement of judgments in civil and commercial
matters (**).
___________
(*) OJ L 56, 4.3.1968, p. 1.
(**) OJ L 12, 16.1.2001, p. 1.’;
28. in the second sentence of Article 28(2), the words ‘acting
by qualified majority,’ shall be inserted after ‘the Council’;
4.6.2009 EN Official Journal of the European Union
29. Article 29 shall be amended as follows:
(a) in paragraph 1:
(i) the words ‘unanimously’ shall be replaced by ‘by
two-thirds majority’;
(ii) the following sentence shall be added:
‘The Commission shall be entitled to participate in
the selection process and to sit on the selection
board.’;
(b) in paragraph 2, the second sentence shall be replaced
by the following:
‘It may be extended once without a need for a call for
applications, provided that the College so decides by a
three-fourths majority and appoints the Administrative
Director with the same majority.’;
(c) in paragraph 5, the following sentence shall be added:
‘To that end, he shall be responsible for establishing
and implementing, in cooperation with the College,
an effective monitoring and evaluation procedure
relating to the performance of Eurojust’s administration
in terms of achieving its objectives. The Administrative
Director shall report regularly to the College on the
results of that monitoring.’;
30. Article 30 shall be amended as follows:
(a) in paragraph 2:
(i) in the fourth sentence, the words ‘who may also
assist the national member’ shall be added;
(ii) the last sentence shall be replaced by the following:
‘The College shall adopt the necessary implementing
arrangements for seconded national experts.’;
(b) in paragraph 3, the words ‘without prejudice to
Article 25a(1)(c) and (2)’ shall be added;
31. Article 32 shall be amended as follows:
(a) the title shall be replaced by the following:
L 138/29
‘Informing the European Parliament, the Council and
the Commission’;
(b) the following paragraph shall be added:
‘3. The Commission or the Council may seek
Eurojust’s opinion on all draft instruments prepared
under Title VI of the Treaty.’;
32. Article 33 shall be replaced by the following:
‘Article 33
Finance
1. The salaries and emoluments of the national
members, deputies and assistants referred to in
Article 2(2) shall be borne by their Member State of origin.
2. Where national members, deputies and assistants act
within the framework of Eurojust’s tasks, the relevant
expenditure related to these activities shall be regarded as
operational expenditure within the meaning of
Article 41(3) of the Treaty.’;
33. Article 35(1) shall be amended as follows:
(a) the words ‘31 March’ shall be replaced by ‘10 February’;
(b) the following sentence shall be added:
‘The European Judicial Network and networks referred
to in Article 25a(2) shall be informed on the parts
related to the activities of their secretariats in due
time before the forwarding of the estimate to the
Commission.’;
34. Article 36 shall be amended as follows:
(a) in paragraph 2, the first sentence shall be replaced by
the following:
‘2. By 1 March at the latest following each financial
year, the accounting officer of Eurojust shall commu­
nicate the provisional accounts to the Commission’s
accounting officer and the Court of Auditors together
with a report on the budgetary and financial
management for that financial year.’;
L 138/30 EN Official Journal of the European Union
(b) paragraph 3 shall be replaced by the following:
‘3. Eurojust shall send the report on the budgetary
and financial management for the financial year to the
European Parliament and the Council by 31 March of
the following year.’;
(c) in paragraph 10, the words ‘30 April’ shall be replaced
by ‘15 May’;
35. the following Article shall be inserted:
‘Article 39a
EU classified information
Eurojust shall apply the security principles and minimum
standards set out in Council Decision 2001/264/EC of
19 March 2001 adopting the Council’s security regu­
lations (*) in the management of EU classified information.
___________
(*) OJ L 101, 11.4.2001, p. 1.’;
36. Article 41 shall be replaced by the following:
‘Article 41
Reporting
1. Member States shall notify Eurojust and the General
Secretariat of the Council of the designation of national
members, deputies, assistants as well as persons referred
to in Article 12(1) and (2) and of any change to this
designation. The General Secretariat of the Council shall
keep an updated list of these persons and shall make
their names and contact details available to all Member
States and to the Commission.
2. The definitive appointment of a national member can
not take effect before the day on which the General Secre­
tariat of the Council receives the official notifications
referred to in paragraph 1 and Article 9a(3).’;
37. the following Article shall be inserted:
‘Article 41a
Evaluation
1. Before 4 June 2014 and every five years thereafter,
the College shall commission an independent external
4.6.2009
evaluation of the implementation of this Decision as well
as of the activities carried out by Eurojust.
2. Each evaluation shall assess the impact of this
Decision, Eurojust’s performance in terms of achieving
the objectives referred to in this Decision as well as the
effectiveness and efficiency of Eurojust. The College shall
issue specific terms of reference in consultation with the
Commission.
3. The evaluation report shall include the evaluation
findings and recommendations. This report shall be
forwarded to the European Parliament, the Council and
the Commission and shall be made public.’;
38. the Annex whose text appears in the Annex to this
Decision shall be added.
Article 2
Transposition
1. If necessary the Member States shall bring their national
law into conformity with this Decision at the earliest oppor­
tunity and in any case no later than 4 June 2011.
2. The Commission shall at regular intervals examine the
implementation by the Member States of Decision
2002/187/JHA as amended and shall submit a report thereon
to the European Parliament and to the Council together with, if
appropriate, necessary proposals to improve judicial cooper­
ation and the functioning of Eurojust. This shall in particular
apply to Eurojust’s capacities to support Member States in
fighting terrorism.
Article 3
Taking of effect
This Decision shall take effect on the day of its publication in
the Official Journal of the European Union.
Done at Brussels, 16 December 2008.
For the Council
The President
R. BACHELOT-NARQUIN
4.6.2009 EN Official Journal of the European Union L 138/31

ANNEX

‘ANNEX

List referred to in Article 13(10) setting out the minimum types of information to be transmitted, where
available, to Eurojust pursuant to Article 13(5), (6) and (7)

1. For situations referred to in Article 13(5):

(a) participating Member States;

(b) type of offences concerned;

(c) date of the agreement setting up the team;

(d) planned duration of the team, including modification of this duration;

(e) details of the leader of the team for each participating Member State;

(f) short summary of the results of the joint investigation teams.

2. For situations referred to in Article 13(6):

(a) data which identify the person, group or entity that is the object of a criminal investigation or prosecution;

(b) Member States concerned;

(c) the offence concerned and its circumstances;

(d) data related to the requests for, or decisions on, judicial cooperation including regarding instruments giving effect
to the principle of mutual recognition, which are issued, including:

(i) date of the request;

(ii) requesting or issuing authority;

(iii) requested or executing authority;

(iv) type of request (measures requested);

(v) whether or not the request has been executed, and if not on what grounds.

3. For situations referred to in Article 13(7)(a):

(a) Member States and competent authorities concerned;

(b) data which identify the person, group or entity that is the object of a criminal investigation or prosecution;

(c) the offence concerned and its circumstances.

4. For situations referred to in Article 13(7)(b):

(a) Member States and competent authorities concerned;

(b) data which identify the person, group or entity that is the object of a criminal investigation or prosecution;
L 138/32 EN Official Journal of the European Union 4.6.2009

(c) type of delivery;

(d) type of offence in connection with which the controlled delivery is carried out.

5. For situations referred to in Article 13(7)(c):

(a) requesting or issuing State;

(b) requested or executing State;

(c) description of the difficulties.’

 computer law & security review 32 (2016) 345–362

Available online at www.sciencedirect.com

ScienceDirect

w w w. c o m p s e c o n l i n e . c o m / p u b l i c a t i o n s / p r o d c l a w. h t m

Comment

“Invalidator” strikes back: The harbour has

never been safe

Xavier Tracol *
Senior Legal Officer, Data Protection Service, EUROJUST, The Hague, The Netherlands

A B S T R A C T

Keywords:
European Court of Justice
Maximillian Schrems v Data Protection
Commissioner
Facebook
Directive 95/46/EC of 24 October
1995
Commission decision 2000/520/EC
of 26 July 2000
“Safe harbour”
National data protection authorities
Adequate level of protection
Requirements and derogations
Content of communications
Legal validity
Articles 7, 8, 11 and 47 of the
Charter of Fundamental Rights
“Umbrella agreement”
The Grand Chamber ruled that Commission decision 2000/520 on “safe harbour” was invalid
since Article 1 thereof failed to comply with the requirements laid down in Article 25(6) of
Directive 95/46 read in the light of the Charter; the Commission had exceeded the power
which was conferred upon it in the same provision in adopting Article 3 of the decision;
and Articles 1 and 3 and the decision of the Commission in its entirety were accordingly
invalid. The Grand Chamber made critical observations about the safe harbour framework.
The legal effects of this ruling should be clarified. In addition, the findings of the Grand
Chamber on the powers of national data protection authorities and on transfers of per-
sonal data to the US have far-reaching legal implications for organisations in both the US
and the EU.1
© 2016 Xavier Tracol. Published by Elsevier Ltd. All rights reserved.

“One might say that the old world was ending, and the new
beginning.” 1. Introduction

François-René, viscount of Chateaubriand, Mémoires d’Outre- In the ground-breaking judgment in the Maximillian Schrems v
Tombe, Book XLII: Chapter 18, 1848 Data Protection Commissioner case which led to diverse

The views expressed herein are those of the author in his personal capacity and do in no way reflect those of EUROJUST or the EU in
general.
* P.O. Box 16183, 2500 BD The Hague, The Netherlands.
E-mail address: xtracol@eurojust.europa.eu.
1
In the specific context of this commentary, the term “EU” also covers Member States of the European Economic Area (hereinafter the
“EEA”), which include the 28 Member States of the EU as well as Iceland, Liechtenstein and Norway.
http://dx.doi.org/10.1016/j.clsr.2016.01.011
0267-3649/© 2016 Xavier Tracol. Published by Elsevier Ltd. All rights reserved.
346 computer law & security review 32 (2016) 345–362
comments,2 the Grand Chamber invalidated the decision of the
Commission in which it declared that the implementation of
the “safe harbour” framework ensured an adequate level of pro-
tection in the US. The Grand Chamber found that the decision
of the Commission infringed upon the directive read in the light
of the Charter of Fundamental Rights and that the Commis-
sion infringed upon the authority granted to it by the EU
legislature.
The Court sat in the Grand Chamber of fifteen judges, which
includes both the President and the Vice-President of the Court
as well as three Presidents of Chambers of five Judges, pursu-
ant to Article 16(2) and (3) of the Statute of the Court and Article
27 of the Rules of Procedure of the Court. The fact that the Grand
Chamber is composed of senior Judges of the Court shows the
importance of the case.
Judge Rapporteur Thomas von Danwitz was also Judge Rap-
porteur in the case of Digital Rights Ireland.
2. Procedural background of the case
The background of the case originates from a complaint lodged
on 25 June 2013 by Maximillian (Max) Schrems as an EU Face-
book user since 2008 with the Irish Data Protection
Commissioner which is the Irish Data Protection Authority
(hereinafter “DPA”). Max Schrems complained that some or all
of the data that he provided to Facebook were transferred by
Facebook’s Irish subsidiary to servers located in the US where
it was processed and kept. In light of the disclosures made by
Edward Snowden in 2013 about the activities of the US intel-
ligence services in general, and the National Security Agency
(hereinafter the “NSA”) in particular, he submitted that the law
and practices of the US did not offer sufficient protection of
the personal data transferred to this country and kept there
against surveillance by public authorities. Max Schrems has
however not formally challenged the legal validity of the Com-
mission decision.
By a letter of 25 July 2013, the then Commissioner, Billy
Hawkes, refused to investigate the complaint and rejected it
on the ground that there was “no evidence of a contravention
in this case” and “no evidence – and you have not asserted –
that your personal data has been disclosed to the US authori-
ties.”The Commissioner considered that Max Schrems had not
shown that data that he had placed on Facebook Ireland had
been compromised when it was thereafter transferred and stored
in the US, and that he consequently suffered some particularised
harm. By a letter of 26 July 2013, the Commissioner added that
“the ‘Safe Harbour’ agreement stands as a formal decision of
the EU Commission [. . .] under Article 25(6) of the Data Pro-
tection Directive 95/46/EC that the agreement provides adequate
protection for personal data transferred from the EU to the USA.”
The agreement includes principles on the protection of per-
sonal data that US undertakings may voluntarily subscribe to.
2
Sarah Cadiot and Laura De Boel, “Safe Harbor invalid: What to
expect after the ruling ?”, Privacy Laws & Business – International Report,
Issue 137, October 2015, p. 1, 3 and 4; Sylvie Peyrou, “La Cour de
justice de l’Union européenne, à l’avant-garde de la défense des
droits numériques”, Journal de droit européen, 2015, p. 395 to 398.
Any question relating to the adequacy of the protection of that
data in the US had to be settled in accordance with that de-
cision which prevented him from examining the problem raised
by the complaint.The Commissioner considered himself legally
barred from investigating the complaint. This finding of legal
impediment triggered the whole court case.
Max Schrems challenged the decision of the Commis-
sioner before the High Court of Ireland. He submitted that the
decision was unlawful and that the disclosures made by Edward
Snowden demonstrated that there was no effective data pro-
tection regime in the US. Although Max Schrems has not directly
challenged the legal validity of the Commission decision, he
objected in reality to the terms of the safe harbour regime itself.
By judgment of 18 June 2014,3 Judge Gerard Hogan of the
High Court considered that the data protection rights of ordi-
nary citizens “have been seriously compromised by mass and
largely unsupervised surveillance programmes.”4 He found that
it was “irrelevant that Mr. Schrems cannot show that his own
personal data was accessed in this fashion by the NSA, since
what matters is the essential inviolability of the personal data
itself.”5 Judge Hogan also considered that “the essential ques-
tion [. . .was] whether, as a matter of European Union law, the
Commissioner [was. . .] absolutely bound by that finding of the
European Commission as manifested in the 2000 Decision in
relation to the adequacy of data protection in the law and prac-
tice of the United States having in particular to the subsequent
entry into force of Article 8 of the Charter, the provisions of Article
25(6) of the 1995 Directive notwithstanding.”6 The judge con-
sequently referred the case to the Court of Justice for a
preliminary ruling. He asked the Court of Justice whether the
decision of the Commission had the effect of preventing a na-
tional supervisory authority from investigating a complaint
which alleged that the third country did not ensure an ad-
equate level of protection and, where appropriate, from
suspending the contested transfer of personal data. Judge Hogan
specifically requested an interpretation but not a ruling on the
legal validity of the Commission decision.
On 24 March 2015, the Grand Chamber held an oral hearing
in which the Commission made submissions defending the
legal validity of its own decision.7 Parliament and the Euro-
pean Data Protection Supervisor (hereinafter the “EDPS”), that
the Grand Chamber invited for the second time in a prelimi-
nary procedure8 to appear in the case, also made submissions.9
3
Ireland, High Court, Maximillian Schrems v Data Protection Com-
missioner [2014] IEHC 310, available at http://www.courts.ie/
Judgments.nsf/0/481F4670D038F43380257CFB004BB125
4
Ireland, High Court, Maximillian Schrems v Data Protection Com-
missioner [2014] IEHC 310, para 8.
5
Ireland, High Court, Maximillian Schrems v Data Protection Com-
missioner [2014] IEHC 310, para 75. See also ibidem, para 42.
6
Ireland, High Court, Maximillian Schrems v Data Protection Com-
missioner [2014] IEHC 310, para 70.
7
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 224.
8
The first time was in the case of Digital Rights Ireland, see Xavier
Tracol, “Legislative genesis and judicial death of a directive: the Eu-
ropean Court of Justice invalidated the data retention directive (2006/
24/EC), thereby creating a sustained period of legal uncertainty about
the validity of national laws which enacted it”, Computer Law and
Security Review, Volume 30, Issue 6, December 2014, p. 737.
 computer law & security review 32 (2016) 345–362
Unlike Digital Rights Ireland, which participated in the pro-
ceedings as amicus curiæ, Facebook and the US government did
not request to intervene and to make direct submissions to
the Grand Chamber.
3. Relevant law
3.1. Directive 95/46/EC
The relevant provisions of the applicable directive clearly dis-
tinguish between transfers of personal data to third countries,
i.e. countries outside of the EU, which ensure an adequate level
of protection (Article 25) and to third countries, which have not
been found to ensure an adequate level of protection (Article
26). Personal data of EU data subjects can only be transferred
from the EU to countries with an adequate level of protec-
tion, pursuant to Article 25(1) of the directive. Pursuant to Article
25(6) of the directive, the Commission may find that a country
ensures an adequate level of protection by reason of its do-
mestic law or of the international commitments that it has
entered into for the protection of the private lives and basic
freedom and rights of individuals. Only 11 countries satisfy this
requirement, i.e. Andorra, Argentina, Canada, Faroe Islands,
Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzer-
land and Uruguay.10 Recital 57 of the directive specifies that
transfers of personal data to third countries where an ad-
equate level of protection has not been established in a decision
of the Commission pursuant to Article 25(6) of the directive
are prohibited. These third countries include the US.
3.2. Safe harbour
The EU and the US negotiated and established a framework –
the “safe harbour” – to transfer personal data from the EU to
organisations established in the US. On 26 July 2000, the Com-
mission adopted executive decision 2000/52011 based on Article
25(6) of the directive in which it declared that the implemen-
tation of the safe harbour framework ensured an adequate level
of protection. The unilateral decision of the Commission then
entered into force, thereby allowing transfers of personal data
from the EU to the US.
The US Department of Commerce issued seven privacy prin-
ciples set out in Annex I appended to the decision of the
Commission and the FAQs in Annex II thereto.12 Pursuant to
Article 1(3) of the Commission decision, organisations had to
9
EDPS Pleading before the Court of Justice. Case C-362/14, Schrems
v Data Protection Commissioner. Luxembourg, 24 March 2015, avail-
able on the Internet site of the EDPS at: https://secure.edps
.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/
Consultation/Court/2015/15-03-24_EDPS_Pleading_Schrems
_vs_Data_Commissioner_EN.pdf
10
See http://ec.europa.eu/justice/data-protection/international-
transfers/adequacy/index_en.htm
11
Available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri
=CELEX:32000D0520:EN:HTML
12
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 79.
347
self-certify with the US Department of Commerce their “ad-
herence to the Principles implemented in accordance with the
FAQs” and bore the legal obligation to renew the self-certification
annually.
Under Article 3(1) of the Commission decision, the na-
tional supervisory authorities may “[w]ithout prejudice to their
powers to take action to ensure compliance with national pro-
visions adopted pursuant to provisions other than Article 25”
of the directive “[. . .] suspend data flows to an organisation that
has self-certified its adherence” to the principles under re-
strictive conditions establishing a high threshold for
intervention.
The safe harbour was unusual to the extent that it pro-
vided for a voluntary system based on self-regulation, trust and
public disclosure by private organisations and on their will-
ingness to comply with its principles. The safe harbour
attempted at bridging cultural and legal differences between
the EU where the protection of personal data is a fundamen-
tal right and the US where it is mainly considered in terms of
consumer protection leaving room for trade-offs.
3.2.1. Scope of the privacy principles
The second paragraph of Annex I to the Commission deci-
sion provided that the safe harbour principles were “intended
for use solely by US organisations receiving personal data from
the European Union for the purpose of qualifying for the safe
harbour and the presumption of ‘adequacy’ it creates”. The prin-
ciples legally bound private organisations and not US public
authorities.
Annex I to the decision of the Commission however pro-
vided that adherence to the privacy principles may be limited
“to the extent necessary to meet national security, public in-
terest, or law enforcement requirements”. Regarding the limits
to which the safe harbour principles’ applicability is subject,
Part B of Annex IV to the decision of the Commission stated
that “[c]learly, where US law imposes a conflicting obligation,
US organisations whether in the safe harbour or not must
comply with the law”.
On 26 September 2013, 3246 private organisations, such as
Apple Inc., Microsoft Corp., Google Inc., Yahoo! Inc., Adobe,
Weight Watchers and pharmaceutical giant Merck, but also
many small organisations,13 were safe harbour self-certified.14
Pursuant to the decision of the Commission, some EU
organisations such as the Commission and the European
Central Bank transferred personal data collected for surveys
and pensions of former staff members to the US. 15 A
13
Center for Strategic & International Studies, “The Safe Harbor:
Data Protection or Protectionism?” 10 June 2014, available at
http://csis.org/event/safe-harbor-data-protection-or-protectionism
14
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 19. See Department of Commerce, U.S.–EU Safe
Harbor List, available at http://safeharbor.export.gov/list.aspx
15
See EDPS, Position paper on the transfer of personal data to third
countries and international organisations by EU institutions and
bodies, 14 July 2014, available at https://secure.edps.europa.eu/
EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/
Papers/14-07-14_transfer_third_countries_EN.pdf
348 computer law & security review 32 (2016) 345–362
considerable quantity of personal data transferred from the EU
to the US on the basis of the Commission decision dealt with
human resources documents concerning the organisations’ own
European employees,16 social media or pay-roll information.
3.2.2. Weak enforcement of the safe harbour
FAQ 11 described the powers of the US Federal Trade Com-
mission (hereinafter the “FTC”), which is a purely civil law
enforcement agency.17 Its powers were limited to commercial
disputes18 if organisations infringed upon the safe harbour or
falsely stated that they were certified.
On 17 August 2015, the FTC stated that it had “brought more
than two dozen cases alleging false claims regarding Safe
Harbor compliance.”19 Seven companies falsely claimed to hold
up-to-date certifications although they had not renewed
them.
Galexia, an Australian-based consulting company on Inter-
net law and privacy, however, conducted a research in which
it found 206 false claims of membership in 2008.20 On 7 October
2013, Christopher Connolly, a director at Galexia, informed the
Committee on Civil Liberties, Justice and Home Affairs of Par-
liament that this figure had increased to 427.21
3.2.3. Criticisms of Parliament
On 5 July 2000, Parliament expressed its reluctance in a reso-
lution on the Draft Commission Decision on the adequacy of
the protection provided by the Safe Harbour Privacy Prin-
ciples and related Frequently Asked Questions issued by the
US Department of Commerce.22 In its report filed on 8 January
2014, the Investigation Committee created by Parliament called
for the suspension by the Commission of the safe harbour
decision.23 On 12 March 2014, Parliament adopted a compre-
hensive and very critical resolution in which it called for the
16
Center for Strategic & International Studies, “The Safe Harbor:
Data Protection or Protectionism?” 10 June 2014, available at
http://csis.org/event/safe-harbor-data-protection-or-protectionism
17
Commissioner Julie Brill, “Transatlantic Privacy After Schrems:
Time for An Honest Conversation”, Keynote Address at the Am-
sterdam Privacy Conference, 23 October 2015, available at https://
www.ftc.gov/public-statements/2015/10/transatlantic-privacy-after-
schrems-time-honest-conversation, p. 8.
18
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 89.
19
Federal Trade Commission, “U.S.-EU Safe Harbor compliance:
Don’t run aground”, Lesley Fair, 17 August 2015.
20
The US Safe Harbor – Fact or Fiction? (2008) available at http://
www.galexia.com/public/research/assets/safe_harbor_fact_or
_fiction_2008/safe_harbor_fact_or_fiction.pdf, p. 4, 5, 8 and 17.
21
“Hundreds of US companies make false data protection claims”,
EU Observer, available at https://euobserver.com/justice/121695
22
C5-0280/2000 – 2000/2144(COS) available at http://
www.europarl.europa.eu/sides/getDoc.do?pubRef=-%2F%2FEP
%2F%2FTEXT%2BTA%2BP5-TA-2000-0306%2B0%2BDOC%2BXML
%2BV0%2F%2FEN&language=EN
23
Draft report on the US NSA surveillance programme, surveil-
lance bodies in various Member States and their impact on EU
citizens’ fundamental rights and on transatlantic cooperation in
Justice and Home Affairs, 2013/2188(INI), 8 January 2014.
suspension of the Commission decision and the promotion of
the wide use of encryption.24
3.2.4. Two highly critical Communications of the Commission
In 2013, the Commission issued two Communications, which
identified a number of shortcomings. The Commission stated
that “[t]he personal data of EU citizens sent to the US under
the Safe Harbour may be accessed and further processed by
US authorities in a way incompatible with the grounds on which
the data was originally collected in the EU and the purposes
for which it was transferred to the US”25 and that “[a] major-
ity of the US internet companies that appear to be more directly
concerned by [the surveillance] programmes are certified under
the Safe Harbour scheme”.26
The Commission noted a number of weaknesses in the ap-
plication of the decision. First, it stated that some certified US
companies did not comply with the principles referred to in
Article 1(1) of Decision 2000/520 (“the safe harbour prin-
ciples”) and that improvements had to be made to that decision
regarding “structural shortcomings related to transparency and
enforcement, the substantive Safe Harbour principles and the
operation of the national security exception.”27 Second, the Com-
mission observed that “Safe Harbour also acts as a conduit for
the transfer of the personal data of EU citizens from the EU
to the US by companies required to surrender data to US in-
telligence agencies under the US intelligence collection
programmes.”28 The Commission concluded that whilst, “[g]iven
the weaknesses identified, the current implementation of Safe
Harbour cannot be maintained, [. . .] its revocation would
[however] adversely affect the interests of member compa-
nies in the EU and in the US.”29 Last, the Commission added
that it would “engage with the US authorities to discuss the
shortcomings identified”.30
24
European Parliament resolution of 12 March 2014 on the US NSA
surveillance programme, surveillance bodies in various Member
States and their impact on EU citizens’ fundamental rights and on
transatlantic cooperation in Justice and Home Affairs (2013/
2188(INI)), available at http://www.europarl.europa.eu/sides/
getDoc.do?type=TA&language=EN&reference=P7-TA-2014-0230
25
Communication from the Commission to the European Parlia-
ment and the Council, “Restoring Trust in EU-US data flows”,
COM(2013) 846 final, 27 November 2013, available at http://eur-
lex.europa.eu/resource.html?uri=cellar:4d874331-784a-11e3-b889-
01aa75ed71a1.0001.01/DOC_1&format=PDF, section 2.
26
Communication from the Commission to the European Parlia-
ment and the Council, “Restoring Trust in EU-US data flows”,
COM(2013) 846 final, 27 November 2013, section 2.
27
Communication from the Commission to the European Parlia-
ment and the Council, “Restoring Trust in EU-US data flows”,
COM(2013) 846 final, 27 November 2013, section 3.2.
28
Communication from the Commission to the European Parlia-
ment and the Council, “Restoring Trust in EU-US data flows”,
COM(2013) 846 final, 27 November 2013, section 3.2.
29
Communication from the Commission to the European Parlia-
ment and the Council, “Restoring Trust in EU-US data flows”,
COM(2013) 846 final, 27 November 2013, section 3.2.
30
Communication from the Commission to the European Parlia-
ment and the Council, “Restoring Trust in EU-US data flows”,
COM(2013) 846 final, 27 November 2013, section 3.2. See also the
related Memorandum “Restoring Trust in EU-US data flows – Fre-
quently Asked Questions”, MEMO/13/1059, 27 November 2013.
 computer law & security review 32 (2016) 345–362
The Commission noted that a significant number of self-
certified companies did not comply or did not fully comply with
the Safe Harbour principles.31 In addition, the Commission
stated that “all companies involved in the PRISM programme
[a large-scale intelligence collection programme], and which
grant access to US authorities to data stored and processed in
the US, appear to be Safe Harbour certified”32 and that “[t]his
has made the Safe Harbour scheme one of the conduits through
which access is given to US intelligence authorities to collect-
ing personal data initially processed in the EU.”33 In that regard,
the Commission noted that “a number of legal bases under US
law allow large-scale collection and processing of personal data
that is stored or otherwise processed [by] companies based in
the US” 34 and that the “large-scale nature of these pro-
grammes may result in data transferred under Safe Harbour
being accessed and further processed by US authorities beyond
what is strictly necessary and proportionate to the protec-
tion of national security as foreseen under the exception
provided in the Safe Harbour Decision.”35
In section 7.2 of this communication, headed “Limitations
and redress possibilities”, the Commission noted that “safe-
guards that are provided under US law are mostly available to
US citizens or legal residents” and that “[m]oreover, there are
no opportunities for either EU or US data subjects to obtain
access, rectification or erasure of data, or administrative or ju-
dicial redress with regard to collection and further processing
of their personal data taking place under the US surveillance
programmes”. The certified companies included “Web com-
panies such as Google, Facebook, Microsoft, Apple, Yahoo”,36
which had “hundreds of millions of clients in Europe”37 and
transferred personal data to the US for processing. The Com-
mission concluded that “the large-scale access by intelligence
31
Communication from the Commission to the European Parlia-
ment and the Council on the Functioning of the Safe Harbour from
the Perspective of EU Citizens and Companies Established in the
EU, COM(2013) 847 final, 27 November 2013, available at http://eur-
lex.europa.eu/resource.html?uri=cellar:551c0723-784a-11e3-b889-
01aa75ed71a1.0001.01/DOC_1&format=PDF, sections 3 to 5 and 8.
32
Communication from the Commission to the European Parlia-
ment and the Council on the Functioning of the Safe Harbour from
the Perspective of EU Citizens and Companies Established in the
EU, COM(2013) 847 final, 27 November 2013, section 7.
33
Communication from the Commission to the European Parlia-
ment and the Council on the Functioning of the Safe Harbour from
the Perspective of EU Citizens and Companies Established in the
EU, COM(2013) 847 final, 27 November 2013, section 7.
34
Communication from the Commission to the European Parlia-
ment and the Council on the Functioning of the Safe Harbour from
the Perspective of EU Citizens and Companies Established in the
EU, COM(2013) 847 final, 27 November 2013, section 7.1.
35
Communication from the Commission to the European Parlia-
ment and the Council on the Functioning of the Safe Harbour from
the Perspective of EU Citizens and Companies Established in the
EU, COM(2013) 847 final, 27 November 2013, section 7.1.
36
Communication from the Commission to the European Parlia-
ment and the Council on the Functioning of the Safe Harbour from
the Perspective of EU Citizens and Companies Established in the
EU, COM(2013) 847 final, 27 November 2013, section 8.
37
Communication from the Commission to the European Parlia-
ment and the Council on the Functioning of the Safe Harbour from
the Perspective of EU Citizens and Companies Established in the
EU, COM(2013) 847 final, 27 November 2013, section 8.
349
agencies to data transferred to the US by Safe Harbour certi-
fied companies raises additional serious questions regarding
the continuity of data protection rights of Europeans when their
data is transferred to the US.”38
The Commission made thirteen recommendations. The last
two dealt with access to data by US authorities, i.e. excep-
tions for national security, public interest or law enforcement
requirements.39 At the end of 2013, the Commission prompted
negotiations with the US Department of Commerce to improve
the transparency and enforcement of the programme and
enhance dispute resolution.
3.2.5. Additional recommendations of the Article 29 Working
Party
The Article 29 Working Party is an independent influential EU
advisory body to the Commission, which is legally based on
Article 29 of the directive, hence its name. The Working Party
is composed of DPAs of all Member States and the EDPS who
was established on the basis of Regulation 45/2001 to monitor
EU organisations. Although the opinions of the Working Party
do not legally bind EU courts,40 they provide helpful guidance
on concepts such as controllers and processors.41 On 10 April
2014, the Working Party made additional recommendations to
the Commission about weaknesses in the safe harbour
framework.42
4. Analysis of the opinion of the Advocate
General dated 23 September 2015
In a highly anticipated, detailed and controversial opinion, Ad-
vocate General Yves Bot who was Advocate General in the
challenge to the legal basis of the data retention directive43 went
further than simply suggesting replies to the two specific ques-
tions posed by the High Court of Ireland in the request for a
preliminary ruling.44 Both questions were limited to the legally
binding nature of the Commission decision on DPAs and their
powers in relation to complaints under the decision of the Com-
mission. Although the request did not expressly refer the legal
validity of the Commission decision to the Court of Justice, the
38
Communication from the Commission to the European Parlia-
ment and the Council on the Functioning of the Safe Harbour from
the Perspective of EU Citizens and Companies Established in the
EU, COM(2013) 847 final, 27 November 2013, section 8.
39
Communication from the Commission to the European Parlia-
ment and the Council on the Functioning of the Safe Harbour from
the Perspective of EU Citizens and Companies Established in the
EU, COM(2013) 847 final, 27 November 2013, p. 19 in fine.
40
Opinion in Joined Cases C-141/12 and C-372/12, footnote 40.
41
Opinion 1/2010 of 16 February 2010 on the concepts of “con-
troller” and “processor”, available at http://ec.europa.eu/justice/
policies/privacy/docs/wpdocs/2010/wp169_en.pdf
42
Available at http://ec.europa.eu/justice/data-protection/article-
29/documentation/other-document/files/2014/20140410_wp29
_to_ec_on_sh_recommendations.pdf
43
Case C-301/06 Ireland v Parliament and Council [2009] ECR I-593.
44
Reference for a preliminary ruling from High Court of Ireland
made on 25 July 2014 – Maximillian Schrems v Data Protection Com-
missioner (Case C-362/14), Official Journal of the European Union, 6
October 2014, C 351/5.
350 computer law & security review 32 (2016) 345–362
Advocate General considered that it should determine it because
both Max Schrems and the High Court of Ireland indirectly had
cast doubts on it.45 This reason was a weak basis on which to
justify examining the legal validity of a Commission deci-
sion. Even though Max Schrems did not request the invalidation
of such decision, Advocate General Bot proposed that the Grand
Chamber should invalidate it. Advocate General Cruz Villalón
had already made a similar submission about the invalidity
of the data retention directive in the case of Digital Rights
Ireland.46
In addition, the Advocate General proposed that the Grand
Chamber should find that DPAs may investigate a complaint
alleging that a third country does not ensure an adequate level
of protection and suspend the transfer of personal data. The
Irish Commissioner would accordingly have been required to
examine the complaint of Max Schrems.47 Advocate General
Bot relied on the case law of EU courts about the indepen-
dence of DPAs, which legally characterises them as guardians
of fundamental rights48 to support his submission that DPAs
are totally independent even from the Commission.49 Conse-
quently, if “on completion of its investigations, a national
supervisory authority considers that the contested transfer of
data undermines the protection which citizens of the Union
must enjoy with regard to the processing of their data, it has
the power to suspend the transfer of data in question, irre-
spective of the general assessment made by the Commission
in its decision.”50 The Advocate General observed that Article
25 of the directive provides that Member States or the Com-
mission may alternatively find that a third country ensures an
adequate level of protection.51 A decision adopted by the Com-
mission pursuant to Article 25(6) of the directive can therefore
not eliminate or reduce the powers expressly granted to the
national supervisory authorities by Article 8(3) of the Charter
and Article 28 of the directive.52
Where the legal validity of a Commission decision adopted
pursuant to Article 25(6) of the directive is examined, account
must be taken of the circumstances that have arisen after the
date when this decision was adopted.53 (French) Advocate
General Bot implicitly relied on the phrasing used in the case
law of the French Council of State about inferences drawn from
45
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] paras 123 in fine, 124, 126 and 128.
46
Opinion in Joined Cases C-293/12 and C-594/12 Digital Rights
Ireland and Seitlinger and Others [2014] Section VI.
47
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 39 in fine.
48
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 70. See Case C-518/07 Commission v Germany
para 23, Case C-614/10 Commission v Austria para 52 and C-288/12
Commission v Hungary para 53.
49
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 73.
50
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 81.
51
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 86.
52
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] paras 61, 93 and 116.
53
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] paras 134 and 135.
the circumstances of a case.54 He considered that “a third
country ensures an adequate level of protection only where”55
the Commission can “establish that that third country offers
a level of protection that is essentially equivalent to that
afforded”56 by the directive. However, the latter does not provide
for any test to define the practical meaning of “an adequate
level of protection”. The Advocate General accordingly inter-
preted the phrase “adequate level of protection” and set the
bar quite high by contending that adequacy not only means
equivalence in practice, but requires essential equivalence.
The Advocate General harshly criticised the safe harbour.
He referred to “a mass and indiscriminate surveillance and in-
terception” of personal data by the NSA57 and “the large-
scale collection of the personal data of citizens of the Union,
which is transferred under the safe harbour scheme”.58 Advo-
cate General Bot submitted that the problem primarily arose
from the excessive use of derogations permitted under the de-
cision of the Commission59 and the absence of any independent
authority capable of verifying that the implementation of the
derogations from the safe harbour principles is limited to what
is strictly necessary.60 He analysed that since Facebook acted
in compliance with US law and the decision of the Commis-
sion provided for disclosures in this case, “the question of the
compatibility of such derogations with primary EU law”61 was
in reality raised in this case. The Advocate General thus as-
sessed the legitimacy of US surveillance.
Advocate General Bot considered that the “access enjoyed
by the United States intelligence services to the transferred data
therefore also constitutes an interference with the fundamen-
tal right to protection of personal data guaranteed in Article
8 of the Charter, since such access constitutes a processing of
that data.”62 The Advocate General also considered that “the
interference thus identified is wide-ranging and must be con-
sidered to be particularly serious, given the large number of
users concerned and the quantities of data transferred. Those
factors, associated with the secret nature of the United States
authorities’ access to the personal data transferred to the un-
dertakings established in the United States, make the interference
54
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 137: the Commission “confirms implic-
itly, but necessarily, the initial assessment.” See for instance Council
of State, Judgments No. 369808 of 21 September 2015, 366498 of 23
June 2014, 343705 of 21 October 2013, 343837 of 26 July 2011 and
305314 of 24 July 2009.
55
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 141.
56
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 141.
57
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 155.
58
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 158.
59
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 164.
60
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 208.
61
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 168.
62
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 170 in fine.
 computer law & security review 32 (2016) 345–362
extremely serious.”63 The characterisation of the interferences
by the Advocate General as “extremely serious” therefore goes
further than the “particularly serious interferences” with the
fundamental rights to privacy and to the protection of per-
sonal data found by the Grand Chamber in its judgment
invalidating the data retention directive.64
The Advocate General further submitted that the US “in-
telligence services’ access to the data transferred seems to
extend to the content of the electronic communications, which
would compromise the essence of the fundamental right to respect
for privacy and the other rights enshrined in Article 7 of the
Charter. [. . .I]t could be considered that those limitations com-
promise the essence of the fundamental right to protection of personal
data.”65 The fact that Advocate General Bot hedged is disap-
pointing and even more incomprehensible since he later
considered that “the access which the United States intelli-
gence authorities may have to the personal data transferred
covers, in a generalised manner, all persons and all means of
electronic communication and all the data transferred, includ-
ing the content of the communications, without any differentiation,
limitation or exception according to the objective of general
interest pursued.”66 The opinion is consistent with the judg-
ment invalidating the data retention directive in which the
Grand Chamber found no infringement upon the fundamen-
tal right to the respect of privacy because the data retention
directive did “not permit the acquisition of knowledge of the
content of the electronic communications as such”.67
As in the case of Digital Rights Ireland,68 the discretion of the
EU legislature was limited due to the importance of the rights
at stake and the extent of the interference with them.69 In ad-
dition, the Advocate General considered that the “mass,
indiscriminate surveillance is inherently disproportionate and
constitutes an unwarranted interference with the rights guar-
anteed by Articles 7 and 8 of the Charter.”70 The approach of
Advocate General Bot is consistent with the judgment of the
Grand Chamber in the case of Digital Rights Ireland.71 Follow-
ing the latter judgment which stressed the crucial importance
of guarantees for the protection of personal data,72 the US
system did not suffice.73 In particular, no independent authority
63
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 171, emphasis added.
64
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014] paras 39 and 65.
65
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 177, emphasis added.
66
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 198, emphasis added.
67
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014] para 39.
68
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014] paras 47 and 48.
69
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] paras 187 and 189.
70
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 200.
71
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014] para 37.
72
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014] para 54.
73
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] paras 207 and 224.
351
effectively monitored and controlled compliance with the re-
quirements for the protection and security of personal data
provided for in Article 8(3) of the Charter.74 Procedures before
the FTC and the private dispute resolution mechanisms dealt
with compliance by the US undertakings with the safe harbour
principles and could not be applied in disputes on the legal-
ity of interference with fundamental rights, which resulted from
measures originating from the State.75 The Advocate General
considered that the reference in the fourth paragraph of Annex
I “to limits to the application of the safe harbour principles
ought to have been accompanied by the establishment of a
control mechanism operated by an independent authority
specialising in personal data protection.”76
Advocate General Bot roundly criticised the Commission and
submitted that by “adopting Decision 2000/520 and then main-
taining it in force, the Commission therefore exceeded the limits
imposed by compliance with the principle of proportionality
in the light of Articles 7, 8 and 52(1) of the Charter.”77 The as-
sessment is dynamic and continuous and the “Commission
ought to have suspended the application of Decision 2000/520.”78
The Advocate General concluded that “[s]uch a failure to act
on the part of the Commission, which directly impairs the fun-
damental rights protected by Articles 7, 8 and 47 of the Charter,
is to my mind an additional ground on which to declare De-
cision 2000/520 invalid in the context of the present reference
for a preliminary ruling.”79 The harsh opinion of the Advo-
cate General thus sent a loud and clear message to the
Commission.
5. Challenges to the factual basis contained
in the opinion of the Advocate General
That same day, the Director General of DIGITALEUROPE, John
Higgins, expressed his concern “about the potential disrup-
tion to international data flows if the Court follows today’s
Opinion”.80 On 28 September 2015, the US mission to the EU
issued a statement hoping that the judgment of the Grand
Chamber takes note of the “inaccuracies and far-reaching con-
sequences of the Advocate General’s opinion, as well as the
significant harm to the protection of individual rights and the
74
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] paras 72, 145 and 207 to 210.
75
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] paras 204 to 206.
76
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 209 in fine.
77
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 215.
78
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 226.
79
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 236.
80
DIGITALEUROPE reaction to the Advocate General’s opinion in
the case Schrems Vs the Irish Data Protection Commissioner, available
at http://www.digitaleurope.org/DesktopModules/Bring2mind/DMX/
Download.aspx?Command=Core_Download&EntryId=1015&PortalId
=0&TabId=353
352 computer law & security review 32 (2016) 345–362
free flow of information that would occur if it were to follow
the Advocate General’s opinion.”81
That same day, the Electronic Privacy Information Center
issued a statement in which it noted “the growing impor-
tance of Articles 7 and 8 of the Charter of Fundamental Rights”
and legal certainty as “a key element of trust that promotes
trade and commerce.” On 29 September 2015, the American
Chamber of Commerce to the EU also issued a reactive state-
ment. Last, Professor Peter Swire published a critical
commentary of the opinion.82
6. Analysis of the judgment of the Grand
Chamber dated 6 October 2015
The Grand Chamber largely affirmed in substance the opinion
of Advocate General Bot delivered only a fortnight earlier. The
fact that the term of office of the President of the Court who
sat in the Grand Chamber ended the day after the date of the
judgment83 probably explains the unusual fast procedure.
The pithy reasoning of the Grand Chamber closely fol-
lowed the opinion of the Advocate General. The Grand Chamber
heavily relied on its own judgment rendered one and a half
year earlier in Digital Rights Ireland.84 The latter extensively relied
on the case law of the European Court of Human Rights (here-
inafter the “ECHR”) although the Grand Chamber did not cite
any case law of the ECHR in the Schrems judgment.
6.1. Applicable law, exclusive jurisdiction of the Court of
Justice and powers of national data protection authorities
The Grand Chamber highlighted the importance of reading all
the provisions of the directive “in the light of the fundamen-
tal rights guaranteed by the Charter”,85 notably the right to
respect for private life. The directive must accordingly be in-
terpreted in line with the Charter.
Regarding the relationship between fundamental rights and
international agreements, the Charter must always be com-
plied with even in international agreements.86 The Commission
can accordingly not sign an international agreement, which
infringes upon the provisions of the Charter. The Grand
Chamber thus applied fundamental rights to international
relations.
81
“Safe Harbor Protects Privacy and Provides Trust in Data Flows
that Underpin Transatlantic Trade”, available at: http://useu
.usmission.gov/st-09282015.html
82
“Don’t Strike Down the Safe Harbor Based on Inaccurate Views
About U.S. Intelligence Law, 5 October 2015, available at https://
iapp.org/news/a/dont-strike-down-the-safe-harbor-based-on-
inaccurate-views-on-u-s-intelligence-law
83
See Press Release No 121/15 of 8 October 2015, available at http://
curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/
cp150121en.pdf
84
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] paras 58, 78 and 91 to 94.
85
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 38. See also ibidem, paras 64, 65, 66, 67, 73, 74, 78,
98, 99, 104 and 107(1).
86
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] paras 72 to 74 and 78.
The Grand Chamber held that DPAs have the power over
transfers of personal data from a Member State to a third
country on the basis that transfers constitute processing carried
out in the territory despite the wording of Article 28(1) and (6)
of the directive, which do not grant powers over processing in
a third country.87
The Grand Chamber clarified that adequacy decisions
adopted by the Commission on the basis of Article 25(6) of the
directive legally bind all Member States and their organs.88 The
Grand Chamber found that until such time as the Court of
Justice declared the decision of the Commission invalid,
“Member States and their organs, which include their inde-
pendent supervisory authorities, admittedly cannot adopt
measures contrary to that decision, such as acts intended to
determine with binding effect that the third country covered
by it does not ensure an adequate level of protection.”89
The Court of Justice alone has ultimately the task of ex-
amining whether an EU act such as a decision of the
Commission is valid and the exclusive jurisdiction to declare
it invalid for “guaranteeing legal certainty by ensuring that EU
law is applied uniformly”.90
Regarding the role of DPAs in handling complaints of data
subjects on the protection of their personal data, the Grand
Chamber found that an obligation to investigate rests on DPAs.
The latter need to examine complaints with “complete
independence”91 and “with all due diligence”92 to determine
whether the processing operation complies with the require-
ments laid down in the directive. DPAs bear the legal obligation
to refuse a transfer of data to an unsafe country for the pro-
tection of personal data even though an assessment performed
by the Commission may have led to a contrary decision. The
heavy burden on DPAs to investigate complaints of data sub-
jects implies the ability to choose. In the inspired words of the
Commissioner for Justice, Consumers and Gender Equality, Věra
Jourová, “where the personal data travels, the protection has
to travel with it.”93 There is however a tension if not an incon-
sistency between the complete independence of DPAs and the
ultimate purpose of guaranteeing legal certainty by ensuring
the uniform application of EU law. DPAs of the 28 Member States
may order the suspension of data flows from the EU to third
countries if they consider erroneous an adequacy decision of
the Commission that the Court of Justice has the exclusivity
to invalidate.
In addition, Member States must provide for the possibil-
ity to bring a case before a domestic court which may in turn
87
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] paras 44 and 45.
88
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 51.
89
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 52.
90
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 61.
91
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] paras 40 and 57.
92
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 63 in fine.
93
Speech by Commissioner Jourová: The future of U.S.–EU data
transfer arrangements at the Brookings Institution, Washington,
16 November 2015.
 computer law & security review 32 (2016) 345–362 353

trigger the exclusive jurisdiction of the Court of Justice by way accordingly determine whether they may sign agreements with
of a request for a preliminary ruling, pursuant to Article 267 them to exchange personal data. The standard set in the judg-
of the Treaty on the Functioning of the EU. If a DPA examines ment is however imprecise.
a complaint and finds it well founded, it has to bring the case The Grand Chamber interpreted Article 25(6) of the direc-
to a domestic court, which may request the Court of Justice tive as requiring that “the legal order of the third country [. . .]
for a preliminary ruling on the legal validity of the Commis- must ensure an adequate level of protection.”100 The Grand
sion adequacy decision. DPAs and domestic courts may however Chamber followed the opinion of Advocate General Bot101 and
not invalidate the adequacy decision of the Commission. The found that where the legal validity of a Commission decision
Court of Justice has exclusive jurisdiction to invalidate it. From adopted pursuant to Article 25(6) of the directive is exam-
the perspective of data subjects, the judicial architecture of ined, account must be taken of the circumstances which have
DPAs, domestic courts and the Court of Justice94 implies lengthy arisen after the date when this decision was adopted. It thus
procedures. provided for a continuous obligation to examine an ad-
equacy decision. The latter is a living document, which must
6.2. Adequate level of protection for transfers of personal
be periodically reviewed in light of developments in the third
data to third countries, adequacy decisions of the
country. The Grand Chamber thus criticised the passivity of the
Commission and consequences of the judgment on them
Commission. Article 41(3) of the Proposal for a General Data
Protection Regulation similarly provides for a systematic and
In reply to the specific question asked by the High Court of
periodic review of adequacy decisions.102
Ireland, the Grand Chamber interpreted Article 25(6) of the di-
As in the case of Digital Rights Ireland,103 the Grand Chamber
rective read in light of Articles 7, 8 and 47 of the Charter as
stated that the discretion of the Commission was reduced in
meaning that a decision adopted pursuant to that provision
view of the important role played by the protection of per-
by which the Commission finds that a third country ensures
sonal data in light of the fundamental right to respect for private
an adequate level of protection does not prevent a supervi-
life and the large number of persons whose fundamental rights
sory authority of a Member State, within the meaning of Article
are liable to be infringed where personal data are transferred
28 of that directive, from examining the complaint of a data
to a third country not ensuring an adequate level of
subject on the protection of his rights and freedoms about the
protection.104 This finding is similar to the opinion of the Ad-
processing of personal data relating to him which has been
vocate General105 to which the Grand Chamber did not refer.
transferred from a Member State to that third country when
The Commission is thus subject to a strict control of compli-
such data subject contends that the law and practices in force
ance with applicable fundamental rights.
in the third country do not ensure an adequate level.95
The Grand Chamber acknowledged that the directive does
not define the concept of “an adequate level of protection.”96
6.3. Legal invalidity of the Commission decision
It followed the opinion of Advocate General Bot97 and inter-
preted the phrase “adequate level of protection” “as requiring
The Grand Chamber considered that the request related “in
the third country in fact to ensure, by reason of its domestic
essence, to the validity” of the Commission decision106 and
law or its international commitments, a level of protection of
shared the opinion of Advocate General Bot about the doubts
fundamental rights and freedoms that is essentially equiva-
expressed by both Max Schrems and Judge Hogan of the Irish
lent to that guaranteed within the European Union by virtue
High Court on the legal validity of the Commission decision.107
of Directive 95/46 read in the light of the Charter.”98 In broad,
The Grand Chamber thus re-characterised the request for an
sweeping language, the Grand Chamber thus established a high
interpretation into a request for a ruling on the legal validity
standard of protection. The scope of this important finding is
of the Commission decision and went beyond the specific ques-
clearly limited to the directive. It does therefore not apply to
tion asked by Judge Hogan. In an implicit reply to the statement
EU organisations such as Eurojust99 and Europol which imple-
issued by the US mission to the EU on 28 September 2015 about
ment their own legal frameworks to assess whether third
the alleged inaccuracies contained in the opinion of Advocate
countries ensure an adequate level of data protection and

94
Case C-362/14 Maximillian Schrems v Data Protection Commis-
100
sioner [2015] paras 64 and 65. Case C-362/14 Maximillian Schrems v Data Protection Commis-
95
Case C-362/14 Maximillian Schrems v Data Protection Commis- sioner [2015] para 74. See also ibidem, para 71.
101
sioner [2015] para 66 in fine and disposition, para 1. Case C-362/14 Maximillian Schrems v Data Protection Commis-
96
Case C-362/14 Maximillian Schrems v Data Protection Commis- sioner [2015] paras 134 and 135.
102
sioner [2015] para 70. Inter-institutional File: 2012/0011 (COD), 17 December 2015.
97 103
Opinion in Case C-362/14 Maximillian Schrems v Data Protection Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Commissioner [2015] para 141. Seitlinger and Others [2014] paras 47 and 48.
98 104
Case C-362/14 Maximillian Schrems v Data Protection Commis- Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 73. sioner [2015] para 78.
99 105
Article 26a(3) of the Eurojust decision provides that agree- Opinion in Case C-362/14 Maximillian Schrems v Data Protection
ments “containing provisions on the exchange of personal data may Commissioner [2015] paras 187 and 189.
106
only be concluded if the entity concerned is subject to the Council Case C-362/14 Maximillian Schrems v Data Protection Commis-
of Europe Convention of 28 January 1981 or after an assessment sioner [2015] para 1.
107
confirming the existence of an adequate level of data protection Case C-362/14 Maximillian Schrems v Data Protection Commis-
ensured by that entity.” sioner [2015] para 67.
354 computer law & security review 32 (2016) 345–362
General Bot,108 the Grand Chamber heavily relied on the two
Communications of the Commission as evidence to establish
the facts of the judgment.109 The Grand Chamber could also
have relied on the report of Pieter Omtzigt to the Committee
on Legal Affairs and Human Rights of the Parliamentary As-
sembly of the Council of Europe110 and on resolution 2045 (2015)
about mass surveillance of the Parliamentary Assembly of the
Council of Europe. In the latter, the Assembly stated that mass
surveillance practices by US intelligence services “endanger fun-
damental human rights, including the rights to privacy [and]
a fair trial” (para 4).
The Grand Chamber found that recourse by a third country
to a system based on self-certification, such as the Safe Harbour
Privacy Principles, did not exclude an adequacy finding pur-
suant to Article 25(6) of the directive and was acceptable,
provided there were “effective detection and supervision
mechanisms”111 which made it possible in practice to iden-
tify and sanction any infringement upon the applicable rules
for the protection of personal data.
Regarding the scope of the safe harbour principles, the Grand
Chamber critically found that they are “applicable solely to self-
certified United States organisations receiving personal data
from the European Union, and United States public authori-
ties are not required to comply with them. 112 The Grand
Chamber noted that the decision of the Commission laid down
that “‘national security, public interest, or law enforcement re-
quirements’ have primacy over the safe harbour principles,
primacy pursuant to which self-certified United States
organisations receiving personal data from the European Union
are bound to disregard those principles without limitation where
they conflict with those requirements and therefore prove in-
compatible with them.”113
In light of the general nature of the derogation set out in
the fourth paragraph of Annex I to the decision of the Com-
mission, the Grand Chamber found that such decision enabled
“interference, founded on national security and public inter-
est requirements or on domestic legislation of the United States,
with the fundamental rights of the persons whose personal
data is or could be transferred from the European Union to the
United States.”114 The Grand Chamber referred to its judg-
ment in the case of Digital Rights Ireland115 and reiterated that
whether the data subjects have suffered any adverse conse-
quence on account of an interference with the fundamental
right to respect for private life was irrelevant to establish the
108
“Safe Harbor Protects Privacy and Provides Trust in Data Flows
that Underpin Transatlantic Trade”, available at: http://useu
.usmission.gov/st-09282015.html
109
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] paras 14 to 16 and 20 to 25.
110
Doc. 13734 of 18 March 2015.
111
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 81.
112
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 82 in fine.
113
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 86.
114
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 87.
115
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014] para 33.
existence of such interference.116 Reiterating this finding was
important in light of the background of the case since the Irish
Commissioner had refused to investigate the complaint of Max
Schrems and rejected it on the ground that no evidence was
available that his personal data had been disclosed to the US
authorities.
In addition, the Grand Chamber noted that the decision of
the Commission did not contain any finding on “the exis-
tence, in the United States, of rules adopted by the State
intended to limit any interference, with the fundamental rights
of the persons whose data is transferred from the European
Union to the United States, interference which the State en-
tities of that country would be authorised to engage in when
they pursue legitimate objectives, such as national security.”117
The Grand Chamber added that the decision of the Commis-
sion did not “refer to the existence of effective legal protection
against interference of that kind.”118 It followed the opinion of
Advocate General Bot119 and found that the scope of proce-
dures before the FTC and the private dispute resolution
mechanisms was limited to compliance by the United States
undertakings with the safe harbour principles”120 and could not
be applied in disputes on the legality of interference with fun-
damental rights, which resulted from measures originating from
the State. However, the Grand Chamber did not examine such
procedures and mechanisms in light of Article 8(3) of the
Charter and regrettably, did not consider their compatibility
with this provision unlike the Advocate General.121
The Grand Chamber applied the test on the requirements
of proportionality and strict necessity122 that it had set out in
its judgment in the case of Digital Rights Ireland by analogy to
international transfers of personal data to assess whether the
laws of third countries provide an adequate level of protec-
tion. The Grand Chamber considered that the Commission had
found in its two Communications of 2013 that the US authori-
ties could access “the personal data transferred from the
Member States to the United States and process it in a way
incompatible, in particular, with the purposes for which it was
transferred, beyond what was strictly necessary and propor-
tionate to the protection of national security.”123 The Grand
116
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 87. See Roman Zakharov v Russia, application no.
47143/06, 4 December 2015 in which the Grand Chamber consid-
ered that given that the domestic system did not afford an effective
remedy to the person who suspected that he or she was sub-
jected to secret surveillance, the very existence of the contested
legislation amounted in itself to an interference with Mr Zakharov’s
rights under Article 8 of the European Convention.
117
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 88.
118
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 89.
119
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] paras 204 to 206.
120
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 89, emphasis added.
121
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] paras 205 and 209.
122
See Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014] paras 46, 52, 54, 61, 62, 64 and 65.
123
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 90.
 computer law & security review 32 (2016) 345–362
Chamber also considered that the Commission had “noted that
the data subjects had no administrative or judicial means of
redress enabling, in particular, the data relating to them to be
accessed and, as the case may be, rectified or erased.”124
Regarding the level of protection of fundamental rights and
freedoms which is guaranteed within the EU, EU legislation in-
volving interference with the fundamental rights guaranteed
by Articles 7 and 8 of the Charter must “lay down clear and
precise rules governing the scope and application of a measure
and imposing minimum safeguards, so that the persons whose
personal data are concerned have sufficient guarantees en-
abling their data to be effectively protected against the risk of
abuse and against any unlawful access and use of that data.”125
The Grand Chamber then reiterated the principles about the
legitimacy of surveillance measures that it had established in
this judgment.
First, the Grand Chamber found that “[l]egislation is not
limited to what is strictly necessary where it authorises, on a
generalised basis, storage of all the personal data of all the
persons whose data has been transferred from the European
Union to the United States without any differentiation, limi-
tation or exception being made in the light of the objective
pursued and without an objective criterion being laid down by
which to determine the limits of the access of the public au-
thorities to the data, and of its subsequent use, for purposes
that are specific, strictly restricted and capable of justifying the
inference, which both access to that data and its use entail.
In particular, legislation permitting the public authorities to
have access on a generalised basis to the content of electronic
communications must be regarded as compromising the essence
of the fundamental right to respect for private life, as guaranteed
by Article 7 of the Charter.”126 The tortuous phrase “access on
a generalised basis to the content of electronic communica-
tions” should be contrasted to the much more straightforward
terminology of “generalised surveillance”,127 “mass, indiscrimi-
nate surveillance”128 and “extremely serious interference”129 used
by Advocate General Bot.130 Mass surveillance however inher-
ently and intrinsically infringes upon Article 7 of the Charter,
regardless of the safeguards put in place to limit the abuse.
This finding is in line with the judgment of the Grand Chamber
in the case of Digital Rights Ireland.131 The Grand Chamber thus
found that mass surveillance breaches this fundamental right
twice in one and a half year. The judgment shows differences
124
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 90.
125
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 91.
126
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] paras 93 and 94, emphasis added.
127
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 167.
128
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 200.
129
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 171 in fine.
130
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] paras 167 and 200.
131
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014] paras 57 to 61.
355
between legal cultures of respect for private life in the EU and
the concept of privacy in the US.
Second, the Grand Chamber considered that “legislation not
providing for any possibility for an individual to pursue legal
remedies in order to have access to personal data relating to
him, or to obtain the rectification or erasure of such data, does
not respect the essence of the fundamental right to effective judi-
cial protection, as enshrined in Article 47 of the Charter.”132 These
clear considerations of the Grand Chamber went further than
the cautious ones of Advocate General Bot.133
The Grand Chamber did however not consider Article 8 of
the Charter. The reasons for this omission are unknown. This
omission is even more regrettable since Advocate General Bot
considered that the Commission had “exceeded the limits
imposed by compliance with the principle of proportionality
in the light of Articles 7, 8 and 52(1) of the Charter”134 by adopt-
ing decision 2000/520 and then maintaining it in force and that
the failure of the Commission to act directly impaired “the fun-
damental rights protected by Articles 7, 8 and 47 of the
Charter”.135 The Advocate General thus considered that the Com-
mission had failed in its legal obligations to comply with Article
8 of the Charter. Although the judgment of the Grand Chamber
contains many references to personal data,136 it does not really
consider the right to the protection of personal data as a dis-
tinct fundamental right.
In Article 1 of its decision, the Commission merely exam-
ined the safe harbour scheme. It did not find as it was required
to find that the US in fact ensures a level of protection of fun-
damental rights essentially equivalent to that guaranteed within
the EU under Article 25(6) of the directive read in light of the
Charter by reason of its domestic law or its international
commitments.137 The Grand Chamber thus moved the focus
from the assessment of the legitimacy of US surveillance in
the opinion of Advocate General Bot138 to the analysis in its judg-
ment of the compliance by the Commission decision with
Article 25(6) of the directive read in light of the Charter. The
Grand Chamber did not assess the US legal system including
the national intelligence activities139 and examined neither the
US surveillance programmes nor the legal basis thereof. Im-
portantly, it did not find that the US lacked the protections
required by applicable EU law either. As the newly elected
132
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 95, emphasis added.
133
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 177.
134
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 215.
135
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] para 236.
136
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] paras 1, 2, 3, 4, 6, 7, 8, 11 to 15, 22 to 24, 27 to 33, 36(1),
37 to 42, 44 to 51, 53 to 59, 63, 65, 66, 68, 72, 73, 75, 78, 79, 81, 82,
86, 87, 90 to 93, 95 and 99.
137
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] paras 73, 74, 83, 96 and 97.
138
Opinion in Case C-362/14 Maximillian Schrems v Data Protection
Commissioner [2015] paras 155, 157, 167, 173, 200, 201, 211, 212 and
223.
139
See Commissioner Jourová’s remarks on Safe Harbour EU Court
of Justice judgement before the Committee on Civil Liberties, Justice
and Home Affairs (Libe), Strasbourg, 26 October 2015.
356 computer law & security review 32 (2016) 345–362
President of the Court of Justice, Koen Lenaerts, who was sitting
in the Grand Chamber as then Vice-President of the Court
stated, the Grand Chamber was “not judging the US system
here; we are judging the requirements of EU law in terms of
the conditions to transfer data to third countries, whatever they
may be.”140 The Grand Chamber considered that the Commis-
sion did not address the central issue, i.e. whether the legal
order of the third country ensures an adequate level of pro-
tection. It thus maligned the Commission, which had not
examined the applicable legal framework of data protection
in the US in its decision. The Commission however knew that
the protection of personal data was problematic in the US since
most of the reasons given by the Grand Chamber about the
deficient protection in the US were based on the communi-
cations of the Commission. The Grand Chamber criticised the
Commission both for having adopted the decision and for
having failed to suspend it. The Grand Chamber thus ensured
the equal treatment of all third countries for the adequate level
of personal data protection and pointed out that the US is not
“more equal” than other third countries. Since Article 1 of the
Commission decision failed to comply with Article 25(6) of the
directive, the Grand Chamber found this provision invalid and
considered that it did not even need to examine the content
of the safe harbour principles.141 The strongly worded find-
ings of the Grand Chamber are based on reasons which are
particularly harsh for the Commission. In addition, the judg-
ment of the Grand Chamber drives a wedge into the EU–US
relation.
Last, the executive decision on safe harbour is an imple-
menting act. The Commission may only adopt its content to
the extent that the EU legislature has granted it the author-
ity to do so. The EU legislature fell short of granting the
Commission the authority to limit the powers of DPAs to at
least investigate the complaints of data subjects. The EU leg-
islature itself determined such powers in Article 28 of the
directive. The Grand Chamber accordingly held that the Com-
mission did not have the authority to restrict the powers of
national supervisory authorities.142 The Commission thus acted
ultra vires. The Grand Chamber further held that the Commis-
sion had exceeded the power that is conferred upon it in Article
25(6) of the directive read in light of the Charter in adopting
Article 3 of the decision and that this provision was there-
fore invalid.143 The Commission must accordingly comply with
the authority granted to it and act according to such author-
ity. The judgment of the Grand Chamber is a scathing call to
order for the Commission. The Grand Chamber concluded that
the decision of the Commission was invalid in its entirety.144
140
Valentina Pop, “European Court Chief Defends Decision to Strike
Down Data-Transfer Agreement”, The Wall Street Journal, 13 October
2015, available at http://www.wsj.com/articles/european-court-
chief-defends-decision-to-strike-down-data-transfer-agreement-
1444768419
141
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 98.
142
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 103.
143
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 104.
144
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] paras 105 and 106 and disposition, para 2.
Transfers of personal data between the EU and the US can
thus no longer be carried out on the basis of the Commission
decision. Transfers of personal data to the US will only be lawful
if the data exporter may rely on one of the alternative tools.
In the absence of an adequacy decision, the data exporter is
responsible for ensuring that the requirements to rely on one
of these tools are fulfilled with regard to the transfer of per-
sonal data under the control of DPAs.
The scope of the judgment is limited to the decision of the
Commission on safe harbour. However, the 11 adequacy de-
cisions adopted about Andorra, Argentina, Canada, Faroe Islands,
Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzer-
land and Uruguay145 all contain a restriction on the powers of
DPAs, which is identical to Article 3 of the Commission deci-
sion that the Grand Chamber invalidated.
The Commission stated that it would draw the necessary
consequences from the judgment by “preparing a decision, to
be adopted pursuant to the applicable comitology procedure,
replacing that provision in all existing adequacy decisions.”146
The Commission also stated that it would “engage in a regular
assessment of existing and future adequacy decisions, includ-
ing through the periodic joint review of their functioning
together with the competent authorities of the third country
in question.”147
7. Comments
After the judgment on the data retention directive of 8 April
2014, the Grand Chamber invalidated for the second time an
instrument that the Commission had spent years defending.
This bold judgment shows that the Grand Chamber scruti-
nised the legal validity of EU acts in light of the Charter and
took the fundamental rights to respect for privacy and effec-
tive judicial protection very seriously. It also scrutinised the
way in which US law treats personal data that it receives from
the EU. The Grand Chamber took a strong stance in affirming
a robust level of data protection within the EU as set out in
its judgment in the case of Digital Rights Ireland and in estab-
lishing a high standard in transfers of personal data to third
countries on the basis of both the directive and the Charter.
This judgment thus confirms the major role played by the
Grand Chamber in the protection of personal data after its two
famous judgments in the cases of Google Spain148 and Digital
Rights Ireland. These three judgments show the willingness of
145
See http://ec.europa.eu/justice/data-protection/international-
transfers/adequacy/index_en.htm
146
Communication from the Commission to the European Parlia-
ment and the Council on the Transfer of Personal Data from the
EU to the United States of America under Directive 95/46/EC fol-
lowing the Judgment by the Court of Justice in Case C-362/14
(Schrems), COM(2015) 566 final, 6 November 2015, p. 15.
147
Communication from the Commission to the European Parlia-
ment and the Council on the Transfer of Personal Data from the
EU to the United States of America under Directive 95/46/EC fol-
lowing the Judgment by the Court of Justice in Case C-362/14
(Schrems), COM(2015) 566 final, 6 November 2015, p. 15.
148
Case C-131/12 Google Spain and Google [2014].
 computer law & security review 32 (2016) 345–362
the Grand Chamber to behave as a Constitutional Court of the
EU149 in charge of ensuring compliance with the Charter.
The Grand Chamber legally based its clear and persuasive
findings on provisions of EU primary law such as Articles 7, 8
and 47 of the Charter and on the provisions of the directive
as well as examined compliance by the Commission with Ar-
ticles 25(6) of the directive. The entry into force of the General
Data Protection Regulation,150 which will replace the direc-
tive will therefore not impact on the judgment of the Grand
Chamber.
7.1. Strengthened role and powers of DPAs
The judgment of the Grand Chamber significantly strength-
ens the central role and the powers of DPAs. As the main
enforcers of the fundamental rights of data subjects, DPAs are
both responsible for and empowered to supervise transfers of
personal data from the EU to third countries in full indepen-
dence. The judgment rendered by the Court of Justice in the
Weltimmo case151 five days before the date of the judgment of
the Grand Chamber seems to indicate that the Court of Justice
is willing to make it easier for DPAs to tackle companies. Article
47 of the General Data Protection Regulation152 will probably
confirm and even enhance or strengthen the powers and in-
dependence of supervisory authorities or DPAs.
7.2. Legal effects of the judgment
The judgment of the Grand Chamber is retroactive. It takes
effect from the date when the decision of the Commission came
into force. This situation implies that the decision of the Com-
mission has never been legally valid. All transfers of personal
data from the EU to the US pursuant to the decision of the Com-
mission without any other legal basis have consequently been
illegal since 2000.
The Commission and governments of Member States, which
were parties to the proceedings did not request the Grand
Chamber to limit the temporal effects of its judgment if it in-
validated the decision of the Commission.153 Had they done
so, the Grand Chamber would have had to rule on this
request.154 The Grand Chamber could not raise this plea ex officio
in light of the traditional case law of the Court of Justice on
149
See also Xavier Tracol, “Legislative genesis and judicial death
of a directive: the European Court of Justice invalidated the data
retention directive (2006/24/EC), thereby creating a sustained period
of legal uncertainty about the validity of national laws which
enacted it”, Computer Law and Security Review, Volume 30, Issue 6,
December 2014, p. 745.
150
Inter-institutional File: 2012/0011 (COD), 17 December 2015.
151
Case C-230/14.
152
Inter-institutional File: 2012/0011 (COD), 17 December 2015.
153
Case C-333/07 Société Régie Networks v Direction de contrôle fiscal
Rhône-Alpes Bourgogne [2008] paras 118 and 119.
154
Case C-333/07 Société Régie Networks v Direction de contrôle fiscal
Rhône-Alpes Bourgogne [2008] paras 121 to 128.
357
this issue.155 It could accordingly not exercise its discretion-
ary power to suspend the effects of invalidity pending the
adoption of a new decision by the Commission.156
A preliminary ruling of the Court of Justice, which invali-
dates an EU act such as the decision of the Commission legally
binds all the institutions of the EU and domestic courts of all
Member States.157 The effects of the judgment are thus erga
omnes.
7.3. Distinction between content and metadata
Access to content compromises the essence of the fundamen-
tal right to respect for private life158 without any need for the
Grand Chamber to apply the test of proportionality since the
interference cannot be justified. This finding stands in stark
contrast to the judgment of the Grand Chamber in the case
of Digital Rights Ireland in which the invalidation of the data
retention directive was based on the application by the Grand
Chamber of compliance with the principle of proportionality.159
The distinction drawn by the Grand Chamber between
content and metadata has already been criticised.160 The pro-
filing potential of accurately combined and contextualised
metadata should not be overlooked.161
7.4. Legal implications of the judgment
The challenge of Max Schrems to seek an investigation into
which of his personal data Facebook had sent to the US was
referred back to the High Court of Ireland, which is required
to examine his complaint, but is legally bound by the judg-
ment of the Grand Chamber. On 20 October 2015, Judge Gerard
Hogan of the Irish High Court held that the Irish Commis-
sioner was then obliged to investigate the complaint lodged
by Max Schrems with all due diligence and to determine at the
conclusion of its investigation whether the transfer of the
155
Fernando Castillo de la Torre, “Le relevé d’office par la juridiction
communautaire”, Cahiers de droit européen, 2005, No. 3–4, p. 395 to
463; Bo Vesterdof, “Le relevé d’office devant le juge communautaire”,
Une communauté de droit, Festschrift für Gil Carlos Rodriguez Iglesias,
Ninon Colneric et al. (eds), Berliner Wissenschafts-Verlag, Berlin,
2003, p. 551 to 568.
156
Case C-333/07 Société Régie Networks v Direction de contrôle fiscal
Rhône-Alpes Bourgogne [2008] para 129.
157
Case C-453/00 Kühne and Heitz NV v Produktschap voor Pluimvee
en Eieren [2014] ECR I-00837.
158
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 94.
159
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and
Seitlinger and Others [2014] para 69.
160
See Xavier Tracol, “Legislative genesis and judicial death of a
directive: the European Court of Justice invalidated the data re-
tention directive (2006/24/EC), thereby creating a sustained period
of legal uncertainty about the validity of national laws which
enacted it”, Computer Law and Security Review, Volume 30, Issue 6,
December 2014, p. 741. See also Claude Castelluccia and Daniel Le
Métayer, “Renseignement: le traitement massif de données est aussi
dangereux qu’inefficace”, Pour la Science, No. 453, July 2015.
161
Hal Roberts and John Palfrey, “The EU Data Retention Direc-
tive in an Era of Internet Surveillance”, Ronald Deibert et al. (eds),
Access Controlled: The Shaping of Power, Rights, and Rule in Cyber-
space, The MIT Press, Cambridge, 2010, p. 35 to 54.
358 computer law & security review 32 (2016) 345–362
personal data of Facebook’s European subscribers to the US
should be suspended on the ground that the US does not ensure
an adequate level of protection of personal data.
On 9 October 2015, the US Department of Commerce stated
that it would “continue to administer the Safe Harbor program,
including processing submissions for self-certification to the
Safe Harbor Framework.”162
The judgment of the Grand Chamber does not focus on the
practices of Facebook as the subject of this case. This issue of
the judgment goes far beyond the case of Facebook and has
major legal implications not only for Facebook, but also for other
US Internet companies such as Google, Apple, Microsoft and
Yahoo as well as many small companies.163
The judgment of the Grand Chamber created a legal vacuum.
Processing operations of personal data, which were lawful before
the judgment of the Grand Chamber have become unlawful
since the date of the judgment. The US is in the same situa-
tion as other third countries without any adequacy decision.
7.4.1. Overview of the available legal tools for transatlantic
transfers of personal data under the directive in the absence of
an adequacy decision
The 3246 companies that are safe harbour self-certified can use
alternative legal mechanisms for lawfully transferring per-
sonal data to the US under Article 26 of the directive. First, they
can legally rely on the exhaustive list of exceptions provided for
in Article 26(1) of the directive.
The Article 29 Working Party considered that the interpre-
tation of Article 26(1) of the directive “must necessarily be
strict”164 since this provision sets out exemptions from a general
principle and exceptions should not become the rule. The
Working Party has issued several non-legally binding guid-
ance documents on the application of Article 26(1) of the
directive.165 They include best practices which are devised to
assist the enforcement action of DPAs.166
Derogations, such as unambiguous prior consent of the data
subject for the particular transfer or a particular category of
transfers, may be relied on in limited instances. Pursuant to
Article 2(h) of the directive, consent must be freely given, spe-
cific and informed. According to the Article 29 Working Party,
the first requirement means that any “pressure” may invali-
date the consent. This is particularly relevant to the employment
context where the relationship of subordination and inher-
ent dependency of employees calls into question reliance on
162
Available at http://export.gov/safeharbor/
163
Center for Strategic & International Studies, “The Safe Harbor:
Data Protection or Protectionism?” 10 June 2014, available at
http://csis.org/event/safe-harbor-data-protection-or-protectionism
164
Working Document on a common interpretation of Article 26(1)
of Directive 95/46/EC of 24 October 1995, WP 114, 25 November 2005,
p. 7. See also ibidem, p. 2 and 17.
165
Working Document: Transfers of personal data to third coun-
tries: Applying Articles 25 and 26 of the EU data protection directive,
WP 12, 24 July 1998; Working document on a common interpreta-
tion of Article 26(1) of Directive 95/46/EC of 24 October 1995, WP
114, 25 November 2005.
166
Working document on a common interpretation of Article 26(1)
of Directive 95/46/EC of 24 October 1995, WP 114, 25 November 2005,
p. 8 to 10.
consent.167 According to the Working Party, reliance on consent
should be confined to cases where the worker has a genuine
free choice and can subsequently withdraw the consent without
detriment.168 Regarding its scope, consent is consequently not
generally regarded as freely given in an employment context.
It can accordingly not provide a proper legal basis to transfer
personal data of employees to the US.
Data subjects must be properly informed in advance that
the personal data may be transferred outside the EU, to which
third country and under which conditions (purpose, identity
and details of the recipients). This information should include
the specific risk that their personal data will be transferred to
a third country, which lacks an adequate level of protection.169
As pointed out by the Working Party, withdrawal of consent
by the data subject should prevent any further processing of
personal data as a matter of principle although it is not
retroactive.170 In light of these limits, the Working Party sug-
gested that consent is unlikely to provide data controllers with
an adequate long-term framework for repeated or even struc-
tural transfers.171
The Working Party recommended that transfers of per-
sonal data, which might be legally characterised as repeated,
massive or structural should be carried out, where possible,
within a specific legal framework such as Standard Contrac-
tual Clauses (hereinafter “SCCs”) or Binding Corporate Rules
(hereinafter “BCRs”).172 They may only be carried out on the basis
of a derogation where recourse to SCCs or BCRs is impossible
in practice and where the risks to data subjects are small such
as international money transfers.173
Article 44(1)(a) of the Proposal for a General Data Protec-
tion Regulation however provides that “[i]n the absence of an
adequacy decision [. . .] or of appropriate safeguards [. . .] in-
cluding binding corporate rules, a transfer or a set of transfers
of personal data to a third country or an international
organisation may take place only on condition that [. . .] the
data subject has explicitly consented to the proposed trans-
fer, after having been informed of the possible risks of such
transfers for the data subject due to the absence of an ad-
equacy decision and appropriate safeguards”.174
167
Opinion 8/2001 on the processing of personal data in the em-
ployment context, WP 28, 13 September 2001, p. 3, 23 and 26.
168
Working document on a common interpretation of Article 26(1)
of Directive 95/46/EC of 24 October 1995, WP 114, 25 November 2005,
p. 11.
169
Working Document: Transfers of personal data to third coun-
tries: Applying Articles 25 and 26 of the EU data protection directive,
WP 12, 24 July 1998, p. 24.
170
Opinion 15/2011 on the definition of consent, WP 187, 13 July
2011, p. 9.
171
Working document on a common interpretation of Article 26(1)
of Directive 95/46/EC of 24 October 1995, WP 114, 25 November 2005,
p. 11; Working Document on surveillance of electronic communi-
cations for intelligence and national security purposes, WP 228, 5
December 2014, p. 49.
172
Working document on a common interpretation of Article 26(1)
of Directive 95/46/EC of 24 October 1995, WP 114, 25 November 2005,
p. 9.
173
See Commission, Frequently Asked Questions Relating to Trans-
fers of Personal Data from the EU/EEA to Third Countries (FAQ D.1),
p. 49.
174
Interinstitutional File: 2012/0011 (COD), 17 December 2015.
 computer law & security review 32 (2016) 345–362
Second, companies may legally rely on adequate safeguards
provided for in Article 26(2) of the directive. The Commission pre-
pared model agreements or standard data protection clauses in
contracts between companies exchanging personal data.175 In
accordance with Article 26(4) of the directive, the Commis-
sion has approved four sets of SCCs regarded as meeting the
requirements provided for in Article 26(2) of the directive.176
In Member States such as Belgium and Spain, SCCs need to
be notified to the DPA prior to the transfer of any personal data.
In a few Member States such as Austria, France, Ireland,
Romania and Slovenia, the DPA needs to approve SCCs prior
to use. In addition, DPAs have the power to examine these
clauses in light of the requirements set out in the judgment
of the Grand Chamber. Most contracts currently used by com-
panies to transfer personal data are based on SCCs approved
by the Commission.177 The problem of SCCs is however their
lack of enforcement. Companies may also rely on other legal
instruments such as ad hoc contractual arrangements to show that
they transfer personal data to the US with sufficient safe-
guards within the meaning of Article 26(2) of the directive. DPAs
need to approve such arrangements on a case-by-case basis,
pursuant to the same provision.
Companies may also develop BCRs. The latter may be defined
as internal rules such as codes of conduct adopted by multi-
national companies for international transfers of personal
data within the same corporate group from the EU to entities
located in countries which do not provide an adequate level
of protection. Regarding their purpose, multi-national compa-
nies use them to adduce adequate safeguards for the protection
of the privacy and fundamental rights and freedoms of indi-
viduals within the meaning of Article 26(2) of the directive
for all transfers of personal data protected under European
law. To that extent, BCRs ensure that all transfers made within
a corporate group benefit from an adequate level of protec-
tion. BCRs thus present the advantage of preventing the risks
which result from transfers of personal data to third coun-
tries. DPAs need to approve BCRs.178 The Article 29 Working
Party has spelled out both the substantive and procedural
requirements for BCRs based on EU data protection standards.179
175
See Article 29 Working Party, “Transfers of personal data to third
countries: Applying Articles 25 and 26 of the EU data protection
directive”, WP 12, 24 July 1998.
176
Communication from the Commission to the European Parlia-
ment and the Council on the Transfer of Personal Data from the
EU to the United States of America under Directive 95/46/EC fol-
lowing the Judgment by the Court of Justice in Case C-362/14
(Schrems), COM(2015) 566 final, 6 November 2015, p. 6.
177
See Article 29 Working Party, “Working Document Setting Forth
a Co-Operation Procedure for Issuing Common Opinions on ‘Con-
tractual clauses’ Considered as compliant with the EC Model Clause”,
WP 226, 26 November 2014, p. 2.
178
See the overview on BCRs available at http://ec.europa.eu/
justice/data-protection/international-transfers/binding-corporate-
rules/index_en.htm
179
Working Document setting up a table with the elements and
principles to be found in Binding Corporate Rules, WP 153, 24 June
2008; Working Document on Frequently Asked Questions (FAQs)
related to Binding Corporate Rules, WP 155, 24 June 2008.
359
Regarding their scope, these rules are enforceable in the EU.
They therefore have implications for the rights of data sub-
jects since data subjects whose personal data is being processed
by an entity of the group are entitled as third-party benefi-
ciaries to enforce compliance with BCRs by lodging a complaint
before a DPA and bringing an action before the Court of a
Member State. In addition, BCRs must designate an entity
within the EU which accepts liability for infringement upon
the rules by any member of the group outside the EU which
is legally bound by these rules. The Article 29 Working Party
has established a standardised application form180 and a spe-
cific co-operation procedure between relevant DPAs,181 which
includes the designation of a “lead authority” responsible for
handling the approval procedure. Regarding transparency, com-
panies with approved BCRs are listed on the Internet site of
the Commission.182 The specific terms of the rules that each
company creates for itself are however not public except if
the company publishes them.183
The approval process for SCCs and BCRs can be both lengthy
and expensive, making them potentially unsuitable for all, but
the largest companies.
SCCs and BCRs both provide that if the data importer has
reasons to believe that the legislation that applies to the re-
cipient country may prevent it from fulfilling its legal obligations,
it must promptly inform the data exporter in the EU. In such
a situation, the exporter bears the onus to consider taking the
appropriate measures necessary to ensure the protection of
personal data.184 These may range from technical, organisational,
business-model related or legal measures185 to the suspen-
sion of personal data transfers and the termination of
contracts.
7.4.2. Way forward
SCCs, ad hoc contractual arrangements and BCRs should all
provide for the implementation of strong and secure encryption
as a security practice which “aims to provide the confidenti-
ality of a communication channel between identified parties
(human beings, devices, or pieces of software/hardware) to avoid
180
Standard Application for Approval of Binding Corporate Rules
for the Transfer of Personal Data, WP 133, 10 January 2007.
181
Working Document Setting Forth a Co-Operation Procedure for
Issuing Common Opinions on Adequate Safeguards Resulting from
“Binding Corporate Rules”, WP 107, 14 April 2005.
182
List of companies for which the EU BCR procedure is closed,
available at http://ec.europa.eu/justice/data-protection/international-
transfers/binding-corporate-rules/bcr_cooperation/index_en.htm
183
See for instance the BCRs of eBay Inc., available at http://
www.ebayprivacycenter.com/sites/default/files/user_corporate
_rules_11-2-09_v1-01.pdf
184
See Clause 5 of the Annex to the Commission decision 2010/
87/EU and Article 29 Working Party, “Working Document setting up
a framework for the structure of Binding Corporate Rules, WP 154,
24 June 2008, p. 8.
185
See guidance issued by the European Network and Informa-
tion Security Agency, available at https://resilience.enisa.europa.eu/
article-13/guideline-for-minimum-security-measures/Article
_13a_ENISA_Technical_Guideline_On_Security_Measures_v2_0.pdf
360 computer law & security review 32 (2016) 345–362
eavesdropping or unintended disclosure.”186 Strengthening en-
cryption of content as called for by Parliament in its resolution
of 12 March 2014187 to reduce the level of risk that US authori-
ties including the NSA may access the data “on a generalised
basis”188 may thus assist and be part of the equation even
though it somewhat goes against the current trend.189
DPAs must ultimately assess compliance with such require-
ments on a case-by-case basis as part of the exercise of their
supervision and enforcement functions, encompassed in the
context of the approval of contractual arrangements and BCRs
or on the basis of individual complaints.
The Grand Chamber however considered that legislation per-
mitting the public authorities to access on a generalised basis
the content of electronic communications compromises “the
essence of the fundamental right to respect for private life, as
guaranteed by Article 7 of the Charter”.190 The Grand Chamber
also considered that “legislation not providing for any possi-
bility for an individual to pursue legal remedies in order to have
access to personal data relating to him, or to obtain the rec-
tification or erasure of such data, does not respect the essence
of the fundamental right to effective judicial protection, as en-
shrined in Article 47 of the Charter.”191 These considerations
apply to both Articles 25 and 26 of the directive. They accord-
ingly apply to alternative legal bases for transfers of personal
data to the US, which offer no greater protection against access
by public authorities to such data than the now invalidated de-
cision of the Commission and no mechanism to override
surveillance. Even if companies use the SCCs or BCRs as legal
bases for transferring personal data to the US, there is accord-
ingly no guarantee that intelligence services such as the NSA
and law enforcement agencies of the US will not access such
data. There is therefore no logical reason why they would
provide acceptable legal alternatives to the invalidated deci-
sion of the Commission. Organisations should accordingly
evaluate legal risks and benefits of SCCs and BCRs and
re-evaluate their collection and transfer of personal data where
186
Article 29 Data Protection Working Party, Opinion 05/2014 on
Anonymisation Techniques, 10 April 2014, WP 216, p. 29. Regard-
ing encryption, see Parliament resolution of 8 September 2015 on
“Human rights and technology: the impact of intrusion and sur-
veillance systems on human rights in third countries” (2014/
2232(INI)), P8_TA-PROV(2015)0288, available at http://www
.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML
+TA+P8-TA-2015-0288+0+DOC+PDF+V0//EN
187
European Parliament resolution of 12 March 2014 on the US NSA
surveillance programme, surveillance bodies in various Member
States and their impact on EU citizens’ fundamental rights and on
transatlantic cooperation in Justice and Home Affairs (2013/
2188(INI)), available at http://www.europarl.europa.eu/sides/
getDoc.do?type=TA&language=EN&reference=P7-TA-2014-0230, paras
36, 93, 95, 97, 98, 101, 106, 107 and 109.
188
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 94.
189
See the official document of the Dutch government dated 4
January 2016, Kabinetsstandpunt encryptie, available at http://
www.tweedekamer.nl/kamerstukken/brieven_regering/detail?id
=2016Z00009&did=2016D00015
190
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 94.
191
Case C-362/14 Maximillian Schrems v Data Protection Commis-
sioner [2015] para 95.
possible. Organisations that rely on them should expect future
legal challenges.
In the short term, organisations may consider keeping per-
sonal data in the EU and avoiding transfers to the US. Some
US companies offer cloud customers the option to store per-
sonal data in Europe so that it is not sent for storage elsewhere.192
For instance, Amazon announced on 6 November 2015 that it
would be building data centres in the UK in 2016.193 A few days
later, the CEO of Microsoft, Satya Nadella, also announced that
Microsoft was opening data centres in the UK for the first time.
The new data centres will enable UK users of Microsoft’s cloud
services, Azure and Office 365, to keep their data within Europe
at all times.194 Companies that provide cloud services within
the EU and rely on data centres in the US may invest in data
centres within the EU provided they sign contracts with Eu-
ropean companies only. European based cloud providers that
ensure compliance with EU law could thus benefit from the
situation. A note on surveillance requested by the Commit-
tee on Civil Liberties, Justice and Home Affairs of Parliament
has advocated the creation and proposed the development of
a “European cloud”,195 which would require all data from Eu-
ropean data subjects to be stored or processed on servers within
the EU to alleviate concerns of data security and data
sovereignty.
In the longer term, the most satisfying solution would
involve important changes to US legislation to offer adequate legally
binding protection to the personal data of EU data subjects and
introduce effective judicial remedies for EU data subjects in
all sectors including national security. The effective and ad-
equate protection of personal data in the US is the core question
of this judgment. The latter thus represents a historical turn
for transatlantic transfers of data. The message provided by
the Grand Chamber to the US is to better control the NSA and
to establish adequate safeguards. The question then becomes
whether the US government will be willing to amend its ap-
plicable legal framework to meet all the requirements set by
the Grand Chamber in the findings of the judgment.
In the meantime, knowing the positions of DPAs provides
legal predictability for both data subjects and companies. The
practical implication of the judgment is the need to ensure a
co-ordinated and uniform European approach in the frame-
work of the Article 29 Working Party and legal clarity for
companies.
192
See Karlin Lillington, “Oracle keeps European data within its EU-
based data centres”, Irish Times, 28 October 2015, available at http://
www.irishtimes.com/business/technology/oracle-keeps-european-
data-within-its-eu-based-data-centres-1.2408505?ot=example
.AjaxPageLayout.ot&mode=print
193
Tim Anderson, “Amazon’s chomping at the Brits: UK to get AWS
data center region”, The Register, 6 November 2015, available at
http://www.theregister.co.uk/2015/11/06/aws_to_build_uk_data
_centers/
194
Leo Kelion, “Microsoft to open UK data centres”, BBC, 10 No-
vember 2015, available at http://www.bbc.com/news/technology-
34777373
195
The US surveillance programmes and their impact on EU citi-
zens’ fundamental rights, PE 474.405, 28 September 2013, available
at http://www.europarl.europa.eu/meetdocs/2009_2014/documents/
libe/dv/briefingnote_/briefingnote_en.pdf, Section 3.1, p. 28.
 computer law & security review 32 (2016) 345–362
7.4.3. Statement of the Article 29 Working Party dated 16
October 2015
In a concise but important statement,196 the Working Party ac-
knowledged the legal uncertainty created by the judgment of
the Grand Chamber since transfers of personal data could no
longer be legally based on the decision of the Commission. The
Working Party emphasised that “massive and indiscriminate
surveillance is a key element of the Court’s analysis.” It reit-
erated that “it has consistently stated that such surveillance
is incompatible with the EU legal framework and that exist-
ing transfer tools are not the solution to this issue.” The Working
Party stated that “transfers to third countries where the powers
of state authorities to access information go beyond what is
necessary in a democratic society will not be considered as safe
destinations for transfers.”197 The Working Party considered that
companies may use SCCs and BCRs to legitimise transfers of
personal data to the US whilst it continues its assessment and
without prejudice to the powers of DPAs to investigate par-
ticular cases. The Working Party set a deadline of three months
for the EU and the US to conclude negotiations and imple-
ment a new safe harbour regime.
However, the statement of the Working Party does not legally
bind any DPA. In addition, the deadline set by the Working Party
has no legal basis. Last, the Working Party adopted inconsis-
tent positions. It initially recommended that transfers of
personal data that might be legally characterised as re-
peated, massive or structural should be carried out, where
possible, within a specific legal framework such as SCCs or
BCRs.198 In a subsequent document, the Working Party however
considered that SCCs and BCRs contain exceptions which “are
restrictions to a fundamental right and [. . .] could not be a basis
for massive, structural or repetitive transfers.”199
On 6 November 2015, the Commission issued an explana-
tory Communication, which provides guidance on the
implications of the judgment, an overview of alternative tools
to transfer personal data to the US, the conditions under which
they can be used and their limits.200 Most notably, the Com-
mission joined the position of the Working Party that companies
could still use alternative tools authorising data flows to law-
fully transfer personal data to the US. The Commission then
explained each of these alternative tools in more detail. The
196
Available at http://ec.europa.eu/justice/data-protection/article-
29/press-material/press-release/art29_press_material/2015/
20151016_wp29_statement_on_schrems_judgement.pdf
197
See Roman Zakharov v Russia, application no. 47143/06, 4 De-
cember 2015 in which the Grand Chamber found that the domestic
law was incapable of keeping the “interference” to what was “nec-
essary in a democratic society”.
198
Working document on a common interpretation of Article 26(1)
of Directive 95/46/EC of 24 October 1995, WP 114, 25 November 2005,
p. 9.
199
Working Document on surveillance of electronic communica-
tions for intelligence and national security purposes, WP 228, 5
December 2014, executive summary. See also ibidem, p. 45.
200
Communication from the Commission to the European Parlia-
ment and the Council on the Transfer of Personal Data from the
EU to the United States of America under Directive 95/46/EC fol-
lowing the by the Court of Justice in Case C-362/14 (Schrems),
COM(2015) 566 final, 6 November 2015.
361
Working Party and the Commission thus both stressed the need
for uniform application of the judgment in the EU.
7.4.4. Position papers adopted by German DPAs
On 26 October 2015, the Conference of the German Data Pro-
tection Authorities at both Federal and State Levels issued a
joint position paper stressing that the judgment contains strict
substantive requirements that the Commission and DPAs must
all comply with.201 The paper indicates that German DPAs will
assess the lawfulness of personal data transfers based on al-
ternative tools (SCCs, BCRs) and will no longer grant new
authorisations for the use of these tools for transfers of per-
sonal data to the US. The Conference emphasised the limited
validity of consent: consent may be a valid legal basis trans-
ferring personal data of employees in exceptional cases only
and may not a valid legal basis for massive or routine transfers.
In addition, DPAs for the Länder of Schleswig-Holstein202 and
Rheinland-Pfalz203 have both issued clear warnings that the al-
ternative transfer tools are under legal scrutiny. They expressed
doubts about the possibility to use transfer instruments such
as SCCs and BCRs for transatlantic data flows. In its position
paper, the DPA of Schleswig-Holstein stated that a proper ap-
plication of the judgment meant that alternative methods of
legitimising transfers were unsafe and questioning the ability
of companies to rely on SCCs to transfer personal data to the
US. Given the mass surveillance conducted by US intelli-
gence agencies, data subjects cannot provide informed consent
to transfer their personal data to the US, which means that
this legal basis may not be used to legally transfer personal
data from the EU to the US either.204 Although the DPA of
Schleswig–Holstein has not mentioned BCRs, its position implies
that they remain the only available mechanisms to lawfully
transfer personal data to the US.
The position papers of German DPAs contradict the state-
ment made by the Article 29 Working Party since the latter
accepted SCCs and BCRs as legitimate at least for a transi-
tional period. This patchwork of contradicting positions by DPAs
shows that the united European common front fell apart.
A new period of legal uncertainty across the EU conse-
quently started after the judgment of the Grand Chamber. The
legal risks include complaints made by data subjects to con-
trollers, DPAs and Courts as well as orders and injunctions of
DPAs and Courts to stop transfers. They also include differ-
ent interpretations of applicable standards on the protection
of personal data made by the 28 national DPAs and domestic
fragmentation of EU personal data protection law when data
flow to the US originate from multiple Member States and
German Länder. Some DPAs may be more “US friendly” in both
201
Available at https://www.datenschutz.hessen.de/ft-europa
.htm#entry4521
202
Available at https://www.datenschutzzentrum.de/uploads/
internationales/20151014_ULD-PositionPapier-on-CJEU_EN.pdf
203
Available at https://www.datenschutz.rlp.de/de/aktuell/2015/
images/20151026_Folgerungen_des_LfDI_RLP_zum_EuGH-Urteil
_Safe_Harbor.pdf
204
See also the Hamburg Commissioner for Data Protection and
Freedom of Information, Information on the Safe Harbor Ruling of
the Court of Justice, 5 November 215, available at https://
www.datenschutz-hamburg.de/fileadmin/user_upload/documents/
Information_on_the_Safe_Harbor_ruling_of_the_Court_of_Justice.pdf
362 computer law & security review 32 (2016) 345–362

their interpretation and enforcement whilst others may take
a stricter position and simply refuse to authorise data trans-
fers from the EU to the US since they would infringe upon their
domestic law. Last, the legal risks include forum shopping by
international companies that would establish their European
seat in Member States where DPAs provide the most favourable
interpretation and enforcement of applicable standards on the
protection of personal data.
8. Concluding remarks
The watershed judgment of the Grand Chamber originates from
an initially isolated 27 year-old data subject who took the ini-
tiative to lodge a complaint to a national DPA, which refused
to investigate it. The data subject challenged this decision before
the High Court of Ireland and Judge Hogan referred the case
to the Court of Justice for a preliminary ruling in the exercise
of his discretion. Credit must be given to both Max Schrems
and Judge Hogan for their actions against an agreement in-
volving 29 States. Such actions show the extraordinary
asymmetrical power of individuals in the digital world. Con-
versely, the Commission and the Irish Commissioner failed to
protect fundamental rights to the respect of private life and
to an effective remedy.205
Globalised relations need trust and in this case, trust was
breached. Mutual trust and public confidence between trans-
atlantic partners should now be restored. From a transatlantic
perspective, Eurojust and the US signed an agreement on 6 No-
vember 2006.206 Articles 9 to 11 and 13 to 17 of this agreement
deal with the protection of personal data. Europol and the US
also signed a supplemental agreement on the exchange of per-
sonal data and related information.207 In addition, the EU and
US authorities have now both approved the so called “Um-
brella Agreement” on the Protection of Personal Information
Relating to the Prevention, Investigation, Detection, and Pros-
ecution of Criminal Offenses which deals with law enforcement
co-operation. Its scope includes all personal data of suspects,
victims and witnesses such as names, addresses and crimi-
nal records exchanged between the EU and the US for the
purpose of prevention, detection, investigation and prosecu-
tion of criminal offences including terrorism. The agreement
applies to personal information transferred between the com-
petent authorities of the EU, its Member States and the US. The
scope of the agreement does however not cover access to per-
sonal data by national security authorities that the Grand
Chamber considered in the Schrems judgment and by the Central
Intelligence Agency, which is part of law enforcement. In ad-
dition, the legal framework that applies to the transfer of
personal data from national security authorities to law en-
forcement agencies is unclear. Regarding judicial redress and
205
See Grand Chamber, Roman Zakharov v Russia, application no.
47143/06, 4 December 2015.
206
Available at http://eurojust.europa.eu/doclibrary/Eurojust-
framework/agreements/Agreement%20Eurojust-USA%20(2006)/
Eurojust-USA-2006-11-06-EN.pdf
207
Available at https://www.europol.europa.eu/content/page/
external-cooperation-31
enforceability of rights, EU citizens who do not reside in the
US cannot currently obtain redress before US courts if their in-
correct or unlawfully processed personal data are transferred
to US law enforcement authorities unlike US citizens who may
currently seek redress before European courts. Articles 18 and
19 of the agreement provide for equal treatment of EU citi-
zens who will enjoy the same reciprocal rights of redress as
US citizens. They specifically provide that EU citizens will have
the right to seek judicial redress before US courts if the US au-
thorities have denied access or rectification, or unlawfully
disclosed their personal data. The agreement will be signed and
formally concluded only after the US Congress adopts the US
Judicial Redress Act208 formally introduced on 18 March 2015.
If enacted, this bill would extend the core of the judicial redress
provisions of the US Privacy Act of 1974 to EU citizens who may
then sue the US government to access, amend or correct records
or to seek redress for unlawful disclosure. This bill does however
not deal with the collection and storage of personal data by
US intelligence agencies. It does therefore not address all the
considerations of the Grand Chamber. On 17 September 2015,
the Judiciary Committee of the US House of Representatives
unanimously approved the Judicial Redress Act which was
passed by the House itself on 20 October 2015. The Judiciary
Committee of the US Senate also passed it on 28 January 2016.
It however approved a controversial amendment proposed by
Senator John Cornyn which provides for two cumulative re-
quirements on the extension of US court legal redress to non-
US citizens, i.e. (1) the other country must permit commercial
data transfers with the US and (2) the other country may not
impede the national security interests of the US. The Com-
mission has already rejected the first requirement. On the basis
of a proposal by the Commission, Council will adopt a deci-
sion authorising the signature of the agreement after obtaining
the approval of Parliament, which is required.
The Commission has been negotiating a safer harbour agree-
ment with the US for almost three years. The judgment has
put pressure on negotiators to complete it. The agreement
should aim at creating a transatlantic data transfer mecha-
nism which ensures compliance with the considerations of the
Grand Chamber, thereby protecting the privacy of EU data sub-
jects and providing legal certainty to organisations, which need
to transfer personal data to the US. In the longer term, an in-
ternational solution such as a treaty would be welcome.
Last, the “elephant in the room” is the massive surveil-
lance in Member States of the EU209 and European double
standards on surveillance laws and practices. The judgment
is in line with the approach in the case law of the ECHR. The
latter may apply the reasoning of the Grand Chamber in its
own case law.210 The judgment may thus have ripple effects
on Member States.
208
HR 1428.
209
See EU Agency for Fundamental Rights, Report on surveil-
lance by intelligence services: fundamental rights safeguards and
remedies in the EU, November 2015, available at http://fra.europa.eu/
sites/default/files/fra_uploads/fra-2015-surveillance-intelligence-
services_en.pdf
210
See Szabó and Vissy v Hungary, application no. 37138/14, 12 January
2016, paras 13 and 15.
L 181/34 EN Official Journal of the European Union 19.7.2003

AGREEMENT
on mutual legal assistance between the European Union and the United States of America

CONTENTS

Preamble

Article 1 Object and purpose

Article 2 Definitions

Article 3 Scope of application of this Agreement in relation to bilateral mutual legal assistance treaties
with Member States and in the absence thereof

Article 4 Identification of bank information

Article 5 Joint investigative teams

Article 6 Video conferencing

Article 7 Expedited transmission of requests

Article 8 Mutual legal assistance to administrative authorities

Article 9 Limitations on use to protect personal and other data

Article 10 Requesting State's request for confidentiality

Article 11 Consultations

Article 12 Temporal application

Article 13 Non-derogation

Article 14 Future bilateral mutual legal assistance treaties with Member States

Article 15 Designations and notifications

Article 16 Territorial application

Article 17 Review

Article 18 Entry into force and termination

Explanatory Note

THE EUROPEAN UNION AND THE UNITED STATES OF AMERICA,

DESIRING further to facilitate cooperation between the European Union Member States and the United States of
America,

DESIRING to combat crime in a more effective way as a means of protecting their respective democratic societies and
common values,

HAVING DUE REGARD for rights of individuals and the rule of law,

MINDFUL of the guarantees under their respective legal systems which provide an accused person with the right to a fair
trial, including the right to adjudication by an impartial tribunal established pursuant to law,

DESIRING to conclude an Agreement relating to mutual legal assistance in criminal matters,

HAVE AGREED AS FOLLOWS:

19.7.2003 EN Official Journal of the European Union
Article 1
Object and purpose
The Contracting Parties undertake, in accordance with the
provisions of this Agreement, to provide for enhancements to
cooperation and mutual legal assistance.
Article 2
Definitions
1. ‘Contracting Parties’ shall mean the European Union and the
United States of America.
2. ‘Member State’ shall mean a Member State of the European
Union.
Article 3
Scope of application of this Agreement in relation to bilat-
eral mutual legal assistance treaties with Member States
and in the absence thereof
1. The European Union, pursuant to the Treaty on European
Union, and the United States of America shall ensure that the
provisions of this Agreement are applied in relation to bilateral
mutual legal assistance treaties between the Member States and
the United States of America, in force at the time of the entry
into force of this Agreement, under the following terms:
(a) Article 4 shall be applied to provide for identification of
financial accounts and transactions in addition to any
authority already provided under bilateral treaty provisions;
(b) Article 5 shall be applied to authorise the formation and
activities of joint investigative teams in addition to any
authority already provided under bilateral treaty provisions;
(c) Article 6 shall be applied to authorise the taking of testi-
mony of a person located in the requested State by use of
video transmission technology between the requesting and
requested States in addition to any authority already
provided under bilateral treaty provisions;
L 181/35
(d) Article 7 shall be applied to provide for the use of expe-
dited means of communication in addition to any authority
already provided under bilateral treaty provisions;
(e) Article 8 shall be applied to authorise the providing of
mutual legal assistance to the administrative authorities
concerned, in addition to any authority already provided
under bilateral treaty provisions;
(f) subject to Article 9(4) and (5), Article 9 shall be applied in
place of, or in the absence of bilateral treaty provisions
governing limitations on use of information or evidence
provided to the requesting State, and governing the condi-
tioning or refusal of assistance on data protection grounds;
(g) Article 10 shall be applied in the absence of bilateral treaty
provisions pertaining to the circumstances under which a
requesting State may seek the confidentiality of its request.
2. (a) The European Union, pursuant to the Treaty on
European Union, shall ensure that each Member State
acknowledges, in a written instrument between such
Member State and the United States of America, the
application, in the manner set forth in this Article, of its
bilateral mutual legal assistance treaty in force with the
United States of America.
(b) The European Union, pursuant to the Treaty on
European Union, shall ensure that new Member States
acceding to the European Union after the entry into
force of this Agreement, and having bilateral mutual
legal assistance treaties with the United States of
America, take the measures referred to in subparagraph
(a).
(c) The Contracting Parties shall endeavour to complete the
process described in subparagraph (b) prior to the
scheduled accession of a new Member State, or as soon
as possible thereafter. The European Union shall notify
the United States of America of the date of accession of
new Member States.
3. (a) The European Union, pursuant to the Treaty on
European Union, and the United States of America shall
also ensure that the provisions of this Agreement are
applied in the absence of a bilateral mutual legal assis-
tance treaty in force between a Member State and the
United States of America.
(b) The European Union, pursuant to the Treaty on
European Union, shall ensure that such Member State
acknowledges, in a written instrument between such
Member State and the United States of America, the
application of the provisions of this Agreement.
(c) The European Union, pursuant to the Treaty on
European Union, shall ensure that new Member States
acceding to the European Union after the entry into
force of this Agreement, which do not have bilateral
mutual legal assistance treaties with the United States of
America, take the measures referred to in subparagraph
(b).
L 181/36 EN Official Journal of the European Union
4. If the process described in paragraph 2(b) and 3(c) is not
completed by the date of accession, the provisions of this
Agreement shall apply in the relations between the United
States of America and that new Member State as from the date
on which they have notified each other and the European
Union of the completion of their internal procedures for that
purpose.
5. The Contracting Parties agree that this Agreement is
intended solely for mutual legal assistance between the States
concerned. The provisions of this Agreement shall not give rise
to a right on the part of any private person to obtain, suppress,
or exclude any evidence, or to impede the execution of a
request, nor expand or limit rights otherwise available under
domestic law.
Article 4
Identification of bank information
1. (a) Upon request of the requesting State, the requested State
shall, in accordance with the terms of this Article,
promptly ascertain if the banks located in its territory
possess information on whether an identified natural or
legal person suspected of or charged with a criminal
offence is the holder of a bank account or accounts. The
requested State shall promptly communicate the results
of its enquiries to the requesting State.
(b) The actions described in subparagraph (a) may also be
taken for the purpose of identifying:
(i) information regarding natural or legal persons
convicted of or otherwise involved in a criminal
offence;
(ii) information in the possession of non-bank financial
institutions; or
(iii) financial transactions unrelated to accounts.
2. A request for information described in paragraph 1 shall
include:
(a) the identity of the natural or legal person relevant to
locating such accounts or transactions; and
(b) sufficient information to enable the competent authority of
the requested State to:
(i) reasonably suspect that the natural or legal person
concerned has engaged in a criminal offence and that
banks or non-bank financial institutions in the territory
of the requested State may have the information
requested; and
(ii) conclude that the information sought relates to the
criminal investigation or proceeding;
(c) to the extent possible, information concerning which bank
or non-bank financial institution may be involved, and
other information the availability of which may aid in redu-
cing the breadth of the enquiry.
19.7.2003
3. Requests for assistance under this Article shall be trans-
mitted between:
(a) central authorities responsible for mutual legal assistance in
Member States, or national authorities of Member States
responsible for investigation or prosecution of criminal
offences as designated pursuant to Article 15(2); and
(b) national authorities of the United States responsible for
investigation or prosecution of criminal offences, as desig-
nated pursuant to Article 15(2).
The Contracting Parties may, following the entry into force of
this Agreement, agree by Exchange of Diplomatic Note to
modify the channels through which requests under this Article
are made.
4. (a) Subject to subparagraph (b), a State may, pursuant to
Article 15, limit its obligation to provide assistance
under this Article to:
(i) offences punishable under the laws of both the
requested and requesting States;
(ii) offences punishable by a penalty involving depriva-
tion of liberty or a detention order of a maximum
period of at least four years in the requesting State
and at least two years in the requested State; or
(iii) designated serious offences punishable under the
laws of both the requested and requesting States.
(b) A State which limits its obligation pursuant to subpara-
graph (a)(ii) or (iii) shall, at a minimum, enable identifi-
cation of accounts associated with terrorist activity and
the laundering of proceeds generated from a compre-
hensive range of serious criminal activities, punishable
under the laws of both the requesting and requested
States.
5. Assistance may not be refused under this Article on
grounds of bank secrecy.
6. The requested State shall respond to a request for produc-
tion of the records concerning the accounts or transactions
identified pursuant to this Article, in accordance with the
provisions of the applicable mutual legal assistance treaty in
force between the States concerned, or in the absence thereof,
in accordance with the requirements of its domestic law.
7. The Contracting Parties shall take measures to avoid the
imposition of extraordinary burdens on requested States
through application of this Article. Where extraordinary
burdens on a requested State nonetheless result, including on
banks or by operation of the channels of communications fore-
seen in this Article, the Contracting Parties shall immediately
consult with a view to facilitating the application of this Article,
including the taking of such measures as may be required to
reduce pending and future burdens.
19.7.2003 EN Official Journal of the European Union
Article 5
Joint investigative teams
1. The Contracting Parties shall, to the extent they have not
already done so, take such measures as may be necessary to
enable joint investigative teams to be established and operated
in the respective territories of each Member State and the
United States of America for the purpose of facilitating criminal
investigations or prosecutions involving one or more Member
States and the United States of America where deemed appro-
priate by the Member State concerned and the United States of
America.
2. The procedures under which the team is to operate, such
as its composition, duration, location, organisation, functions,
purpose, and terms of participation of team members of a State
in investigative activities taking place in another State's territory
shall be as agreed between the competent authorities respon-
sible for the investigation or prosecution of criminal offences,
as determined by the respective States concerned.
3. The competent authorities determined by the respective
States concerned shall communicate directly for the purposes
of the establishment and operation of such team except that
where the exceptional complexity, broad scope, or other
circumstances involved are deemed to require more central
coordination as to some or all aspects, the States may agree
upon other appropriate channels of communications to that
end.
4. Where the joint investigative team needs investigative
measures to be taken in one of the States setting up the team, a
member of the team of that State may request its own compe-
tent authorities to take those measures without the other States
having to submit a request for mutual legal assistance. The
required legal standard for obtaining the measure in that State
shall be the standard applicable to its domestic investigative
activities.
Article 6
Video conferencing
1. The Contracting Parties shall take such measures as may
be necessary to enable the use of video transmission technology
between each Member State and the United States of America
for taking testimony in a proceeding for which mutual legal
assistance is available of a witness or expert located in a
requested State, to the extent such assistance is not currently
available. To the extent not specifically set forth in this Article,
the modalities governing such procedure shall be as provided
under the applicable mutual legal assistance treaty in force
between the States concerned, or the law of the requested State,
as applicable.
2. Unless otherwise agreed by the requesting and requested
States, the requesting State shall bear the costs associated with
establishing and servicing the video transmission. Other costs
L 181/37
arising in the course of providing assistance (including costs
associated with travel of participants in the requested State)
shall be borne in accordance with the applicable provisions of
the mutual legal assistance treaty in force between the States
concerned, or where there is no such treaty, as agreed upon by
the requesting and requested States.
3. The requesting and requested States may consult in order
to facilitate resolution of legal, technical or logistical issues that
may arise in the execution of the request.
4. Without prejudice to any jurisdiction under the law of
the requesting State, making an intentionally false statement or
other misconduct of the witness or expert during the course of
the video conference shall be punishable in the requested State
in the same manner as if it had been committed in the course
of its domestic proceedings.
5. This Article is without prejudice to the use of other
means for obtaining of testimony in the requested State avail-
able under applicable treaty or law.
6. This Article is without prejudice to application of provi-
sions of bilateral mutual legal assistance agreements between
Member States and the United States of America that require or
permit the use of video conferencing technology for purposes
other than those described in paragraph 1, including for
purposes of identification of persons or objects, or taking of
investigative statements. Where not already provided for under
applicable treaty or law, a State may permit the use of video
conferencing technology in such instances.
Article 7
Expedited transmission of requests
Requests for mutual legal assistance, and communications
related thereto, may be made by expedited means of communi-
cations, including fax or e-mail, with formal confirmation to
follow where required by the requested State. The requested
State may respond to the request by any such expedited means
of communication.
Article 8
Mutual legal assistance to administrative authorities
1. Mutual legal assistance shall also be afforded to a national
administrative authority, investigating conduct with a view to a
criminal prosecution of the conduct, or referral of the conduct
to criminal investigation or prosecution authorities, pursuant to
its specific administrative or regulatory authority to undertake
such investigation. Mutual legal assistance may also be afforded
to other administrative authorities under such circumstances.
Assistance shall not be available for matters in which the
administrative authority anticipates that no prosecution or
referral, as applicable, will take place.
L 181/38 EN Official Journal of the European Union
2. (a) Requests for assistance under this Article shall be trans-
mitted between the central authorities designated
pursuant to the bilateral mutual legal assistance treaty in
force between the States concerned, or between such
other authorities as may be agreed by the central autho-
rities.
(b) In the absence of a treaty, requests shall be transmitted
between the United States Department of Justice and the
Ministry of Justice or, pursuant to Article 15(1), compar-
able Ministry of the Member State concerned responsible
for transmission of mutual legal assistance requests, or
between such other authorities as may be agreed by the
Department of Justice and such Ministry.
3. The Contracting Parties shall take measures to avoid the
imposition of extraordinary burdens on requested States
through application of this Article. Where extraordinary
burdens on a requested State nonetheless result, the
Contracting Parties shall immediately consult with a view to
facilitating the application of this Article, including the taking
of such measures as may be required to reduce pending and
future burdens.
Article 9
Limitations on use to protect personal and other data
1. The requesting State may use any evidence or information
obtained from the requested State:
(a) for the purpose of its criminal investigations and proceed-
ings;
(b) for preventing an immediate and serious threat to its public
security;
(c) in its non-criminal judicial or administrative proceedings
directly related to investigations or proceedings:
(i) set forth in subparagraph (a); or
(ii) for which mutual legal assistance was rendered under
Article 8;
(d) for any other purpose, if the information or evidence has
been made public within the framework of proceedings for
which they were transmitted, or in any of the situations
described in subparagraphs (a), (b) and (c); and
(e) for any other purpose, only with the prior consent of the
requested State.
2. (a) This Article shall not prejudice the ability of the
requested State to impose additional conditions in a
particular case where the particular request for assis-
tance could not be complied with in the absence of such
conditions. Where additional conditions have been
imposed in accordance with this subparagraph, the
requested State may require the requesting State to give
information on the use made of the evidence or infor-
mation.
19.7.2003
(b) Generic restrictions with respect to the legal standards
of the requesting State for processing personal data may
not be imposed by the requested State as a condition
under subparagraph (a) to providing evidence or infor-
mation.
3. Where, following disclosure to the requesting State, the
requested State becomes aware of circumstances that may cause
it to seek an additional condition in a particular case, the
requested State may consult with the requesting State to deter-
mine the extent to which the evidence and information can be
protected.
4. A requested State may apply the use limitation provision
of the applicable bilateral mutual legal assistance treaty in lieu
of this Article, where doing so will result in less restriction on
the use of information and evidence than provided for in this
Article.
5. Where a bilateral mutual legal assistance treaty in force
between a Member State and the United States of America on
the date of signature of this Agreement, permits limitation of
the obligation to provide assistance with respect to certain tax
offences, the Member State concerned may indicate, in its
exchange of written instruments with the United States of
America described in Article 3(2), that, with respect to such
offences, it will continue to apply the use limitation provision
of that treaty.
Article 10
Requesting State's request for confidentiality
The requested State shall use its best efforts to keep confidential
a request and its contents if such confidentiality is requested by
the requesting State. If the request cannot be executed without
breaching the requested confidentiality, the central authority of
the requested State shall so inform the requesting State, which
shall then determine whether the request should nevertheless
be executed.
Article 11
Consultations
The Contracting Parties shall, as appropriate, consult to enable
the most effective use to be made of this Agreement, including
to facilitate the resolution of any dispute regarding the interpre-
tation or application of this Agreement.
Article 12
Temporal application
1. This Agreement shall apply to offences committed before
as well as after it enters into force.
19.7.2003 EN Official Journal of the European Union
2. This Agreement shall apply to requests for mutual legal
assistance made after its entry into force. Nevertheless, Articles
6 and 7 shall apply to requests pending in a requested State at
the time this Agreement enters into force.
Article 13
Non-derogation
Subject to Article 4(5) and Article 9(2)(b), this Agreement is
without prejudice to the invocation by the requested State of
grounds for refusal of assistance available pursuant to a bilat-
eral mutual legal assistance treaty, or, in the absence of a treaty,
its applicable legal principles, including where execution of the
request would prejudice its sovereignty, security, ordre public
or other essential interests.
Article 14
Future bilateral mutual legal assistance treaties with
Member States
This Agreement shall not preclude the conclusion, after its
entry into force, of bilateral Agreements between a Member
State and the United States of America consistent with this
Agreement.
Article 15
Designations and notifications
1. Where a Ministry other than the Ministry of Justice has
been designated under Article 8(2)(b), the European Union shall
notify the United States of America of such designation prior
to the exchange of written instruments described in Article 3(3)
between the Member States and the United States of America.
2. The Contracting Parties, on the basis of consultations
between them on which national authorities responsible for the
investigation and prosecution of offences to designate pursuant
to Article 4(3), shall notify each other of the national authori-
ties so designated prior to the exchange of written instruments
described in Article 3(2) and (3) between the Member States
and the United States of America. The European Union shall,
for Member States having no mutual legal assistance treaty with
the United States of America, notify the United States of
America prior to such exchange of the identity of the central
authorities under Article 4(3).
3. The Contracting Parties shall notify each other of any
limitations invoked under Article 4(4) prior to the exchange of
written instruments described in Article 3(2) and (3) between
the Member States and the United States of America.
L 181/39
Article 16
Territorial application
1. This Agreement shall apply:
(a) to the United States of America;
(b) in relation to the European Union, to:
— Member States,
— territories for whose external relations a Member State
has responsibility, or countries that are not Member
States for whom a Member State has other duties with
respect to external relations, where agreed upon by
exchange of diplomatic note between the Contracting
Parties, duly confirmed by the relevant Member State.
2. The application of this Agreement to any territory or
country in respect of which extension has been made in accor-
dance with subparagraph (b) of paragraph 1 may be terminated
by either Contracting Party giving six months' written notice to
the other Contracting Party through the diplomatic channel,
where duly confirmed between the relevant Member State and
the United States of America.
Article 17
Review
The Contracting Parties agree to carry out a common review of
this Agreement no later than five years after its entry into force.
The review shall address in particular the practical implementa-
tion of the Agreement and may also include issues such as the
consequences of further development of the European Union
relating to the subject matter of this Agreement.
Article 18
Entry into force and termination
1. This Agreement shall enter into force on the first day
following the third month after the date on which the
Contracting Parties have exchanged instruments indicating that
they have completed their internal procedures for this purpose.
These instruments shall also indicate that the steps specified in
Article 3(2) and (3) have been completed.
2. Either Contracting Party may terminate this Agreement at
any time by giving written notice to the other Party, and such
termination shall be effective six months after the date of such
notice.
L 181/40 EN Official Journal of the European Union 19.7.2003

In witness whereof the undersigned Plenipotentiaries have signed this Agreement

Done at Washington D.C. on the twenty-fifth day of June in the year two thousand and three in duplicate
in the Danish, Dutch, English, Finnish, French, German, Greek, Italian, Portuguese, Spanish and Swedish
languages, each text being equally authentic.

Por la Unión Europea

For Den Europæiske Union
Für die Europäische Union
Για την Ευρωπαϊκή Ένωση
For the European Union
Pour l'Union européenne
Per l'Unione europea
Voor de Europese Unie
Pela União Europeia
Euroopan unionin puolesta
På Europeiska unionens vägnar

Por los Estados Unidos de América

For Amerikas Forenede Stater
Für die Vereinigten Staaten von Amerika
Για τις Ηνωµένες Πολιτείες της Αµερικής
For the United States of America
Pour les États-Unis d'Amérique
Per gli Stati Uniti d'America
Voor de Verenigde Staten van Amerika
Pelos Estados Unidos da América
Amerikan yhdysvaltojen puolesta
På Amerikas förenta staters vägnar
19.7.2003 EN Official Journal of the European Union L 181/41

Explanatory Note on the Agreement on Mutual Legal Assistance between the European Union and
the United States of America

This note reflects understandings regarding the application of certain provisions of the Agreement on
Mutual Legal Assistance between the European Union and the United States of America (hereinafter ‘the
Agreement’) agreed between the Contracting Parties.

On Article 8

With respect to the mutual legal assistance to administrative authorities under Article 8(1), the first
sentence of Article 8(1) imposes an obligation to afford mutual legal assistance to requesting United States
of America federal administrative authorities and to requesting national administrative authorities of
Member States. Under the second sentence of that paragraph mutual legal assistance may also be made
available to other, that is non-federal or local, administrative authorities. This provision however, is avail-
able at the discretion of the requested State.

The Contracting Parties agree that under the first sentence of Article 8(1) mutual legal assistance will be
made available to a requesting administrative authority that is, at the time of making the request,
conducting investigations or proceedings in contemplation of criminal prosecution or referral of the inves-
tigated conduct to the competent prosecuting authorities, within the terms of its statutory mandate, as
further described immediately below. The fact that, at the time of making the request referral for criminal
prosecution is being contemplated does not exclude that, other sanctions than criminal ones may be
pursued by that authority. Thus, mutual legal assistance obtained under Article 8(1) may lead the
requesting administrative authority to the conclusion that pursuance of criminal proceedings or criminal
referral would not be appropriate. These possible consequences do not affect the obligation upon the
Contracting Parties to provide assistance under this Article.

However, the requesting administrative authority may not use Article 8(1) to request assistance where
criminal prosecution or referral is not being contemplated, or for matters in which the conduct under
investigation is not subject to criminal sanction or referral under the laws of the requesting State.

The European Union recalls that the subject matter of the Agreement for its part falls under the provisions
on police and judicial cooperation in criminal matters set out in Title VI of the Treaty on European Union
and that the Agreement has been concluded within the scope of these provisions.

On Article 9

Article 9(2)(b) is meant to ensure that refusal of assistance on data protection grounds may be invoked
only in exceptional cases. Such a situation could arise if, upon balancing the important interests involved
in the particular case (on the one hand, public interests, including the sound administration of justice and,
on the other hand, privacy interests), furnishing the specific data sought by the requesting State would raise
difficulties so fundamental as to be considered by the requested State to fall within the essential interests
grounds for refusal. A broad, categorical, or systematic application of data protection principles by the
requested State to refuse cooperation is therefore precluded. Thus, the fact the requesting and requested
States have different systems of protecting the privacy of data (such as that the requesting State does not
have the equivalent of a specialised data protection authority) or have different means of protecting
personal data (such as that the requesting State uses means other than the process of deletion to protect
the privacy or the accuracy of the personal data received by law enforcement authorities), may as such not
be imposed as additional conditions under Article 9(2a).

On Article 14

Article 14 provides that the Agreement shall not preclude the conclusion, after its entry into force, of bilat-
eral agreements on mutual legal assistance between a Member State and the United States of America
consistent with the Agreement.
L 181/42 EN Official Journal of the European Union 19.7.2003

Should any measures set forth in the Agreement create an operational difficulty for the United States of
America and one or more Member States, such difficulty should in the first place be resolved, if possible,
through consultations between the Member State or Member States concerned and the United States of
America, or, if appropriate, through the consultation procedures set out in the Agreement. Where it is not
possible to address such operational difficulty through consultations alone, it would be consistent with the
Agreement for future bilateral agreements between a Member State and the United States of America to
provide an operationally feasible alternative mechanism that would satisfy the objectives of the specific
provision with respect to which the difficulty has arisen.
8.9.2017 CURIA - Documents

Provisional text

OPINION OF ADVOCATE GENERAL

MENGOZZI
delivered on 8 September 2016 (1)

Opinion 1/15

(Request for an opinion submitted by the European Parliament)

(Request for an opinion — Admissibility — Draft agreement between Canada and the European Union on the
transfer and processing of Passenger Name Record data — ‘Passenger Name Record ()’ data — Compatibility of the
draft agreement with Article 16 TFEU and Articles 7 and 8 and Article 52(1) of the Charter of Fundamental Rights of
the European Union — Legal basis)

Table of contents

I – Introduction

II – Legal framework

III – Background to the agreement envisaged

IV – The procedure before the Court

V – The admissibility of the request for an opinion

VI – The appropriate legal basis for the act concluding the agreement envisaged (second question)

A – Analysis of the arguments of the Parliament and the other interested parties

B – Assessment

1. The purpose and the content of the agreement envisaged

2. The appropriate legal basis

(a) The relevance of Article 82(1)(d) and Article 87(2)(a) TFEU

(b) The need to base the act concluding the agreement envisaged on the first subparagraph of Article 16(2)
TFEU

VII – The compatibility of the agreement envisaged with the provisions of the FEU Treaty and the Charter (first
question)

A – Analysis of the Parliament’s request and observations and also of the observations of the other interested parties

1. Analysis of the Parliament’s request and observations

2. Analysis of the observations of the other interested parties

B – Assessment

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=&… 1/46
8.9.2017 CURIA - Documents
1. Preliminary observations

2. The existence of an interference with the rights guaranteed by Articles 7 and 8 of the Charter

3. The justification for the interference with the rights guaranteed by Articles 7 and 8 of the Charter

(a) An interference ‘provided for by law’, within the meaning of Article 52(1) of the Charter

(b) An interference meeting an objective of general interest

(c) The proportionality of the interference constituted by the agreement envisaged

i) General considerations

ii) The ability of the interference to achieve the ‘public security’ objective pursued by the agreement
envisaged

iii) The strict necessity for the interference

– The categories of PNR data covered by the agreement envisaged

– The sufficiently precise nature of the purpose for which PNR data processing is authorised

– The scope ratione personae of the agreement envisaged

– Identification of the competent authority responsible for processing the PNR data

– The automated processing of the PNR data

– Access to the PNR data

– The retention of the PNR data

– The disclosure and subsequent transfer of the PNR data

– The administrative surveillance and judicial control measures

VIII – Conclusion

I – Introduction

1. In application of Article 218(11) TFEU, the European Parliament has requested the Court to deliver an opinion
on the agreement envisaged between Canada and the European Union on the transfer and processing of Passenger
Name Record data (‘the agreement envisaged’), in order to enable it to answer the Council of the European Union’s
request, of July 2014, that the Parliament should approve the proposal for a decision on the conclusion of the
agreement envisaged. (2)

2. Schematically, the agreement envisaged provides that Passenger Name Record data (‘PNR data’), which is
collected from passengers for the purpose of reserving flights between Canada and the European Union, is to be
transferred to the Canadian competent authorities and then processed and used by those authorities in order to prevent
and detect terrorist offences and other serious transnational criminal offences, while providing a number of
guarantees in relation to privacy and the protection of passengers’ personal data.

3. The request for an opinion, which concerns both the compatibility of the agreement envisaged with primary
EU law and the appropriate legal basis for the Council decision concluding the agreement envisaged, is worded as
follows:

‘Is the [agreement envisaged] compatible with the provisions of the Treaties (Article 16 TFEU) and the Charter of
Fundamental Rights of the European Union (Articles 7, 8 and Article 52(1)) as regards the right of individuals to
protection of personal data?

Do Articles 82(1)(d) and 87(2)(a) TFEU constitute the appropriate legal basis for the act of the Council concluding
the [agreement envisaged] or must that act be based on Article 16 TFEU?’

4. Irrespective of its content, the Court’s answer to that request will necessarily have implications for the
Agreements already in force between the European Union and Australia (3) and the European Union and the United

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=&… 2/46
8.9.2017 CURIA - Documents

States of America, (4) and also on the future Passenger Name Record system, put in place within the Union itself,
which was recently approved by the Parliament, although the present proceedings were still pending. (5)

5. The present request for an opinion requires an examination of questions which are both unprecedented and
delicate.

6. From the aspect of determining the appropriate legal basis for the act concluding the agreement envisaged, this
request must lead the Court, in particular, to examine for the first time the scope of Article 16(2) TFEU, which was
introduced following the adoption of the Treaty of Lisbon, and also the way in which that article interacts with the
Treaty provisions on the area of freedom, security and justice (‘the AFSJ’). In that regard, as I shall show in this
Opinion, (6) the objectives pursued by and the content of the agreement envisaged are interdependent and the act
concluding that agreement must therefore in my view be based on both Article 16 TFEU and Article 87(2)(a) TFEU.

7. This is also the first time that the Court will be required to rule on the compatibility of a draft international
agreement with the fundamental rights enshrined in the Charter of Fundamental Rights of the European Union (‘the
Charter’), and more particularly with those relating to respect for private and family life, guaranteed by Article 7, and
the protection of personal data, guaranteed by Article 8. The examination of that question will thus undoubtedly
benefit from the valuable guidance to be derived from the judgments of 8 April 2014, Digital Rights Ireland and
Others (C‑293/12 and C‑594/12, EU:C:2014:238), and of 6 October 2015, Schrems (C‑362/14, EU:C:2015:650). As
will be more fully explained, I consider that it is indeed appropriate to follow the route outlined by those judgments
and to subject the agreement envisaged to a strict review of compliance with the requirements laid down in Articles 7
and 8 and Article 52(1) of the Charter. Nonetheless, it must be borne in mind that the draft agreement referred to the
Court is the outcome of international negotiations with a third country, which, in the absence of a satisfactory
agreement, may well decline to conclude the agreement envisaged and prefer, as it does now, to apply its system
unilaterally to air carriers established in the EU which provide flights to Canada.

8. That does not mean that the Court must lower the degree of vigilance which it has shown in relation to respect
for the fundamental rights protected in EU law. It is necessary that, at a time when modern technology allows the
public authorities, in the name of combating terrorism and serious transnational crime, to develop extremely
sophisticated methods of monitoring the private life of individuals and analysing their personal data, the Court should
ensure that the proposed measures, even when they take the form of international agreements envisaged, reflect a fair
balance between the legitimate desire to maintain public security and the equally fundamental right for everyone to be
able to enjoy a high level of protection of his private life and his own data.

9. As my subsequent observations will illustrate, it cannot be denied that the contracting parties have attempted,
sometimes insufficiently, to strike a balance between those two objectives inseparably pursued by the agreement
envisaged. To my mind, that effort must be acknowledged. However, without calling in question either the object of
or the need for the agreement envisaged, I consider, as this Opinion will demonstrate, that in order to be compatible
with Articles 7 and 8 and Article 52(1) of the Charter, the agreement envisaged will have to be brought up to date
and/or some of its present terms will have to be deleted so that it does not exceed what is strictly necessary in order to
achieve its security objective.

II – Legal framework

10. Article 16 TFEU provides as follows:

‘1. Everyone has the right to the protection of personal data concerning them.

2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall
lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union
institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the
scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be
subject to the control of independent authorities.

…’

11. Article 82 TFEU, in Chapter 4, entitled ‘Judicial cooperation in criminal matters’, of Title V of Part Three of
that Treaty, provides:

‘1. Judicial cooperation in criminal matters in the Union shall be based on the principle of mutual recognition of
judgments and judicial decisions and shall include the approximation of the laws and regulations of the Member
States in the areas referred to in paragraph 2 …

The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall adopt
measures to:

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=&… 3/46
8.9.2017 CURIA - Documents

(d) facilitate cooperation between judicial or equivalent authorities of the Member States in relation to proceedings
in criminal matters and the enforcement of decisions.

…’

12. Article 87 TFEU, which is part of Chapter 5, entitled ‘Police cooperation’, of Title V of Part Three of that
Treaty, provides as follows:

‘1. The Union shall establish police cooperation involving all the Member States’ competent authorities, including
police, customs and other specialised law enforcement services in relation to the prevention, detection and
investigation of criminal offences.

2. For the purposes of paragraph 1, the European Parliament and the Council, acting in accordance with the
ordinary legislative procedure, may establish measures concerning:

(a) the collection, storage, processing, analysis and exchange of relevant information;

…’

13. Article 7 of the Charter states:

‘Everyone has the right to respect for his or her private and family life, home and communications.’

14. Article 8 of the Charter states:

‘1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person
concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been
collected concerning him or her, and the right to have it rectified.

3. Compliance with these rules shall be subject to control by an independent authority.’

15. Article 52 of the Charter, entitled ‘Scope and interpretation of rights and principles’, provides as follows:

‘1. Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by
law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may
be made only if they are necessary and genuinely meet objectives of general interest recognised by the or the need to
protect the rights and freedoms of others.

…’

16. Protocol (No 21) on the position of the United Kingdom and Ireland in respect of the area of freedom, security
and justice provides as follows, in Articles 1, 3 and 6a:

‘Article 1

Subject to Article 3, the United Kingdom and Ireland shall not take part in the adoption by the Council of proposed
measures pursuant to Title V of Part Three of the [TFEU]. The unanimity of the members of the Council, with the
exception of the representatives of the governments of the and , shall be necessary for decisions of the Council which
must be adopted unanimously.

For the purposes of this Article, a qualified majority shall be defined in accordance with Article 238(3) [TFEU].

Article 3

1. The United Kingdom or Ireland may notify the President of the Council in writing, within three months after a
proposal or initiative has been presented to the Council pursuant to Title V of Part Three of the [TFEU], that it wishes
to take part in the adoption and application of any such proposed measure, whereupon that State shall be entitled to
do so.

Article 6a
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=&… 4/46
8.9.2017 CURIA - Documents

The United Kingdom and Ireland shall not be bound by the rules laid down on the basis of Article 16 [TFEU] which
relate to the processing of personal data by the Member States when carrying out activities which fall within the
scope of Chapter 4 or Chapter 5 of Title V of Part Three of that Treaty where the United Kingdom and Ireland are not
bound by the rules governing the forms of judicial cooperation in criminal matters or police cooperation which
require compliance with the provisions laid down on the basis of Article 16.’

17. Protocol (No 22) on the position of Denmark provides as follows, in Articles 1, 2 and 2a:

‘Article 1

shall not take part in the adoption by the Council of proposed measures pursuant to Title V of Part Three of the
[TFEU]. The unanimity of the members of the Council, with the exception of the representative of the government of
, shall be necessary for the decisions of the Council which must be adopted unanimously.

For the purposes of this Article, a qualified majority shall be defined in accordance with Article 238(3) of the
[TFEU].

Article 2

None of the provisions of Title V of Part Three of the [TFEU], no measure adopted pursuant to that Title, no
provision of any international agreement concluded by the Union pursuant to that Title, and no decision of the Court
of Justice of the European Union interpreting any such provision or measure or any measure amended or amendable
pursuant to that Title shall be binding upon or applicable in Denmark; and no such provision, measure or decision
shall in any way affect the Community or Union acquis nor form part of Union law as they apply to Denmark. …

Article 2a

Article 2 of this Protocol shall also apply in respect of those rules laid down on the basis of Article 16 [TFEU] which
relate to the processing of personal data by the Member States when carrying out activities which fall within the
scope of Chapter 4 or Chapter 5 of Title V of Part Three of that Treaty.’

III – Background to the agreement envisaged

18. On 18 July 2005, the Council approved the Agreement between the European Community and the Government
of Canada on the processing of Advance Passenger Information and Passenger Name Record data (‘the 2006
Agreement’). (7)

19. In accordance with the preamble thereto, the 2006 Agreement was concluded having regard to the Government
of Canada requirement of air carriers carrying persons to Canada to provide Advance Passenger Information and
Passenger Name Record data (‘API/ data’) to the Canadian competent authorities, to the extent that it is collected and
contained in carriers’ automated reservation systems and departure control systems.

20. According to Article 1 of the 2006 Agreement, the purpose of that agreement was ‘to ensure that / data of
persons on eligible journeys is provided in full respect of fundamental rights and freedoms, in particular the right to
privacy’. The competent authority for Canada was, in accordance with Annex I to the 2006 Agreement, ‘the Canada
Border Services Agency ()’.

21. In the light of that commitment, the European Commission, acting on the basis of Article 25(2) of Directive
95/46/EC, (8) adopted Decision 2006/253/EC, (9) Article 1 of which provided that the was to be considered to ensure
an adequate level of protection for data transferred from the European Community concerning flights bound for
Canada. As Decision 2006/253 expired in September 2009 (10) and the duration of the 2006 Agreement was linked to
the duration of that decision, (11) that agreement therefore also expired in September 2009.

22. On 5 May 2010, the Parliament adopted a Resolution on the launch of negotiations for Passenger Name
Record (PNR) data agreements with the United States, Australia and Canada. (12) In that resolution, the Parliament
called for a coherent approach on the use of data for law enforcement and security purposes, establishing a single set
of principles to serve as a basis for agreements with third countries. To that end, it invited the Commission to present
a proposal for such a single model and a draft mandate for negotiations with third countries, while setting out the
minimum requirements to be met. (13)

23. On 21 September 2010, the Commission adopted three proposals aimed at authorising the initiation of
negotiations with the , and . (14) Subsequently, agreements were signed and concluded with the and , with the
approval of the Parliament. (15) Those agreements entered into force in 2012.

24. Following the close of the negotiations with Canada, the Commission, on 19 July 2013, adopted proposals for
Council decisions relating to the signature and conclusion of the agreement envisaged.

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=&… 5/46
8.9.2017 CURIA - Documents

25. The European Data Protection Supervisor (‘the EDPS’) delivered his opinion on those proposals on
30 September 2013. (16) In that opinion, the EDPS raised a number of questions concerning the necessity and
proportionality of schemes and of bulk transfers of data to third countries, cast doubt on the choice of the substantive
legal basis and made various observations and proposals concerning the various provisions of the agreement
envisaged.

26. On 5 December 2013, the Council adopted a decision on the signature of the agreement envisaged, which had
not been amended following the opinion of the EDPS. The agreement envisaged was signed on 25 June 2014, subject
to its conclusion at a later date.

27. By letter dated 7 July 2014, the Council sought the Parliament’s approval of the draft decision relating to the
conclusion, on behalf of the Union, of the agreement envisaged. That draft decisions refers, as legal bases, to
Article 82(1)(d) TFEU and Article 87(2)(a) TFEU read in conjunction with Article 218(6)(a)(v) TFEU.

28. On 25 November 2014, the Parliament decided to request the Court to provide the present opinion, submitting
the questions set out in paragraph 3 of this Opinion.

IV – The procedure before the Court

29. Following the submission of the request by the Parliament, written observations were lodged by the Bulgarian
and Estonian Governments, Ireland, the Spanish, French and United Kingdom Governments and by the Council and
the Commission.

30. The Court put a number of questions to be answered in writing, concerning, in particular, certain practical and
factual aspects of the processing of the data, the legal basis for the agreement envisaged, the scope ratione territoriae
of that agreement and the compatibility of its terms with the provisions of the FEU Treaty and the Charter, in the light
of the guidance to be derived from the case-law, especially the judgments of 8 April 2014, Digital Rights Ireland and
Others (C‑293/12 and C‑594/12, EU:C:2014:238), and of 6 October 2015, Schrems (C‑362/14, EU:C:2015:650).
Furthermore, in application of the second paragraph of Article 24 of the Statute of the Court of Justice of the
European Union, the Court requested the EDPS to answer those questions. The EDPS, and also Ireland, the Spanish,
French and United Kingdom Governments, the Parliament, the Council and the Commission, answered the questions
put to them within the prescribed period.

31. The representatives of the Estonian Government, Ireland, the Spanish, French and United Kingdom
Governments, those of the Parliament, the Council and the Commission, and the representative of the EDPS
presented oral argument at the hearing on 5 April 2016.

V – The admissibility of the request for an opinion

32. While the Bulgarian and Estonian Governments and the Commission share the Parliament’s view that the
request for an opinion is admissible in its entirety, the French Government and the Council question the admissibility
of the second question in the Parliament’s request, which deals with the appropriate legal basis for the Council
decision concluding the agreement envisaged.

33. In essence, the French Government and the Council claim that that question does not relate to either the power
of the European Union to conclude the agreement envisaged or the allocation of powers between the Union and the
Member States. In addition, they maintain that the possible incorrect application of Articles 82 and 87 TFEU would
have no impact on the procedure to be followed in adopting the Council act concluding the agreement envisaged, as
both the application of Article 16 TFEU and the application of Articles 82 and 87 TFEU require compliance with the
ordinary legislative procedure, in particular the approval of the Parliament, pursuant to Article 218(6)(a)(v) TFEU.

34. I suggest that the Court should declare the request for an opinion admissible in its entirety.

35. Generally, it should first of all be borne in mind that, in accordance with Article 218(11) TFEU and the case-
law of the Court, the opinion of the Court may be sought as to whether an ‘agreement envisaged’ (17) is compatible
with the substantive rules of the Treaties or with those which determine the extent of the powers of the European
Union and its institutions, including questions relating to the allocation of powers between the EU and the Member
States to conclude a specific agreement with third States, (18) as confirmed by Article 196(2) of the Rules of
Procedure of the Court of Justice.

36. There can thus be no doubt — as, moreover, all the interested parties acknowledge — that in so far as the
request for an opinion relates to the compatibility of the agreement envisaged with the substantive provisions of EU
primary law, including the provisions of the Charter, which have the same value as the Treaties, it is admissible. (19)

37. I consider that that is also the case of the second question, relating to the determination of the appropriate legal
basis for the act whereby the Council concludes the agreement envisaged.

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=&… 6/46
8.9.2017 CURIA - Documents

38. Admittedly, as the French Government and the Council have claimed, none of the interested parties has any
doubt that, in this instance, the European Union has the power to approve the agreement envisaged, nor is that
question the subject matter of the request for an opinion.

39. However, it should be noted that, when examining previous requests for opinions, the Court has already agreed
to answer the question of the appropriate legal basis for the act concluding the proposed agreements at issue. (20)
That position was based, in essence, on two essential considerations, which are closely linked.

40. The choice of the appropriate legal basis for the act concluding an international agreement has ‘constitutional
significance’ (21) since the Union has conferred powers only and must therefore be able to tie the international
agreements which are deemed to come within its legal order to a Treaty provision which empowers it to approve
those acts. The use of an incorrect legal basis is therefore apt to invalidate the act concluding the agreement and thus
to vitiate the European Union’s consent to be bound by that agreement. (22)

41. Furthermore, failure to take the opportunity to examine the choice of the appropriate legal basis for the act
concluding a draft agreement in the procedure for submitting a prior request to the Court might ultimately lead to
complications, both at EU level and in the international legal order, if the act concluding the agreement should
subsequently be declared invalid because of the error in the legal basis. In fact, the preventive procedure laid down in
Article 218(11) TFEU is specifically designed to ensure that such complications cannot arise, in the interest of the
contracting parties. (23)

42. Although they do not deny the existence of that case-law, the French Government and the Council maintain, in
essence, that none of the legal complications to which the Court has referred in its previous opinions could arise in
the present case. Thus, according to those interested parties, in the present case, the choice of Article 16 TFEU as the
substantive legal basis for the agreement envisaged, as defended by the Parliament in its request for an opinion,
would not affect the allocation of powers between the Union and the Member States, nor would it lead to a ‘different
legislative procedure’ from that followed by the Council and the Commission in the present case, within the meaning
of those opinions.

43. That argument lacks conviction.

44. It should be pointed out that the situations to which the Court referred in paragraph 5 of Opinion 2/00 of
6 December 2001 (EU:C:2001:664), and paragraph 110 of Opinion 1/08 of 30 November 2009 (EU:C:2009:739),
respectively, are merely examples of situations in which the use of an incorrect legal basis is liable to vitiate the
European Union’s consent to be bound by the agreement to which it has subscribed or to entail legal difficulties at
internal level or in the Union’s external relations. The two situations referred to in those paragraphs of the two
opinions — namely the situation in which the EU has committed itself although the Treaty does not confer on it
sufficient power to ratify an agreement in its entirety, which calls for an examination of the allocation of powers
between the European Union and the Member States, and the situation in which the appropriate legal basis for the act
concluding the agreement provides for a different legislative procedure from that actually followed by the
institutions — were introduced by the expression ‘that is so in particular where’. Other situations giving rise to legal
difficulties at internal EU level or in the context of international relations cannot therefore be precluded.

45. Next, it must not be forgotten that the opinion procedure is of a non-contentious and preventive nature, (24)
which to my mind justifies a certain flexibility on the part of the Court when it examines the admissibility of a
question relating to the appropriate legal basis for the act concluding an agreement envisaged.

46. Thus, at the admissibility stage, I consider that the Court must simply ask whether, if it declines to answer the
question referred to it, there will be a serious risk that the act concluding the agreement may subsequently be declared
invalid, on the same ground as that raised in the request for an opinion, resulting in a situation giving rise to
difficulties at internal EU level or in the context of external relations that the opinion procedure could have prevented.

47. In the present case, I am convinced that such a risk cannot be precluded.

48. In fact, as I shall examine later in the present Opinion, the grounds which the Parliament puts forward in
support of the argument that Article 16 TFEU constitutes the appropriate substantive legal basis for the act
concluding the agreement envisaged are very serious, to such an extent that I consider them to be well founded in
part.

49. Consequently, failure to answer that argument in the present procedure would be apt to lead the Parliament to
challenge the validity of the act concluding the agreement or, as the case may be, to lead a national court hearing an
action brought by an individual harmed by the transfer of his data to the Canadian competent authority to request the
Court to give a preliminary ruling on the validity of the agreement and the act concluding it.

50. Furthermore, to my mind the French Government and the Council are wrong to play down the consequences of
a declaration that the act concluding the agreement envisaged is invalid if it should eventually transpire that,

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=&… 7/46
8.9.2017 CURIA - Documents

following an action for annulment or a request for a preliminary ruling on validity, that act ought to have been
adopted, as the Parliament maintains, on the sole legal basis of Article 16 TFEU.

51. In fact — and I shall return to this point later —, and as suggested in certain written observations, if Article 16
TFEU were taken as the sole legal basis of the act concluding the agreement envisaged, that would alter the status of
the Kingdom of Denmark, Ireland and the United Kingdom of Great Britain and Northern Ireland, as those Member
States would then be directly and automatically bound by the agreement, contrary to Article 29 of the agreement
envisaged. As regards the Kingdom of Denmark, in particular, any international commitment that it might have
concluded with Canada, alongside the agreement envisaged, would then be unlawful, since that Member State would
no longer have the necessary power to give such a commitment.

52. It therefore seems to me that, all things considered, by analogy with the Court’s observation in paragraph 47 of
Opinion 1/13 of 14 October 2014 (EU:C:2014:2303), it is particularly appropriate that the Court should answer the
second question in the present request for an opinion in order, in particular, to forestall the legal complications that
might be caused by situations in which a Member State enters into international commitments without the requisite
authorisation when, under EU law, it would no longer have the necessary power to enter into or give effect to such a
commitment.

53. I therefore propose that the Court should declare that the second question raised by the Parliament in its
request for an opinion is admissible.

54. Furthermore, as that question relates to the procedural validity of the act concluding the agreement and
requires an analysis of the objectives and the content of the agreement envisaged, I suggest that it should be dealt
with before the question relating to the compatibility of the agreement with the provisions of the FEU Treaty and the
rights enshrined in the Charter.

VI – The appropriate legal basis for the act concluding the agreement envisaged (second question)

A– Analysis of the arguments of the Parliament and the other interested parties

55. The Parliament and all the interested parties who have lodged observations are agreed that, in accordance with
the case-law of the Court, the choice of the legal basis must be founded on objective criteria amenable to judicial
review, and those objective criteria include the purpose and the content of the act at issue.

56. The Parliament emphasises that the agreement envisaged has two purposes, which are set out in Article 1
thereof. However, the main purpose of the agreement envisaged is to ensure the protection of personal data. In the
Parliament’s submission, the agreement envisaged has an effect analogous to an ‘adequacy decision’ and its aim is to
replace Commission Decision 2006/253, adopted under Article 25(6) of Directive 95/46, in which the Commission
established, in the context of the 2006 Agreement, the adequate level of protection of the data transferred to the
CBSA. In addition, the agreement envisaged does not seek to create an obligation for air carriers to transfer data to
the Canadian or European police authorities, which makes it difficult to justify the choice of Article 82(1)(d) and
Article 87(2)(a) TFEU as the substantive legal bases. According to the case-law, those findings justify, in the
Parliament’s view, that the agreement envisaged should be founded on the legal basis corresponding to the main
purpose of the agreement envisaged, namely, in this instance, Article 16 TFEU. The content of the agreement
envisaged confirms that assessment. The Parliament states, last, that Article 16 TFEU permits the adoption of rules
on the protection of personal data in all fields of EU law, including the ‘AFSJ’.

57. In answer to a question put at the hearing before the Court, the Parliament stated that, in the event that the
Court should consider that the agreement envisaged pursues inseparable purposes, it had no objection to the act
concluding the agreement envisaged being based on Article 16, Article 82(1)(d) and Article 87(2)(a) TFEU.

58. With the exception of the Spanish Government and the EDPS and also, in the context of an alternative
observation, the French Government, the other interested parties maintain that the purpose of the agreement
envisaged is to combat terrorism and serious transnational crime, while data protection constitutes, in essence, only
an instrument whereby that purpose may be achieved. In that regard, the Commission observes that, in the judgment
of 30 May 2006, Parliament v Council and Commission (C‑317/04 and C‑318/04, EU:C:2006:346, paragraph 56), the
Court held that the transfer of data to the United States constituted processing operations concerning public security
and the activities of the Member States in areas of criminal law. The choice of the legal basis for the act concluding
the agreement envisaged should be made in accordance with that reasoning.

59. The great majority of those interested parties further submit that, if data protection were to be considered to
constitute an objective of the agreement envisaged, that objective would be merely incidental to the main purpose and
would therefore have no consequence on the actual choice of the legal basis for the act concluding the agreement. In
that regard, the Council and the Commission submit that acts having as their purpose the implementation of sectoral
policies requiring the processing of personal data should be based on the legal basis corresponding to the policy
concerned and not on Article 16 TFEU.
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=&… 8/46
8.9.2017 CURIA - Documents

60. As for the possibility of combining Article 16, Article 82(1)(d) and Article 87(2)(a) TFEU as the substantive
legal bases of the act concluding the agreement envisaged, the French Government maintains, in the alternative, in its
written observations, that such a combination is perfectly conceivable. On the other hand, and the Council maintain
the opposite. At the hearing before the Court, the Council submitted that the voting procedure within the Council, as
defined in Protocols (No 21) and (No 22), would preclude such a hypothesis.

B – Assessment

61. According to settled case-law, the choice of the legal basis for a European Union measure, including the
measure adopted for the purpose of concluding an international agreement, must rest on objective factors amenable to
judicial review, which include the purpose and the content of that measure. If examination of the EU measure reveals
that it pursues a twofold purpose or that it has a twofold component, and if one of those is identifiable as the main or
predominant purpose or component, whereas the other is merely incidental, the act must be based on a single legal
basis, namely, that required by the main or predominant purpose or component. (25)

62. However, the Court accepts, ‘by way of exception’, that an act may be founded on various legal bases
corresponding to the number of the objectives or components of that act where those objectives or components are
inseparably linked, without one being incidental in relation to the other. (26) In such a case, the Court further
ascertains whether recourse to more than one legal basis might be precluded on the ground that the procedures laid
down for the different legal bases are mutually incompatible. (27)

63. It is in the light of that case-law that it must be determined whether, having regard to the purpose and the
content of the agreement envisaged, the act concluding that agreement should be based exclusively on Article 82(1)
(d) and Article 87(2)(a) TFEU, as substantive legal bases, as the Council’s draft decision indicates and as most of the
interested parties maintain, or whether it should be based on Article 16 TFEU, whether exclusively or read in
conjunction with those two articles. (28)

64. On the latter point, I would make clear that, contrary to the Council’s contention in its written observations, the
Court is in my view perfectly entitled, in the light of the non-contentious and preventive nature of the opinion
procedure, to examine the second question submitted by the Parliament from the angle of the combination of
substantive legal bases, even though the wording of that question does not envisage it. Furthermore, the interested
parties had the opportunity, both during the written procedure and at the hearing, to express their views on that point.

65. That is all the more important because the examination of the purpose and the content of the agreement
envisaged must in my view lead to the finding that the agreement pursues two objectives and has two components,
although, overall, neither those two objectives nor those different components can be ranked and separated. To my
mind, that justifies the act concluding the agreement envisaged taking as its substantive legal bases Article 16 and
Article 87(2)(a) TFEU, which means that the procedures referred to in those two articles may co-exist.

1. The purpose and the content of the agreement envisaged

66. It is apparent from the second paragraph of the preamble to the agreement envisaged that the contracting
parties recognise ‘the importance of preventing, combating, repressing and eliminating terrorism and terrorist-related
offences, as well as other serious transnational crime, while preserving fundamental rights and freedoms, in particular
rights to privacy and data protection’, while the fourth paragraph further states that the use of data is a critically
important instrument to pursue those goals.

67. The simultaneous pursuit of the objective of combating terrorism and other serious transnational crime and
respecting private life and the protection of personal data is confirmed by the fifth and sixth paragraphs of the
preamble, which emphasise, respectively, the contracting parties’ desire to ‘safeguard public security’ and the
recognition that they ‘share common values with respect to data protection and privacy’.

68. Likewise, it is expressly stated in the 15th paragraph of the preamble that Canada has given a commitment that
its competent authority will process ‘PNR data for the purpose of preventing, detecting, investigating and prosecuting
terrorist offences and serious transnational crime in strict compliance with safeguards on privacy and the protection of
personal data, as set out in [the agreement envisaged]’.

69. The agreement envisaged is therefore intended to allow Canada to process the data of passengers carried by
airlines flying between the European Union and Canada, for the purpose of combating terrorism and other serious
transnational crime while safeguarding the right to respect for privacy and the right to protection of personal data
under the conditions laid down in the agreement envisaged itself.

70. The need to reconcile those two objectives is confirmed out by Article 1 of the agreement envisaged, which
states that the contracting parties are to set out the conditions for the transfer and use of data ‘to ensure the security
and safety of the public and prescribe the means by which the data is protected’.

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=&… 9/46
8.9.2017 CURIA - Documents

71. It is also clear on examining the content of the agreement envisaged that the means of combating terrorism and
other serious transnational crime by the transfer and processing of data is authorised only if the data in question
benefits from an adequate level of protection.

72. Thus, in the words of Article 3(1) of the agreement envisaged, Canada is to ensure that the Canadian
competent authority processes data received ‘strictly for the purpose of preventing, detecting, investigating or
prosecuting terrorist offences or serious transnational crime’, while making clear that that processing must be carried
out ‘pursuant to this Agreement’. That means, in particular, that, in application of Article 5 of the agreement
envisaged, ‘subject to compliance with [that agreement], the Canadian Competent Authority is deemed to provide an
adequate level of protection, within the meaning of relevant European Union data protection law’.

73. Likewise, in the context of the retention of data and the gradual depersonalisation of that data by masking,
provided for in Article 16 of the agreement envisaged, paragraph 4 of that article authorises the subsequent
unmasking of that data by the Canadian authorities only where, ‘on the basis of available information, it is necessary
to carry out investigations under the scope of Article 3’ of the agreement envisaged.

74. In addition, Articles 18(1) and 19(1) of the agreement envisaged authorise the subsequent disclosure of the
data to other Canadian government authorities or to government authorities in third countries only in strictly limited
circumstances, including where the authorities in question perform ‘functions [which] are directly related to the scope
of Article 3 [of the agreement envisaged]’ and where those authorities afford ‘protection equivalent to the safeguards
described in [the agreement envisaged]’.

75. However, although the need to reconcile the two objectives is not affected, some of the terms of the agreement
envisaged are more concerned with the aim of combating terrorism and serious transnational crime while others are
more concerned with the aim of safeguarding adequate protection of personal data.

76. Thus, as specifically regards the first objective, under Article 6(2) of the agreement envisaged Canada is
required to share, in specific cases, and at the request of the European Police Office (Europol), the European Union
Judicial Cooperation Unit (Eurojust), within the scope of their respective mandates, or the police or a judicial
authority of a Member State of the European Union, data or analytical information containing data obtained under the
agreement envisaged ‘to prevent, detect, investigate, or prosecute within the European Union a terrorist offence or
serious transnational crime’. Under Article 23(2) of the agreement envisaged, moreover, it is provided that the
contracting parties are to cooperate to pursue the coherence of their respective data processing regimes ‘in a manner
that further enhances the security of citizens of Canada, the European Union and elsewhere’.

77. As for the terms relating rather to the guarantees afforded by the agreement envisaged concerning data
protection, the agreement lays down a number of rules relating to data security and integrity (Article 9 of the
agreement envisaged), access, correction and annotation of data for individuals (Articles 12 and 13 of the agreement
envisaged), oversight of data processing and administrative and judicial redress for the persons concerned
(Articles 10 and 14 of the agreement envisaged).

78. In the light of the aim and the content of the agreement envisaged, that agreement therefore pursues two
objectives and has two essential components, as, in fact, most of the interested parties have acknowledged or at least
conceded.

79. Contrary to what the interested parties assert in support of opposing arguments, it is indeed difficult, in my
view, to determine which of those two objectives prevails over the other.

80. In fact, as the description of the aim and the content of the agreement envisaged tends to show, those two
objectives must be pursued simultaneously and in fact appear to be inseparable. As I have emphasised, the transfer to
and processing of data by the Canadian competent authority for the purposes set out in Article 3 of the agreement
envisaged are authorised only where those operations are accompanied by adequate protection of the data, within the
meaning of European Union data protection law, in accordance with Article 5 of the agreement envisaged. In other
words, if such protection is not ensured, the transfer of the data provided for in the agreement envisaged cannot be
lawfully effected. In addition, the guarantees laid down in the agreement envisaged in terms of protection of personal
data are necessary only because the data must be transferred to the Canadian competent authority under the Canadian
legislation and the terms of the agreement envisaged. As illustrated by a number of provisions of the agreement
envisaged, such as Articles 16, 18 and 19 thereof, the agreement envisaged is therefore designed to reconcile the
security objective with the objective of protecting the fundamental rights of the individuals concerned, particularly
the right to protection of their personal data.

81. All in all, I consider that those two objectives and those two components of the agreement envisaged are
inseparably linked and that neither of them is secondary and indirect by reference to the other.

82. That assessment cannot be undermined by the Commission’s argument, based on paragraph 56 of the judgment
of 30 May 2006, Parliament v Council and Commission (C‑317/04 and C‑318/04, EU:C:2006:346), that the Court

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 10/46
8.9.2017 CURIA - Documents

has held that the transfer of data to the United States constituted processing operations concerning public security and
the activities of the Member States in areas of criminal law.

83. First of all, the present opinion procedure has as its subject matter the agreement envisaged with Canada and
not the first agreement concluded with the United States in 2004 and the Commission adequacy decision adopted in
that year, to which the actions for annulment brought by the Parliament related.

84. Next, and more fundamentally, the Commission is taking out of context the finding made by the Court in
paragraph 56 of the judgment of 30 May 2006, Parliament v Council and Commission (C‑317/04 and C‑318/04,
EU:C:2006:346), which, it must be recalled, was delivered well before the adoption of the Treaty of Lisbon.

85. The Court was asked by the Parliament to determine, in particular, whether the Commission was authorised to
adopt an adequacy decision, based on Article 25 of Directive 95/46 on the adequate protection of personal data
contained in the Passenger Name Record of air passengers transferred to the United States, when Article 3(2) of that
directive expressly excluded from its scope processing operations concerning, in particular, public security and the
activities of the State in areas of criminal law. The Court logically replied in the negative. In fact, the processing of
the data in the context of the agreement with the United States could not be associated with the supply of services, but
fell within a framework established by the public authorities that related to public security, which did not come within
the scope of Directive 95/46. (29)

86. That finding does not mean that the Court made a definitive ruling on the object of agreements, including, for
the purpose of the argument, the object of the agreement envisaged or, a fortiori, that it definitively held that the
exclusive, principal or predominant objective of those agreements is to combat terrorism or serious transnational
crime, as the Commission wrongly implies.

87. Nor, clearly, does the finding of the Court in the judgment of 30 May 2006, Parliament v Council and
Commission (C‑317/04 and C‑318/04, EU:C:2006:346) mean that, in ruling on the scope ratione materiae of
Directive 95/46, the Court on the same occasion defined in advance the limits of the scope ratione materiae of
Article 16 TFEU.

88. In support of the argument that the security objective of the agreement envisaged is predominant and therefore
justifies the legal basis chosen, the Commission also attempts to draw an analogy between the present case and the
case giving rise to the judgment of 6 May 2014, Commission v Parliament and Council (C‑43/12, EU:C:2014:298).

89. In that case, which concerned the determination of the appropriate legal basis for Directive 2011/82/EU of the
European Parliament and of the Council of 25 October 2011 facilitating the cross-border exchange of information on
road safety related traffic offences, (30) the Court, after establishing that the predominant objective of that directive
was to improve road safety (and therefore transport safety), held that the information exchange system set up by the
directive provides ‘the means of pursuing [that] objective’. (31) The directive should therefore have been adopted not
on the basis of Article 87(2) TFEU (Police Cooperation) but on the basis of Article 91(1)(c) TFEU, under the title on
transport policy.

90. While I am prepared to accept that there is a partial analogy between the two situations, that does not alter the
conclusion that the agreement envisaged has two objectives and has two inseparable components. Thus, the fact that
the transfer of data to the Canadian competent authority may constitute the means whereby the contracting parties
pursue the public security objective of the agreement envisaged does not alter the finding that the object of the
agreement envisaged, as stated, in particular, in Article 1 of that agreement, is twofold. Moreover, the specific feature
of the agreement envisaged, which distinguishes it from Directive 2011/82, relates to the fact that the maximum
efficiency sought by the means consisting in the transfer of data in order to achieve the aims set out in Article 3 of the
agreement envisaged, must be weighed against the guarantees afforded to the protection of personal data laid down in
that agreement, which form part of the second objective pursued by that agreement.

91. Also lacking in conviction are the Parliament’s arguments in support of its position that the ‘centre of gravity’
of the agreement envisaged is predominantly situated in the guarantees which its terms afford to passengers in
relation to the protection of their data, which, it claims, means that the decision concluding that act should be based
exclusively on Article 16 TFEU.

92. It is incorrect to claim that the agreement envisaged lays down no obligation for the airlines to transfer the data
to the Canadian competent authority so that the data can be processed according to the purposes listed in Article 3 of
the agreement envisaged. It is true, as the Parliament remarked in its written observations, that Article 4(1) of the
agreement envisaged states that the Union is to ensure only that air carriers ‘are not prevented’ from transferring data
to the Canadian competent authority. However, it follows from the interpretation of that article, entitled ‘Ensuring
data is provided’, in conjunction with that of Articles 5, (32) 20 (33) and 21 (34) of the agreement envisaged, as,
moreover, the Parliament acknowledged in answer to a written question put by the Court, that air carriers are entitled

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 11/46
8.9.2017 CURIA - Documents

and in practice required to provide the Canadian competent authority systematically with access to the data for the
purposes defined in Article 3 of the agreement envisaged.

93. Furthermore, the object of the agreement envisaged cannot principally be treated as equivalent to an adequacy
decision, comparable to the decision which the Commission had adopted under the 2006 Agreement. (35) As already
stated, both the aim and the content of the agreement envisaged show, on the contrary, that that agreement is intended
to reconcile the two objectives which it pursues and that those objectives are inseparably linked.

94. What consequence, therefore, does that assertion have for the determination of the legal basis of the act
concluding the agreement envisaged?

2. The appropriate legal basis

95. As already stated, it is common ground that the draft Council decision concluding the agreement envisaged is
based on Article 82(1)(d) and Article 87(2)(a) TFEU, both of which come under Title V of Part Three of the FEU
Treaty, on the ‘Area of Freedom, Security and Justice’ (‘the AFSJ’).

96. In the light of the two objectives and the two inseparable components of the agreement envisaged described
above, those substantive legal bases seem to me to be relevant, at least in part, but insufficient. I consider it
appropriate and possible, having regard to the case-law, to base the act concluding the agreement envisaged on the
first subparagraph of Article 16(2) TFEU.

(a) The relevance of Article 82(1)(d) and Article 87(2)(a) TFEU

97. As for the first point, namely the relevance of Article 82(1)(d) and Article 87(2)(a) TFEU, it must first of all be
agreed that the construction of an AFSJ requires that the Union be able to exercise its external powers.

98. Except in the case of readmission agreements, provided for in Article 79(3) TFEU, relating to immigration
policy and not relevant in the present case, the EU has not been explicitly granted any general external powers in
relation to the AFSJ. However, Article 216(1) TFEU permits the Union to conclude international agreements,
including in the area of police and/or judicial cooperation in criminal matters, in particular where the conclusion of
such agreements is necessary in order to achieve one of the objectives referred to in the Treaties.

99. None of the interested parties questions that possibility. To my mind, however, the Court cannot merely rely on
that fact, but should devote argument to that question in the opinion which it is called upon to deliver.

100. If it is to be accepted that the Union has external powers in the sphere of the AFSJ, the exercise of those powers
in the sphere of police and judicial cooperation in criminal matters must be firmly fixed in the objectives pursued by
the AFSJ.

101. Those objectives are set out in Article 3(2) TEU and Article 67 TFEU. The first of those provisions states that
‘the Union shall offer its citizens an [AFSJ] without internal frontiers, in which the free movement of persons is
ensured in conjunction with appropriate measures with respect to external border controls … and the prevention and
combating of crime’. Article 67 TFEU, which opens Chapter 1 of Title V of Part Three of the FEU Treaty, provides,
in paragraph 3, that the Union ‘shall endeavour to ensure a high level of security through measures to prevent and
combat crime, racism and xenophobia, and through measures for coordination and cooperation between police and
judicial authorities and other competent authorities …’.

102. As Advocate General Bot correctly argued in his Opinion in Parliament v Council (C‑658/11, EU:C:2014:41,
points 111 and 112), the external dimension of the AFSJ is functional and instrumental having regard to the objectives
set out in those provisions. Accordingly, while the construction of the AFSJ may require external action on the part of
the Union, an agreement must, if it is to be able to be regarded as falling within the AFSJ, have a close link with
freedom, security and justice within the union, that is to say, a direct link between the purpose of safeguarding the
internal security of the Union and the police and/or judicial cooperation which is developed outside the Union. (36)

103. In a different context, but long the same lines, the Court, interpreting Article 87(2) TFEU in the light of
Article 67 TFEU, stated that, in order for an act of the Union, having regard to its purpose and its content, to be able
to be based on the first of those articles, it must be directly linked to the objectives set out in Article 67 TFEU. (37)

104. That, in my view, is indeed the case of the agreement envisaged.

105. In the first place, that agreement applies to the transfer, processing and use of data for the purposes of public
security and the activities of the State in areas of criminal law, (38) that is to say, more particularly, the prevention,
detection, investigation and prosecution of terrorist offences and serious transnational crime. According to Article 1
of the agreement envisaged, that agreement is intended to ‘ensure the security and safety of the public’, which clearly
means the security and safety of citizens of the Union, in particular those flying between Canada and the European

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 12/46
8.9.2017 CURIA - Documents

Union. (39) Furthermore, under Article 6(2) of the agreement envisaged Canada is required, at the request of, among
others, the police or a judicial authority of a Member State of the Union, to share, in specific cases, data or analytical
information containing data obtained under the agreement envisaged in order to prevent or detect ‘within the
European Union’ a terrorist offence or serious transnational crime.

106. In the second place, although the collection and initial transfer of the data are carried out by the air carriers, the
terms of the agreement envisaged constitute a legal framework established by the public authorities for criminal
purposes. (40) As already stated, the agreement envisaged thus establishes rules on access to data and/or analytical
information containing data by the Canadian competent authorities and also the subsequent sharing of such data with,
among others, the competent police and judicial authorities of the Union and its Member States and also with those of
third countries, in particular for the purposes set out in Article 3 of the agreement envisaged. Furthermore, as was
clear from the discussion before the Court, the five-year retention period for the data laid down in Article 16(1) and
(5) of the agreement envisaged was set with a view to enabling and facilitating investigations, prosecutions and
judicial proceedings relating, in particular, to international serious crime networks. In the light of the very open
wording of Article 16(5) of the agreement envisaged, those investigations and prosecutions are perfectly capable of
including those carried out by the police and judicial authorities of the Member States of the Union. Such rules fall, in
principle, within the sphere covered by police and judicial cooperation in criminal matters. (41)

107. I conclude, first, that in so far as it relates to measures which the Parliament and the Council may establish in
connection with ‘the collection, storage, processing, analysis and exchange of relevant information’ for the purposes
of police cooperation ‘in relation to the prevention, detection and investigation of criminal offences’ provided for in
Article 87(1) TFEU, Article 87(2)(a) TFEU constitutes an appropriate legal basis for the act concluding the
agreement envisaged. I would add, for all practical purposes, that that cooperation and those exchanges do not
necessarily have to be between authorities who are specifically defined, in national law, as police services in the strict
sense. Article 87(1) TFEU associates with police cooperation, in a particularly broad manner, ‘all the Member States’
competent authorities, including police, customs and other … law enforcement services’, (42) an expression which
perfectly authorises, in the context of the external dimension of the AFSJ, cooperation with the in order to safeguard
the internal security of the Union.

108. As regards, second, the ‘judicial cooperation in criminal matters’ aspect of the agreement envisaged, in spite of
the matters to which attention was drawn in paragraphs 105 and 106 of this Opinion, I confess to having some
hesitation in considering that the agreement envisaged may constitute a measure which contributes directly to
‘facilitat[ing] cooperation between judicial or equivalent authorities of the Member States in relation to proceedings
in criminal matters and the enforcement of decisions’, within the meaning of Article 82(1)(d) TFEU. As the United
Kingdom Government acknowledged in its reply to one of the written questions put by the Court, it is only in certain
cases that the agreement envisaged might promote such cooperation between Member States’ judicial authorities.
Such cooperation depends, however, on a number of parameters, both factual and legal, which are outside the terms
of the agreement envisaged. Cooperation between the judicial authorities of the Member States therefore appears to
be only an indirect consequence of the framework established by the agreement envisaged. Admittedly, the fact that
Article 6 of the agreement envisaged places an obligation not only on the Canadian competent authority but, more
generally, on ‘Canada’ to share data or analytical information with the judicial authorities of the Member States may
be understood as also imposing such an obligation on the judicial authorities of that third State. On the assumption
that that interpretation is correct and that an exchange of data between the judicial authorities may be envisaged, the
fact nonetheless remains that, as currently drafted, the agreement envisaged does not really seem to contribute to
facilitating cooperation between the judicial or equivalent authorities of the Member States. To my mind, it is only if
the Court were to adopt a more generous interpretation of Article 82(1)(d) TFEU, together, where appropriate, with
Article 67(3) TFEU, which provides that the Union is to ‘endeavour to ensure a high level of security … through
measures for coordination and cooperation between police and judicial authorities and other competent authorities’,
or if the contracting parties were to amend the terms of the agreement envisaged in such a way that the judicial
dimension of the agreement envisaged were taken more directly into account, that Article 82(1)(d) TFEU might
genuinely constitute an additional legal basis for the act concluding that agreement.

109. I would add that the conclusion that Article 82(1)(d) TFEU cannot properly serve as a basis for the act
concluding the agreement envisaged is not affected by the fact, to which certain of the interested parties refer, that the
Council decisions concluding the Agreements with Australia and the United States are based on that provision, read
in conjunction with Article 87(2)(a) TFEU. (43) In fact, it is settled case-law that, in a review of the legal basis for the
act concluding the agreement envisaged in the present case, the legal basis used for the adoption of other Union
measures that might display similar characteristics is irrelevant. (44)

110. In those circumstances, having regard to way in which the agreement envisaged is currently drafted, I am of the
view that Article 87(2)(a) TFEU constitutes an appropriate legal basis for the act concluding the agreement
envisaged.

111. Accordingly, that substantive legal basis, properly set out in the draft act concluding the agreement envisaged,
seems to me to be insufficient to enable the Union to conclude that agreement.

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 13/46
8.9.2017 CURIA - Documents

(b) The need to base the act concluding the agreement envisaged on the first subparagraph of Article 16(2) TFEU

112. As the Parliament correctly maintained in its request, Article 87(2)(a) TFEU and, generally, Title V of Part Three
of the FEU Treaty on the AFSJ do not provide for the adoption of rules in the area of personal data protection.

113. As I have shown above, one of the two essential objectives of the agreement envisaged, as stated in Article 1, is
specifically to ‘prescribe the means by which the [] data’ of passengers flying between Canada and the European
Union ‘is protected’. As already pointed out, the content of the agreement envisaged supports that objective, in
particular the terms in the chapter on ‘Safeguards applicable to the processing of data’, consisting of Articles 7 to 21
of the agreement envisaged.

114. In that context, action taken by the Union must necessarily be based, in my view, on the first subparagraph of
Article 16(2) TFEU, which, it will be recalled, confers on the Parliament and the Council the task of laying down the
rules relating to the protection of individuals with regard to the processing of personal data by, inter alia, the Member
States when carrying out activities which fall within the scope of application of EU law and the rules relating to the
free movement of such data. Three main principles underlie that approach.

115. First of all, in line with the reasoning developed above in relation to the external dimension of the AFSJ, the
European Union must be considered, in accordance with Article 216(1) TFEU, to be authorised to conclude an
international agreement with a third country with the object of laying down rules relating to the protection of personal
data where it is necessary to do so in order to achieve one of the objectives referred to in the Treaties, in this instance
the objectives of Article 16 TFEU. That applies to the agreement envisaged, one of the essential purposes of which
consists, in essence, in prescribing the means of safeguarding the protection of the data of passengers flying between
and the European Union. To my mind, moreover, there is no doubt that the terms of the agreement envisaged must be
characterised as ‘rules’ relating to the protection of the data of natural persons, within the meaning of the first
subparagraph of Article 16(2) TFEU, and intended to bind the contracting parties.

116. Next, and unlike the situation of the former Article 286 EC, the first subparagraph of Article 16(2) TFEU, which
is part of Title II of Part One of that Treaty, entitled ‘Provisions having general application’, is intended to constitute
the legal basis for all rules adopted at EU level relating to the protection of individuals with regard to the processing
of their personal data, including the rules coming within the framework of the adoption of measures relating to the
provisions of the FEU Treaty on police and judicial cooperation in criminal matters. As stated in paragraph 2 of that
article, only the rules relating to the protection of personal data adopted in the context of the common foreign and
security policy must be based on Article 39 TEU. That interpretation of the first subparagraph of Article 16(2) TFEU
is confirmed by the omission of any reference to the possible adoption of provisions relating to the protection of
personal data on the basis of Article 87(2)(a) TFEU. It should be borne in mind that, before the entry into force of the
Treaty of Lisbon, Article 30(1)(b) TEU provided, on the contrary, that common action in the field of police
cooperation could cover, inter alia, the processing, analysis and exchange of relevant information, ‘subject to
appropriate provisions on the protection of personal data’, which, moreover, authorised the Council to adopt
Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the
framework of police and judicial cooperation in criminal matters. (45) Furthermore — and I shall return to this point
later — it must be emphasised that the provisions of Protocols (No 21) and (No 22) did indeed envisage the situation
in which rules based on the first subparagraph of Article 16(2) TFEU might be adopted in the context of the exercise
of activities which fall within the chapters of the FEU Treaty on police and judicial cooperation in criminal matters.

117. It follows, and in order to dispel any doubt as to the ambiguity of the position defended by the Commission in its
written observations, that Article 16 TFEU, on the one hand, and Articles 87(2)(a) and 82(1)(d) TFEU, on the other,
cannot maintain relationships of a ‘lex generalis — lex specialis’ hierarchical type. As the abovementioned protocols
illustrate, the High Contracting Parties envisaged the possibility that a Union act might be based on those three
articles at the same time, precisely because those provisions have different and separate scopes.

118. Last, as the Parliament, the Commission and the EDPS, in particular, maintained in their replies to a written
question put by the Court, the relevance of Article 16 TFEU as a legal basis for the act concluding the agreement
envisaged cannot be put in doubt because the protective measures which can be adopted under that article relate to the
processing of data by authorities of the Member States and not, as in this instance, to the transfer of data previously
obtained by private entities (the air carriers) to a third country.

119. In fact, to paraphrase Advocate General Léger, the obligation by which an air carrier is bound under Articles 4,
5, 20 and 21 of the agreement envisaged, when read together, is not ‘fundamentally different from a direct exchange
of data between public authorities’. (46) Furthermore, as the Court has confirmed that the definition of ‘data
processing’, within the meaning of Directive 95/46, covers the transfer of personal data by a private operator from a
Member State to a third country, (47) to put a strictly literal interpretation on the new legal basis constituted by the
first subparagraph of Article 16(2) TFEU would be tantamount to splitting up the system for the protection of
personal data. Such an interpretation would run counter to the intention of the High Contracting Parties to create, in
principle, a single legal basis expressly authorising the EU to adopt rules relating to the protection of the personal
data of natural persons. It would therefore represent a step backwards from the preceding scheme based on the Treaty
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 14/46
8.9.2017 CURIA - Documents

provisions relating to the internal market, which would be difficult to explain. That strictly literal interpretation of
Article 16 TFEU would thus have the consequence of depriving that provision of a large part of its practical effect.

120. Consequently, in the light of the objectives and the components of the agreement envisaged, which are
inseparably linked, the act concluding that agreement must in my view be based on the first subparagraph of
Article 16(2) TFEU and Article 87(2)(a) TFEU as its substantive legal bases.

121. In accordance with the case-law, when multiple legal bases are used when adopting an act of the Union the
procedures referred to in the different legal bases in question must be compatible. (48)

122. In this instance, both the first subparagraph of Article 16(2) and Article 87(2)(a) TFEU provide that, when
adopting the measures envisaged by those two articles, the Parliament and the Council are to act in accordance with
the ordinary legislative procedure. The same applies, moreover, in the case of the measures based on Article 82(1)(d)
TFEU should the Court consider that that article constituted an appropriate substantive legal basis for the act
concluding the agreement envisaged.

123. Accordingly, the procedures specifically referred to in those articles are compatible, within the meaning of the
case-law. They therefore do not preclude the Court accepting a plurality of legal bases for the act concluding the
agreement envisaged.

124. The Council, supported by Ireland, claimed, however, that it is necessary to go further than that finding and to
examine the detailed rules governing the participation of the Kingdom of Denmark, Ireland and the United Kingdom,
within the Council, as provided for in the provisions of Protocols (No 21) and No 22) respectively. According to
those interested parties, those detailed rules preclude the joint application, as substantive legal bases, of Article 16
TFEU and Article 87(2)(a) TFEU. More specifically, the Council explained at the hearing before the Court, not
without some contradictions and inconsistencies, (49) that the provisions of those protocols distinguish the question
of the non-binding nature of the rules established on the basis of Article 16 TFEU concerning the processing of
personal data in the exercise of activities in connection with police and judicial cooperation in criminal matters from
the question of the participation of those three Member States in the vote in the Council when the Council is called
upon to adopt such rules. In the Council’s submission, it follows that, while those three Member States would not
participate in the adoption of measures falling within the scope of police and judicial cooperation in criminal matters,
except where Ireland and the United Kingdom have decided to exercise their right to ‘opt in’, they would still
participate in the adoption of the rules which took Article 16 TFEU as their basis, in spite of the fact that, under those
protocols, those measures would not be binding on those Member States.

125. That argument merits a certain amount of attention, even though, ultimately, I consider that it should be rejected.

126. It will be recalled that the Court has already held that the two protocols in question are not capable of having
‘any effect whatsoever on the question of the correct legal basis’ for the adoption of an EU measure. (50) Thus,
according to that case-law, if, following the analysis of the objective and the content of the agreement envisaged, and
contrary to what I have argued above, the act concluding that agreement had to be based exclusively on the first
subparagraph of Article 16(2) TFEU, the two protocols in question, in spite of the wording of Article 29 of the
agreement envisaged, could not ‘neutralise’ that situation. In other words, the three Member States in question would
have to participate in the act concluding the agreement envisaged and be bound by it.

127. The application of that case-law in a situation in which there are two competing legal bases, which lay down the
same adoption procedure (the ordinary legislative procedure and vote by a qualified majority within the Council), but
which would affect in a different way the participation, within the Council, of the three Member States concerned in
the adoption of the act in question, is more delicate.

128. Since it is a question here of determining the appropriate legal basis for a specific act, namely the act concluding
the agreement envisaged, that question does not need to be resolved so far as Ireland and the United Kingdom are
concerned. In fact, it is common ground that, in accordance with Article 3 of Protocol (No 21), those two Member
States have notified their intention to be bound by the agreement envisaged and will, consequently, participate in the
adoption of the act concluding that agreement. No argument of a procedural nature relating to those two Member
States therefore precludes the act concluding the agreement envisaged being based jointly on the first subparagraph of
Article 16(2) and Article 87(2)(a) TFEU.

129. As for the Kingdom of Denmark’s position, it should be borne in mind that, in accordance with Article 2a of
Protocol (No 22), Article 2 of that protocol, which provides, in particular, that no measure or international agreement
adopted pursuant to Title V of Part Three of the FEU Treaty is to be binding upon the Kingdom of Denmark, also
applies with respect to the rules laid down on the legal basis of Article 16 TFEU which relate to the processing of
personal data by the Member States when carrying out activities which fall within the scope of Chapter 4 or Chapter
V of Part Three of that Treaty, namely activities which fall within the scope of police and judicial cooperation in
criminal matters.

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 15/46
8.9.2017 CURIA - Documents

130. The Kingdom of Denmark will therefore not be bound by the terms of the agreement envisaged. However, the
Council maintains that, in referring only to Article 2 of Protocol (No 22) and not to Article 1, which states that the
Kingdom of Denmark is not to take part in the adoption by the Council of proposed measures pursuant to Title V of
Part Three of the FEU Treaty, Article 2a of that protocol implies, conversely, that the Kingdom of Denmark would
participate in the adoption of the act concluding the agreement envisaged if that act were to be based on Article 16
TFEU.

131. That line of reasoning fails to convince me or, at least, does not have the consequences which the Council
ascribes to it as regards the choice of the legal basis for the act concluding the agreement envisaged.

132. In fact, I do not think that it was the intention of the High Contracting Parties to allow the Kingdom of Denmark
not to be bound by an act having as its legal basis both Article 16 TFEU and one of the provisions of the FEU Treaty
relating to police and judicial cooperation in criminal matters, but to participate in the adoption of that act, with the
inherent risk that the Kingdom of Denmark might join a group of Member States opposed to the actual adoption of
that act, and thereby prevent a qualified majority from being formed within the Council. That seems to me to be
contrary to the object of Protocol (No 22), which is to seek a balance between the need to manage the Kingdom of
Denmark’s specific position and the need to allow the other Member States (including, where appropriate, Ireland and
the United Kingdom) to pursue their cooperation within the sphere of the AFSJ.

133. The objection might be raised, admittedly, that, according to the preamble to Protocol (No 22), the High
Contracting Parties note that the Kingdom of Denmark will not prevent the other Member States from further
developing their cooperation with respect to measures not binding on that Member State. Thus, according to that
argument, although it would be authorised to take part in the adoption of acts falling under Article 2a of that protocol
which are not binding on it, the Kingdom of Denmark has undertaken never to oppose their adoption.

134. If that were the correct interpretation of the relevant provisions of Protocol (No 22), the consequence would be
that the act concluding the agreement envisaged could not be based on Article 16 TFEU in conjunction with
Article 87(2)(a) TFEU, on the ground of an alleged incompatibility between the procedures leading to the adoption of
that act, for the simple reason that the Kingdom of Denmark would participate in a purely formal sense in the
adoption of that act. Consequently, that purely formal participation by the Kingdom of Denmark in the adoption of
the act concluding the agreement envisaged would ‘neutralise’ the objective analysis of the legal basis for that act, an
analysis which, it will be recalled, is based on an examination of the purposes and the components of that agreement.
That consequence would clearly run counter to the case-law according to which it is not the procedure that defines the
legal basis for an act, but the legal basis for an act that determines the procedure to be followed when adopting it. (51)
In my view, that case-law applies a fortiori where the procedure that it was claimed had to be followed would entail,
within the Council, a purely formal participation by the Kingdom of Denmark in the adoption of an act in respect of
which that Member State will not in any way be bound.

135. In the light of the all of the foregoing considerations, I propose that the Court should answer the second question
submitted by the Parliament by stating that the act concluding the agreement envisaged, in the light of the objectives
and the components of that agreement, which are inseparably linked, without some of them being incidental by
comparison with the others, must be based on the first subparagraph of Article 16(2) TFEU and Article 87(2)(a)
TFEU, read in conjunction with Article 218(6)(a)(v) TFEU. (52)

VII – The compatibility of the agreement envisaged with the provisions of the FEU Treaty and the Charter
(first question)

A– Analysis of the Parliament’s request and observations and also of the observations of the other interested
parties

1. Analysis of the Parliament’s request and observations

136. The Parliament maintains that, in the light, in particular, of the Court’s case-law, there is legal uncertainty as to
whether the agreement envisaged is compatible with Article 16 TFEU and Articles 7 and 8 and Article 52(1) of the
Charter.

137. In the Parliament’s submission, it is clear that the collection, transfer, analysis, retention and subsequent transfer
of data provided for in the agreement envisaged constitute different forms of ‘processing’ and different forms of
interference with the fundamental rights guaranteed in Articles 7 and 8 of the Charter. In its various forms, that
interference is far-reaching and particularly serious. (53)

138. The Parliament emphasises that, in accordance with Article 52(1) of the Charter, such an interference could be
justified only if it is ‘provided for by law’ and is necessary and proportionate to an objective of general interest
recognised by the Union.

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 16/46
8.9.2017 CURIA - Documents

139. As for the first point, the Parliament asks, in essence, whether an international agreement constitutes a ‘law’
within the meaning of that provision and whether it may place limitations on the exercise of the rights guaranteed by
Articles 7 and 8 of the Charter. It observes that, according to the case-law of the European Court of Human Rights
(‘ECtHR’) on the expression ‘provided for by law’ in Article 8 of the European Convention for the Protection of
Human Rights and Fundamental Freedoms, signed in Rome on 4 November 1950 (‘ECHR’), any interference should
have a basis ‘in domestic law’. Because the Treaty of Lisbon profoundly changed the Union legal order by
introducing the concept of ‘legislative act’, the expression ‘provided for by law’ coincides, in EU law, with the
concept of ‘legislative act’. In the Parliament’s view, an international agreement does not meet that description.

140. As regards the second point, namely the necessity for the interference, the Parliament maintains that it is for the
Council and the Commission to demonstrate, on the basis of objective factors, that the conclusion of the agreement
envisaged is actually necessary within the meaning of Article 52(1) of the Charter. In its submission, it appears that
such factors are absent.

141. Last, as for the third point, concerning the proportionality of the interference provided for in the agreement
envisaged, the Parliament maintains that the discretion of the EU legislature is reduced, with the consequence that it
is appropriate to carry out a strict review of the requirements laid down in the Charter, including the context in which
an international agreement is concluded. In that regard, the agreement envisaged comes within the category of
‘generalised “strategic monitoring”‘, within the meaning of the case-law of the ECtHR, (54) and the reasoning
followed by the Court in the judgment of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12,
EU:C:2014:238) is also applicable in the present case.

142. First, in the Parliament’s view, the agreement envisaged concerns, generally, persons travelling to Canada,
without there being any connection between the persons concerned, their data and a threat to public security.

143. Second, the Parliament is uncertain as to whether the agreement envisaged lays down objective criteria that
make it possible to restrict the Canadian authorities’ access to the data and the subsequent use of that data for the
purposes of preventing, detecting or prosecuting criminal offences which might themselves be regarded as
sufficiently serious. However, the criteria listed in the draft agreement are vague. Thus, the Parliament observes that
the agreement envisaged does not define the ‘Canadian competent authority’ with access to the data and Article 3(2)
of the agreement envisaged refers, with respect to the expression ‘serious crime’, to the Canadian legislation without
any limits recognised by EU law and without any identification of the offences covered by that expression. Likewise,
Article 3(5) of the agreement envisaged allows the data to be processed by ‘Canada’ in areas other than criminal law
and might allow the transfer of data by ‘the Canadian Competent Authority’ to other Canadian authorities, or even to
individuals. Furthermore, Article 16(2) of the agreement envisaged does not specify the number of persons with
access to the data, while access to that data by the Canadian authorities is not subject to any prior control by a court or
by an independent administrative authority.

144. Third, the Parliament asks the Court to declare that the five-year period for the retention of the data laid down in
Article 16(5) of the agreement envisaged is not justified. That period is not based on objective criteria and no
justification has been provided. That period, moreover, was extended by reference to the period provided for under
the 2006 Agreement, and no explanation was provided.

145. Fourth, the Parliament submits that the agreement envisaged does not require that the data be retained within the
Union. Thus, control of compliance with the requirements of protection and security, by an independent authority,
expressly required by Article 8(3) of the Charter and Article 16(2) TFEU, is not fully guaranteed. In that context,
there are serious doubts as to whether the measures to be taken by the Canadian authorities satisfy the essential
requirements of those articles. In particular, Article 10 of the agreement envisaged does not guarantee control by an
independent Canadian authority and does not specify to the requisite legal standard the powers, including the power
to undertake a review in advance, which that authority has in order to verify whether those powers are ‘adequate’
within the meaning of EU law.

146. In answer to the written questions put by the Court, the Parliament stated, in particular, that the guidance to be
derived from the judgment of 6 October 2015, Schrems (C‑362/14, EU:C:2015:650) apply mutatis mutandis to the
assessment of the compatibility of the agreement envisaged. It further states that actual compliance with the
substantive and procedural conditions relating to initial access to the personal data should also apply to the
subsequent transfer of that data and to access to it by other Canadian authorities or the authorities of third States. In
its submission, that is not the case of the conditions laid down in Articles 18 and 19 of the agreement envisaged.
Furthermore, in the Parliament’s view, the wording of Article 14(2) of the agreement envisaged is ambiguous.

2. Analysis of the observations of the other interested parties

147. As regards the other interested parties, while, in essence, the EDPS, in his replies to the written questions put by
the Court and his oral observations, shares the doubts and concerns expressed by the Parliament, the governments
which have participated in the present proceedings and the Council and the Commission maintain that the agreement

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 17/46
8.9.2017 CURIA - Documents

envisaged is compatible with Article 16 TFEU and Articles 7 and 8 and Article 52(1) of the Charter. Their
observations relate essentially to the interference represented by the rules laid down in the agreement envisaged with
the fundamental right of persons to the protection of their personal data and to compliance with the criteria laid down
in Article 52(1) of the Charter (an interference ‘provided for by law’, with the aim of meeting an objective of general
interest recognised by the Union and which is necessary and proportionate in order to meet that objective).

148. In the first place, the Estonian and French Governments expressly acknowledge that the terms of the agreement
envisaged constitute an interference with the fundamental right to protection of personal data, guaranteed by Article 8
of the Charter. The French Government states, however, that the obligation placed on air carriers to transfer the data
does not constitute such an interference since it is provided for not by the agreement envisaged but by the Canadian
legislation. The Court cannot be requested to deliver an opinion on the compatibility of the legislation of a third State
with the Treaties. In addition, the French Government maintains that the interferences contained in the agreement
envisaged are less far-reaching than those at the origin of the case giving rise to the judgment of 8 April 2014, Digital
Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238). Thus, in the French Government’s submission,
less data would be transferred and fewer persons would be concerned by the agreement envisaged than by the
directive at issue in that judgment. In addition, the data does not allow very precise conclusions concerning the
private life of passengers to be drawn. Last, the agreement envisaged imposes, in Article 11, an obligation of
transparency, and it cannot therefore be concluded that the collection of the data and its subsequent use is apt to give
rise in the minds of the persons concerned to the feeling that their private life is under constant surveillance.

149. In the second place, as regards the question of the legal source of such an interference, the Estonian
Government, Ireland, the French and United Kingdom Governments and the Council and the Commission maintain
that that interference meets the condition of being ‘provided for by law’ within the meaning of Article 52(1) of the
Charter.

150. In the third place, as regards the objective pursued by that interference, the Bulgarian and Estonian
Governments, Ireland, the Spanish and French Governments and the Council and the Commission claim that the
transfer and subsequent use of the data is aimed in particular at combating terrorism and thus meets an objective of
general interest.

151. In the fourth place, as regards the necessity for such an interference, the French and United Kingdom
Governments and the Council and the Commission maintain, first of all, that there is an increasing demand from third
countries which consider that the transfer of data is necessary for public security purposes. The Commission accepts
that there are no precise statistics indicating the contribution which data makes to the prevention and detection of
crime and terrorism, and to the investigation and prosecution of offences of those types. However, the essential use of
the data is confirmed by information from third countries and from Member States which already use such data for
law enforcement purposes. The experience acquired in those countries shows that the use of data has enabled
significant progress to be made in combating drug trafficking, people trafficking and terrorism and leads to a better
understanding of the composition and functioning of terrorist networks and other criminal networks. The United
Kingdom Government and the Commission further observe that the information supplied by the shows that the data
has made a decisive contribution to the ability to locate and identify persons potentially suspected of being involved
in terrorist acts or serious transnational crime.

152. In the fifth place, as regards the proportionality of the interference at issue, the Estonian Government, the
Council and the Commission refer, first, to the requirements arising from the case-law of the Court, in particular those
referred to in the judgment of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12,
EU:C:2014:238). In particular, the Estonian Government is of the view that the guidance that can be derived from
that judgment concerning the extent of the discretion of the legislature and of the judicial control of the limits of that
discretion is applicable in the present case. , on the other hand, claims that it is necessary to take account of the
international and negotiated nature of the act at issue, while the French Government maintains that the discretion of
the EU legislature cannot be excessively restricted, having regard to the fact that the interference at issue in the
present case is not particularly serious. The United Kingdom Government maintains that public security and safety by
their nature raise questions in respect of which the legislature must be recognised as having a ‘reasonable margin of
discretion’ in order to determine whether a measure is manifestly inappropriate. The agreement envisaged cannot be
characterised as a ‘general surveillance mechanism’, but relates rather to normal border control procedures.

153. Second, the Bulgarian and Estonian Governments, Ireland and the Spanish, French and United Kingdom
Governments, and the Council and the Commission maintain that the agreement envisaged complies with the
principle of proportionality. The United Kingdom Government claims, first of all, that in the absence of the
agreement envisaged, measures taken in relation to passengers arriving from the European Union would be at risk of
being less targeted and more intrusive. The data allows ‘persons of interest’ travelling to particular events or places to
be targeted more effectively, thus reducing security checks and delays for other passengers. Next, those governments
and those institutions are, in essence, of the view that the agreement envisaged can be distinguished from the directive
at the origin of the case of Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238). In particular,
unlike that directive, the agreement envisaged contains strict rules on the conditions for access to and the use of the
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 18/46
8.9.2017 CURIA - Documents

data and rules on data security and monitoring by an independent authority. In addition, the agreement envisaged
makes provision for control of compliance with those rules, for the persons concerned to be informed about the
transfer and processing of their data, a procedure for access to and correction of the data and also for administrative
and judicial remedies in order to ensure that those rights are guaranteed.

154. As regards the Parliament’s argument that the agreement envisaged requires no connection between the data and
a threat to public security, the Estonian, French and United Kingdom Governments and the Commission claim, in
essence, that the use of the data is designed to identify persons hitherto unknown to the competent services as
presenting a potential risk to security, while persons known to present such a risk can be identified on the basis of
advance passenger information (). The objective of prevention could thus not be achieved if only the data of persons
already suspected were transferred.

155. Third, according to those interested parties, the criticisms made by the Parliament and by the EDPS concerning
the redaction and omissions from the agreement envisaged should also be rejected.

156. Thus, according to the Council and the Commission, the fact that Article 3(3) of the agreement envisaged refers
to Canadian law does not permit the conclusion that it is too vague. It is difficult to include in an international
agreement a definition of an act that might be characterised as ‘serious crime’, which is provided for only in EU law.
Likewise, as regards Article 3(5)(b) of the agreement envisaged, the Council and the Commission observe that that
provision reflects the obligation which the Canadian Constitution imposes on all Canadian public authorities to
comply with a court order. In addition, the possibility of access to the data would, in such a case, have been examined
by the judicial authority in the light of the criteria of necessity and proportionality and the reasons would be set out in
the order of the court.

157. In addition, as regards the limits concerning the authorities and individuals having access to the data, the Council
and the Commission maintain that the failure to identify the Canadian competent authority in the agreement
envisaged is a procedural issue which has no impact on the principle of proportionality. In any event, the Canadian
competent authority, within the meaning of Article 2(d) of the agreement envisaged, was notified to the Commission
in June 2014. That authority is the , which alone is authorised to receive and process the data. The ‘limited number of
officials specifically authorised’ in that respect referred to in Article 16(2) of the agreement envisaged means that the
officials concerned must be officials of the and that they must be authorised to process the data. Additional guarantees
are set out in Article 9(2)(a) and (b), (4) and (5) of the agreement envisaged.

158. Furthermore, as regards the absence of prior control of access to the data, the Commission observes that the very
object of the agreement envisaged is to permit the data to be transferred to the for the purpose of access to that data
and that such prior control would alter that object. adds that such prior control is not necessary, since the agreement
envisaged provides that the number of persons authorised to access the data and use it is to be limited to what is
strictly necessary and lays down a range of additional guarantees in Articles 11 to 14, 16, 18 and 20.

159. In addition, as regards the question of the retention of the data, Ireland first of all observed that, in the light of
the fact that, in accordance with Article 5 of the agreement envisaged, the Canadian competent authority is to be
deemed to provide an adequate level of protection of the PNR data, and that there is surveillance by an independent
authority, there is no need, unlike in the situation applicable to the directive at the origin of the judgment in Digital
Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238), for the data to be kept within the European
Union. Next, according to the Council and the Commission, the five-year retention period laid down in Article 16 of
the agreement envisaged does not go beyond what is strictly necessary in the light of the public security objective
pursued and cannot therefore be evaluated in the abstract. The period of three and a half years laid down in the 2006
Agreement significantly prevented the Canadian authorities from using the data effectively in order to detect cases
presenting a high risk of terrorism or organised crime since the relevant investigations take time. Furthermore, in the
Council’s submission, the period during which the data is to be retained was fixed by reference to the average
duration of criminal investigations, the average lifetime of serious crime networks and the fact that terrorist cells may
be dormant for a number of years. The Estonian Government, Ireland and the French Government add that, given the
complexity and difficulty of investigations of offences involving terrorism and serious transnational crime, the period
that elapses between the time of travel and the time when the law enforcement authorities need to have access to the
data in order to detect, investigate and prosecute such offences may sometimes be several years. In their respective
replies to the written questions put by the Court, the Spanish and French Governments also provide a number of
specific examples in which the process of checking and cross-checking information has taken around five years and
for which the data was or might have been of great use. The Estonian Government, Ireland and the French
Government and the Council and the Commission, also maintain, in essence, that Article 16 of the agreement
envisaged contains strict rules on the masking (or depersonalisation) and unmasking of the data, which are aimed at
providing more protection for the personal data of airline passengers.

160. Last, as regards the control of compliance with the rules on data protection by an independent authority, required
by Article 8(3) of the Charter and Article 16(2) TFEU, the Council and the Commission maintain that the fact that the
agreement envisaged does not identify the Canadian competent authority does not undermine the adequacy of the
measures to be taken by Canada. The identity of the competent authorities for the purposes of Articles 10 and 14 of
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 19/46
8.9.2017 CURIA - Documents

the agreement envisaged has been communicated to the Commission. The authorities in question are the Privacy
Commissioner of and the Recourse Directorate. Those authorities satisfy the condition of independence enabling
them to carry out their tasks without any outside influence, even though the Recourse Directorate is an ‘authority
created by administrative means’, within the meaning of Articles 10 and 14 of the agreement envisaged. The
Recourse Directorate is, in accordance with the explanations provided by the Canadian authorities, an independent
authority responsible for examining complaints and administrative appeals lodged by aliens not residing in .
Furthermore, the Commission submits that the decisions of that authority may be challenged before the Privacy
Commissioner of through a person residing in .

161. In the sixth place, in their replies to the written questions put by the Court and at the hearing, the United
Kingdom Government, the Council and the Commission provided information about the 19 categories of data in the
annex to the agreement envisaged. In particular, according to the Commission, only the 17th heading, ‘General
remarks including Other Supplementary Information (), Special Service Information (SSI) and Special Service
Request (SSR) information’, contains sensitive information, within the meaning of the agreement envisaged. That
data is transferred only on a voluntary basis, since it is liable to be disclosed only in connection with the booking of
additional services requested by the passenger and, according to the United Kingdom Government, can be consulted
only in exceptional circumstances, according to the terms of the agreement envisaged. In addition, the French
Government stated that the guidance to be derived from the judgment of 6 October 2015, Schrems (C‑362/14,
EU:C:2015:650) is not applicable to the examination of the compatibility of the agreement envisaged with the
Treaties, while Ireland maintains that that judgment provides important guidance as to the adequacy of the level of
protection which a third country must satisfy. As for the Council and the Commission, they share the opinion that
only paragraphs 91 to 93 and 95 of that judgment, which concern the interpretation of the Charter, are applicable in
the context of the examination of the compatibility of the agreement envisaged. On the other hand, those institutions
take the view that the examination of the agreement envisaged should lead to a different conclusion from that reached
by the Court in that judgment. Finally, as regards the subsequent disclosure provided for in Articles 18 and 19 of the
agreement envisaged, Ireland, the Council and the Commission recall that that disclosure is subject to strict
conditions and to compliance with the purposes laid down in Article 3 of the agreement envisaged. Furthermore, the
Commission emphasises that Article 19 of the agreement envisaged should be read in the light of the relevant
Canadian legislation.

B – Assessment

1. Preliminary observations

162. Before I address the central issue of the first question in the Parliament’s request for an opinion, three
preliminary observations must in my view be made regarding the scope of the examination that must be carried out.

163. First of all, as is clear from their observations, the interested parties referred on a number of occasions during the
proceedings to Canadian legislation and practice, in particular in order to explain, or even to supplement, certain
terms of the agreement envisaged. It is clear that, in order to examine the compatibility with an agreement envisaged
with primary EU law in the context of the procedure laid down in Article 218(11) TFEU, the Court cannot express a
view on the legislation or the practice of a third country. The Court’s examination can relate only to the terms of the
agreement envisaged as they were submitted to it.

164. However understandable and logical that substantive limit on judicial review in the context of the opinion
procedure may be, it nonetheless raises certain difficulties. Thus, while it is common ground that the agreement
envisaged must, in particular, provide the Canadian authorities with a legal framework that allows them, on the basis
of the analysis of the data, to apply methods relating to the identification of passengers who have not hitherto been
known to the law enforcement services, on the basis of patterns of behaviour of ‘concern’ or presenting an
‘interest’, (55) none of the terms of the agreement envisaged deals with the establishment of those methods, of the
right of each ‘targeted’ passenger to be informed of the methods used and to be assured that such ‘targeting’ methods
are subject to administrative and/or judicial control, as those questions all seem to be entirely within the discretion of
the Canadian authorities. (56) To my mind, it is permissible to ask whether, having regard to compliance with
Articles 7 and 8 of the Charter, those questions and those guarantees should not be regulated by the terms of the
agreement envisaged themselves. That example shows that one of the difficulties of the present case relates to the fact
that it entails ascertaining, in the light, in particular, of the right to protection of personal data, not merely what the
agreement envisaged makes provision for but also, and above all, what it has failed to make provision for.

165. Next, it is important to observe that the Parliament’s request for an opinion merely referred to certain terms of
the agreement envisaged which in its view indicate, in some cases more clearly and more strongly than in others, that
the agreement envisaged is incompatible with Article 16 TFEU and Articles 7 and 8 and Article 52(1) of the Charter.
Given the preventive purpose and the non-contentious nature of the opinion procedure, the Court cannot be required
to comply with such a delimitation of the request, whether deliberate or not. That position has already been perfectly
illustrated by Opinion 1/00 of 18 April 2002 (EU:C:2002:231, paragraph 1), in which the Court incorporated in its
examination of the compatibility of an agreement envisaged several rules in that agreement which were not expressly
stated to be the subject matter of the request for an opinion submitted by the Commission, and Opinion 1/08 of
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 20/46
8.9.2017 CURIA - Documents

30 November 2009 (EU:C:2009:739, paragraphs 96 to 105), in which the Court rejected the suggestion of the
institution requesting the opinion that it should confine its examination to certain parts of the draft agreement at issue
forming the subject matter of the request for an opinion.

166. In the present procedure, I consider it appropriate that the Court should include in its examination the
compatibility of terms of the agreement envisaged, such as Articles 18 and 19, which were not specifically mentioned
by the Parliament in its request for an opinion, but which deserve the Court’s attention. I would add that the
Parliament and the other interested parties have had the opportunity to comment on those articles, either in their
replies to the written questions put by the Court or at the hearing before the Court.

167. Last, in the light of the discussions before the Court, I consider it useful to point out that, under Article 218(11)
TFEU, the only provisions by reference to which the compatibility of the agreement envisaged may be examined are
the provisions of EU primary law, that is to say, in this instance, the Treaties and the rights set out in the Charter, (57)
to the exclusion of secondary law. In that regard, there is nothing to prevent the Court from including in its
examination of the substantive validity of the agreement envisaged provisions of primary law which are not
mentioned in the question submitted by the Parliament, such as Article 47 of the Charter, should it prove necessary to
do so for the purposes of the opinion procedure and if the interested parties have had the opportunity to submit their
comments on those provisions. That is indeed the case as regards respect for the effective judicial remedy guaranteed
by Article 47 of the Charter.

168. Those observations having been made, the following developments will essentially focus on the criteria for the
application of Articles 7 and 8 and Article 52(1) of the Charter. Although that is not fundamentally disputed, I shall
examine whether the terms of the agreement envisaged constitute an interference with the fundamental rights to
privacy and the protection of personal data and whether that interference may be justified. It is clearly the
examination of the justification for the interference, and in particular its proportionality, that proves to be
controversial.

2. The existence of an interference with the rights guaranteed by Articles 7 and 8 of the Charter

169. Without there being any need to examinee individually and exhaustively the 19 categories of data set out in the
annex to the agreement envisaged, it is common ground that they deal, inter alia, with the passenger’s identity,
nationality and address, all contact information (address of residence, email address, telephone number) available
about the passenger who made the reservation, available payment information, including, where appropriate, the
number of the credit card used to reserve the flight, information relating to luggage, passenger travel habits and habits
relating to additional services requested by the passengers concerning any health problems, including mobility, or
their dietary requirements during the flight, which might provide information concerning, in particular, the health of
one or more passengers, their ethnic origin or their religious beliefs.

170. That data, taken as a whole, touches on the area of the privacy, indeed intimacy, of persons and indisputably
relates to one or more ‘identified or identifiable individual or individuals’. (58) There can therefore be no doubt, in
the light of the Court’s case-law, that the systematic transfer of data to the Canadian public authorities, access to that
data and the use of that data and its retention for a period of five years by those public authorities and also, where
relevant, its subsequent transfer to other public authorities, including those of third countries, under the terms of the
agreement envisaged, are operations which fall within the scope of the fundamental right to respect for private and
family life guaranteed by Article 7 of the Charter and to the ‘closely connected’ (59) but nonetheless distinct right to
protection of personal data guaranteed by Article 8(1) of the Charter and constitute an interference with those
fundamental rights.

171. In fact, the Court has already held, with regard to Article 8 of the ECHR, on which Articles 7 and 8 of the
Charter are based, (60) that the communication of personal data to third parties, in that particular case a public
authority, constitutes an interference within the meaning of that article (61) and that the obligation to retain that data,
required by the public authorities, and subsequent access of the competent national authorities to data relating to a
person’s private life also constitutes in itself an interference with the rights guaranteed by Article 7 of the Charter
. (62) Likewise, an EU act prescribing any form of processing of personal data constitutes an interference with the
fundamental right, laid down in Article 8 of the Charter, to protection of such data. (63) That assessment applies,
mutatis mutandis, with regard to an EU act in the form of an international agreement concluded by the , such as the
agreement envisaged, which is designed, in particular, to enable one or more public authorities of a third country to
process and retain the personal data of air passengers. The lawfulness of such an act depends on its respect for the
fundamental rights protected in the EU legal order, (64) especially those guaranteed by Articles 7 and 8 of the
Charter.

172. The fact, put forward by the United Kingdom Government, that the persons affected by the agreement
envisaged, or at least most of them, will not suffer any inconvenience as a result of that interference is irrelevant for
the purposes of establishing the existence of such an interference. (65)

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 21/46
8.9.2017 CURIA - Documents

173. At the same time, it is irrelevant that the information communicated, or at least most of it, may well not be
sensitive. (66)

174. Moreover, I note that the contracting parties are fully aware of the interference constituted by the
communication, use, retention and subsequent transfer of the data provided for in the agreement envisaged, since, as
expressly stated in the preamble to that agreement, it is specifically because of that interference that the agreement
envisaged attempts to reconcile the requirements relating to public security and respect for the fundamental rights to
protection of private life and of personal data.

175. It is true that the contracting parties’ attempt to reconcile those elements is liable to reduce the intensity or the
gravity of the interference which the agreement envisaged entails in the fundamental rights guaranteed by Articles 7
and 8 of the Charter.

176. The fact nonetheless remains that the interference constituted by the agreement envisaged is of a considerable
size and a not insignificant gravity. It systematically affects all passengers flying between Canada and the Union, that
is to say, several tens of millions of persons a year. (67) Furthermore, as most of the interested parties have
confirmed, no one can fail to be aware that the transfer of voluminous quantities of personal data of air passengers,
which includes sensitive data, requiring, by definition, automated processing, and the retention of that data for a
period of five years, is intended to permit a comparison, which will be retroactive where appropriate, of that data with
pre-established patterns of behaviour that is ‘at risk’ or ‘of concern’, in connection with terrorist activities and/or
serious transnational crime, in order to identify persons not hitherto known to the police or not suspected. Those
characteristics, apparently inherent in the scheme put in place by the agreement envisaged, are capable of giving the
unfortunate impression that all the passengers concerned are transformed into potential suspects. (68)

177. I should add, however, that, unlike the Parliament, I do not consider that that conclusion should extend to the
collection of the data by the air carriers.

178. In fact, the agreement envisaged does not govern the collection of such data, but is based on the presumption of
law and of fact that the air carriers gather the data in any event for their own commercial use. It cannot be denied,
admittedly, that certain terms of the agreement envisaged refer to the collection of the data. Thus, Article 4(2) states
that is not to require an air carrier to provide elements of data which are not already collected or held by the air
carrier. Likewise, Article 11 of the agreement envisaged requires Canada to ensure that the Canadian Competent
Authority makes available on its website, inter alia, ‘the reason for the collection of data’, while the contracting
parties are also to work with, in particular, the air travel sector to promote transparency, by providing information to
passengers, ‘preferably at the time of booking’ flights, about ‘the reasons for data collection’. While such an
obligation to act in a transparent manner could in my view appropriately be reinforced if passengers were
systematically informed individually about the reasons for data collection at the time of booking flights, the fact
nonetheless remains that the agreement envisaged does not regulate the collection operation properly so called any
more than the procedures for collecting the data, which all come within the competence of the air carriers, which, in
that regard, must act in compliance with the relevant national provisions and with EU law.

179. The collection of the data therefore does not constitute a processing of personal data entailing an interference
with the fundamental rights guaranteed by Articles 7 and 8 of the Charter that results from the agreement envisaged
itself. In the light of the limited power of the Court in the context of the opinion procedure, that operation will
therefore not form the subject matter of the following developments.

180. Independently of that observation relating to data collection, the fact nonetheless remains that, for the reasons
stated in paragraphs 169 to 175 of this Opinion, the agreement envisaged entails, in my view, a serious interference
with the fundamental rights guaranteed by Articles 7 and 8 of the Charter. In order to be authorised, that interference
must be justified.

3. The justification for the interference with the rights guaranteed by Articles 7 and 8 of the Charter

181. Neither the right to respect for private and family life nor the right to protection of personal data is an absolute
prerogative.

182. Thus, Article 52(1) of the Charter accepts that limitations may be placed on the exercise of rights such as those
enshrined in Article 7 and Article 8(1) of the Charter, provided that those limitations are provided for by law, that
they respect the essence of those rights and that, subject to the principle of proportionality, they are necessary and
genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms
of others.

183. Furthermore, Article 8(2) of the Charter permits the processing of personal data ‘for specified purposes and on
the basis of the consent of the person concerned or some other legitimate basis laid down by law’.

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 22/46
8.9.2017 CURIA - Documents

184. It should be noted at the outset with regard to one of the conditions set out in Article 8(2) of the Charter that the
agreement envisaged does not seek to base the processing of the data communicated to the Canadian competent
authority on the consent of the air passengers. (69) In the light of the obligation placed on air carriers to communicate
the categories of data set out in the annex to the agreement envisaged, those passengers cannot object to that data
being transferred if they wish to travel by air to Canada. In addition, the fact, referred to at the hearing before the
Court, that certain data, containing, where appropriate, sensitive information, may be communicated to the air carrier
only where the passenger requires specific services does not mean that that passenger consented to that data being
processed by the Canadian competent authority for the purposes of Article 3 of the agreement envisaged.

185. In addition, it has not been maintained before the Court, nor is it apparent to me, that the interference contained
in the agreement envisaged is of such a kind as to harm the ‘essence’, within the meaning of Article 52(1) of the
Charter, fundamental right enshrined in Article 7 and Article 8(1) of the Charter.

186. In fact, the nature of the data forming the subject matter of the agreement envisaged does not permit any precise
conclusions to be drawn as regards the essence of the private life of the persons concerned. The data in question
continues to be limited to the pattern of air travel between Canada and the Union. In addition, the agreement
envisaged lays down, in Articles 8, 16, 18 and 19, a series of guarantees relating to the masking and gradual
depersonalisation of the data which has been communicated to, used by and retained by the Canadian authorities and,
where appropriate, subsequently transferred, the essential object of which is to preserve private life.

187. Furthermore, as regards the essence of the protection of personal data, it should be observed that, under Article 9
of the agreement envisaged, Canada is required, in particular, to ‘ensure compliance verification and the protection,
security, confidentiality and integrity of the data’, and also to implement ‘regulatory, procedural or technical measures
to protect data against accidental, unlawful or unauthorised access, processing or loss’. In addition, any breach of data
security must be amenable to effective and dissuasive corrective measures which might include sanctions.

188. It is therefore necessary to ascertain whether the other conditions of justification provided for in Article 8(2) of
the Charter and those laid down in Article 52(1) thereof, which, moreover, overlap in part, are satisfied.

189. I shall not dwell unnecessarily on two of those conditions, namely the condition that the interference must (a) be
‘provided for by law’ and (b) meet objectives of general interest (or have a ‘legitimate basis’, according to the
expression used in Article 8(2) of the Charter), which to my mind are manifestly satisfied. On the other hand, I shall
examine more fully (c) the question of the proportionality of the interference.

(a) An interference ‘provided for by law’, within the meaning of Article 52(1) of the Charter

190. As for the first point, the essentially formal doubts expressed by the Parliament as to the ‘lawful’ origin of the
interference can clearly be dispelled. According to the case-law of the ECtHR, the expression ‘provided for by law’ in
Article 8(2) of the ECHR means, in particular, that the measure in question has a basis in domestic law (70) and must
be understood in its substantive and not its formal sense. (71) The ECtHR thus accepts that unwritten rules satisfy
that condition. (72) In addition, the ECtHR has already held that an international treaty, incorporated into national
domestic law, also satisfies that requirement. (73)

191. Like the ECtHR, the Court confirms the substantive and not the formal meaning of the expression ‘provided for
by law’ in Article 52(1) of the Charter. Thus, the Court has considered that that condition was satisfied in the case of
limitations placed on the rights guaranteed by Articles 7 and 8 of the Charter by provisions of EU regulations,
adopted by the Commission (74) and by the Council, (75) respectively, and therefore without the Parliament having
been involved as ‘co-legislature’ in the adoption of those measures.

192. In this instance, it is common ground that the act concluding the agreement envisaged can be adopted by the
Council only if, pursuant to Article 218(6)(a)(v) TFEU, the agreement envisaged is first approved by the Parliament,
since it covers fields, namely those of police cooperation and the retention of personal data, to which the ordinary
legislative procedure applies. When those procedures have been completed, pursuant to Article 216(2) TFEU the
agreement will be an integral part of the EU legal order and will prevail over acts of secondary law. (76) It follows, in
my view that the interference resulting from the agreement envisaged is indeed ‘provided for by law’, within the
meaning of Article 52(1) of the Charter.

193. Still on that point, I would add, although it has not been discussed between the interested parties in the present
proceedings, that, generally, the agreement envisaged also seems to me to satisfy the second aspect covered by the
expression ‘provided for by law’ within the meaning of Article 8 of the ECHR, as interpreted by the ECtHR, namely
that of the ‘quality of the law’. According to the case-law of the ECtHR, that expression requires, in essence, that the
measure in question be accessible and sufficiently foreseeable, or, in other words, that its terms be sufficiently clear to
give an adequate indication as to the circumstances in which and the conditions on which it allows the authorities to
resort to measures affecting their rights under the ECHR. (77) In fact, once it has been concluded, the agreement
envisaged will be published in full in the Official Journal of the European Union, which clearly satisfies the
‘accessibility’ criterion. As for the ‘foreseeability’ criterion, apart from what are admittedly the rather numerous

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 23/46
8.9.2017 CURIA - Documents

specific considerations relating to the scope and the degree of precision and clarity of a number of terms of the
agreement envisaged, which will be set out below, (78) I also consider that, overall, the agreement envisaged is
drafted in sufficiently clear terms to enable all those concerned to understand, to the requisite standard, the
circumstances in which and the conditions on which the data are transferred to the Canadian authorities, processed,
retained and possibly subsequently disclosed by those authorities, and to regulate their conduct accordingly.
Furthermore, Article 11 of the agreement envisaged lays down a number of additional measures to be adopted by the
contracting parties in order to provide the public with information concerning, in particular, the reasons for collecting
the PNR data and the use and disclosure of those data.

(b) An interference meeting an objective of general interest

194. To my mind, the interference resulting from the agreement envisaged undoubtedly meets an objective of general
interest, within the meaning of Article 52(1) of the Charter, namely the objective of combating terrorism and serious
(transnational) crime, to ensure public security, as is made clear, in particular, in the preamble to and Articles 1 and 3
of the agreement envisaged. None of the interested parties has questioned the legitimacy of the pursuit of such an
objective by the agreement envisaged. In a slightly different form, the ‘general interest’ nature of that objective for
the purposes of the application of Article 52(1) of the Charter has already been recognised by the Court in its case-
law. (79)

195. It is therefore necessary at this stage to ascertain whether the interference with the rights guaranteed by Article 7
and Article 8(1) of the Charter is proportionate to the legitimate objective pursued.

(c) The proportionality of the interference constituted by the agreement envisaged

i) General considerations

196. It has consistently been held that the principle of proportionality requires that acts of the EU institutions be
appropriate for attaining the legitimate objectives pursued by the legislation at issue and do not exceed the limits of
what is appropriate and necessary in order to achieve those objectives. (80)

197. In that regard, the interested parties first of all discussed the extent to which compliance with those conditions is
amenable to judicial review. While the Parliament, the Estonian Government and the EDPS support the need for a
strict review of compliance with those conditions, as the Court acknowledged in the judgments of 8 April 2014,
Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238), and of 6 October 2015, Schrems
(C‑362/14, EU:C:2015:650), Ireland and the French and United Kingdom Governments defend, in essence, the view
that the Court should limit the scope of its review and allow a broader discretion to the institutions when they adopt
an act forming part of the context of international relations and having regard to the limited nature of the interference
which that act entails.

198. I find the argument put forward by those parties unconvincing.

199. Admittedly, I am prepared to accept that the scope of the institutions’ discretion may differ according to whether
what is envisaged is the adoption of an act of secondary Union law or the conclusion of an international agreement
entailing, by definition, negotiations with one or more third countries. It is clear that, in the particular context of the
data communicated to third countries for processing, it is undoubtedly more appropriate to conclude an international
agreement that affords air passengers, citizens of the Union, sufficient protection of their private life and personal
data, corresponding as much as possible to the requirements of Union law, rather than to leave each of those third
countries entirely free to apply its own national legislation unilaterally as it sees fit.

200. Although those considerations are worth bearing in mind, the Court cannot decline to carry out a strict review of
compliance with the requirements resulting from the principle of proportionality and more particularly from the
adequacy of the level of protection of the fundamental rights guaranteed in the Union when Canada processes and
uses the data pursuant to the agreement envisaged.

201. In fact, the need to ensure a strict review of that type is supported by the important role which the protection of
personal data plays in the light of the fundamental right to respect for private life and, moreover, by the extent and
seriousness of the interference with that right, (81) which may include the large number of persons whose
fundamental rights are liable to be infringed where personal data is transferred to a third country. (82) As I have
already stated, the interference constituted by the agreement envisaged with the rights guaranteed by Articles 7 and 8
of the Charter seems to be of a considerable size and a not insignificant seriousness.

202. By the same token, it follows from the judgment of 6 October 2015, Schrems (C‑362/14, EU:C:2015:650,
paragraphs 72 and 78), that the institutions’ discretion as to the adequacy of the level of protection ensured by a third
country to which personal data is transferred is reduced, which entails a strict review of whether the high level of the
protection of personal data provided for in EU law continues to be applied.

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 24/46
8.9.2017 CURIA - Documents

203. Although, as I have already indicated, the agreement envisaged cannot be reduced to a decision finding that the
Canadian competent authority guarantees an adequate level of protection, Article 5 of the agreement envisaged does
indeed provide that, subject to compliance with the terms of that agreement, the Canadian Competent Authority is to
be deemed to provide an adequate level of protection, within the meaning of relevant Union data protection law, for
the processing and use of data. The contracting parties’ intention is indeed to ensure that the high level of personal
data protection achieved in the Union may be guaranteed when the data is transferred to Canada. In the light of that
intention, I see no reason why the Court should not carry out a strict review of compliance with the principle of
proportionality.

204. Indeed, as the Court acknowledged in paragraph 74 of the judgment of 6 October 2015, Schrems(C‑362/14,
EU:C:2015:650), I concede that the means to which Canada may have recourse for the purpose of ensuring an
adequate level of protection may differ from those employed within the Union. The fact nonetheless remains that, as
the Court also made clear in the same paragraph of that judgment, those means must nevertheless prove, in practice,
effective in order to ensure protection ‘essentially equivalent’ to that guaranteed within the Union. In that regard, the
Court’s review of whether the level of protection resulting from the terms of the agreement envisaged is ‘essentially
equivalent’ to that guaranteed by Union law cannot be limited.

ii) The ability of the interference to achieve the ‘public security’ objective pursued by the agreement envisaged

205. That point having been clarified, I do not believe that there are any real obstacles to recognising that the
interference constituted by the agreement envisaged is capable of attaining the objective of public security, in
particular the objective of combating terrorism and serious transnational crime, pursued by that agreement. As the
United Kingdom Government and the Commission, in particular, have claimed, the transfer of data for analysis and
retention provides the Canadian authorities with additional opportunities to identify passengers, hitherto not known
and not suspected, who might have connections with other persons and/or passengers involved in a terrorist network
or participating in serious transnational criminal activities. As illustrated by the statistics communicated by the United
Kingdom Government and the Commission concerning the Canadian authorities’ past practice, that data constitutes a
valuable tool for criminal investigations, (83) which is also of such a kind as to favour, notably in the light of the
police cooperation established by the agreement envisaged, the prevention and detection of a terrorist offence or a
serious transnational criminal act within the Union.

206. Although the Kingdom of Denmark’s non-participation is liable to reduce the ability of the measures laid down
in the agreement envisaged to help to strengthen security within the Union, it does not in itself appear to be capable of
rendering the interference inappropriate for attaining the public security objective pursued by that agreement. In fact,
all air carriers providing flights to Canada are required to communicate to the Canadian competent authority the data
which they collect (84) and, moreover, the Canadian competent authority is authorised, under Article 19 of the
agreement envisaged, and subject to compliance with strict conditions, to disclose the data outside Canada, on a case-
by-case basis, to public authorities whose functions are directly related to the purpose stated in Article 3 of that
agreement. (85)

iii) The strict necessity for the interference

207. As to the strict necessity for the interference consisting in the agreement envisaged, its assessment must in my
view entail ascertaining whether the contracting parties have struck a ‘fair balance’ between the objective of
combating terrorism and serious transnational crime and the objective of protecting personal data and respecting the
private life of the persons concerned. (86)

208. Such a fair balance must, in my view, be capable of being reflected in the terms of the agreement envisaged.
Those terms must thus establish clear and precise rules governing the scope and the application of a measure
providing for an interference with the rights guaranteed by Articles 7 and 8 of the Charter and impose a minimum of
requirements, so that the persons concerned have sufficient guarantees that their data will be afforded effective
protection against the risks of abuse and also against any unlawful access to and any unlawful use of that data. (87)
The terms of the agreement envisaged must also consist of the measures least harmful to the rights recognised by
Articles 7 and 8 of the Charter, while making an effective contribution to the public security objective pursued by the
agreement envisaged. (88) That means that it is not sufficient to imagine, in the abstract, the existence of alternative
measures that would be less intrusive in the fundamental rights at issue. Those alternative measures must also be
sufficiently effective, (89) that is to say, their effectiveness must, in my view, be comparable with those provided for
in the agreement envisaged, in order to attain the public security objective pursued by that agreement.

209. In that regard, the interested parties have discussed both the strict necessity for agreements in general and for
certain terms of the agreement envisaged. As those two aspects are in my view intrinsically linked, I consider that
they should be addressed when I examine the different parts of the agreement envisaged.

210. I shall therefore concentrate on the following eight points, which were specifically raised in the request for an
opinion or which were discussed between the interested parties during the proceedings before the Court, namely the
categories of data covered by the agreement envisaged, the sufficiently precise nature of the purpose for which the
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 25/46
8.9.2017 CURIA - Documents

processing of data is authorised, the identification of the competent authority responsible for the processing of data,
the automated processing of data, access to the data, the retention of the data, the subsequent transfer of the data, and,
last, measures of surveillance and judicial review provided for in the agreement envisaged.

– The categories of data covered by the agreement envisaged

211. As already stated, the agreement envisaged provides for the transfer to the Canadian competent authority of 19
categories of data collected by air carriers for flight reservation purposes and listed in the annex to that agreement.

212. Before the Court, the interested parties submitted observations on both the significance of some of those
categories, on the fact that they may be duplicated with the data gathered by the Canadian authorities for border
control purposes or, since 15 March 2016, in order to issue an electronic travel authorisation (‘eTA’), and on the
identification of data apt to contain sensitive data. In that regard, during the proceedings before the Court, the
Commission asserted that only heading 17 in the annex to the agreement envisaged, entitled ‘General remarks
including Other Supplementary Information (), Special Service Information (SSI) and Special Service Request (SSR)
information’, is apt to contain sensitive data, within the meaning of the agreement envisaged. In addition, it emerged
from the discussion before the Court that the information in heading 17 was transferred only when the person
reserving a flight requested certain on-board services, such as assistance, possibly connected to health or mobility
problems or special dietary requirements, which may provide information about the health or reveal the ethnic origin
and religious beliefs of that person or passengers travelling with him.

213. It is common ground that the 19 categories of data the transfer of which to the Canadian competent authority is
provided for in the agreement envisaged correspond to the categories which appear in the airlines’ reservation
systems. Those categories also correspond to the data elements listed in Appendix 1 to the Guidelines on Passenger
Name Record Data adopted by the International Civil Aviation Organisation (ICAO) and published in 2010. (90) The
elements in those categories are therefore perfectly known to operators active in the air sector. Those elements
concern, in fact, all the information necessary to book a flight, whether they relate to the booking methods or payment
methods used, the itinerary chosen or any on-board services requested.

214. Furthermore, as Ireland, the United Kingdom Government and the Commission emphasised, the data, taken as a
whole, contains additional information by comparison with the data gathered for border control purposes by the
Canadian immigration authorities. The advance passenger information (), of a biographical nature and relating to the
flight taken, which is gathered by the air carriers, is mainly intended to facilitate and speed up passenger identity
checks at the border by making it possible, where appropriate, to prevent persons prohibited from residence from
boarding or subjecting certain passengers already identified to enhanced checks at the border. (91) Likewise, in
Canada the new eVA requirement is intended to preserve Canada’s immigration programme since each person
wishing to visit Canada by air who is not required to have a visa is required to obtain, on the basis of biographical
information and information relating to admission to and stay in Canada, by electronic means, prior travel
authorisation valid for a maximum of five years. (92) However, data of that type does not reveal information about
the booking methods, payment methods used and travel habits, the cross-checking of which can be useful for the
purposes of combating terrorism and other serious transnational criminal activities. Independently of the methods
used to process that data, the and the data required for the issue of an eVA are therefore not sufficient to attain with
comparable effectiveness the public security objective pursued by the agreement envisaged.

215. It is the case that those categories of data are transferred to the Canadian authorities for all travellers flying
between Canada and the Union even though there is no indication that their conduct may have a connection with
terrorism or serious transnational crime.

216. However, as the interested parties have explained, the actual interest of schemes, whether they are adopted
unilaterally or form the subject matter of an international agreement, is specifically to guarantee the bulk transfer of
data that will allow the competent authorities to identify, with the assistance of automated processing and scenario
tools or predetermined assessment criteria, individuals not known to the law enforcement services who may
nonetheless present an ‘interest’ or a risk to public security and who are therefore liable to be subjected subsequently
to more thorough individual checks.

217. Accordingly, I have serious doubts as to whether the wording of certain categories of data in the annex to the
agreement envisaged is sufficiently clear and precise. Some of those categories are formulated in a very, indeed
excessively, open manner, without a reasonably informed person being able to determine either the nature or the
scope of the personal data which those categories might contain. I am thinking, in that regard, especially, of heading
5, on ‘Available frequent flyer and benefit information (free tickets, upgrades, etc.)’; heading 7, entitled ‘all available
contact information (including originator information)’; and heading 17, which has already been mentioned, on
‘General remarks’. The explanations provided by the Commission in its responses to the written questions put by the
Court did not enable those doubts to be dispelled. In particular, as regards heading 7, the Commission acknowledged
that that heading referred, in a non-exhaustive manner, to ‘all details connected with the booking, including, in
particular, the postal or email address and telephone number of the traveller, the person or agency that booked the

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 26/46
8.9.2017 CURIA - Documents

flight’. Likewise, as regards heading 17, the Commission stated that it covers all ‘supplementary information apart
from that listed elsewhere in the annex to the agreement envisaged’.

218. The agreement does indeed lay down certain guarantees with the aim of ensuring that the data transmitted does
not go beyond the list of elements set out in the annex to the agreement envisaged in the possession of the air carriers.
It is apparent from Article 4(3) of the agreement envisaged that no other data must be communicated to the Canadian
competent authority, since Canada is required to delete upon receipt any data transferred to it if it is not listed in the
annex to the agreement envisaged. Thus, although, in accordance with what is stated under heading 8 of that annex,
available payment/billing information must be transferred to the Canadian competent authority, it cannot include
information relating to the payment methods for other services not directly connected with the flight, such as vehicle
rental on arrival.

219. However, in the light of the very, indeed excessively, open nature of certain headings, it is particularly difficult
to understand what data is to be regarded as not having to be transferred to and therefore as having to be deleted by ,
in application of Article 4(3) of the agreement envisaged. Furthermore, it is likely that an air carrier will choose, on
the ground that it will be easier and less expensive to do so, to transfer all the data which it has previously collected,
whether or not it is among the headings listed in the annex to the agreement envisaged.

220. I therefore consider that, in order to ensure the legal security of persons whose personal data is transferred and
processed under the agreement envisaged and the need to establish clear and precise rules governing the scope ratione
materiae of that agreement, the categories of data in the annex to the agreement envisaged should be drafted in a more
concise and more precise manner, without any discretion being left to either the air carriers or the Canadian
competent authorities as regards the actual scope of those categories.

221. Last, I consider that the agreement envisaged goes beyond what is strictly necessary by including in its scope the
transfer of data that is apt to contain sensitive data, which in material terms allows information about the health or
ethnic origin or religious beliefs of the passenger concerned and and/or of those travelling with him to be disclosed.

222. In that regard, it is apparent from the material submitted to the Court that the data apt to contain such sensitive
data will be communicated only on an optional basis, that is to say, only where a passenger requests an additional on-
board service. However, it seems obvious to me that a person who has not yet been ‘identified’ but is collaborating or
participating in an international terrorist or serious crime network will as a matter of prudence avoid requesting such
services which are apt in particular to provide information about his ethnic background or his religious beliefs. The
modern investigative methods employed by the Canadian competent authorities, consisting, according to the
explanations provided to the Court, in cross-checking the data with scenarios or profile types of persons at risk and
which might be based on such sensitive data, since the agreement envisaged does not prohibit it, will in fact allow
only the sensitive data of persons who have legitimately requested one of those on-board assistance services, and on
whom no suspicion lies or in all likelihood will lie, to be processed. The risk of stigmatising a large number of
individuals who are not suspected of any offence which the use of such sensitive data entails strikes me as
particularly worrying and prompts me to propose that the Court should exclude data of that type from the scope of the
agreement envisaged. In addition, I must observe that Article 8 of the Agreement concluded with Australia precludes
any processing of sensitive data. That suggests, in the absence of a fuller explanation in the agreement envisaged of
why the processing of sensitive data is strictly necessary, that the objective of combating terrorism and serious
international crime could be attained just as effectively without such data even being transferred to .

223. I would add that the guarantees offered by Article 8 of the agreement envisaged, on the ‘Use of sensitive data’,
seem to me to be insufficient to justify taking a different approach from that consisting in proposing that sensitive
data be excluded from the scope of the agreement envisaged.

224. In fact, in spite of the measures laid down in Article 8(1) to (4) of the agreement envisaged, Article 8(5) in fine
authorises ‘Canada’ (and not just the Canadian competent authority) to retain the sensitive data in accordance with
Article 16(5) of the agreement envisaged. It follows from that provision that the data may be retained for up to five
years where it is ‘required for any specific action, review, investigation, enforcement action, judicial proceeding,
prosecution, or enforcement of penalties, until concluded’. Article 16(5) of the agreement envisaged, moreover,
makes no reference to the purposes stated in Article 3 of that agreement, unlike the point immediately preceding it. It
follows that sensitive data of a Union citizen who has taken a flight to Canada is liable to be retained for five years
(and, where appropriate, unmasked and analysed during that period) by any Canadian public authority, for any
‘action’ or ‘investigation’ or ‘judicial proceeding’, without being in any way connected to the objective pursued by
the agreement envisaged, for example, as the Parliament has pointed out, in the event of proceedings related to
contract law or family law. The possibility that such a situation will arise prompts the conclusion that on this point the
contracting parties have not struck a fair balance between the objectives pursued by the agreement envisaged.

225. In the light of those considerations, I consider that the categories of data listed in the annex to the agreement
envisaged should be worded more clearly and more precisely and that, in any event, sensitive data should be excluded
from the scope of the agreement envisaged. It follows that the use of sensitive data provided for in Article 8 of the
agreement envisaged is in my view incompatible with Articles 7 and 8 and Article 52(1) of the Charter.
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 27/46
8.9.2017 CURIA - Documents

– The sufficiently precise nature of the purpose for which data processing is authorised

226. As already stated, Article 3(1) of the agreement envisaged provides that the Canadian competent authority is to
process data received pursuant to that agreement strictly for the purpose of preventing, detecting, investigating or
prosecuting terrorist offences or serious transnational crime.

227. Article 3(2)(a) of the agreement envisaged provides a precise definition of ‘terrorist offence’, while Article 3(3)
defines ‘serious transnational crime’ as meaning ‘any offence punishable in Canada by a maximum deprivation of
liberty of at least four years or a more serious penalty and as they are defined by the Canadian law, if the crime is
transnational in nature’. The conditions on which a crime is to be regarded as transnational in nature are also set out
in Article 3(3)(a) to (e) of the agreement envisaged.

228. Article 3(5) of the agreement envisaged confers on Canada the right to process data, on a case-by-case basis, in
order to ensure the oversight or accountability of the public administration (Article 3(5)(a)) or to comply with the
subpoena or warrant issued, or an order made, by a court (Article 3(5)(b)).

229. In its request, the Parliament accepts that Article 3 of the agreement envisaged offers certain objective criteria,
but considers that the reference in paragraph 3 to the legislation of a third country and the possibility of further
treatment afforded by paragraph 5 give rise to uncertainty as to whether the agreement is limited to what is strictly
necessary.

230. I am able to subscribe to that argument only in part.

231. First of all, I consider that, unlike the position concerning the measure at issue in Digital Rights Ireland and
Others (C‑293/12 and C‑594/12, EU:C:2014:238), Article 3 of the agreement envisaged lays down objective criteria
in relation to the nature and degree of seriousness of the offences in respect of which the Canadian authorities would
be entitled to process the data. Thus, a terrorist offence is directly defined in Article 3(2) of the agreement envisaged
and the definition also covers the activities defined as constituting such an offence in applicable international
conventions and protocols relating to terrorism. The nature and seriousness of an offence constituting ‘serious
transnational crime’ are also clear from Article 3(3) of the agreement envisaged, since such an offence involves more
than one country and is punishable in Canada by a maximum deprivation of liberty of at least four years. The
definition clearly does not cover minor offences or those the seriousness of which might vary, as was the case in the
act at the origin of the judgment of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12,
EU:C:2014:238), according to the domestic law of a number of States, which therefore meant that it was impossible
to consider that the interference with the fundamental rights guaranteed by Articles 7 and 8 of the Charter was limited
to what was strictly necessary.

232. However, I accept that the reference to Canadian domestic law does not allow the specific offences that may be
covered by Article 3(3) of the agreement envisaged, if, in addition, they are transnational in nature, to be identified.

233. In that regard, the Commission communicated to the Court a document sent by the Canadian authorities setting
out a non-exhaustive list of offences coming within the definition laid down in Article 3(3) of the agreement
envisaged which, according to those authorities, represent the great majority of offences that may come within that
definition.

234. That list clearly shows the gravity of the infringements concerned, which relate to trafficking of weapons,
ammunition, explosives and humans, the distribution or possession of child pornography, the laundering of the
proceeds of crime, counterfeiting, forgery, murder, kidnapping, sabotage, hostage-taking or aircraft-hijacking.

235. Nonetheless, in order to limit to what is strictly necessary the offences that may entitle the relevant authorities to
process data and ensure the legal security of passengers whose data is transferred to the Canadian authorities, I
consider that the offences coming within the definition in Article 3(3) of the agreement envisaged should be listed
exhaustively, for example, in an annex to the agreement envisaged itself.

236. In addition, I share the Parliament’s concerns about the wording of Article 3(5)(b) of the agreement envisaged,
which extends the purposes for which the processing of the data is authorised. According to that article, the
processing of data is ‘also’ permitted, on a case-by-case basis, in order to comply with the subpoena or warrant
issued, or an order made, by a court, although it is not stated that that court must be acting in the context of the
purposes of the agreement envisaged. That article therefore appears to allow the processing of data for purposes
unconnected with those pursued by the agreement envisaged and/or possibly in connection with conduct or offences
not coming within the scope of that agreement.

237. In the light of those considerations, I consider that, in order to be limited to what is strictly necessary and to
ensure the legal security of passengers, in particular citizens of the Union, the agreement envisaged must be
accompanied by an exhaustive list of the offences coming within the definition of ‘serious transnational crime’,
provided for in Article 3(3) of that agreement. Furthermore, in its current form, Article 3(5) of the agreement
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 28/46
8.9.2017 CURIA - Documents

envisaged is incompatible with Articles 7 and 8 and Article 52(1) of the Charter, in that it allows the possibilities of
processing data to be extended beyond what is strictly necessary, independently of the stated purposes of the
agreement envisaged.

– The scope ratione personae of the agreement envisaged

238. It is common ground that the data transferred under the agreement envisaged concerns all travellers flying
between Canada and the Union, even where there is no suggestion that the conduct of those travellers might be
connected with terrorism or serious transnational crime. The transfer of that data to the Canadian competent authority,
its automated processing and then its retention therefore apply without any distinction based on the possible risk that
certain categories of travellers might present.

239. In the judgment of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238), it
was quite specifically the undifferentiated and general nature of the retention of the data of any person using
electronic communications in the Union, irrespective of the objective pursued by Directive 2006/24/EC of the
European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in
connection with the provision of publicly available electronic communications services or of public communications
networks and amending Directive 2002/58/EC, (93) of combating serious offences that was held by the Court to go
beyond what was strictly necessary.

240. Although the interference constituted by the agreement envisaged is less extensive than that provided for in
Directive 2006/24, and is also less intrusive into the daily life of everyone, its undifferentiated and generalised nature
raises questions.

241. However, as I have already observed in paragraph 216 of this Opinion, the actual interest of schemes is
specifically to guarantee the bulk transfer of data that will allow the competent authorities to identify, with the
assistance of automated processing and scenario tools or predetermined assessment criteria, individuals hitherto
unknown to the law enforcement services who may nonetheless present an ‘interest’ or a risk to public security and
who are therefore liable to be subjected subsequently to more thorough individual checks. Those checks must also be
capable of being carried out over a certain period after the passengers in question have travelled.

242. In addition, unlike the persons whose data was subject to the processing provided for in Directive 2006/24, all
those coming under the agreement envisaged voluntarily take a means of international transport to or from a third
country, a means of transport which is itself, repeatedly, unfortunately, an vehicle or a victim of terrorism or serious
transnational crime, which requires the adoption of measures ensuring a high level of security for all passengers.

243. It is indeed possible to imagine a data transfer and processing scheme that distinguished passengers according to,
for example, geographic areas of origin (when they stop over in the Union) or according to passengers’ age, minors,
for example, prima facie representing a lesser risk for public security. However, in so far as they were considered not
to involve prohibited discrimination, such measures, once they became known, might well entail the circumvention of
the terms of the agreement envisaged, which would in any event be prejudicial to the effective attainment of one of its
objectives.

244. As already indicated, however, it is not sufficient to imagine in the abstract alternative measures that would be
less restrictive of individuals’ fundamental rights. To my mind, those measures must also present guarantees of
effectiveness comparable with those the implementation of which is envisaged with the aim of combating terrorism
and serious transnational crime. No other measure which, while limiting the number of persons whose data is
automatically processed by the Canadian competent authority, would be capable of attaining with comparable
effectiveness the public security aim pursued by the contracting parties has been brought to the Court’s attention in
the context of the present proceedings.

245. On balance, it therefore seems to me that, generally, the scope ratione personae of the agreement envisaged
cannot be limited further without harming the very object of the regimes.

– Identification of the competent authority responsible for processing the data

246. According to Article 5 of the agreement envisaged, only ‘the Canadian Competent Authority’ is to be deemed to
provide an adequate level of protection for the processing and use of data, subject to compliance with the agreement
envisaged.

247. As the Parliament has observed, the identity of that authority is not mentioned in the agreement envisaged. There
can be no doubt, however, in the light of the 2006 Agreement, as confirmed in the letter from the Mission of Canada
to the European Union dated 25 June 2014, notified to the Commission pursuant to Article 30(2)(a) of the agreement
envisaged and communicated to the Court in the context of the present proceedings, that the authority in question is
the CBSA.

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 29/46
8.9.2017 CURIA - Documents

248. More than the identity of that authority, it is what is frequently the lack of precision of the terms of the
agreement envisaged that, from the aspect of compliance with the principle of proportionality, raises doubts as to the
authorities liable to process the data.

249. Several terms of the agreement envisaged refer generically to ‘Canada’ and not to ‘the Canadian Competent
Authority’, which, nonetheless, is the only authority deemed to provide an adequate level of protection for the
processing and use of data, in application of the agreement envisaged. That applies to Article 3(5) of the agreement
envisaged, which, moreover, as I have examined above, (94) extends the purposes for which the data may be
processed, Article 8 of the agreement envisaged, Article 12(3) of the agreement envisaged, on disclosure to any
person, and Article 16 of the agreement envisaged, on the retention of the data. (95)

250. Contrary to the Commission’s submissions at the hearing, the replacement of the expression ‘the Canadian
Competent Authority’ by the generic term ‘Canada’ casts doubt on the number of authorities authorised to process the
data, a fortiori when Article 18 of the agreement envisaged authorises the Canadian competent authority, provided
that the conditions set out in that article are met, to disclose the data to other government authorities in Canada. (96)

251. The terms of the agreement envisaged therefore do not seem to me to be sufficiently clear and precise as regards
the identification of the authority responsible for processing the data in such a way as to ensure the protection and
security of the data.

– The automated processing of the data

252. It is apparent from the observations submitted to the Court that the main added value of the processing of the
data is the comparison of the data received with scenarios or predetermined risk assessment criteria or databases
which, with the assistance of automated processing, makes it possible to identify ‘targets’ who can subsequently be
subjected to more thorough checks. In practice, according to the data communicated by the to the Commission and
the United Kingdom Government and communicated to the Court by those interested parties, the application of those
techniques allowed around 9 500 ‘targets’ to be identified by the automated processing of data out of the 28 million
passengers who flew between Canada and the Union between April 2014 and March 2015.

253. However, none of the terms of the agreement envisaged relates specifically to either those databases or those
scenarios or assessment criteria, which would therefore continue to be determined and used at the entire discretion of
the Canadian authorities.

254. Admittedly, the agreement envisaged specifies that Canada is to ensure that the safeguards applicable to the
processing of data apply to all passengers on an equal basis without unlawful discrimination (Article 7 of the
agreement envisaged) and that it is not to take any decisions significantly adversely affecting a passenger solely on
the basis of automated processing of PNR data (Article 15 of the agreement envisaged).

255. I am nonetheless convinced that, in the light of the fair balance between the two objectives pursued by the
agreement envisaged and the considerable practical importance of that aspect, a comparison of the data with those
scenarios or those predetermined assessment criteria is liable to lead, as certain of the interested parties have
acknowledged, to false positive ‘targets’ being identified, the agreement envisaged should contain a number of
principles and explicit rules concerning both the scenarios or the predetermined assessment criteria and the databases
with which the data is compared.

256. The precise framing and determination of the scenarios and the predetermined assessment criteria must to a large
extent make it possible to arrive at results targeting individuals who might be under a ‘reasonable suspicion’ of
participating in terrorism or serious transnational crime. (97)

257. It is not strictly necessary for the Court to indicate the principles that should govern the determination of those
scenarios and assessment criteria or the databases with which the data is compared.

258. For my part, I consider that the agreement envisaged should at least expressly state that neither the scenarios or
the predetermined assessment criteria nor the databases used can be based on an individual’s racial or ethnic origin,
his political opinions, his religion or philosophical beliefs, his membership of a trade union, his health or his sexual
orientation. Furthermore, the criteria, scenarios and databases should be expressly confined to the purposes and
offences defined in Article 3 of the agreement envisaged.

259. Furthermore, the agreement envisaged should in my view state more clearly than Article 15 of the agreement
envisaged does at present that, where the comparison of data with the predetermined criteria and scenarios leads to a
positive result, that result must be examined by non-automated means. That guarantee could reduce the number of
persons who might subsequently be subjected to a more thorough physical check.

260. In addition, in order to be limited to what is strictly necessary, those relevant criteria, scenarios and databases,
and their reconsideration, should in my view be the subject of a check by the independent public authority referred to
in the agreement envisaged, namely the Privacy Commissioner of Canada, (98) and be the subject of a report on their
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 30/46
8.9.2017 CURIA - Documents

implementation, communicated to the competent institutions and bodies of the Union, pursuant to Article 26 of the
agreement envisaged, which governs the joint review and evaluation of the implementation of that agreement.

261. Consequently, I consider that, in failing to establish explicit principles and rules relating to the establishment and
use of the predetermined scenarios and criteria and also the databases with which the data is compared by automated
processing, the contracting parties have not struck a fair balance between the two objectives pursued by the
agreement envisaged.

– Access to the data

262. When the passengers whose data has been subject to automated processing and who present a profile
corresponding to predetermined scenarios or criteria are identified, it is apparent from the explanations provided to
the Court that officials access those passengers’ data in order to determine whether they should be subjected to a
more thorough check. In practice, according to the information submitted by the United Kingdom Government and
the Commission, among the 9 500 ‘targets’ identified between April 2014 and March 2015, 1 765 persons were
subjected to thorough checks for reasons connected with national public security or for reasons connected with a
serious transnational criminal offence. Of those persons, 178 were arrested for a serious transnational criminal
offence, connected in particular with drug trafficking.

263. In the judgment of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238,
paragraphs 62 and 66), the Court observed that Directive 2006/24 did not lay down any objective criterion by which
to determine the limits of the number of persons authorised to access the personal data in question and did not make
access to that data dependent on a prior review carried out by a court or an independent administrative body.
Furthermore, the directive did not lay down any rules against the risk of abuse and against any unlawful access to or
use of that data.

264. Conversely, it should be observed that the terms of the agreement envisaged satisfy those requirements in part.

265. As already observed, under Article 9(1) and (2) of the agreement envisaged Canada is required to implement
regulatory, procedural or technical measures to protect data against accidental, unlawful or unauthorised access,
processing or loss and to ensure, in particular, the protection, security, confidentiality and integrity of the data, by
applying in particular encryption procedures and holding data in a secure physical environment that is protected with
access controls.

266. Furthermore, both Article 9(2)(b) and Article 16(2) of the agreement envisaged provide that is to restrict access
to data to a limited number of officials specifically authorised by . As regards the retention of the data, Article 16(4)
of the agreement envisaged also states that data depersonalised by masking can be unmasked only if it is necessary to
carry out investigations under the scope of Article 3 of the agreement envisaged and, depending on the length of time
during which the data concerned is retained, either by a limited number of specifically authorised officials or only
with prior permission by the Head of the Canadian Competent Authority or a senior official specifically mandated by
the Head.

267. However, like Directive 2006/24, the agreement envisaged does not specify the objective criteria on the basis of
which the officials with access to the data are to be determined and whether those officials are all in the service of the
CBSA. That information seems to be all the more important because the group of officials having access to that data
in the context of Article 9(2) of the agreement envisaged is, it would appear, wider than the group, described as
‘limited’, who may have access to data retained for more than 30 days in the context of the application of
Article 16(2) of that agreement. The criteria on which the two groups of officials authorised to access the data may be
distinguished is not, however, apparent from the terms of the agreement envisaged and are therefore left to Canada’s
entire discretion. That freedom does not in my view satisfy the requirement laid down in the judgment of 8 April
2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238), referred to in paragraph 263 of
this Opinion.

268. Likewise, it should be observed that the agreement envisaged does not provide that access to the data is to be
subject to prior control by an independent authority, such as the Privacy Commissioner of Canada, (99) or by a court
whose decision might limit access to or use of the data and which would deal with the matter following a reasoned
request from the .

269. However, the appropriate balance that must be struck between the effective pursuit of the fight against terrorism
and serious transnational crime and respect for a high level of protection of the personal data of the passengers
concerned does not necessarily require that a prior control of access to the data must be envisaged.

270. In fact, without its even being necessary to ascertain whether such a prior control would in practice be
conceivable and sufficiently effective, given in particular the quantity of data to be examined and the resources
available to the independent control authorities, I observe that, in the context of respect for Article 8 of the ECHR by
the public authorities who have put in place measures for the interception and surveillance of private
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 31/46
8.9.2017 CURIA - Documents

communications, the ECtHR has accepted that, save in exceptional circumstances relating in particular to the
confidentiality of journalists’ sources of information or communications between lawyers and their clients, an ex ante
control of those measures by an independent body or a judge is not an absolute requirement, provided that extensive
post factum judicial oversight of those measures is guaranteed. (100)

271. In that regard, independently of the doubts prompted by the allocation of the CBSA’s surveillance and oversight
powers between the ‘independent public authority’ and the ‘authority created by administrative means that exercises
its functions in an impartial manner and that has a proven record of autonomy’, to which I shall return later, (101) it
must be pointed out that Article 14(2) of the agreement envisaged provides that Canada is to ensure that any
individual who is of the view that their rights have been infringed by a decision or action in relation to their data may
seek effective judicial redress in accordance with Canadian law by way, inter alia, of judicial review. There can be no
doubt, having regard to the wording of Article 14(1) of the agreement envisaged and the explanations provided by the
interested parties, that that remedy is available against any decision relating to access to the data of the persons
concerned, irrespective of their nationality, their domicile or their presence in Canada. In the context of the present
procedure of preventive examination of the compatibility of the terms of the agreement envisaged with Articles 7 and
8 of the Charter, the guarantee of such a remedy, the effectiveness of which has not been called in question by any of
the interested parties, seems to me to satisfy the condition required by those provisions, read in the light of the
interpretation of Article 8 of the ECHR by the ECtHR.

272. Consequently, I consider that the fact that the agreement envisaged has failed to provide that access by the
authorised officials of the to the data is subject to prior control by an independent administrative authority or by a
court is not incompatible with Articles 7 and 8 and Article 52(1) of the Charter, in so far as — as is the case — the
agreement envisaged requires that Canada guarantee that every person concerned will be entitled to an effective post
factum judicial review of the decisions or actions relating to access to his data.

273. On the other hand, I consider that, in order to be limited to what is strictly necessary, the agreement envisaged
must make quite clear that only officials of the are to be authorised to have access to the data and must lay down
objective criteria enabling the number of such officials to be known, having regard to the different situations provided
for in Articles 9 and 16 of the agreement envisaged.

– The retention of the data

274. Before the Court, the interested parties discussed at length the consequences that flow from the judgment of
8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238), as regards the strict
necessity for the system of data retention provided for in Article 16 of the agreement envisaged.

275. In that judgment, the Court took issue with the EU legislature for not having required that the data in question be
retained within the Union, with the consequence that the control, explicitly required by Article 8(3) of the Charter, by
an independent authority of compliance with the requirements of protection and security of the data was not fully
ensured. (102)

276. Furthermore, as regards the data retention period of a maximum of two years laid down in Directive 2006/24,
the Court took issue with the fact that the directive did not distinguish between the categories of data on the basis of
their usefulness for the purposes of the objective pursued or according to the persons concerned and that the retention
period was not determined on the basis of objective criteria. (103)

277. As regards the first point, it is clear that the data coming within the terms of the agreement envisaged will not be
kept within the Union. That in itself is not sufficient, however, to render invalid the retention system provided for in
Article 16 of the agreement envisaged, unless the agreement does not fully ensure a review of the requirements of
protection and security by an independent authority. However, as I shall examine below, while the contracting parties’
intention is indeed to observe in full the requirement laid down in Article 8(3) of the Charter, Article 10(1) of the
agreement envisaged is couched in terms that are too ambiguous to ensure, in all circumstances, the existence of such
a review. (104)

278. As for the duration of the data retention period, it is apparent from Article 16(1) of the agreement envisaged that
the maximum duration of that period is five years from the date that the data is received, (105) and that at the end of
that period Canada is required, pursuant to Article 16(6) of the agreement envisaged, to destroy the data.

279. It is common ground that the retention period has been extended by one and a half years by comparison with the
period provided for in the 2006 Agreement. Furthermore, apart from the explanations and examples provided by
certain interested parties during the proceedings before the Court, which are essentially linked to the average lifetime
of international serious crime networks and to the duration and complexity of investigations of those networks, the
agreement envisaged does not indicate the objective reasons that led the contracting parties to increase the data
retention period to a maximum of five years.

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 32/46
8.9.2017 CURIA - Documents

280. To my mind those objective reasons must be stated in the agreement envisaged, thus ensuring at the outset that
that period is necessary for the objectives pursued by the agreement envisaged. To be quite clear on this point, that
consideration also applies with respect to Article 16(5) of the agreement envisaged, the scope of which, as I have
already observed in connection with the sensitive data that must be excluded from the scope of that agreement,
should, as regards the retention of the other data for a maximum period of five years, be confined to the purpose
described in Article 3 of the agreement envisaged. (106)

281. It must therefore be stated that the contracting parties have not shown that it is necessary to retain all the data for
a maximum period of five years.

282. The Court might, in the context of these proceedings, confine itself to that assessment, and would therefore not
be required to ascertain whether the five-year retention period for all data for all air passengers travelling between
Canada and the Union exceeds what is strictly necessary to attain the security purpose of the agreement envisaged.

283. In case the Court should nonetheless consider it appropriate to devote some argument to that point, I shall permit
myself to make the following comments.

284. First of all, as regards the amount of data retained, it is permissible in my view to ask whether, after several
years, there is justification for retaining certain categories of data, since the Canadian competent authority has or may
have at its disposal, by means of unmasking, in accordance with the conditions laid down in Article 16(3) of the
agreement envisaged, the data revealing the essential information relating to the identity of the passenger or
passengers on , the date of travel, the payment methods used, all available information, the travel itinerary, details of
the travel agency or travel agent and baggage information. In particular, I wonder whether frequent flyer and benefit
information (heading 5 in the annex to the agreement envisaged), information about the check-in status of the
passenger (heading 13 in the annex), ticketing or ticket price information (heading 14 in the annex) and code sharing
information (heading 11 in the annex) which, according to the Commission, provide information only about the actual
carrier prove, after being retained for some years, to be information having genuine added value by comparison with
the other data which is also retained and which may be unmasked, with the aim of combating terrorism and serious
transnational crime.

285. Next, in addition to the doubts that may be raised about the strict necessity of the retention period of all the data
provided for in the agreement envisaged, the guarantees afforded by Article 16(3) of that agreement, concerning
‘depersonalisation’ by masking, seem to me to be insufficient in any event to ensure the protection and security of the
personal details of the passengers concerned.

286. Admittedly, that article does indeed provide that the names of all passengers are to be masked 30 days after they
are received. It also states that the data in categories 6, 7, 17 and 18, listed in the annex to the agreement
envisaged, (107) is to be masked two years after it is received if, in the case of the last two categories, it is capable of
identifying a natural person.

287. It is precisely the exhaustive nature of that list that seems worrying. In fact, other headings in the annex to the
agreement envisaged are also capable of directly identifying a natural person but do not appear on the list in
Article 16(3) of the agreement envisaged. I am thinking mainly of the available frequent flyer and benefit information
(heading 5 in the annex) and all available payment/billing information (heading 8), which includes, in particular,
details of the payment method or methods used.

288. I therefore consider that, by omitting to ensure the ‘depersonalisation’ by masking of all the data on the basis of
which a passenger may be directly identified, the contracting parties have not struck a fair balance between the
objectives pursued by the agreement envisaged.

289. Last, as regards the rules and procedures applicable to the unmasking of the data, it should be borne in mind that
Article 16(4) of the agreement envisaged states that such an operation can be carried out only if on the basis of
available information it is necessary to carry out investigations under the scope of Article 3 of the agreement
envisaged either, up to two years from initial receipt of the data, by a limited number of specifically authorised
officials or, between two years and five years after receipt, only with prior permission by the Head of the Canadian
Competent Authority or a senior official specifically mandated by the Head.

290. Subject to the observations made above in relation to the objective criteria on which the officials authorised to
access the data may be determined (108) and to those made below in relation to the oversight of the Canadian
competent authority by an independent public authority, (109) I consider that Article 16(4) of the agreement
envisaged does not in itself go beyond what is strictly necessary.

– The disclosure and subsequent transfer of the data

291. Articles 12, 18 and 19 of the agreement envisaged relate directly to the disclosure of the data.

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 33/46
8.9.2017 CURIA - Documents

292. Article 12 of the agreement envisaged, entitled ‘Access for individuals’, appears at first sight not to call for
criticism, since it seeks to ensure that everyone has access to his own data.

293. Paragraph 3 of that article seems to me, however, to extend the possibilities of access to the data and information
extracted from it to anyone, without any specific guarantees being laid down. Article 12(3) of the agreement
envisaged authorises Canada to ‘make any disclosure of information subject to reasonable legal requirements and
limitations …, with due regard for the legitimate interests of the individual concerned’. However, neither the
recipients of that ‘information’ nor the use to which it is put is defined in the agreement envisaged. It is therefore
quite possible that that information may be communicated to any natural or legal person, such as a bank, for example,
provided that considers that the disclosure of such information does not exceed ‘reasonable’ legal requirements,
which, moreover, are not defined in the agreement envisaged.

294. Having regard in particular to the particularly vague nature of its wording and to the particularly broad terms in
which it is couched, Article 12(3) of the agreement envisaged therefore seems to me to go beyond what is strictly
necessary to attain the public security objective pursued by the agreement envisaged.

295. As for Articles 18 and 19 of the agreement envisaged, they relate respectively to disclosure of data by the
Canadian competent authority to other government authorities in Canada and to other government authorities of
countries other than Member States of the Union.

296. Like the Parliament, I consider that, in so far as the ‘adequate level of protection’, deemed to satisfy the level
guaranteed in EU law, concerns only compliance by the Canadian competent authority with the terms of the
agreement envisaged, the contracting parties must ensure that that level of protection cannot be circumvented by
personal data being transferred to other Canadian government authorities or to third countries. (110)

297. It cannot be denied that Articles 18 and 19 of the agreement envisaged make the subsequent transfer of data or
the analytical information containing data subject to strict cumulative conditions, four of which are identical. Thus,
that data and that information are communicated only if the government authorities in question have functions
directly related to the scope of Article 3 of the agreement envisaged, on a case-by-case basis and on condition that the
circumstances of the particular case render disclosure necessary for the purposes stated in Article 3. In addition, it is
made clear that only the minimum data or analytical information necessary is to be disclosed. (111)

298. However, the guarantees afforded by those two terms of the agreement envisaged differ from the other
conditions.

299. First of all, while, according to Article 18 of the agreement envisaged, the other Canadian government
authorities to whom the data is disclosed must afford ‘protection equivalent to the safeguards described in [the
agreement envisaged]’, Article 19(1)(e) states that the Canadian Competent Authority must be ‘satisfied’ that the
foreign authority receiving the data applies either standards to protect the data that are equivalent to those set out in
the agreement envisaged, in accordance with agreements and arrangements that incorporate those standards, or the
standards to protect the data that it has agreed with the Union.

300. In both situations, it is common ground that it is solely for the Canadian competent authority, namely the , to
ascertain the adequacy of the protection afforded by the public authority receiving the data. Neither the CBSA’s
examination nor any decision on disclosure of the data is subject to ex ante control by an independent authority or a
judge. Nor does the agreement envisaged provide that the intention to transfer the data of a national of a Member
State of the Union is at least to be notified to the competent authorities of the Member State in question and/or to the
Commission before disclosure actually takes place. Article 18 of the agreement envisaged is silent as to the latter
possibility, while Article 19(2) thereof provides only that the competent authorities of the Member State in question
are to be informed ‘at the earliest appropriate opportunity’.

301. In fact, the additional guarantees referred to in the preceding paragraph should in my view be afforded.

302. A mere post factum review of the disclosure of the data will not make it possible either to counterbalance an
incorrect assessment of the level of protection afforded by a recipient public authority or to restore the privacy and
confidentiality of the data when it has been transferred to and used by the recipient public authority. (112) That is
particularly true in the case of the disclosure of data to a third country, where its subsequent use will even be outside
the post factum competence and review of the Canadian authorities and courts.

303. Furthermore, if the Commission and the competent authorities of the Member State of which the individual
whose data is to be transferred is a national are given prior notification, it will be possible to ensure that the
examination of the ‘equivalent level of protection’ has indeed been carried out. In addition, from a different aspect,
such prior information, in so far as the transfer of data in application of Articles 18 and 19 of the agreement envisaged
will be able to be effected only in duly reasoned cases and specific circumstances and therefore in situations in which
it may be supposed that significant suspicion attaches to the person concerned, is in particular apt to contribute to
reinforcing cooperation between the competent authorities of Canada, the Union and its Member States, in keeping

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 34/46
8.9.2017 CURIA - Documents

with the objective of preventing and detecting terrorism and serious transnational crime pursued by the agreement
envisaged.

304. Next, it should be observed that under Article 18(1)(f) of the agreement envisaged the receiving Canadian
government authority is prohibited from subsequently disclosing the data to another entity unless the disclosure is
authorised by the respecting the conditions laid down in that paragraph. Conversely, Article 19 of the agreement
envisaged does not require the to be satisfied, before the data is transferred, that the receiving public authority of a
third country cannot itself subsequently disclose that data to another entity, as the case may be, of another third
country.

305. As the risk that such a situation, which would have the effect of circumventing the level of protection of personal
data afforded by EU law, may arise has not been excluded, it must be stated that Article 19 of the agreement
envisaged authorises unwarranted interferences with the fundamental rights guaranteed by Articles 7 and 8 of the
Charter. (113)

– The administrative surveillance and judicial control measures

306. Control by an independent authority, which is required by both Article 8(3) of the Charter and the second
subparagraph of Article 16(2) TFEU, is an essential element of respect for the protection of individuals with regard to
the processing of personal data in the Union. (114)

307. It is clear from the terms of the agreement envisaged that the contracting parties are aware of that requirement,
although, and I shall return to this point, the agreement envisaged does not fully satisfy it.

308. With the objective of ensuring that the level of protection afforded by the Canadian competent authority, where it
processes and uses data, is, according to Article 5 of the agreement envisaged, ‘adequate … within the meaning of
relevant EU data protection law’, that authority must, in particular, comply with the measures provided for in
Article 10 of the agreement envisaged, that is to say, control by an ‘overseeing authority’. That authority must have
‘effective powers to investigate compliance with the rules related to the collection, use, disclosure, retention, or
disposal of data’. Those powers also include the power to conduct compliance reviews, make recommendations to the
Canadian Competent Authority and refer violations of law related to the agreement envisaged for prosecution or
disciplinary action. Under Article 14(1) of the agreement envisaged, the overseeing authority is to receive, investigate
and respond to complaints lodged by individuals concerning their request for access to, correction of or annotation of
their data.

309. It follows that it is indeed the contracting parties’ intention to ensure that the processing of personal data by the
is subject to an effective mechanism for the detection and review of any violations of the rules of the agreement
envisaged affording protection of passengers’ privacy and personal data, in order to ensure a level of protection that is
intended to be ‘substantially equivalent’ to that which individuals would enjoy if their personal data were processed
and retained within the Union.

310. It follows that control by an independent authority, required in particular by Article 8(3) of the Charter, is fully
applicable in the present case.

311. In fact, the particular feature of the overseeing authority put in place in the agreement envisaged that attracts
criticism from the Parliament and the EDPS in respect of its complete independence is that it is bicephalous.
Article 10 of the agreement envisaged presents that authority as either an ‘independent public authority’ or an
‘authority created by administrative means that exercises its functions in an impartial manner and that has a proven
record of autonomy’.

312. The first of those authorities, as is clear from the letter of 25 June 2014 from the Mission of Canada to the
European Union (115) and the explanations provided by the Commission during the proceedings before the Court,
designates the Canadian Privacy Commissioner, whose status, mode of appointment, fixed term of office of seven
years, investigative powers, including the power to investigate matters on his own initiative, are laid down in the
Canadian Privacy Act 1985. (116) It should be pointed out that none of the interested parties has cast doubt on the
fact that the Canadian Privacy Commissioner, who reports exclusively to the Chambers of the Canadian Parliament,
enjoys independence and impartiality that allow him to perform his tasks without being subject to any external
influence or directions, in particular from the Executive. (117)

313. It is apparent from the explanations provided to the Court that, under the Privacy Act, the powers of the
Canadian Privacy Commissioner extend to complaints from any individual alleging a breach of the rules on privacy
and personal data protection by a federal public institution in Canada.

314. However, the alternative wording of Article 10(1) of the agreement envisaged gives the impression that the
processing of data by the might also be wholly assumed by the ‘authority created by administrative means that

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 35/46
8.9.2017 CURIA - Documents

exercises its functions in an impartial manner and that has a proven record of autonomy’, that is to say by the
Recourse Directorate of the , which was set up under the 2006 Agreement.

315. However, irrespective of the guarantees referred to in the letter of 25 June 2014 from the Mission of Canada to
the European Union, according to which the Recourse Directorate of the CBSA will receive no directions from the
other operational bodies of the latter, that directorate, like all the other bodies of the , continues to be directly
subordinate to the responsible Minister, from whom it may receive directions. (118) Since it is liable to be subject to
influence of, in particular, a political nature on the part of the authority to which it is responsible or more generally
the Executive, the Recourse Directorate of the cannot be regarded as an independent supervisory authority for the
purposes of Article 8(3) of the Charter.

316. Consequently, in so far as Article 10 of the agreement envisaged provides, in essence, that the supervisory
authority may be either the Canadian Privacy Commissioner or the Recourse Directorate of the , it does not constitute
a clear and precise rule systematically ensuring control by an independent authority, within the meaning of
Article 8(3) of the Charter, of respect for the private life and protection of the personal data of the individuals
concerned by the data processing provided for by the agreement envisaged. It is for the contracting parties to dispel
the ambiguity resulting from the drafting of Article 10(1) of that agreement and to ensure that control of compliance
with the fundamental rights guaranteed by Articles 7 and 8 of the Charter is entrusted to an independent supervisory
authority, within the meaning of Article 8(3) of the Charter.

317. As for Article 14(1) of the agreement envisaged, which concerns administrative redress, it is apparent from the
explanations provided by the Commission that, under the Canadian Privacy Act of 1985, the Canadian Privacy
Commissioner is not competent to hear requests for access, correction or annotation of PNR data from persons not
present in Canada, that is to say, requests submitted by those persons on the basis of Articles 12 and 13 of the
agreement envisaged.

318. According to the explanations provided the Commission, the investigation of requests for access, correction or
annotation, and the replies to those requests submitted by persons not present in Canada, as is undoubtedly the
position of most citizens of the Union, are within the remit of the Recourse Directorate of the CBSA.

319. In its observations, and in its replies to the questions put by the Court, the Commission stated that a person
whose request for access to his data, or for correction or annotation of that data, has been rejected by the Recourse
Directorate of the could, via an agent present in Canada, file a complaint with the Canadian Privacy Commissioner.

320. However, there is no reference in the agreement envisaged to the existence of that administrative appeal to the
Canadian Privacy Commissioner, nor is its existence apparent from any provision of Canadian law brought to the
knowledge of the Court. Provided that it is actually conceivable, I consider that the possibility of such an appeal
should be clearly indicated in the agreement envisaged, in such a way as to enable everyone to be aware of the scope
of the procedural rights recognised to him by that measure. If such a possibility does not in fact exist, the Canadian
Privacy Commissioner should in my view be able to assume directly the task of responding to any request for access,
correction or annotation submitted by an individual not present in Canada. If none of those options is provided for, no
independent supervisory authority would be competent to examine requests of that type, even though it is exclusively
such requests that will be submitted by citizens of the with regard to their own personal data. The possibility that such
a situation may arise means, in my view, that the contracting parties have not struck a fair balance between the
objectives pursued by the agreement envisaged.

321. In any event, Article 14(1) of the agreement envisaged should clearly state that requests for access, correction
and annotation submitted by passengers not present on Canadian territory may be brought, either directly or by means
of an administrative action, before an independent public authority.

322. On the other hand, and in the interest of completeness, it does not appear to me that the criticisms put forward by
the Parliament, namely that Article 14(2) of the agreement envisaged is liable to infringe Article 47 of the Charter, are
well founded.

323. Article 14(2) of the agreement envisaged provides that Canada is to ensure that any individual who is of the view
that their rights have been infringed by a decision or action in relation to their data may seek effective judicial redress
in accordance with Canadian law by way of judicial review, or such other remedy which may include compensation.

324. As the Council has claimed, that provision ensures that individuals, irrespective of their nationality, their
domicile or whether or not they are present in , are able to benefit from effective judicial protection, within the
meaning of Article 47 of the Charter. The fact that Article 14(2) of the agreement envisaged provides that the
‘effective judicial remedy’ may take the form not only of judicial review but also of an action for compensation
shows that Canada undertakes to ensure that all individuals concerned may pursue effective legal remedies.

325. I would add that it follows from Article 14(1) of the agreement envisaged that an authority which has rejected a
request for access, correction or annotation must inform the complainant of the procedure for initiating the legal

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 36/46
8.9.2017 CURIA - Documents

redress referred to paragraph 2 of that article, which ensures that adequate individual information is made available to
the citizens of the Union concerned.

326. Contrary to the Parliament’s suggestion, with reference to paragraph 95 of the judgment of 6 October 2015,
Schrems (C‑362/14, EU:C:2015:650), such a situation is not comparable to the situation that led the Court to find in
that case that there had been a failure to respect the essence of the fundamental right to effective judicial protection.
That case concerned the legislation of a third country which the Commission had regarded as ensuring an adequate
level of protection of fundamental rights but which, in the light of the information subsequently acquired, did not
provide for any possibility for an individual to pursue legal remedies in order to have access to his own personal data
or to obtain the rectification or erasure of such data.

327. The agreement envisaged, which constitutes an international commitment for , does indeed require to ensure that
such remedies are put in place and are effective. To that extent, and having regard to the preventive nature of the
opinion procedure, that fact is sufficient, in my view, to support the conclusion that Article 14(2) of the agreement
envisaged is compatible with Article 47 of the Charter. (119)

VIII – Conclusion

328. In the light of the foregoing, I propose that the Court reply to the Parliament’s request for an opinion along the
following lines:

1. The act of the Council concluding the agreement envisaged between Canada and the European Union on the
transfer and processing of Passenger Name Record () data, signed on 25 June 2014, must be based on the first
subparagraph of Article 16(2) TFEU and Article 87(2)(a) TFEU, read in conjunction with Article 218(6)(a)(v) TFEU.

2. The agreement envisaged is compatible with Article 16 TFEU and Articles 7 and 8 and Article 52(1) of the
Charter of Fundamental Rights of the European Union, provided that:

– the categories of Passenger Name Record (PNR) data of airline passengers listed in the annex to the agreement
envisaged are clearly and precisely worded and sensitive data, within the meaning of the agreement envisaged,
is excluded from the scope of that agreement;

– offences coming within the definition of serious transnational crime, provided for in Article 3(3) of the
agreement envisaged, are listed exhaustively in the agreement or in an annex thereto;

– the agreement envisaged identifies in a sufficiently clear and precise manner the authority responsible for
processing the Passenger Name Record data, in such a way as to ensure the protection and security of those
data;

– the agreement envisaged expressly specifies the principles and rules applicable to both the pre-established
scenarios or assessment criteria and the databases with which the Passenger Name Record data is compared in
the context of the automated processing of that data, in such a way that the number of ‘targeted’ persons can
be limited, to a large extent and in a non-discriminatory manner, to those who can be reasonably suspected of
participating in a terrorist offence or serious transnational crime;

– the agreement envisaged specifies that only the officials of the Canadian competent authority are to be
authorised to access the Passenger Name Record data and lays down objective criteria that enable the number
of those officials to be specified;

– the agreement envisaged indicates, stating the reasons, precisely why it is objectively necessary to retain all
Passenger Name Record data for a maximum period of five years;

– where the maximum five-year retention period for the Passenger Name Record data is considered necessary,
the agreement envisaged ensures that all the Passenger Name Record data that would enable an airline
passenger to be directly identified is ‘depersonalised’ by masking;

– the agreement envisaged makes the examination carried out by the Canadian competent authority relating to the
level of protection afforded by other Canadian public authorities and by those of third countries, and also any
decision to disclose Passenger Name Record data, on a case-by-case basis, to those authorities, subject to ex
ante control by an independent authority or a court;

– the intention to transfer Passenger Name Record data of a national of a Member State of the European Union to
another Canadian public authority or to a public authority of a third country is notified in advance to the
competent authorities of the Member State in question and/or to the European Commission before any
communication takes place;

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 37/46
8.9.2017 CURIA - Documents

– the agreement envisaged systematically ensures, by a clear and precise rule, control by an independent
authority, within the meaning of Article 8(3) of the Charter of Fundamental Rights of the European Union, of
respect for the private life and protection of the personal data of passengers whose Passenger Name Record
data is processed; and

– the agreement envisaged makes clear that requests for access, rectification and annotation made by passengers
not present on Canadian territory may be submitted, either directly or by means of an administrative appeal, to
an independent public authority.

3. The agreement envisaged is incompatible with Articles 7 and 8 and Article 52(1) of the Charter of Fundamental
Rights of the European Union in so far as:

– Article 3(5) of the agreement envisaged allows, beyond what is strictly necessary, the possibilities of processing
Passenger Name Record data to be extended, independently of the purpose, stated in Article 3 of that
agreement, of preventing and detecting terrorist offences and serious transnational crime;

– Article 8 of the agreement envisaged provides for the processing, use and retention by Canada of Passenger
Name Record data containing sensitive data;

– Article 12(3) of the agreement envisaged confers on Canada, beyond what is strictly necessary, the right to
make disclosure of information subject to reasonable legal requirements and limitations;

– Article 16(5) of the agreement envisaged authorises Canada to retain Passenger Name Record data for up to
five years for, in particular, any specific action, review, investigation or judicial proceedings, without a
requirement for any connection with the purpose, stated in Article 3 of that agreement, of preventing and
detecting terrorist offences and serious transnational crime; and

– Article 19 of the agreement envisaged allows Passenger Name Record data to be transferred to a public
authority in a third country without the Canadian competent authority, subject to control by an independent
authority, first being satisfied that the public authority in the third country in question to which the data is
transferred cannot itself subsequently communicate the data to another body, where relevant, in another third
country.

1 Original language: French.

2 Proposal for a Council Decision on the conclusion of the Agreement between Canada and the European Union on the
transfer and processing of Passenger Name Record Data (COM(2013) 528 final).

3 See Council Decision 2012/381/EU of 13 December 2011 on the conclusion of the Agreement between the European
Union and Australia on the processing and transfer of Passenger Name Record () data by air carriers to the Australian
Customs and Border Protection Service (OJ 2012 L 186, p. 3).

4 See Council Decision 2012/472/EU of 26 April 2012 on the conclusion of the Agreement between the United States of
America and the European Union on the use and transfer of passenger name records to the United States Department of
Homeland Security (OJ 2012 L 215, p. 4).

5 See Position of the European Parliament adopted at first reading on 14 April 2016 with a view to the adoption of
Directive (EU) 2016/… of the European Parliament and of the Council on the use of passenger name record (Passenger
Name Record) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (EP-
PETC1-COD(2011) 0023).

6 See paragraphs 65 to 135 of this Opinion. It should be noted that, following the decision of the Court, this is also the
first time that the Court will have the benefit of an ‘Opinion’, presented and published before it delivers its opinion.

7 See Council Decision 2006/230/EC of 18 July 2005 on the conclusion of an Agreement between the European
Community and the Government of Canada on the processing of /Passenger Name Record data (OJ 2006 L 82, p. 14).

8 Directive of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with
regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 38/46
8.9.2017 CURIA - Documents

9 Commission Decision of 6 September 2005 on the adequate protection of personal data contained in the Passenger
Name Record of air passengers transferred to the Canada Border Services Agency (OJ 2006 L 91, p. 49).

10 Pursuant to Article 7, Decision 2006/523 expired three years and six months after the date of its notification. It could
have been extended in accordance with the procedure laid down in Article 31(2) of Directive 95/46, but was not.

11 See Article 5 of the 2006 Agreement.

12 OJ 2011 C 81 E, p. 70.

13 See points 7 and 9 of the resolution.

14 (2010) 1082, (2010) 1083 and (2010) 1084 respectively.

15 See, respectively, footnotes 3 and 4 above.

16 The full text of the Opinion of the EDPS in German, English and French is available at the following internet
address: https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2013/13-
09-30_Canada_EN.pdf.

17 Although that has not been disputed, I would make clear, for all purposes, that the subject matter of the request for an
opinion does indeed relate to an ‘agreement envisaged’, within the meaning of Article 218(11) TFEU, since although the
agreement at issue in the present case had already been signed by the Council when the matter was referred to the Court, it
has still not been concluded. See, to that effect, Opinion 3/94 of 13 December 1995 (EU:C:1995:436, paragraphs 18 and
19).

18 See, in particular, Opinion 1/75 of 11 November 1975 (EU:C:1975:145); Opinion 1/08 of 30 November 2009
(EU:C:2009:739, paragraphs 108 and 109); and Opinion 1/13 of 14 October 2014 (EU:C:2014:2303, paragraph 43).

19 Although it has not been disputed, I would add, for all practical purposes, that the Court has already held that the fact
that the measure authorising signature of the agreement has not been the subject of an action for annulment does not mean
that a request for an opinion raising the question whether an agreement envisaged is compatible with EU primary law is
inadmissible. See, to that effect, Opinion 2/00 of 6 December 2001 (EU:C:2001:664, paragraph 11).

20 See Opinion 2/00 du 6 December 2001 (EU:C:2001:664) and Opinion 1/08 of 30 November 2009 (EU:C:2009:739).

21 Opinion 2/00 of 6 December 2001 (EU:C:2001:664, paragraph 5) and Opinion 1/08 of 30 November 2009
(EU:C:2009:739, paragraph 110).

22 See, to that effect, Opinion 2/00 of 6 December 2001 (EU:C:2001:664, paragraph 5) and Opinion 1/08 of
30 November 2009 (EU:C:2009:739, paragraph 110).

23 See, to that effect, Opinion 2/00 of 6 December 2001 (EU:C:2001:664, paragraph 6).

24 See Opinion 1/75 of 11 November 1975 (EU:C:1975:145, p. 1362).

25 See judgment of 11 June 2014, Commission v Council(C‑377/12, EU:C:2014:1903, paragraph 34 and the case-law
cited).

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 39/46
8.9.2017 CURIA - Documents

26 See, in particular, judgments of 6 November 2008, Parliament v Council(C‑155/07, EU:C:2008:605, paragraph 36);
of 19 July 2012, Parliament v Council(C‑130/10, EU:C:2012:472, paragraph 44); of 24 June 2014, Parliament v
Council(C‑658/11, EU:C:2014:2025, paragraph 43) and of 14 June 2016, Parliament v Council (C‑263/14, EU:C:2016:453,
paragraph 44). It should be noted that, on this point, the Court’s case-law does not seem entirely consistent, since some
judgments, rather strangely, merely mention the pursuit of a number of indissociably linked objectives, without reference to
the components of the act under examination. See, for example, judgments of 29 April 2004, Commission v
Council(C‑338/01, EU:C:2004:253, paragraph 56), and of 11 June 2014, Commission v Council(C‑377/12,
EU:C:2014:1903, paragraph 34).

27 See, in particular, judgments of 6 November 2008, Parliament v Council(C‑155/07, EU:C:2008:605, paragraphs 76 to

79), and of 19 July 2012, Parliament v Council(C‑130/10, EU:C:2012:472, paragraphs 45 to 49).

28 The chosen procedural legal basis, namely Article 218(6)(a)(v) TFEU, requires that the Council may not adopt the
decision concluding an international agreement without having obtained the consent of the Parliament where that
agreement covers ‘fields to which … the ordinary legislative procedure applies’, does not form the subject matter of the
request submitted by the Parliament and is not the object of controversy between the interested parties. That provision
appears to be the appropriate procedural basis for the act concluding the agreement envisaged.

29 See judgment of 30 May 2006, Parliament v Council and Commission(C‑317/04 and (C‑318/04, EU:C:2006:346,
paragraphs 57 to 59).

30 OJ 2011 L 288, p. 1.

31 Judgment of 6 May 2014, Commission v Parliament and Council(C‑43/12, EU:C:2014:298, paragraph 42).

32 According to the second sentence in that article of the agreement envisaged, ‘an air carrier that provides data to
Canada under this Agreement is deemed to comply with European Union legal requirements for data transfer from the
European Union to Canada’.

33 Article 20 of the agreement envisaged states, in particular, that the contracting parties ‘shall ensure that air carriers
transfer data to the Canadian Competent Authority exclusively on the basis of the push method …’ (emphasis added).

34 Article 21(1) of the agreement envisaged, concerning the frequency of data transfer, states that ‘Canada shall ensure
that the Canadian Competent Authority requires an air carrier to transfer the data …’ (emphasis added).

35 See paragraph 21 of this Opinion.

36 See also, along similar lines, Opinion of Advocate General Kokott in Parliament v Council(C‑263/14,
EU:C:2015:729, point 67).

37 See judgment of 6 May 2014, Commission v Parliament and Council(C‑43/12, EU:C:2014:298, paragraphs 48 and
49).

38 See, by analogy, judgment of 30 May 2006, Parliament v Counciland Commission(C‑317/04 and C‑318/04,
EU:C:2006:346, paragraph 56).

39 Article 23(2) of the agreement envisaged confirms the importance ascribed to the security of citizens of the Union
when it states that the contracting parties are to cooperate to pursue the coherence of their respective data processing
regimes in a manner that ‘further enhances the security of citizens of Canada [and] the European Union’.

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 40/46
8.9.2017 CURIA - Documents

40 See, to that effect, by analogy, judgment of 30 May 2006, Parliament v Council and Commission(C‑317/04 and
C‑318/04, EU:C:2006:346, paragraph 59).

41 See, to that effect, judgment of 10 February 2009, Ireland v Parliament and Council(C‑301/06, EU:C:2009:68,
paragraph 83).

42 Emphasis added.

43 See the citations of Decision 2012/381 and Decision 2012/472, cited in footnotes 3 and 4, respectively, above.

44 See, in particular, judgments of 10 January 2006, Commission v Council(C‑94/03, EU:C:2006:2, paragraph 50); of
24 June 2014, Parliament v Council(C‑658/11, EU:C:2014:2025, paragraph 48); and of 18 December 2014, United
Kingdom v Council(C‑81/13, EU:C:2014:2449, paragraph 36).

45 OJ 2008 L 350, p. 60.

46 See Opinion of Advocate General Léger in Joined Cases Parliament v Council and Commission(C‑317/04 and
C‑318/04, EU:C:2005:710, point 160).

47 See judgment of 6 October 2015, Schrems (C‑362/14, EU:C:2015:650, paragraphs 28 and 45 and the case-law cited).

48 See the case-law cited in footnote 27 of this Opinion.

49 Thus, at the hearing, in answer to a number of questions put by the Court, the Council’s representative acknowledged
that the three Member States concerned would not be able to vote on the adoption of an act by which they would not be
bound. It seems to me, moreover, to be inconsistent on the Council’s part to argue, as I have emphasised above, that the
second question in the request for an opinion is inadmissible on the ground that the choice of Article 16 TFEU as the
substantive legal basis for the act concluding the agreement envisaged, would have no impact, since the procedure for the
adoption of measures based on that provision is the same as those procedures laid down in Articles 82(1)(a) and 87(2)(d)
TFEU respectively, and to maintain, as regards the examination of the substance of that question, that those procedures are
incompatible.

50 See judgments of 22 October 2013, Commission v Council(C‑137/12, EU:C:2013:675, paragraph 73), and of
18 December 2014, United Kingdom v Council(C‑81/13, EU:C:2014:2449, paragraph 37).

51 See judgment of 19 July 2012, Parliament v Council(C‑130/10, EU:C:2012:472, paragraph 80).

52 On the latter article, see footnote 28 of this Opinion.

53 In that regard, the Parliament draws a parallel with the approach taken in the judgment of 8 April 2014, Digital
Rights Ireland and Others(C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 37).

54 ECtHR, 1 July 2008, Liberty and others v. United Kingdom (CE:ECHR:2008:0701JUD005824300, paragraph 63).

55 These expressions being used, respectively, by Ireland and the United Kingdom Government in their replies to the
written question put by the Court.
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 41/46
8.9.2017 CURIA - Documents

56 Likewise, verification of the degree of independence of the ‘overseeing authority’ established by the agreement
envisaged requires that the Canadian legislation be taken into consideration: see points 311 to 316 below.

57 I would point out, by way of reminder, that in accordance with Article 6(1) TEU the Charter is to have ‘the same
legal value as the Treaties’.

58 See, on this criterion for the application of Articles 7 and 8 of the Charter, judgments of 9 November 2010, Volker
und Markus Schecke and Eifert(C‑92/09 and C‑93/09, EU:C:2010:662, paragraph 52); of 24 November 2011, Asociación
Nacional de Establecimientos Financieros de Crédito(C‑468/10 and C‑469/10, EU:C:2011:777, paragraph 42); and of
17 October 2013, Schwarz(C‑291/12, EU:C:2013:670, paragraph 26).

59 See, in particular, judgments of 9 November 2010 in Volker und Markus Schecke and Eifert(C‑92/09 and C‑93/09,
EU:C:2010:662, paragraph 47), and of 24 November 2011, Asociación Nacional de Establecimientos Financieros de
Crédito(C‑468/10 and C‑469/10, EU:C:2011:777, paragraph 41).

60 According to the Explanations relating to the Charter of Fundamental Rights (OJ 2007 C 303, p. 17), the rights
guaranteed in Article 7 of the Charter ‘correspond’ to those guaranteed by Article 8 of the ECHR, while Article 8 of the
Charter is ‘based’ on both Article 8 ECHR and Council of Europe Convention (No 108) of 28 January 1981 for the
Protection of Individuals with regard to Automatic Processing of Personal Data, which has been ratified by all the Member
States.

61 Judgment of 20 May 2003, Österreichischer Rundfunk and Others(C‑465/00, C‑138/01 and C‑139/01,
EU:C:2003:294, paragraph 74).

62 Judgment of 8 April 2014, Digital Rights Ireland and Others(C‑293/12 and C‑594/12, EU:C:2014:238, paragraphs 34
and 35).

63 Judgment of 8 April 2014, Digital Rights Ireland and Others(C‑293/12 and C‑594/12, EU:C:2014:238, paragraphs 29
and 36).

64 See, to that effect, judgment of 3 September 2008, Kadi and Al Barakaat International Foundation v Council and
Commission(C‑402/05 P and C‑415/05 P, EU:C:2008:461, paragraphs 284 and 285).

65 See, to that effect, judgments of 20 May 2003, Österreichischer Rundfunk and Others(C‑465/00, C‑138/01 and
C‑139/01, EU:C:2003:294, paragraph 75); of 8 April 2014, Digital Rights Ireland and Others(C‑293/12 and C‑594/12,
EU:C:2014:238, paragraph 33); and of 6 October 2015, Schrems(C‑362/14, EU:C:2015:650, paragraph 87).

66 See, to that effect, judgments of 20 May 2003, Österreichischer Rundfunk and Others(C‑465/00, C‑138/01 and
C‑139/01, EU:C:2003:294, paragraph 75); of 8 April 2014, Digital Rights Ireland and Others(C‑293/12 and C‑594/12,
EU:C:2014:238, paragraph 33); and of 6 October 2015, Schrems(C‑362/14, EU:C:2015:650, paragraph 87).

67 According to the information supplied to the Court, 28 million passengers took flights between Canada and the Union
between April 2014 and March 2015.

68 It should be noted that, in the judgment of 8 April 2014, Digital Rights Ireland and Others(C‑293/12 and C‑594/12,
EU:C:2014:238, paragraph 37), the Court considered that the impressions or sentiments generated in the minds of the

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 42/46
8.9.2017 CURIA - Documents

public affected by rules on the processing and retention of personal data assumed a certain importance in the assessment of
the gravity of the interference with the fundamental rights safeguarded by Articles 7 and 8(1) of the Charter.

69 As stated above, Article 11(1) of the agreement envisaged refers only to the information available on the Canadian
competent authority’s website, while paragraph 2 mentions only a rather vague obligation to work to promote transparency,
preferably at the time of booking, consisting in informing passengers of, in particular, the reasons for data collection and
use.

70 See, in particular, ECtHR, 24 April 1990, Kruslin v. France (CE:ECHR:1990:0424JUD001180185, paragraph 27),
and ECtHR, 1 July 2008, Liberty and others v. United Kingdom (CE:ECHR:2008:0701JUD005824300, paragraph 59).

71 See ECtHR, 1 December 2015, Brito Ferrinho Bexiga Villa-Nova v. Portugal (CE:ECHR:2015:1201JUD006943610,
paragraph 47).

72 See ECtHR, 2 August 1984, Malone v. United Kingdom (CE:ECHR:0802JUD000869179, paragraph 66).

73 See ECtHR, 6 July 2010, Neulinger and Shuruk v. Switzerland (CE:ECHR:2010:0706JUD004161507, paragraph 99),
and ECtHR, 12 June 2014, Fernández Martínez v. Spain (CE:ECHR:2014:0612JUD005603007, paragraph 118).

74 Judgment of 9 November 2010, Volker und Markus Schecke and Eifert(C‑92/09 and C‑93/09, EU:C:2010:662,
paragraph 66).

75 Judgment of 17 October 2013, Schwarz(C‑291/12, EU:C:2013:670, paragraph 35).

76 See, in particular, judgments of 3 June 2008, Intertanko and Others(C‑308/06, EU:C:2008:312, paragraph 42), and of
13 January 2015, Council and Others v Vereniging Milieudefensie and Stichting Stop Luchtverontreiniging
Utrecht(C‑401/12 P to C‑403/12 P, EU:C:2015:4, paragraph 52).

77 See in particular, to that effect, ECtHR, 12 June 2014, Fernández Martínez v. Spain
(CE:ECHR:2014:0612JUD005603007, paragraph 117 and the case-law cited).

78 See, generally, the reasoning in points 217 to 320 of this Opinion.

79 See judgment of 8 April 2014, Digital Rights Ireland and Others(C‑293/12 and C‑594/12, EU:C:2014:238,
paragraph 42).

80 See, in particular, judgments of 9 November 2010, Volker und Markus Schecke and Eifert(C‑92/09 and C‑93/09,
EU:C:2010:662, paragraph 74), and of 8 April 2014, Digital Rights Ireland and Others(C‑293/12 and C‑594/12,
EU:C:2014:238, paragraph 46).

81 See judgment of 8 April 2014, Digital Rights Ireland and Others(C‑293/12 and C‑594/12, EU:C:2014:238,
paragraph 48).

82 See judgment of 6 October 2015, Schrems(C‑362/14, EU:C:2015:650, paragraph 78).

83 See, by analogy, judgment of 8 April 2014, Digital Rights Ireland and Others(C‑293/12 and C‑594/12,
EU:C:2014:238, paragraph 49).

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 43/46
8.9.2017 CURIA - Documents

84 According to the interested parties, only Air Canada provides flights between Denmark and Canada.

85 As the Kingdom of Denmark is not participating in the agreement envisaged, it must therefore be regarded as a third
country for the purposes of that agreement, whose cooperation relationship between the Canadian competent authority and
its own authorities is governed by Article 19 of the agreement envisaged.

86 See, to that effect, by analogy, judgment of 9 November 2010, Volker und Markus Schecke and Eifert(C‑92/09 and
C‑93/09, EU:C:2010:662, paragraph 77).

87 See, to that effect, judgments of 8 April 2014, Digital Rights Ireland and Others(C‑293/12 and C‑594/12,
EU:C:2014:238, paragraph 54), and of 6 October 2015, Schrems(C‑362/14, EU:C:2015:650, paragraph 91).

88 See, to that effect, judgments of 9 November 2010, Volker und Markus Schecke and Eifert(C‑92/09 and C‑93/09,
EU:C:2010:662, paragraph 86), and of 17 October 2013, Schwarz(C‑291/12, EU:C:2013:670, paragraph 46).

89 See, to that effect, judgment of 17 October 2013, Schwarz(C‑291/12, EU:C:2013:670, paragraph 53).

90 See Document 9944, approved by the Secretary General of the ICAO and published under his authority. The English
version of this document is available at the following internet address: www.iata.org/iata/passenger-data-
toolkit/assets/doc_library/04-pnr/New Doc 9944 1st Edition .pdf.

91 See, in that regard, paragraph 3.8 of the Guidelines on Advance Passenger Information () drawn up in 2010 under the
aegis of the World Customs Organisation, the International Air Transport Association and the ICAO, available at the
following internet address:
http://www.icao.int/Security/FAL/Documents/2010%20%20Guidelines%20Final%20Version.ICAO.2011%20full%20x2.pdf.
In the Union, the collection of is governed by Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers
to communicate passenger data (OJ 2004 L 261, p. 24).

92 See, in particular, the information on the website of the Canadian Ministry of Citizenship and Immigration
(Citizenship and Immigration Canada): www.cic.gc.ca/english/visit/apply-who.asp.

93 OJ 2006 L 105, p. 54.

94 See paragraph 236 of this Opinion.

95 I shall examine the last two provisions in greater detail below. See paragraphs 292 to 294 and 274 to 290,
respectively, of this Opinion.

96 See, on Article 18 of the agreement envisaged, paragraphs 295 to 304 of this Opinion.

97 In the context of the application of Article 8 of the ECHR, the ECtHR applies the ‘reasonable suspicion’ test, which
may justify the interception of an individual’s private communications for reasons linked with the protection of public
security. See, in that regard, ECtHR, 4 December 2015, Zakharov v. Russia (CE:ECHR:2015:1204JUD004714306,
paragraph 260).

98 See concerning that authority, paragraphs 311 to 313 of this Opinion.

99 See concerning that authority, paragraphs 311 to 313 of this Opinion.

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 44/46
8.9.2017 CURIA - Documents

100 See ECtHR, 12 January 2016, Szabó and Vissy v. Hungary (CE:ECHR:2016:0112JUD003713814, paragraph 77
and the case-law cited).

101 See paragraphs 306 to 321 of this Opinion.

102 Judgment of 8 April 2014, Digital Rights Ireland and Others(C‑293/12 and C‑594/12, EU:C:2014:238,
paragraph 68).

103 Judgment of 8 April 2014, Digital Rights Ireland and Others(C‑293/12 and C‑594/12, EU:C:2014:238,
paragraphs 62 to 64).

104 See below, paragraphs 306 to 316 of this Opinion.

105 It should be noted, however, that Article 16(5)(b) of the agreement envisaged provides that the retention may be
extended for ‘an additional two-year period only to ensure the accountability of or oversee public administration so that it
may be disclosed to the passenger should the passenger request it’. As such, that extension of the retention of the data,
which did not feature in the observations of the interested parties, does not appear to raise any particular problems, since it
is designed solely to protect the rights of passengers whose data has been processed.

106 See paragraph 224 of this Opinion.

107 Namely, respectively, ‘other names on , including number of travellers on PNR’; ‘all available contact information
(including originator information)’; ‘general remarks including other supplementary information (), special service
information (SSI) and special service request (SSR) information, to the extent that it contains any information capable of
identifying a natural person’; and ‘any advance passenger information () data collected for reservation purposes to the
extent that it contains any information capable of identifying a natural person’.

108 See paragraph 267 of this Opinion.

109 See paragraphs 306 to 316 of this Opinion.

110 See, by analogy, judgment of 6 October 2015, Schrems(C‑362/14, EU:C:2015:650, paragraph 73).

111 See, respectively, Article 18(1)(a) to (d) and Article 19(1)(a) to (d) of the agreement envisaged. It follows from
Article 18(2) and Article 19(3) of the agreement envisaged that the safeguards laid down in those provisions are also to
apply to the transfer of analytical information containing data.

112 See, by analogy, ECtHR, 12 January 2016, Szabó and Vissy v. Hungary (CE:ECHR:2016:0112JUD003713814,
paragraph 77).

113 It should be pointed out, for all practical purposes, that Article 19(1)(h) of the Agreement concluded with Australia
states that data may be transferred on a case-by-case basis to a third country authority only where the Australian Customs
and Border Protection Service is satisfied that the receiving authority has agreed not to further transfer data.

114 See, to that effect, judgments of 16 October 2012, Commission v Austria(C‑614/10, EU:C:2012:631, paragraphs 36
and 37); of 8 April 2014, Commission v Hungary(C‑288/12, EU:C:2014:237, paragraphs 47 and 48); and of 6 October
2015, Schrems(C‑362/14, EU:C:2015:650, paragraph 68).

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 45/46
8.9.2017 CURIA - Documents

115 This letter constitutes, in accordance with Article 30(2)(b) of the agreement envisaged, the notification through
diplomatic channels of the identity of the two authorities referred to in Article 10 and Article 14(1) of that agreement.

116 L.R.C., 1985, ch. P-21. The consolidated version of that Act, up to date as at 16 March 2016, is available on the
website of the Department of Justice Canada: http://lois-laws.justice.gc.ca.

117 In the context of the application of Article 8 of the ECHR, the ECtHR emphasises the independence which the
supervisory body must enjoy vis-à-vis the Executive. See, as regards the monitoring of interceptions of private
communications, ECtHR, 4 December 2015, Zakharov v. Russia (CE:ECHR:2015:1204JUD004714306, paragraphs 278
and 279).

118 It is thus apparent from the provisions of the Canada Border Services Agency Act (S.S. 2005, c. 38) that the
Minister is responsible for the (section 6.1), that the President of the has the control and management of that agency ‘under
the direction of the Minister’ (section 8.1) and that the exercises the powers that relate to the border legislation conferred by
the Act ‘subject to any direction given by the Minister’ (section 12.1). No provision of the Act mentions the Appeals
Directorate or, a fortiori, confers on it a special status within the CBSA. The Act, up to date as at 16 March 2016, is
available on the website of the Department of Justice Canada: http://lois-laws.justice.gc.ca

119 I would add that, when the agreement envisaged has been concluded, Article 26 thereof provides for a joint review
of its implementation one year after its entry into force and at regular intervals thereafter, and in any event four years after
its entry into force. If the implementation of Article 14(2) of the agreement envisaged gives rise to difficulties, they could
therefore be evaluated by the contracting parties and, if necessary, resolved in application of Article 25(1) of that agreement
or, failing that, could lead the Union to suspend the application of the agreement, in accordance with the procedure laid
down in Article 25(2) of the agreement envisaged. Furthermore, when the agreement envisaged has been introduced into
the EU legal order, none of those procedures would in my view detract from the possibility for a national court of a
Member State, hearing a dispute relating to the application of that agreement, to submit a question to the Court for a
preliminary ruling on the validity of the decision concluding the agreement, in the light of Article 5 of the agreement
envisaged and the circumstances that have arisen after that decision, by analogy with the Court’s observation in
paragraph 77 of the judgment of 6 October 2015, Schrems(C‑362/14, EU:C:2015:650) concerning the examination of the
validity of an adequacy decision adopted by the Commission. The question as to the influence that the opinion of the Court
that will be delivered in the present case may have on the answer to be given to such a reference for a ruling on validity is
outside the scope of this Opinion.

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=183140&occ=first&dir=… 46/46
24.5.2016 EN Official Journal of the European Union L 135/53

REGULATION (EU) 2016/794 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

of 11 May 2016
on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and
repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA
and 2009/968/JHA

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 88 thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Acting in accordance with the ordinary legislative procedure (1),

Whereas:

(1) Europol was set up by Council Decision 2009/371/JHA (2) as an entity of the Union funded from the general
budget of the Union to support and strengthen action by competent authorities of the Member States and their
mutual cooperation in preventing and combating organised crime, terrorism and other forms of serious crime
affecting two or more Member States. Decision 2009/371/JHA replaced the Convention based on Article K.3 of
the Treaty on European Union, on the establishment of a European Police Office (Europol Convention) (3).

(2) Article 88 of the Treaty on the Functioning of the European Union (TFEU) provides for Europol to be governed
by a regulation to be adopted in accordance with the ordinary legislative procedure. It also requires the
establishment of procedures for the scrutiny of Europol's activities by the European Parliament, together with
national parliaments, subject to point (c) of Article 12 of the Treaty on European Union (TEU) and Article 9 of
Protocol No 1 on the role of National Parliaments in the European Union, annexed to the TEU and to the TFEU
(‘Protocol No 1’), in order to enhance the democratic legitimacy and accountability of Europol to the Union's
citizens. Therefore, Decision 2009/371/JHA should be replaced by a regulation laying down, inter alia, rules on
parliamentary scrutiny.

(3) The ‘Stockholm programme — An open and secure Europe serving and protecting citizens’ (4) calls for Europol
to evolve and become a hub for information exchange between the law enforcement authorities of the
Member States, a service provider and a platform for law enforcement services. On the basis of an assessment of
Europol's functioning, further enhancement of its operational effectiveness is needed to meet that objective.

(4) Large-scale criminal and terrorist networks pose a significant threat to the internal security of the Union and to
the safety and livelihood of its citizens. Available threat assessments show that criminal groups are becoming
increasingly poly-criminal and cross-border in their activities. National law enforcement authorities therefore need
to cooperate more closely with their counterparts in other Member States. In this context, it is necessary to equip
Europol to better support Member States in Union-wide crime prevention, analyses and investigations. This was
also confirmed in the evaluation of Decision 2009/371/JHA.

(1) Position of the European Parliament of 25 February 2014 (not yet published in the Official Journal) and position of the Council at first
reading of 10 March 2016 (not yet published in the Official Journal). Position of the European Parliament of 11 May 2016 (not yet
published in the Official Journal).
(2) Council Decision 2009/371/JHA of 6 April 2009 establishing the European Police Office (Europol) (OJ L 121, 15.5.2009, p. 37).
(3) OJ C 316, 27.11.1995, p. 1.
(4) OJ C 115, 4.5.2010, p. 1.
L 135/54 EN Official Journal of the European Union 24.5.2016

(5) This Regulation aims to amend and expand the provisions of Decision 2009/371/JHA and of Council
Decisions 2009/934/JHA (1), 2009/935/JHA (2), 2009/936/JHA (3) and 2009/968/JHA (4) implementing
Decision 2009/371/JHA. Since the amendments to be made are of a substantial number and nature, those
Decisions should, in the interests of clarity, be replaced in their entirety in relation to the Member States bound
by this Regulation. Europol as established by this Regulation should replace and assume the functions of Europol
as established by Decision 2009/371/JHA, which, as a consequence, should be repealed.

(6) As serious crime often occurs across internal borders, Europol should support and strengthen Member States'
actions and their cooperation in preventing and combating serious crime affecting two or more Member States.
Given that terrorism is one of the most significant threats to the security of the Union, Europol should assist
Member States in facing common challenges in this regard. As the Union law enforcement agency, Europol
should also support and strengthen actions and cooperation in tackling forms of crime that affect the interests of
the Union. Among the forms of crime with which Europol is competent to deal, organised crime will continue to
fall within the scope of Europol's main objectives, as, given its scale, significance and consequences, it also calls
for a common approach by the Member States. Europol should also offer support in preventing and combating
related criminal offences which are committed in order to procure the means of perpetrating acts in respect of
which Europol is competent or to facilitate or perpetrate such acts or to ensure the impunity of committing
them.

(7) Europol should provide strategic analyses and threat assessments to assist the Council and the Commission in
laying down strategic and operational priorities of the Union for fighting crime and in the operational implemen­
tation of those priorities. Where the Commission so requests in accordance with Article 8 of Council Regulation
(EU) No 1053/2013 (5), Europol should also carry out risk analyses, including in respect of organised crime,
insofar as the risks concerned may undermine the application of the Schengen acquis by the Member States.
Moreover, at the request of the Council or the Commission where appropriate, Europol should provide strategic
analyses and threat assessments to contribute to the evaluation of states that are candidates for accession to the
Union.

(8) Attacks against information systems affecting Union bodies or two or more Member States are a growing menace
in the Union, in particular in view of their speed and impact and the difficulty in identifying their sources. When
considering requests by Europol to initiate an investigation into a serious attack of suspected criminal origin
against information systems affecting Union bodies or two or more Member States, Member States should
respond to Europol without delay, taking into account the fact that the rapidity of the response is a key factor in
successfully tackling computer crime.

(9) Given the importance of the inter-agency cooperation, Europol and Eurojust should ensure that necessary
arrangements are established to optimise their operational cooperation, taking due account of their respective
missions and mandates and of the interests of Member States. In particular, Europol and Eurojust should keep
each other informed of any activity involving the financing of joint investigation teams.

(10) When a joint investigation team is set up, the relevant agreement should determine the conditions relating to the
participation of the Europol staff in the team. Europol should keep a record of its participation in such joint
investigation teams targeting criminal activities falling within the scope of its objectives.

(11) Europol should be able to request Member States to initiate, conduct or coordinate criminal investigations in
specific cases where cross-border cooperation would add value. Europol should inform Eurojust of such requests.

(1) Council Decision 2009/934/JHA of 30 November 2009 adopting the implementing rules governing Europol's relations with partners,
including the exchange of personal data and classified information (OJ L 325, 11.12.2009, p. 6).
(2) Council Decision 2009/935/JHA of 30 November 2009 determining the list of third States and organisations with which Europol shall
conclude agreements (OJ L 325, 11.12.2009, p. 12).
(3) Council Decision 2009/936/JHA of 30 November 2009 adopting the implementing rules for Europol analysis work files (OJ L 325,
11.12.2009, p. 14).
(4) Council Decision 2009/968/JHA of 30 November 2009 adopting the rules on the confidentiality of Europol information (OJ L 332,
17.12.2009, p. 17).
(5) Council Regulation (EU) No 1053/2013 of 7 October 2013 establishing an evaluation and monitoring mechanism to verify the
application of the Schengen acquis and repealing the Decision of the Executive Committee of 16 September 1998 setting up a Standing
Committee on the evaluation and implementation of Schengen (OJ L 295, 6.11.2013, p. 27).
24.5.2016 EN Official Journal of the European Union L 135/55

(12) Europol should be a hub for information exchange in the Union. Information collected, stored, processed,
analysed and exchanged by Europol includes criminal intelligence which relates to information about crime or
criminal activities falling within the scope of Europol's objectives, obtained with a view to establishing whether
concrete criminal acts have been committed or may be committed in the future.

(13) In order to ensure Europol's effectiveness as a hub for information exchange, clear obligations should be laid
down requiring Member States to provide Europol with the data necessary for it to fulfil its objectives. While
implementing such obligations, Member States should pay particular attention to providing data relevant to the
fight against crimes considered to be strategic and operational priorities within relevant policy instruments of the
Union, in particular the priorities set by the Council in the framework of the EU Policy Cycle for organised and
serious international crime. Member States should also endeavour to provide Europol with a copy of bilateral and
multilateral exchanges of information with other Member States on crime falling within Europol's objectives.
When supplying Europol with the necessary information, Member States should also include information about
any alleged cyber attacks affecting Union bodies located in their territory. At the same time, Europol should
increase the level of its support to Member States, so as to enhance mutual cooperation and the sharing of
information. Europol should submit an annual report to the European Parliament, to the Council, to the
Commission and to national parliaments on the information provided by the individual Member States.

(14) To ensure effective cooperation between Europol and Member States, a national unit should be set up in each
Member State (the ‘national unit’). The national unit should be the liaison link between national competent
authorities and Europol, thereby having a coordinating role in respect of Member States' cooperation with
Europol, and thus helping to ensure that each Member State responds to Europol requests in a uniform way. To
ensure a continuous and effective exchange of information between Europol and the national units, and to
facilitate their cooperation, each national unit should designate at least one liaison officer to be attached to
Europol.

(15) Taking into account the decentralised structure of some Member States and the need to ensure rapid exchanges of
information, Europol should be allowed to cooperate directly with competent authorities in Member States,
subject to the conditions defined by Member States, while keeping the national units informed at the latter's
request.

(16) The establishment of joint investigation teams should be encouraged and Europol staff should be able to
participate in them. To ensure that such participation is possible in every Member State, Council Regulation
(Euratom, ECSC, EEC) No 549/69 (1) provides that Europol staff do not benefit from immunities while they are
participating in joint investigation teams.

(17) It is also necessary to improve the governance of Europol, by seeking efficiency gains and streamlining
procedures.

(18) The Commission and the Member States should be represented on the Management Board of Europol (the
‘Management Board’) to effectively supervise its work. The members and the alternate members of the
Management Board should be appointed taking into account their relevant managerial, administrative and
budgetary skills and knowledge of law enforcement cooperation. Alternate members should act as members in
the absence of the member.

(19) All parties represented on the Management Board should make efforts to limit the turnover of their represen­
tatives, with a view to ensuring the continuity of the Management Board's work. All parties should aim to
achieve a balanced representation between men and women on the Management Board.

(20) The Management Board should be able to invite non-voting observers whose opinion may be relevant for the
discussion, including a representative designated by the Joint Parliamentary Scrutiny Group (JPSG).

(1) Regulation (Euratom, ECSC, EEC) No 549/69 of the Council of 25 March 1969 determining the categories of officials and other servants
of the European Communities to whom the provisions of Article 12, the second paragraph of Article 13 and Article 14 of the Protocol
on the Privileges and Immunities of the Communities apply (OJ L 74, 27.3.1969, p. 1).
L 135/56 EN Official Journal of the European Union 24.5.2016

(21) The Management Board should be given the necessary powers, in particular to set the budget, verify its
execution, and adopt the appropriate financial rules and planning documents, as well as adopt rules for the
prevention and management of conflicts of interest in respect of its members, establish transparent working
procedures for decision-making by the Executive Director of Europol, and adopt the annual activity report. It
should exercise the powers of appointing authority vis-à-vis staff of the agency, including the Executive Director.

(22) To ensure the efficient day-to-day functioning of Europol, the Executive Director should be its legal representative
and manager, acting independently in the performance of his or her duties and ensuring that Europol carries out
the tasks provided for by this Regulation. In particular, the Executive Director should be responsible for preparing
budgetary and planning documents submitted for the decision of the Management Board and for implementing
the multiannual programming and annual work programmes of Europol and other planning documents.

(23) For the purposes of preventing and combating crime falling within the scope of its objectives, it is necessary for
Europol to have the fullest and most up-to-date information possible. Therefore, Europol should be able to
process data provided to it by Member States, Union bodies, third countries, international organisations and,
under stringent conditions laid down by this Regulation, private parties, as well as data coming from publicly
available sources, in order to develop an understanding of criminal phenomena and trends, to gather information
about criminal networks, and to detect links between different criminal offences.

(24) To improve Europol's effectiveness in providing accurate crime analyses to the competent authorities of the
Member States, it should use new technologies to process data. Europol should be able to swiftly detect links
between investigations and common modi operandi across different criminal groups, to check cross-matches of
data and to have a clear overview of trends, while guaranteeing a high level of protection of personal data for
individuals. Therefore, Europol databases should be structured in such a way as to allow Europol to choose the
most efficient IT structure. Europol should also be able to act as a service provider, in particular by providing a
secure network for the exchange of data, such as the secure information exchange network application (SIENA),
aimed at facilitating the exchange of information between Member States, Europol, other Union bodies, third
countries and international organisations. In order to ensure a high level of data protection, the purpose of
processing operations and access rights as well as specific additional safeguards should be laid down. In
particular, the principles of necessity and proportionality should be observed with regard to the processing of
personal data.

(25) Europol should ensure that all personal data processed for operational analyses are allocated a specific purpose.
Nonetheless, in order for Europol to fulfil its mission, it should be allowed to process all personal data received
to identify links between multiple crime areas and investigations, and should not be limited to identifying
connections only within one crime area.

(26) To respect the ownership of data and the protection of personal data, Member States, Union bodies, third
countries and international organisations should be able to determine the purpose or purposes for which Europol
may process the data they provide and to restrict access rights. Purpose limitation is a fundamental principle of
personal data processing; in particular, it contributes to transparency, legal certainty and predictability and is
particularly of high importance in the area of law enforcement cooperation, where data subjects are usually
unaware when their personal data are being collected and processed and where the use of personal data may
have a very significant impact on the lives and freedoms of individuals.

(27) To ensure that data are accessed only by those needing access in order to perform their tasks, this Regulation
should lay down detailed rules on different degrees of right of access to data processed by Europol. Such rules
should be without prejudice to restrictions on access imposed by data providers, as the principle of ownership of
data should be respected. In order to increase efficiency in the prevention and combating of crimes falling within
the scope of Europol's objectives, Europol should notify Member States of information which concerns them.

(28) To enhance operational cooperation between the agencies, and particularly to establish links between data already
in the possession of the different agencies, Europol should enable Eurojust and the European Anti-Fraud Office
(OLAF) to have access, on the basis of a hit/no hit system, to data available at Europol. Europol and Eurojust
should be able to conclude a working arrangement ensuring, in a reciprocal manner within their respective
mandates, access to, and the possibility of searching, all information that has been provided for the purpose of
24.5.2016 EN Official Journal of the European Union L 135/57

cross-checking in accordance with specific safeguards and data protection guarantees provided for in this
Regulation. Any access to data available at Europol should, by technical means, be limited to information falling
within the respective mandates of those Union bodies.

(29) Europol should maintain cooperative relations with other Union bodies, authorities of third countries, internat­
ional organisations and private parties, to the extent required for the accomplishment of its tasks.

(30) To ensure operational effectiveness, Europol should be able to exchange all relevant information, with the
exception of personal data, with other Union bodies, authorities of third countries and international organ­
isations, to the extent necessary for the performance of its tasks. Since companies, firms, business associations,
non-governmental organisations and other private parties hold expertise and information of direct relevance to
the prevention and combating of serious crime and terrorism, Europol should also be able to exchange such
information with private parties. To prevent and combat cybercrime, as related to network and information
security incidents, Europol should, pursuant to the applicable legislative act of the Union laying down measures
to ensure a high common level of network and information security across the Union, cooperate and exchange
information, with the exception of personal data, with national authorities competent for the security of network
and information systems.

(31) Europol should be able to exchange relevant personal data with other Union bodies to the extent necessary for
the accomplishment of its or their tasks.

(32) Serious crime and terrorism often have links beyond the territory of the Union. Europol should therefore be able
to exchange personal data with authorities of third countries and with international organisations such as the In­
ternational Criminal Police Organisation — Interpol to the extent necessary for the accomplishment of its tasks.

(33) All Member States are affiliated to Interpol. To fulfil its mission, Interpol receives, stores and circulates data to
assist competent law enforcement authorities to prevent and combat international crime. Therefore, it is
appropriate to strengthen cooperation between Europol and Interpol by promoting an efficient exchange of
personal data whilst ensuring respect for fundamental rights and freedoms regarding the automatic processing of
personal data. When personal data is transferred from Europol to Interpol, this Regulation, in particular the
provisions on international transfers, should apply.

(34) To guarantee purpose limitation, it is important to ensure that personal data can be transferred by Europol to
Union bodies, third countries and international organisations only if necessary for preventing and combating
crime that falls within Europol's objectives. To this end, it is necessary to ensure that, when personal data are
transferred, the recipient gives an undertaking that the data will be used by the recipient or transferred onward to
a competent authority of a third country solely for the purpose for which they were originally transferred.
Further onward transfer of the data should take place in compliance with this Regulation.

(35) Europol should be able to transfer personal data to an authority of a third country or an international
organisation on the basis of a Commission decision finding that the country or international organisation in
question ensures an adequate level of data protection (‘adequacy decision’), or, in the absence of an adequacy
decision, an international agreement concluded by the Union pursuant to Article 218 TFEU, or a cooperation
agreement allowing for the exchange of personal data concluded between Europol and the third country prior to
the entry into force of this Regulation. In light of Article 9 of Protocol No 36 on transitional provisions, annexed
to the TEU and to the TFEU, the legal effects of such agreements are to be preserved until those agreements are
repealed, annulled or amended in the implementation of the Treaties. Where appropriate and in accordance with
Regulation (EC) No 45/2001 of the European Parliament and of the Council (1), the Commission should be able
to consult the European Data Protection Supervisor (EDPS) before and during the negotiation of an international
agreement. Where the Management Board identifies an operational need for cooperation with a third country or

(1) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with
regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8,
12.1.2001, p. 1).
L 135/58 EN Official Journal of the European Union 24.5.2016

an international organisation, it should be able to suggest to the Council that the latter draw the attention of the
Commission to the need for an adequacy decision or for a recommendation for the opening of negotiations on
an international agreement as referred to above.

(36) Where a transfer of personal data cannot be based on an adequacy decision, an international agreement
concluded by the Union or an existing cooperation agreement, the Management Board, in agreement with the
EDPS, should be allowed to authorise a set of transfers, where specific conditions so require and provided that
adequate safeguards are ensured. The Executive Director should be allowed to authorise the transfer of data in
exceptional cases on a case-by-case basis, where such transfer is required, under specific strict conditions.

(37) Europol should be able to process personal data originating from private parties and private persons only if those
data are transferred to Europol by one of the following: a national unit in accordance with its national law; a
contact point in a third country or an international organisation with which there is established cooperation
through a cooperation agreement allowing for the exchange of personal data concluded in accordance with
Article 23 of Decision 2009/371/JHA prior to the entry into force of this Regulation; an authority of a third
country or an international organisation which is subject to an adequacy decision or with which the Union has
concluded an international agreement pursuant to Article 218 TFEU. However, in cases where Europol receives
personal data directly from private parties and the national unit, contact point or authority concerned cannot be
identified, Europol should be able to process those personal data solely for the purpose of identifying those
entities, and such data should be deleted unless those entities resubmit those personal data within four months
after the transfer takes place. Europol should ensure by technical means that, during that period, such data would
not be accessible for processing for any other purpose.

(38) Taking into account the exceptional and specific threat posed to the internal security of the Union by terrorism
and other forms of serious crime, especially when facilitated, promoted or committed using the internet, the
activities that Europol should undertake on the basis of this Regulation, stemming from its implementation of
the Council Conclusions of 12 March 2015 and the call by the European Council of 23 April 2015 in relation
especially to those priority areas, in particular the corresponding practice of direct exchanges of personal data
with private parties, should be evaluated by the Commission by 1 May 2019.

(39) Any information which has clearly been obtained in obvious violation of human rights should not be processed.

(40) Data protection rules at Europol should be strengthened and should draw on the principles underpinning
Regulation (EC) No 45/2001 to ensure a high level of protection of individuals with regard to the processing of
personal data. As Declaration No 21 on the protection of personal data in the fields of judicial cooperation in
criminal matters and police cooperation, attached to the TEU and the TFEU, recognises the specificity of personal
data processing in the law enforcement context, the data protection rules of Europol should be autonomous
while at the same time consistent with other relevant data protection instruments applicable in the area of police
cooperation in the Union. Those instruments include, in particular, Directive (EU) 2016/680 of the European
Parliament and of the Council (1), as well as the Convention for the Protection of Individuals with regard to
Automatic Processing of Personal Data of the Council of Europe and its Recommendation No R(87) 15 (2).

(41) Any processing of personal data by Europol should be lawful and fair in relation to the data subjects concerned.
The principle of fair processing requires transparency of processing allowing data subjects concerned to exercise
their rights under this Regulation. It should be possible nevertheless to refuse or restrict access to their personal
data if, with due regard to the interests of the data subjects concerned, such refusal or restriction constitutes a
necessary measure to enable Europol to fulfil its tasks properly, to protect security and public order or to prevent
crime, to guarantee that a national investigation will not be jeopardised or to protect the rights and freedoms of
third parties. To enhance transparency, Europol should make publicly available a document setting out in an
intelligible form the applicable provisions regarding the processing of personal data and the means available to
data subjects to exercise their rights. Europol should also publish on its website a list of adequacy decisions,

(1) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or
prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council
Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).
(2) Council of Europe Committee of Ministers Recommendation No R(87) 15 to the Member States on regulating the use of personal data in
the police sector, 17.9.1987.
24.5.2016 EN Official Journal of the European Union L 135/59

agreements and administrative arrangements relating to the transfer of personal data to third countries and inter­
national organisations. Moreover, in order to increase Europol's transparency vis-à-vis Union citizens and its
accountability, Europol should publish on its website a list of its Management Board members and, where
appropriate, the summaries of the outcome of the meetings of the Management Board, while respecting data
protection requirements.

(42) As far as possible, personal data should be distinguished according to their degree of accuracy and reliability.
Facts should be distinguished from personal assessments, in order to ensure both the protection of individuals
and the quality and reliability of the information processed by Europol. In the case of information obtained from
publicly available sources, particularly sources on the internet, Europol should as far as possible assess the
accuracy of such information and the reliability of its source with particular diligence in order to address the
risks associated with the internet as regards the protection of personal data and privacy.

(43) Personal data relating to different categories of data subjects are processed in the area of law enforcement
cooperation. Europol should make distinctions between personal data in respect of different categories of data
subjects as clear as possible. Personal data concerning persons such as victims, witnesses and persons possessing
relevant information, as well as personal data concerning minors, should in particular be protected. Europol
should only process sensitive data if those data supplement other personal data already processed by Europol.

(44) In the light of the fundamental right to the protection of personal data, Europol should not store personal data
for longer than is necessary for the performance of its tasks. The need for continued storage of such data should
be reviewed no later than three years after the start of its initial processing.

(45) To guarantee the security of personal data, Europol and Member States should implement necessary technical and
organisational measures.

(46) Any data subject should have a right of access to personal data concerning him or her, a right to rectification if
those data are inaccurate, and a right to erasure or restriction if those data are no longer required. The costs
related to exercising the right of access to personal data should not represent a barrier to effectively exercising
that right. The rights of the data subject and the exercise thereof should not affect the obligations incumbent
upon Europol and should be subject to the restrictions laid down in this Regulation.

(47) The protection of the rights and freedoms of data subjects requires a clear attribution of the responsibilities
under this Regulation. In particular, Member States should be responsible for the accuracy of data, for keeping up
to date the data they have transferred to Europol and for the legality of such data transfers. Europol should be
responsible for the accuracy of data and for keeping up to date the data provided by other data suppliers or
resulting from Europol's own analyses. Europol should ensure that data are processed fairly and lawfully, and are
collected and processed for a specific purpose. Europol should also ensure that the data are adequate, relevant,
not excessive in relation to the purpose for which they are processed, stored no longer than is necessary for that
purpose, and processed in a manner that ensures appropriate security of personal data and confidentiality of data
processing.

(48) Europol should keep records of collection, alteration, access, disclosure, combination or erasure of personal data
for the purposes of verifying the lawfulness of the data processing, self-monitoring and ensuring proper data
integrity and security. Europol should be obliged to co-operate with the EDPS and to make logs or documentation
available upon request, so that they can be used for monitoring processing operations.

(49) Europol should designate a Data Protection Officer to assist it in monitoring compliance with this Regulation.
The Data Protection Officer should be in a position to perform his or her duties and tasks independently and
effectively, and should be provided with the necessary resources to do so.
L 135/60 EN Official Journal of the European Union 24.5.2016

(50) Independent, transparent, accountable and effective structures for supervision are essential for the protection of
individuals with regard to the processing of personal data as required by Article 8(3) of the Charter of
Fundamental Rights of the European Union. National authorities competent for the supervision of the processing
of personal data should monitor the lawfulness of personal data provided by Member States to Europol. The
EDPS should monitor the lawfulness of data processing carried out by Europol, exercising his or her functions
with complete independence. In this regard, the prior consultation mechanism is an important safeguard for new
types of processing operations. This should not apply to specific individual operational activities, such as
operational analysis projects, but to the use of new IT systems for the processing of personal data and any
substantial changes thereto.

(51) It is important to ensure strengthened and effective supervision of Europol and to guarantee that the EDPS can
make use of appropriate law enforcement data protection expertise when he or she assumes responsibility for
data protection supervision of Europol. The EDPS and national supervisory authorities should closely cooperate
with each other on specific issues requiring national involvement and should ensure the consistent application of
this Regulation throughout the Union.

(52) In order to facilitate the cooperation between the EDPS and the national supervisory authorities, but without
prejudice to the independence of the EDPS and his or her responsibility for data protection supervision of
Europol, they should regularly meet within the Cooperation Board, which, as an advisory body, should deliver
opinions, guidelines, recommendations and best practices on various issues requiring national involvement.

(53) As Europol also processes non-operational personal data, unrelated to criminal investigations, such as personal
data concerning staff of Europol, service providers or visitors, the processing of such data should be subject to
Regulation (EC) No 45/2001.

(54) The EDPS should hear and investigate complaints lodged by data subjects. The investigation following a
complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case.
The national supervisory authority should inform the data subject of the progress and the outcome of the
complaint within a reasonable period.

(55) Any individual should have the right to a judicial remedy against a decision of the EDPS concerning him or her.

(56) Europol should be subject to the general rules on contractual and non-contractual liability applicable to Union
institutions, agencies and bodies, save as regards the rules on liability for unlawful data processing.

(57) It may be unclear for the individual concerned whether damage suffered as a result of unlawful data processing is
a consequence of action by Europol or by a Member State. Europol and the Member State in which the event that
gave rise to the damage occurred should therefore be jointly and severally liable.

(58) While respecting the role of the European Parliament together with national parliaments in the scrutiny of
Europol's activities, it is necessary that Europol be a fully accountable and transparent internal organisation. To
that end, in light of Article 88 TFEU, procedures should be established for the scrutiny of Europol's activities by
the European Parliament together with national parliaments. Such procedures should be subject to point (c) of
Article 12 TEU and to Article 9 of Protocol No 1, providing that the European Parliament and national
parliaments are together to determine the organisation and promotion of effective and regular interparliamentary
cooperation within the Union. The procedures to be established for the scrutiny of Europol's activities should
take due account of the need to ensure that the European Parliament and the national parliaments stand on an
equal footing, as well as the need to safeguard the confidentiality of operational information. However, the way in
which national parliaments scrutinise their governments in relation to the activities of the Union is a matter for
the particular constitutional organisation and practice of each Member State.

(59) The Staff Regulations of Officials of the European Union (the ‘Staff Regulations’) and the Conditions of
Employment of Other Servants of the European Union (the ‘Conditions of Employment of Other Servants’) laid
down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (1) should apply to Europol staff. Europol should

(1) OJ L 56, 4.3.1968, p. 1.

24.5.2016 EN Official Journal of the European Union L 135/61

be able to employ staff from the competent authorities of the Member States as temporary agents whose period
of service should be limited in order to maintain the principle of rotation, as the subsequent reintegration of such
staff members into the service of their competent authority facilitates close cooperation between Europol and the
competent authorities of the Member States. Member States should take any measure necessary to ensure that
staff engaged at Europol as temporary agents may, at the end of their term of service at Europol, return to the
national civil service to which they belong.

(60) Given the nature of the duties of Europol and the role of the Executive Director, the competent committee of the
European Parliament should be able to invite the Executive Director to appear before it prior to his or her
appointment, as well as prior to any extension of his or her term of office. The Executive Director should also
present the annual report to the European Parliament and to the Council. Furthermore, the European Parliament
and the Council should be able to invite the Executive Director to report on the performance of his or her duties.

(61) To guarantee the full autonomy and independence of Europol, it should be granted an autonomous budget, with
revenue coming essentially from a contribution from the general budget of the Union. The Union budgetary
procedure should be applicable as far as the Union contribution and any other subsidies chargeable to the general
budget of the Union are concerned. The auditing of accounts should be undertaken by the Court of Auditors.

(62) Commission Delegated Regulation (EU) No 1271/2013 (1) should apply to Europol.

(63) Given their specific legal and administrative powers and their technical competences in conducting cross-border
information-exchange activities, operations and investigations, including in joint investigation teams, and in
providing facilities for training, the competent authorities of the Member States should be able to receive grants
from Europol without a call for proposals in accordance with point (d) of Article 190(1) of Commission
Delegated Regulation (EU) No 1268/2012 (2).

(64) Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council (3) should apply to
Europol.

(65) Europol processes data that require particular protection as they include sensitive non-classified and EU classified
information. Europol should therefore draw up rules on the confidentiality and processing of such information.
The rules on the protection of EU classified information should be consistent with Council
Decision 2013/488/EU (4).

(66) It is appropriate to evaluate the application of this Regulation regularly.

(67) The necessary provisions regarding accommodation for Europol in The Hague, where it has its headquarters, and
the specific rules applicable to all Europol's staff and members of their families should be laid down in a
headquarters agreement. Furthermore, the host Member State should provide the necessary conditions for the
smooth operation of Europol, including multilingual, European-oriented schooling and appropriate transport
connections, so as to attract high-quality human resources from as wide a geographical area as possible.

(68) Europol as established by this Regulation replaces and succeeds Europol as established by
Decision 2009/371/JHA. It should therefore be the legal successor of all its contracts, including employment
contracts, liabilities and properties acquired. International agreements concluded by Europol as established by
Decision 2009/371/JHA and agreements concluded by Europol as established by the Europol Convention
before 1 January 2010 should remain in force.

(1) Commission Delegated Regulation (EU) No 1271/2013 of 30 September 2013 on the framework financial regulation for the bodies
referred to in Article 208 of Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council (OJ L 328,
7.12.2013, p. 42).
(2) Commission Delegated Regulation (EU) No 1268/2012 of 29 October 2012 on the rules of application of Regulation (EU, Euratom)
No 966/2012 of the European Parliament and of the Council on the financial rules applicable to the general budget of the Union
(OJ L 362, 31.12.2012, p. 1).
(3) Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning investigations
conducted by the European Anti-Fraud Office (OLAF) and repealing Regulation (EC) No 1073/1999 of the European Parliament and of
the Council and Council Regulation (Euratom) No 1074/1999 (OJ L 248, 18.9.2013, p. 1).
(4) Council Decision 2013/488/EU of 23 September 2013 on the security rules for protecting EU classified information (OJ L 274,
15.10.2013, p. 1).
L 135/62 EN Official Journal of the European Union 24.5.2016

(69) To enable Europol to continue to fulfil the tasks of Europol as established by Decision 2009/371/JHA to the best
of its abilities, transitional measures should be laid down, in particular with regard to the Management Board, the
Executive Director and staff employed under a contract of indefinite duration as a local staff member concluded
by Europol as established by the Europol Convention, who should be offered the possibility of employment as a
member of the temporary or contract staff under the Conditions of Employment of Other Servants.

(70) The Council Act of 3 December 1998 (1) on Europol staff regulations has been repealed by Article 63 of
Decision 2009/371/JHA. However, it should continue to apply to staff employed by Europol before the entry into
force of Decision 2009/371/JHA. Therefore, transitional provisions should provide that contracts concluded in
accordance with those staff regulations are to remain governed by them.

(71) Since the objective of this Regulation, namely the establishment of an entity responsible for law enforcement
cooperation at Union level, cannot be sufficiently achieved by the Member States but can rather, by reason of the
scale and effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance
with the principle of subsidiarity as set out in Article 5 TEU. In accordance with the principle of proportionality
as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.

(72) In accordance with Article 3 and Article 4a(1) of Protocol No 21 on the position of the United Kingdom and
Ireland in respect of the area of freedom, security and justice, annexed to the TEU and to the TFEU, Ireland has
notified its wish to take part in the adoption and application of this Regulation.

(73) In accordance with Articles 1 and 2 and Article 4a(1) of Protocol No 21 on the position of the United Kingdom
and Ireland in respect of the area of freedom, security and justice, annexed to the TEU and the TFEU, and
without prejudice to Article 4 of that Protocol, the United Kingdom is not taking part in the adoption of this
Regulation and is not bound by it or subject to its application.

(74) In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the TEU and to
the TFEU, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its
application.

(75) The EDPS has been consulted and issued an opinion on 31 May 2013.

(76) This Regulation respects the fundamental rights and observes the principles recognised in particular by the
Charter of Fundamental Rights of the European Union, in particular the right to the protection of personal data
and the right to privacy as protected by Articles 8 and 7 of the Charter, as well as by Article 16 TFEU,

HAVE ADOPTED THIS REGULATION:

CHAPTER I

GENERAL PROVISIONS, OBJECTIVES AND TASKS OF EUROPOL

Article 1

Establishment of the European Union Agency for Law Enforcement Cooperation

1. A European Union Agency for Law Enforcement Cooperation (Europol) is hereby established with a view to
supporting cooperation among law enforcement authorities in the Union.

2. Europol as established by this Regulation shall replace and succeed Europol as established by
Decision 2009/371/JHA.

(1) Council Act of 3 December 1998 laying down the staff regulations applicable to Europol employees (OJ C 26, 30.1.1999, p. 23).
24.5.2016 EN Official Journal of the European Union L 135/63

Article 2

Definitions

For the purposes of this Regulation:

(a) ‘the competent authorities of the Member States’ means all police authorities and other law enforcement services
existing in the Member States which are responsible under national law for preventing and combating criminal
offences. The competent authorities shall also comprise other public authorities existing in the Member States
which are responsible under national law for preventing and combating criminal offences in respect of which
Europol is competent;

(b) ‘strategic analysis’ means all methods and techniques by which information is collected, stored, processed and
assessed with the aim of supporting and developing a criminal policy that contributes to the efficient and effective
prevention of, and the fight against, crime;

(c) ‘operational analysis’ means all methods and techniques by which information is collected, stored, processed and
assessed with the aim of supporting criminal investigations;

(d) ‘Union bodies’ means institutions, bodies, missions, offices and agencies set up by, or on the basis of, the TEU and
the TFEU;

(e) ‘international organisation’ means an organisation and its subordinate bodies governed by public international law,
or any other body which is set up by, or on the basis of, an agreement between two or more countries;

(f) ‘private parties’ means entities and bodies established under the law of a Member State or third country, in
particular companies and firms, business associations, non-profit organisations and other legal persons that are not
covered by point (e);

(g) ‘private persons’ means all natural persons;

(h) ‘personal data’ means any information relating to a data subject;

(i) ‘data subject’ means an identified or identifiable natural person, an identifiable person being a person who can be
identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number,
location data or an online identifier or to one or more factors specific to the physical, physiological, genetic,
mental, economic, cultural or social identity of that person;

(j) ‘genetic data’ means all personal data relating to the genetic characteristics of an individual that have been inherited
or acquired, which give unique information about the physiology or the health of that individual, resulting in
particular from an analysis of a biological sample from the individual in question;

(k) ‘processing’ means any operation or set of operations which is performed upon personal data or sets of personal
data, whether or not by automated means, such as collection, recording, organisation, structuring, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making
available, alignment or combination, restriction, erasure or destruction;

(l) ‘recipient’ means a natural or legal person, public authority, agency or any other body to which data are disclosed,
whether a third party or not;

(m) ‘transfer of personal data’ means the communication of personal data, actively made available, between a limited
number of identified parties, with the knowledge or intention of the sender to give the recipient access to the
personal data;

(n) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
L 135/64 EN Official Journal of the European Union 24.5.2016

(o) ‘the data subject's consent’ means any freely given, specific, informed and unambiguous indication of his or her
wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to
personal data relating to him or her being processed;

(p) ‘administrative personal data’ means all personal data processed by Europol apart from those that are processed to
meet the objectives laid down in Article 3.

Article 3

Objectives

1. Europol shall support and strengthen action by the competent authorities of the Member States and their mutual
cooperation in preventing and combating serious crime affecting two or more Member States, terrorism and forms of
crime which affect a common interest covered by a Union policy, as listed in Annex I.

2. In addition to paragraph 1, Europol's objectives shall also cover related criminal offences. The following shall be
considered to be related criminal offences:

(a) criminal offences committed in order to procure the means of perpetrating acts in respect of which Europol is
competent;

(b) criminal offences committed in order to facilitate or perpetrate acts in respect of which Europol is competent;

(c) criminal offences committed in order to ensure the impunity of those committing acts in respect of which Europol
is competent.

Article 4

Tasks

1. Europol shall perform the following tasks in order to achieve the objectives set out in Article 3:

(a) collect, store, process, analyse and exchange information, including criminal intelligence;

(b) notify the Member States, via the national units established or designated pursuant to Article 7(2), without delay of
any information and connections between criminal offences concerning them;

(c) coordinate, organise and implement investigative and operational actions to support and strengthen actions by the
competent authorities of the Member States, that are carried out:

(i) jointly with the competent authorities of the Member States; or

(ii) in the context of joint investigation teams in accordance with Article 5 and, where appropriate, in liaison with
Eurojust;

(d) participate in joint investigation teams, as well as propose that they be set up in accordance with Article 5;

(e) provide information and analytical support to Member States in connection with major international events;

(f) prepare threat assessments, strategic and operational analyses and general situation reports;
24.5.2016 EN Official Journal of the European Union L 135/65

(g) develop, share and promote specialist knowledge of crime prevention methods, investigative procedures and
technical and forensic methods, and provide advice to Member States;

(h) support Member States' cross-border information exchange activities, operations and investigations, as well as joint
investigation teams, including by providing operational, technical and financial support;

(i) provide specialised training and assist Member States in organising training, including with the provision of
financial support, within the scope of its objectives and in accordance with the staffing and budgetary resources at
its disposal in coordination with the European Union Agency for Law Enforcement Training (CEPOL);

(j) cooperate with the Union bodies established on the basis of Title V of the TFEU and with OLAF, in particular
through exchanges of information and by providing them with analytical support in the areas that fall within their
competence;

(k) provide information and support to EU crisis management structures and missions established on the basis of the
TEU, within the scope of Europol's objectives as set out in Article 3;

(l) develop Union centres of specialised expertise for combating certain types of crime falling within the scope of
Europol's objectives, in particular the European Cybercrime Centre;

(m) support Member States' actions in preventing and combating forms of crime listed in Annex I which are facilitated,
promoted or committed using the internet, including, in cooperation with Member States, the making of referrals of
internet content, by which such forms of crime are facilitated, promoted or committed, to the online service
providers concerned for their voluntary consideration of the compatibility of the referred internet content with their
own terms and conditions.

2. Europol shall provide strategic analyses and threat assessments to assist the Council and the Commission in laying
down strategic and operational priorities of the Union for fighting crime. Europol shall also assist in the operational
implementation of those priorities.

3. Europol shall provide strategic analyses and threat assessments to assist the efficient and effective use of the
resources available at national and Union level for operational activities and the support of those activities.

4. Europol shall act as the Central Office for combating euro counterfeiting in accordance with Council
Decision 2005/511/JHA (1). Europol shall also encourage the coordination of measures carried out to fight euro counter­
feiting by the competent authorities of the Member States or in the context of joint investigation teams, where
appropriate in liaison with Union bodies and the authorities of third countries.

5. Europol shall not apply coercive measures in carrying out its tasks.

CHAPTER II

COOPERATION BETWEEN MEMBER STATES AND EUROPOL

Article 5

Participation in joint investigation teams

1. Europol staff may participate in the activities of joint investigation teams dealing with crime falling within
Europol's objectives. The agreement setting up a joint investigation team shall determine the conditions relating to the
participation of the Europol staff in the team, and shall include information on the rules on liability.

(1) Council Decision 2005/511/JHA of 12 July 2005 on protecting the euro against counterfeiting, by designating Europol as the Central
Office for combating euro counterfeiting (OJ L 185, 16.7.2005, p. 35).
L 135/66 EN Official Journal of the European Union 24.5.2016

2. Europol staff may, within the limits of the laws of the Member States in which a joint investigation team is
operating, assist in all activities and exchanges of information with all members of the joint investigation team.

3. Europol staff participating in a joint investigation team may, in accordance with this Regulation, provide all
members of the team with necessary information processed by Europol for the purposes set out in Article 18(2).
Europol shall at the same time inform the national units of the Member States represented in the team, as well as those
of the Member States which provided the information.

4. Information obtained by Europol staff while part of the joint investigation team may, with the consent and under
the responsibility of the Member State which provided the information, be processed by Europol for the purposes set
out in Article 18(2), under the conditions laid down in this Regulation.

5. Where Europol has reason to believe that setting up a joint investigation team would add value to an investigation,
it may propose this to the Member States concerned and take measures to assist them in setting up the joint investi­
gation team.

Article 6

Request by Europol for the initiation of a criminal investigation

1. In specific cases where Europol considers that a criminal investigation should be initiated into a crime falling
within the scope of its objectives, it shall request the competent authorities of the Member States concerned via the
national units to initiate, conduct or coordinate such a criminal investigation.

2. The national units shall inform Europol without delay of the decision of the competent authorities of the
Member States concerning any request made pursuant to paragraph 1.

3. If the competent authorities of a Member State decide not to accede to a request made by Europol pursuant to
paragraph 1, they shall inform Europol of the reasons for their decision without undue delay, preferably within one
month of receipt of the request. However, the reasons may be withheld if providing them would:

(a) be contrary to the essential interests of the security of the Member State concerned; or

(b) jeopardise the success of an ongoing investigation or the safety of an individual.

4. Europol shall immediately inform Eurojust of any request made pursuant to paragraph 1 and of any decision of a
competent authority of a Member State pursuant to paragraph 2.

Article 7

Europol national units

1. The Member States and Europol shall cooperate with each other in the fulfilment of their respective tasks set out
in this Regulation.

2. Each Member State shall establish or designate a national unit, which shall be the liaison body between Europol
and the competent authorities of that Member State. Each Member State shall appoint an official as the head of its
national unit.
24.5.2016 EN Official Journal of the European Union L 135/67

3. Each Member State shall ensure that its national unit is competent under national law to fulfil the tasks assigned to
national units in this Regulation, and in particular that it has access to national law enforcement data and other relevant
data necessary for cooperation with Europol.

4. Each Member State shall determine the organisation and the staff of its national unit in accordance with its
national law.

5. In accordance with paragraph 2, the national unit shall be the liaison body between Europol and the competent
authorities of the Member States. However, subject to conditions determined by the Member States, including prior
involvement of the national unit, the Member States may allow direct contacts between their competent authorities and
Europol. The national unit shall at the same time receive from Europol any information exchanged in the course of
direct contacts between Europol and the competent authorities, unless the national unit indicates that it does not need
to receive such information.

6. Each Member State shall, via its national unit or, subject to paragraph 5, a competent authority, in particular:

(a) supply Europol with the information necessary for it to fulfil its objectives, including information relating to forms
of crime the prevention or combating of which is considered a priority by the Union;

(b) ensure effective communication and cooperation of all relevant competent authorities with Europol;

(c) raise awareness of Europol's activities;

(d) in accordance with point (a) of Article 38(5), ensure compliance with national law when supplying information to
Europol.

7. Without prejudice to the discharge by Member States of their responsibilities with regard to the maintenance of
law and order and the safeguarding of internal security, Member States shall not in any particular case be obliged to
supply information in accordance with point (a) of paragraph 6 that would:

(a) be contrary to the essential interests of the security of the Member State concerned;

(b) jeopardise the success of an ongoing investigation or the safety of an individual; or

(c) disclose information relating to organisations or specific intelligence activities in the field of national security.

However, Member States shall supply information as soon as it ceases to fall within the scope of points (a), (b) or (c) of
the first subparagraph.

8. Member States shall ensure that their financial intelligence units established pursuant to Directive 2005/60/EC of
the European Parliament and of the Council (1) are allowed to cooperate with Europol via their national unit regarding
analyses, within the limits of their mandate and competence.

9. The heads of the national units shall meet on a regular basis, in particular to discuss and resolve problems that
occur in the context of their operational cooperation with Europol.

10. The costs incurred by national units in communications with Europol shall be borne by the Member States and,
with the exception of the costs of connection, shall not be charged to Europol.

11. Europol shall draw up an annual report on the information provided by each Member State pursuant to point (a)
of paragraph 6 on the basis of the quantitative and qualitative evaluation criteria defined by the Management Board. The
annual report shall be sent to the European Parliament, the Council, the Commission and national parliaments.

(1) Directive 2005/60/EC of the European Parliament and of the Council of 26 October 2005 on the prevention of the use of the financial
system for the purpose of money laundering and terrorist financing (OJ L 309, 25.11.2005, p. 15).
L 135/68 EN Official Journal of the European Union 24.5.2016

Article 8

Liaison officers

1. Each national unit shall designate at least one liaison officer to be attached to Europol. Except as otherwise laid
down in this Regulation, the liaison officers shall be subject to the national law of the designating Member State.

2. Liaison officers shall constitute the national liaison bureaux at Europol and shall be instructed by their national
units to represent the interests of the latter within Europol in accordance with the national law of the designating
Member State and the provisions applicable to the administration of Europol.

3. Liaison officers shall assist in the exchange of information between Europol and their Member States.

4. Liaison officers shall, in accordance with their national law, assist in the exchange of information between their
Member States and the liaison officers of other Member States, third countries and international organisations. Europol's
infrastructure may be used, in accordance with national law, for such bilateral exchanges also to cover crimes falling
outside the scope of the objectives of Europol. All such exchanges of information shall be in accordance with applicable
Union and national law.

5. The Management Board shall determine the rights and obligations of liaison officers in relation to Europol. Liaison
officers shall enjoy the privileges and immunities necessary for the performance of their tasks in accordance with
Article 63(2).

6. Europol shall ensure that liaison officers are fully informed of and associated with all of its activities, in so far as
necessary for the performance of their tasks.

7. Europol shall cover the costs of providing Member States with the necessary premises within the Europol building
and adequate support for liaison officers to perform their duties. All other costs that arise in connection with the
designation of liaison officers shall be borne by the designating Member State, including the costs of equipment for
liaison officers, unless the European Parliament and the Council decide otherwise on the recommendation of the
Management Board.

CHAPTER III

ORGANISATION OF EUROPOL

Article 9

Administrative and management structure of Europol

The administrative and management structure of Europol shall comprise:

(a) a Management Board;

(b) an Executive Director;

(c) where appropriate, other advisory bodies established by the Management Board in accordance with point (s) of
Article 11(1).
24.5.2016 EN Official Journal of the European Union L 135/69

SECTION 1

Management Board

Article 10

Composition of the Management Board

1. The Management Board shall be composed of one representative from each Member State and one representative
of the Commission. Each representative shall have a voting right.

2. The members of the Management Board shall be appointed taking into account their knowledge of law
enforcement cooperation.

3. Each member of the Management Board shall have an alternate member who shall be appointed taking into
account the criterion set out in paragraph 2. The alternate member shall represent the member in his or her absence.

The principle of a balanced gender representation on the Management Board shall also be taken into account.

4. Without prejudice to the right of the Member States and of the Commission to terminate the mandate of their
respective member and alternate member, the membership of the Management Board shall be for a period of four years.
That term shall be extendable.

Article 11

Functions of the Management Board

1. The Management Board shall:

(a) adopt each year, by a majority of two-thirds of its members and in accordance with Article 12, a document
containing Europol's multiannual programming and its annual work programme for the following year;

(b) adopt, by a majority of two-thirds of its members, the annual budget of Europol and exercise other functions in
respect of Europol's budget pursuant to Chapter X;

(c) adopt a consolidated annual activity report on Europol's activities and, by 1 July of the following year, send it to the
European Parliament, the Council, the Commission, the Court of Auditors and the national parliaments. The
consolidated annual activity report shall be made public;

(d) adopt the financial rules applicable to Europol in accordance with Article 61;

(e) adopt an internal anti-fraud strategy, proportionate to fraud risks, taking into account the costs and benefits of the
measures to be implemented;

(f) adopt rules for the prevention and management of conflicts of interest in respect of its members, including in
relation to their declaration of interests;

(g) in accordance with paragraph 2, exercise, with respect to the staff of Europol, the powers conferred by the Staff
Regulations on the appointing authority and by the Conditions of Employment of Other Servants on the authority
empowered to conclude a contract of employment of other servants (‘the appointing authority powers’);

(h) adopt appropriate implementing rules giving effect to the Staff Regulations and the Conditions of Employment of
Other Servants in accordance with Article 110 of the Staff Regulations;
L 135/70 EN Official Journal of the European Union 24.5.2016

(i) adopt internal rules regarding the procedure for the selection of the Executive Director, including rules on the
composition of the selection committee which ensure its independence and impartiality;

(j) propose to the Council a shortlist of candidates for the posts of Executive Director and Deputy Executive Directors
and, where relevant, propose to the Council that their terms of office be extended or that they be removed from
office in accordance with Articles 54 and 55;

(k) establish performance indicators and oversee the Executive Director's performance, including the implementation of
Management Board decisions;

(l) appoint a Data Protection Officer, who shall be functionally independent in the performance of his or her duties;

(m) appoint an accounting officer, who shall be subject to the Staff Regulations and the Conditions of Employment of
Other Servants and functionally independent in the performance of his or her duties;

(n) establish, where appropriate, an internal audit capability;

(o) ensure adequate follow-up to findings and recommendations stemming from the internal or external audit reports
and evaluations, as well as from investigations of OLAF and the EDPS;

(p) define the evaluation criteria for the annual report in accordance with Article 7(11);

(q) adopt guidelines further specifying the procedures for the processing of information by Europol in accordance with
Article 18, after consulting the EDPS;

(r) decide upon the conclusion of working and administrative arrangements in accordance with Article 23(4) and
Article 25(1), respectively;

(s) decide, taking into consideration both business and financial requirements, upon the establishment of Europol's
internal structures, including Union centres of specialised expertise as referred to in point (l) of Article 4(1), upon a
proposal of the Executive Director;

(t) adopt its rules of procedure, including provisions concerning the tasks and the functioning of its secretariat;

(u) adopt, where appropriate, other internal rules.

2. If the Management Board considers it necessary for the performance of Europol's tasks, it may suggest to the
Council that it draw the attention of the Commission to the need for an adequacy decision as referred to in point (a) of
Article 25(1) or for a recommendation for a decision authorising the opening of negotiations with a view to the
conclusion of an international agreement as referred to in point (b) of Article 25(1).

3. The Management Board shall, in accordance with Article 110 of the Staff Regulations, adopt a decision based on
Article 2(1) of the Staff Regulations and on Article 6 of the Conditions of Employment of Other Servants delegating the
relevant appointing authority powers to the Executive Director and establishing the conditions under which such
delegation of powers may be suspended. The Executive Director shall be authorised to subdelegate those powers.

Where exceptional circumstances so require, the Management Board may, by way of a decision, temporarily suspend the
delegation of the appointing authority powers to the Executive Director and any subdelegation of such powers and
exercise them itself or delegate those powers to one of its members or to a staff member other than the Executive
Director.

Article 12

Multiannual programming and annual work programmes

1. The Management Board shall, by 30 November each year, adopt a document containing Europol's multiannual
programming and annual work programme, based on a draft put forward by the Executive Director, taking into account
the opinion of the Commission and, as regards the multiannual programming, after having consulted the JPSG. The
Management Board shall forward that document to the Council, the Commission and the JPSG.
24.5.2016 EN Official Journal of the European Union L 135/71

2. The multiannual programming shall set out the overall strategic programming, including the objectives, expected
results and performance indicators. It shall also set out the resource planning, including the multiannual budget and
staff. It shall include the strategy for relations with third countries and international organisations.

The multiannual programming shall be implemented by means of annual work programmes and shall, where
appropriate, be updated following the outcome of external and internal evaluations. The conclusion of those evaluations
shall also be reflected, where appropriate, in the annual work programme for the following year.

3. The annual work programme shall comprise detailed objectives, expected results and performance indicators. It
shall also contain a description of the actions to be financed and an indication of the financial and human resources
allocated to each action, in accordance with the principles of activity-based budgeting and management. The annual
work programme shall be consistent with the multiannual programming. It shall clearly indicate tasks that have been
added, changed or deleted compared to the previous financial year.

4. Where, after adoption of an annual work programme, a new task is assigned to Europol, the Management Board
shall amend the annual work programme.

5. Any substantial amendment to the annual work programme shall be adopted by the same procedure as that
applicable to the adoption of the initial annual work programme. The Management Board may delegate to the Executive
Director the power to make non-substantial amendments to the annual work programme.

Article 13

Chairperson and Deputy Chairperson of the Management Board

1. The Management Board shall elect a Chairperson and a Deputy Chairperson from within the group of three
Member States that have jointly prepared the Council's 18-month programme. They shall serve for the 18-month period
corresponding to that Council programme. If, however, the Chairperson's or the Deputy Chairperson's membership of
the Management Board ends at any time during their term of office as Chairperson or Deputy Chairperson, their term of
office shall automatically expire at the same time.

2. The Chairperson and the Deputy Chairperson shall be elected by a majority of two-thirds of the members of the
Management Board.

3. Where the Chairperson is unable to carry out his or her duties, he or she shall automatically be replaced by the
Deputy Chairperson.

Article 14

Meetings of the Management Board

1. The Chairperson shall convene the meetings of the Management Board.

2. The Executive Director shall take part in the deliberations of the Management Board.

3. The Management Board shall hold at least two ordinary meetings a year. In addition, it shall meet on the initiative
of its Chairperson, or at the request of the Commission or of at least one-third of its members.

4. The Management Board may invite any person whose opinion may be relevant for the discussion, including, where
appropriate, a representative of the JPSG, to attend its meeting as a non-voting observer.
L 135/72 EN Official Journal of the European Union 24.5.2016

5. The members and the alternate members of the Management Board may, subject to its rules of procedure, be
assisted at the meetings by advisers or experts.

6. Europol shall provide the secretariat for the Management Board.

Article 15

Voting rules of the Management Board

1. Without prejudice to points (a) and (b) of Article 11(1), Article 13(2), Article 50(2), Article 54(8) and Article 64,
the Management Board shall take decisions by a majority of its members.

2. Each member shall have one vote. In the absence of a voting member, his or her alternate shall be entitled to
exercise his or her right to vote.

3. The Executive Director shall not take part in the vote.

4. The Management Board's rules of procedure shall establish more detailed voting arrangements, in particular the
circumstances in which a member may act on behalf of another member, and any quorum requirements, where
necessary.

SECTION 2

Executive Director

Article 16

Responsibilities of the Executive Director

1. The Executive Director shall manage Europol. He or she shall be accountable to the Management Board.

2. Without prejudice to the powers of the Commission or the Management Board, the Executive Director shall be
independent in the performance of his or her duties and shall neither seek nor take instructions from any government
or any other body.

3. The Council may invite the Executive Director to report on the performance of his or her duties.

4. The Executive Director shall be the legal representative of Europol.

5. The Executive Director shall be responsible for the implementation of the tasks assigned to Europol by this
Regulation, in particular:

(a) the day-to-day administration of Europol;

(b) making proposals to the Management Board as regards the establishment of Europol's internal structures;

(c) implementing decisions adopted by the Management Board;

(d) preparing the draft multiannual programming and annual work programmes and submitting them to the
Management Board, after having consulted the Commission;
24.5.2016 EN Official Journal of the European Union L 135/73

(e) implementing the multiannual programming and the annual work programmes and reporting to the Management
Board on their implementation;

(f) preparing appropriate draft implementing rules to give effect to the Staff Regulations and the Conditions of
Employment of Other Servants in accordance with Article 110 of the Staff Regulations;

(g) preparing the draft consolidated annual report on Europol's activities and presenting it to the Management Board
for adoption;

(h) preparing an action plan following up conclusions of internal or external audit reports and evaluations, as well as
investigation reports and recommendations from investigations by OLAF and the EDPS, and reporting on progress
twice a year to the Commission and regularly to the Management Board;

(i) protecting the financial interests of the Union by applying measures to prevent fraud, corruption and any other
illegal activity and, without prejudice to the investigative competence of OLAF, by effective checks and, if irregular­
ities are detected, by recovering amounts wrongly paid and, where appropriate, by effective, proportionate and
dissuasive administrative and financial penalties;

(j) preparing a draft internal anti-fraud strategy for Europol and presenting it to the Management Board for adoption;

(k) preparing draft internal rules for the prevention and management of conflicts of interest in respect of the members
of the Management Board and presenting those draft rules to the Management Board for adoption;

(l) preparing draft financial rules applicable to Europol;

(m) preparing Europol's draft statement of estimates of revenue and expenditure and implementing its budget;

(n) supporting the Chairperson of the Management Board in preparing Management Board meetings;

(o) informing the Management Board on a regular basis regarding the implementation of Union strategic and
operational priorities for fighting crime;

(p) performing other tasks pursuant to this Regulation.

CHAPTER IV

PROCESSING OF INFORMATION

Article 17

Sources of information

1. Europol shall only process information that has been provided to it:

(a) by Member States in accordance with their national law and Article 7;

(b) by Union bodies, third countries and international organisations in accordance with Chapter V;

(c) by private parties and private persons in accordance with Chapter V.

2. Europol may directly retrieve and process information, including personal data, from publicly available sources,
including the internet and public data.

3. In so far as Europol is entitled under Union, international or national legal instruments to gain computerised
access to data from Union, international or national information systems, it may retrieve and process information,
including personal data, by such means if that is necessary for the performance of its tasks. The applicable provisions of
such Union, international or national legal instruments shall govern access to, and the use of, that information by
Europol, in so far as they provide for stricter rules on access and use than those laid down by this Regulation. Access to
such information systems shall be granted only to duly authorised staff of Europol and only in so far as this is necessary
and proportionate for the performance of their tasks.
L 135/74 EN Official Journal of the European Union 24.5.2016

Article 18

Purposes of information processing activities

1. In so far as is necessary for the achievement of its objectives as laid down in Article 3, Europol may process
information, including personal data.

2. Personal data may be processed only for the purposes of:

(a) cross-checking aimed at identifying connections or other relevant links between information related to:

(i) persons who are suspected of having committed or taken part in a criminal offence in respect of which Europol
is competent, or who have been convicted of such an offence;

(ii) persons regarding whom there are factual indications or reasonable grounds to believe that they will commit
criminal offences in respect of which Europol is competent;

(b) analyses of a strategic or thematic nature;

(c) operational analyses;

(d) facilitating the exchange of information between Member States, Europol, other Union bodies, third countries and in­
ternational organisations.

3. Processing for the purpose of operational analyses as referred to in point (c) of paragraph 2 shall be performed by
means of operational analysis projects, in respect of which the following specific safeguards shall apply:

(a) for every operational analysis project, the Executive Director shall define the specific purpose, categories of personal
data and categories of data subjects, participants, duration of storage and conditions for access, transfer and use of
the data concerned, and shall inform the Management Board and the EDPS thereof;

(b) personal data may only be collected and processed for the purpose of the specified operational analysis project.
Where it becomes apparent that personal data may be relevant for another operational analysis project, further
processing of that personal data shall only be permitted insofar as such further processing is necessary and propor­
tionate and the personal data are compatible with the provisions set out in point (a) that apply to the other analysis
project;

(c) only authorised staff may access and process the data of the relevant project.

4. The processing referred to in paragraphs 2 and 3 shall be carried out in compliance with the data protection
safeguards provided for in this Regulation. Europol shall duly document those processing operations. The documentation
shall be made available, upon request, to the Data Protection Officer and to the EDPS for the purpose of verifying the
lawfulness of the processing operations.

5. Categories of personal data and categories of data subjects whose data may be collected and processed for each
purpose referred to in paragraph 2 are listed in Annex II.

6. Europol may temporarily process data for the purpose of determining whether such data are relevant to its tasks
and, if so, for which of the purposes referred to in paragraph 2. The Management Board, acting on a proposal from the
Executive Director and after consulting the EDPS, shall further specify the conditions relating to the processing of such
data, in particular with respect to access to and use of the data, as well as time limits for the storage and deletion of the
data, which may not exceed six months, having due regard to the principles referred to in Article 28.

7. The Management Board, after consulting the EDPS, shall, as appropriate, adopt guidelines further specifying
procedures for the processing of information for the purposes listed in paragraph 2 in accordance with point (q) of
Article 11(1).
24.5.2016 EN Official Journal of the European Union L 135/75

Article 19

Determination of the purpose of, and restrictions on, the processing of information by Europol

1. A Member State, a Union body, a third country or an international organisation providing information to Europol
shall determine the purpose or purposes for which it is to be processed, as referred to in Article 18. If it has not done
so, Europol, in agreement with the provider of the information concerned, shall process the information in order to
determine the relevance of such information as well as the purpose or purposes for which it is to be further processed.
Europol may process information for a purpose different from that for which information has been provided only if
authorised so to do by the provider of the information.

2. Member States, Union bodies, third countries and international organisations may indicate, at the moment of
providing information to Europol, any restriction on access thereto or the use to be made thereof, in general or specific
terms, including as regards its transfer, erasure or destruction. Where the need for such restrictions becomes apparent
after the information has been provided, they shall inform Europol accordingly. Europol shall comply with such
restrictions.

3. In duly justified cases Europol may assign restrictions to access or use by Member States, Union bodies, third
countries and international organisations of information retrieved from publicly available sources.

Article 20

Access by Member States and Europol's staff to information stored by Europol

1. Member States shall, in accordance with their national law and Article 7(5), have access to, and be able to search,
all information which has been provided for the purposes of points (a) and (b) of Article 18(2). This shall be without
prejudice to the right of Member States, Union bodies, third countries and international organisations to indicate any
restrictions in accordance with Article 19(2).

2. Member States shall, in accordance with their national law and Article 7(5), have indirect access on the basis of a
hit/no hit system to information provided for the purposes of point (c) of Article 18(2). This shall be without prejudice
to any restrictions indicated by the Member States, Union bodies and third countries or international organisations
providing the information, in accordance with Article 19(2).

In the case of a hit, Europol shall initiate the procedure by which the information that generated the hit may be shared,
in accordance with the decision of the provider of the information to Europol.

3. In accordance with national law, the information referred to in paragraphs 1 and 2 shall be accessed and further
processed by Member States only for the purpose of preventing and combating:

(a) forms of crime in respect of which Europol is competent; and

(b) other forms of serious crime, as set out in Council Framework Decision 2002/584/JHA (1).

4. Europol staff duly empowered by the Executive Director shall have access to information processed by Europol to
the extent required for the performance of their duties and without prejudice to Article 67.

(1) Council Framework Decision 2002/584/JHA of 13 June 2002 on the European arrest warrant and the surrender procedures between
Member States (OJ L 190, 18.7.2002, p. 1).
L 135/76 EN Official Journal of the European Union 24.5.2016

Article 21

Access by Eurojust and OLAF to information stored by Europol

1. Europol shall take all appropriate measures to enable Eurojust and OLAF, within their respective mandates, to have
indirect access on the basis of a hit/no hit system to information provided for the purposes of points (a), (b) and (c) of
Article 18(2), without prejudice to any restrictions indicated by the Member State, Union body, third country or internat­
ional organisation providing the information in question, in accordance with Article 19(2).

In the case of a hit, Europol shall initiate the procedure by which the information that generated the hit may be shared,
in accordance with the decision of the provider of the information to Europol, and only to the extent that the data
generating the hit are necessary for the performance of Eurojust's or OLAF's tasks.

2. Europol and Eurojust may conclude a working arrangement ensuring, in a reciprocal manner and within their
respective mandates, access to, and the possibility of searching, all information that has been provided for the purpose
specified in point (a) of Article 18(2). This shall be without prejudice to the right of Member States, Union bodies, third
countries and international organisations to indicate restrictions on access to, and the use of, such data, and shall be in
accordance with the data protection guarantees provided for in this Regulation.

3. Searches of information in accordance with paragraphs 1 and 2 shall be carried out only for the purpose of
identifying whether information available at Eurojust or OLAF matches with information processed at Europol.

4. Europol shall allow searches in accordance with paragraphs 1 and 2 only after obtaining from Eurojust
information on which National Members, Deputies and Assistants, as well as Eurojust staff members, and from OLAF
information on which OLAF staff members, have been designated as authorised to perform such searches.

5. If, during Europol's information-processing activities in respect of an individual investigation, Europol or a

Member State identifies the need for coordination, cooperation or support in accordance with the mandate of Eurojust
or OLAF, Europol shall notify them to that effect and shall initiate the procedure for sharing the information, in
accordance with the decision of the Member State providing the information. In such a case, Eurojust or OLAF shall
consult with Europol.

6. Eurojust, including the College, the National Members, Deputies and Assistants, as well as Eurojust staff members,
and OLAF, shall respect any restriction on access or use, in general or specific terms, indicated by Member States, Union
bodies, third countries and international organisations in accordance with Article 19(2).

7. Europol, Eurojust and OLAF shall inform each other if, after consulting each other's data in accordance with
paragraph 2 or as a result of a hit in accordance with paragraph 1, there are indications that data may be incorrect or
may conflict with other data.

Article 22

Duty to notify Member States

1. Europol shall, in accordance with point (b) of Article 4(1), notify a Member State without delay of any information
concerning it. If such information is subject to access restrictions pursuant to Article 19(2) that would prohibit its being
shared, Europol shall consult with the provider of the information stipulating the access restriction and seek its authoris­
ation for sharing.

In such a case, the information shall not be shared without an explicit authorisation by the provider.
24.5.2016 EN Official Journal of the European Union L 135/77

2. Irrespective of any access restrictions, Europol shall notify a Member State of any information concerning it if this
is absolutely necessary in the interest of preventing an imminent threat to life.

In such a case, Europol shall at the same time notify the provider of the information about the sharing of the
information and justify its analysis of the situation.

CHAPTER V

RELATIONS WITH PARTNERS

SECTION 1

Common provisions

Article 23

Common provisions

1. In so far as necessary for the performance of its tasks, Europol may establish and maintain cooperative relations
with Union bodies in accordance with the objectives of those bodies, the authorities of third countries, international
organisations and private parties.

2. Subject to any restriction pursuant to Article 19(2) and without prejudice to Article 67, Europol may directly
exchange all information, with the exception of personal data, with entities referred to in paragraph 1 of this Article, in
so far as such an exchange is relevant for the performance of Europol's tasks.

3. The Executive Director shall inform the Management Board about any regular cooperative relations which Europol
intends to establish and maintain in accordance with paragraphs 1 and 2, and about the development of such relations
once established.

4. For the purposes set out in paragraphs 1 and 2, Europol may conclude working arrangements with entities
referred to in paragraph 1. Such working arrangements shall not allow the exchange of personal data and shall not bind
the Union or its Member States.

5. Europol may receive and process personal data from entities referred to in paragraph 1 insofar as necessary and
proportionate for the legitimate performance of its tasks and subject to the provisions of this Chapter.

6. Without prejudice to Article 30(5), personal data shall only be transferred by Europol to Union bodies, third
countries and international organisations if necessary for preventing and combating crime falling within the scope of
Europol's objectives and in accordance with this Regulation, and if the recipient gives an undertaking that the data will
be processed only for the purpose for which they were transferred. If the data to be transferred have been provided by a
Member State, Europol shall seek that Member State's consent, unless the Member State has granted its prior authoris­
ation to such onward transfer, either in general terms or subject to specific conditions. Such consent may be withdrawn
at any time.

7. Onward transfers of personal data held by Europol by Member States, Union bodies, third countries and internat­
ional organisations shall be prohibited, unless Europol has given its prior explicit authorisation.

8. Europol shall ensure that detailed records of all transfers of personal data and of the grounds for such transfers are
recorded in accordance with this Regulation.

9. Any information which has clearly been obtained in obvious violation of human rights shall not be processed.
L 135/78 EN Official Journal of the European Union 24.5.2016

SECTION 2

Transfer and exchange of personal data

Article 24

Transfer of personal data to Union bodies

Subject to any possible restrictions pursuant to Article 19(2) or (3) and without prejudice to Article 67, Europol may
directly transfer personal data to a Union body, insofar as such transfer is necessary for the performance of its tasks or
those of the recipient Union body.

Article 25

Transfer of personal data to third countries and international organisations

1. Subject to any possible restrictions pursuant to Article 19(2) or (3) and without prejudice to Article 67, Europol
may transfer personal data to an authority of a third country or to an international organisation, insofar as such transfer
is necessary for the performance of Europol's tasks, on the basis of one of the following:

(a) a decision of the Commission adopted in accordance with Article 36 of Directive (EU) 2016/680, finding that the
third country or a territory or a processing sector within that third country or the international organisation in
question ensures an adequate level of protection (‘adequacy decision’);

(b) an international agreement concluded between the Union and that third country or international organisation
pursuant to Article 218 TFEU adducing adequate safeguards with respect to the protection of privacy and
fundamental rights and freedoms of individuals;

(c) a cooperation agreement allowing for the exchange of personal data concluded, before 1 May 2017, between
Europol and that third country or international organisation in accordance with Article 23 of
Decision 2009/371/JHA.

Europol may conclude administrative arrangements to implement such agreements or adequacy decisions.

2. The Executive Director shall inform the Management Board about exchanges of personal data on the basis of
adequacy decisions pursuant to point (a) of paragraph 1.

3. Europol shall publish on its website and keep up to date a list of adequacy decisions, agreements, administrative
arrangements and other instruments relating to the transfer of personal data in accordance with paragraph 1.

4. By 14 June 2021, the Commission shall assess the provisions contained in the cooperation agreements referred to
in point (c) of paragraph 1, in particular those concerning data protection. The Commission shall inform the
European Parliament and the Council about the outcome of that assessment, and may, if appropriate, submit to the
Council a recommendation for a decision authorising the opening of negotiations for the conclusion of international
agreements referred to in point (b) of paragraph (1).

5. By way of derogation from paragraph 1, the Executive Director may authorise the transfer of personal data to third
countries or international organisations on a case-by-case basis if the transfer is:

(a) necessary in order to protect the vital interests of the data subject or of another person;

(b) necessary to safeguard legitimate interests of the data subject where the law of the Member State transferring the
personal data so provides;
24.5.2016 EN Official Journal of the European Union L 135/79

(c) essential for the prevention of an immediate and serious threat to the public security of a Member State or a third
country;

(d) necessary in individual cases for the purposes of the prevention, investigation, detection or prosecution of criminal
offences or the execution of criminal sanctions; or

(e) necessary in individual cases for the establishment, exercise or defence of legal claims relating to the prevention,
investigation, detection or prosecution of a specific criminal offence or the execution of a specific criminal sanction.

Personal data shall not be transferred if the Executive Director determines that fundamental rights and freedoms of the
data subject concerned override the public interest in the transfer referred to in points (d) and (e).

Derogations may not be applicable to systematic, massive or structural transfers.

6. By way of derogation from paragraph 1, the Management Board may, in agreement with the EDPS, authorise for a
period not exceeding one year, which shall be renewable, a set of transfers in accordance with points (a) to (e) of
paragraph 5, taking into account the existence of adequate safeguards with respect to the protection of privacy and
fundamental rights and freedoms of individuals. Such authorisation shall be duly justified and documented.

7. The Executive Director shall as soon as possible inform the Management Board and the EDPS of the cases in which
paragraph 5 has been applied.

8. Europol shall keep detailed records of all transfers made pursuant to this Article.

Article 26

Exchanges of personal data with private parties

1. Insofar as is necessary in order for Europol to perform its tasks, Europol may process personal data obtained from
private parties on condition that they are received via:

(a) a national unit in accordance with national law;

(b) the contact point of a third country or an international organisation with which Europol has concluded,
before 1 May 2017, a cooperation agreement allowing for the exchange of personal data in accordance with
Article 23 of Decision 2009/371/JHA; or

(c) an authority of a third country or an international organisation which is the subject of an adequacy decision as
referred to in point (a) of Article 25(1) of this Regulation or with which the Union has concluded an international
agreement pursuant to Article 218 TFEU.

2. In cases where Europol nonetheless receives personal data directly from private parties and where the national
unit, contact point or authority concerned, as referred to in paragraph 1, cannot be identified, Europol may process
those personal data solely for the purpose of such identification. Subsequently, the personal data shall be forwarded
immediately to the national unit, contact point or authority concerned and shall be deleted unless the national unit,
contact point or authority concerned resubmits those personal data in accordance with Article 19(1) within four
months after the transfer takes place. Europol shall ensure by technical means that, during that period, the data in
question are not accessible for processing for any other purpose.

3. Following the transfer of personal data in accordance with point (c) of paragraph 5 of this Article, Europol may in
connection therewith receive personal data directly from a private party which that private party declares it is legally
allowed to transmit in accordance with the applicable law, in order to process such data for the performance of the task
set out in point (m) of Article 4(1).
L 135/80 EN Official Journal of the European Union 24.5.2016

4. If Europol receives personal data from a private party in a third country with which there is no agreement
concluded either on the basis of Article 23 of Decision 2009/371/JHA or on the basis of Article 218 TFEU, or which is
not the subject of an adequacy decision as referred to in point (a) of Article 25(1) of this Regulation, Europol may
forward those data only to a Member State, or to a third country concerned with which such an agreement has been
concluded.

5. Europol may not transfer personal data to private parties except where, on a case-by-case basis where strictly
necessary and subject to any possible restrictions stipulated pursuant to Article 19(2) or (3) and without prejudice to
Article 67:

(a) the transfer is undoubtedly in the interests of the data subject, and either the data subject's consent has been given
or the circumstances allow a clear presumption of consent; or

(b) the transfer is absolutely necessary in the interests of preventing the imminent perpetration of a crime, including
terrorism, for which Europol is competent; or

(c) the transfer of personal data which are publicly available is strictly necessary for the performance of the task set out
in point (m) of Article 4(1) and the following conditions are met:

(i) the transfer concerns an individual and specific case; and

(ii) no fundamental rights and freedoms of the data subjects concerned override the public interest necessitating the
transfer in the case at hand.

6. With regard to points (a) and (b) of paragraph 5 of this Article, if the private party concerned is not established
within the Union or in a country with which Europol has a cooperation agreement allowing for the exchange of
personal data, with which the Union has concluded an international agreement pursuant to Article 218 TFEU or which
is the subject of an adequacy decision as referred to in point (a) of Article 25(1) of this Regulation, the transfer shall
only be authorised if the transfer is:

(a) necessary in order to protect the vital interests of the data subject or another person; or

(b) necessary in order to safeguard legitimate interests of the data subject; or

(c) essential for the prevention of an immediate and serious threat to public security of a Member State or a third
country; or

(d) necessary in individual cases for the purposes of the prevention, investigation, detection or prosecution of criminal
offences for which Europol is competent; or

(e) necessary in individual cases for the establishment, exercise or defence of legal claims relating to the prevention,
investigation, detection or prosecution of a specific criminal offence for which Europol is competent.

7. Europol shall ensure that detailed records of all transfers of personal data and the grounds for such transfers are
recorded in accordance with this Regulation and communicated upon request to the EDPS pursuant to Article 40.

8. If the personal data received or to be transferred affect the interests of a Member State, Europol shall immediately
inform the national unit of the Member State concerned.

9. Europol shall not contact private parties to retrieve personal data.

10. The Commission shall evaluate the practice of direct exchanges of personal data with private parties
by 1 May 2019.
24.5.2016 EN Official Journal of the European Union L 135/81

Article 27

Information from private persons

1. Insofar as is necessary in order for Europol to perform its tasks, Europol may receive and process information
originating from private persons. Personal data originating from private persons may only be processed by Europol on
condition that they are received via:

(a) a national unit in accordance with national law;

(b) the contact point of a third country or an international organisation with which Europol has concluded,
before 1 May 2017, a cooperation agreement allowing for the exchange of personal data in accordance with
Article 23 of Decision 2009/371/JHA; or

(c) an authority of a third country or an international organisation which is the subject of an adequacy decision as
referred to in point (a) of Article 25(1) or with which the Union has concluded an international agreement pursuant
to Article 218 TFEU.

2. If Europol receives information, including personal data, from a private person residing in a third country with
which there is no international agreement concluded either on the basis of Article 23 of Decision 2009/371/JHA or on
the basis of Article 218 TFEU, or which is not the subject of an adequacy decision as referred to in point (a) of
Article 25(1) of this Regulation, Europol may only forward that information to a Member State or to a third country
concerned with which such an international agreement has been concluded.

3. If the personal data received affect the interests of a Member State, Europol shall immediately inform the national
unit of the Member State concerned.

4. Europol shall not contact private persons to retrieve information.

5. Without prejudice to Articles 36 and 37, Europol may not transfer personal data to private persons.

CHAPTER VI

DATA PROTECTION SAFEGUARDS

Article 28

General data protection principles

1. Personal data shall be:

(a) processed fairly and lawfully;

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with
those purposes. Further processing of personal data for historical, statistical or scientific research purposes shall not
be considered incompatible provided that Europol provides appropriate safeguards, in particular to ensure that data
are not processed for any other purposes;

(c) adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;

(d) accurate and kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate,
having regard to the purposes for which they are processed, are erased or rectified without delay;
L 135/82 EN Official Journal of the European Union 24.5.2016

(e) kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which
the personal data are processed; and

(f) processed in a manner that ensures appropriate security of personal data.

2. Europol shall make publicly available a document setting out in an intelligible form the provisions regarding the
processing of personal data and the means available for the exercise of the rights of data subjects.

Article 29

Assessment of reliability of the source and accuracy of information

1. The reliability of the source of information originating from a Member State shall be assessed as far as possible by
the providing Member State using the following source evaluation codes:

(A): where there is no doubt as to the authenticity, trustworthiness and competence of the source, or if the information
is provided by a source which has proved to be reliable in all instances;

(B): where the information is provided by a source which has in most instances proved to be reliable;

(C): where the information is provided by a source which has in most instances proved to be unreliable;

(X): where the reliability of the source cannot be assessed.

2. The accuracy of information originating from a Member State shall be assessed as far as possible by the providing
Member State using the following information evaluation codes:

(1): information the accuracy of which is not in doubt;

(2): information known personally to the source but not known personally to the official passing it on;

(3): information not known personally to the source but corroborated by other information already recorded;

(4): information not known personally to the source and which cannot be corroborated.

3. Where Europol, on the basis of information already in its possession, comes to the conclusion that the assessment
provided for in paragraphs 1 or 2 needs to be corrected, it shall inform the Member State concerned and seek to agree
on an amendment to the assessment. Europol shall not change the assessment without such agreement.

4. Where Europol receives information from a Member State without an assessment in accordance with paragraphs 1
or 2, it shall attempt to assess the reliability of the source or the accuracy of information on the basis of information
already in its possession. The assessment of specific data and information shall take place in agreement with the
providing Member State. A Member State may also agree with Europol in general terms on the assessment of specified
types of data and specified sources. If no agreement is reached in a specific case, or no agreement in general terms
exists, Europol shall assess the information or data and shall attribute to such information or data the evaluation
codes (X) and (4) referred to in paragraphs 1 and 2 respectively.

5. This Article shall apply mutatis mutandis where Europol receives data or information from a Union body, third
country, international organisation or private party.
24.5.2016 EN Official Journal of the European Union L 135/83

6. Information from publicly available sources shall be assessed by Europol using the evaluation codes set out in
paragraphs 1 and 2.

7. Where information is the result of an analysis made by Europol in the performance of its tasks, Europol shall
assess such information in accordance with this Article, and in agreement with the Member States participating in the
analysis.

Article 30

Processing of special categories of personal data and of different categories of data subjects

1. Processing of personal data in respect of victims of a criminal offence, witnesses or other persons who can provide
information concerning criminal offences, or in respect of persons under the age of 18, shall be allowed if it is strictly
necessary and proportionate for preventing or combating crime that falls within Europol's objectives.

2. Processing of personal data, by automated or other means, revealing racial or ethnic origin, political opinions,
religious or philosophical beliefs or trade union membership and processing of genetic data or data concerning a
person's health or sex life shall be prohibited, unless it is strictly necessary and proportionate for preventing or
combating crime that falls within Europol's objectives and if those data supplement other personal data processed by
Europol. The selection of a particular group of persons solely on the basis of such personal data shall be prohibited.

3. Only Europol shall have direct access to personal data as referred to in paragraphs 1 and 2. The Executive Director
shall duly authorise a limited number of Europol officials to have such access if it is necessary for the performance of
their tasks.

4. No decision by a competent authority which produces adverse legal effects concerning a data subject shall be
based solely on automated processing of data as referred to in paragraph 2, unless the decision is expressly authorised
pursuant to national or Union legislation.

5. Personal data as referred to in paragraphs 1 and 2 shall not be transmitted to Member States, Union bodies, third
countries or international organisations unless such transmission is strictly necessary and proportionate in individual
cases concerning crime that falls within Europol's objectives and in accordance with Chapter V.

6. Every year Europol shall provide to the EDPS a statistical overview of all personal data as referred to in
paragraph 2 which it has processed.

Article 31

Time-limits for the storage and erasure of personal data

1. Personal data processed by Europol shall be stored by Europol only for as long as is necessary and proportionate
for the purposes for which the data are processed.

2. Europol shall in any event review the need for continued storage no later than three years after the start of initial
processing of personal data. Europol may decide on the continued storage of personal data until the following review,
which shall take place after another period of three years, if continued storage is still necessary for the performance of
Europol's tasks. The reasons for the continued storage shall be justified and recorded. If no decision is taken on the
continued storage of personal data, that data shall be erased automatically after three years.
L 135/84 EN Official Journal of the European Union 24.5.2016

3. If personal data as referred to in Article 30(1) and (2) are stored for a period exceeding five years, the EDPS shall
be informed accordingly.

4. Where a Member State, a Union body, a third country or an international organisation has indicated any
restriction as regards the earlier erasure or destruction of the personal data at the moment of transfer in accordance
with Article 19(2), Europol shall erase the personal data in accordance with those restrictions. If continued storage of
the data is deemed necessary, on the basis of information that is more extensive than that possessed by the data
provider, in order for Europol to perform its tasks, Europol shall request the authorisation of the data provider to
continue storing the data and shall present a justification for such request.

5. Where a Member State, a Union body, a third country or an international organisation erases from its own data
files personal data provided to Europol, it shall inform Europol accordingly. Europol shall erase the data unless the
continued storage of the data is deemed necessary, on the basis of information that is more extensive than that
possessed by the data provider, in order for Europol to perform its tasks. Europol shall inform the data provider of the
continued storage of such data and present a justification of such continued storage.

6. Personal data shall not be erased if:

(a) this would damage the interests of a data subject who requires protection. In such cases, the data shall be used only
with the express and written consent of the data subject;

(b) their accuracy is contested by the data subject, for a period enabling Member States or Europol, where appropriate,
to verify the accuracy of the data;

(c) they have to be maintained for purposes of proof or for the establishment, exercise or defence of legal claims; or

(d) the data subject opposes their erasure and requests the restriction of their use instead.

Article 32

Security of processing

1. Europol shall implement appropriate technical and organisational measures to protect personal data against
accidental or unlawful destruction, accidental loss or unauthorised disclosure, alteration and access or any other
unauthorised form of processing.

2. In respect of automated data processing, Europol and each Member State shall implement measures designed to:

(a) deny unauthorised persons access to data-processing equipment used for processing personal data (equipment access
control);

(b) prevent the unauthorised reading, copying, modification or removal of data media (data media control);

(c) prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal
data (storage control);

(d) prevent the use of automated data-processing systems by unauthorised persons using data-communication
equipment (user control);

(e) ensure that persons authorised to use an automated data-processing system have access only to data covered by their
access authorisation (data access control);
24.5.2016 EN Official Journal of the European Union L 135/85

(f) ensure that it is possible to verify and establish to which bodies personal data may be or have been transmitted
using data-communication equipment (communication control);

(g) ensure that it is possible to verify and establish which personal data have been input into automated data-processing
systems and when and by whom the data were input (input control);

(h) ensure that it is possible to verify and establish what data have been accessed by which member of personnel and at
what time (access log);

(i) prevent the unauthorised reading, copying, modification or deletion of personal data during transfers of personal
data or during the transportation of data media (transport control);

(j) ensure that it is possible, in the event of interruption, to restore installed systems immediately (recovery); and

(k) ensure that the functions of the system perform faultlessly, that the occurrence of faults in the functions is
immediately reported (reliability) and that stored data cannot be corrupted by system malfunctions (integrity).

3. Europol and Member States shall establish mechanisms to ensure that security needs are taken on board across
information system boundaries.

Article 33

Data protection by design

Europol shall implement appropriate technical and organisational measures and procedures in such a way that the data
processing will comply with this Regulation and protect the rights of the data subjects concerned.

Article 34

Notification of a personal data breach to the authorities concerned

1. In the event of a personal data breach, Europol shall without undue delay notify the EDPS, as well as the
competent authorities of the Member States concerned, of that breach, in accordance with the conditions laid down in
Article 7(5),as well as the provider of the data concerned.

2. The notification referred to in paragraph 1 shall, as a minimum:

(a) describe the nature of the personal data breach including, where possible and appropriate, the categories and
number of data subjects concerned and the categories and number of data records concerned;

(b) describe the likely consequences of the personal data breach;

(c) describe the measures proposed or taken by Europol to address the personal data breach; and

(d) where appropriate, recommend measures to mitigate the possible adverse effects of the personal data breach.

3. Europol shall document any personal data breaches, including the facts surrounding the breach, its effects and the
remedial action taken, thereby enabling the EDPS to verify compliance with this Article.
L 135/86 EN Official Journal of the European Union 24.5.2016

Article 35

Communication of a personal data breach to the data subject

1. Subject to paragraph 4 of this Article, where a personal data breach as referred to in Article 34 is likely to severely
and adversely affect the rights and freedoms of the data subject, Europol shall communicate the personal data breach to
the data subject without undue delay.

2. The communication to the data subject referred to in paragraph 1 shall describe, where possible, the nature of the
personal data breach, recommend measures to mitigate the possible adverse effects of the personal data breach, and
contain the identity and contact details of the Data Protection Officer.

3. If Europol does not have the contact details of the data subject concerned, it shall request the provider of the data
to communicate the personal data breach to the data subject concerned and to inform Europol about the decision taken.
Member States providing the data shall communicate the breach to the data subject concerned in accordance with the
procedures of their national law.

4. The communication of a personal data breach to the data subject shall not be required if:

(a) Europol has applied to the personal data concerned by that breach appropriate technological protection measures
that render the data unintelligible to any person who is not authorised to access it;

(b) Europol has taken subsequent measures which ensure that the data subject's rights and freedoms are no longer likely
to be severely affected; or

(c) such communication would involve disproportionate effort, in particular owing to the number of cases involved. In
such a case, there shall instead be a public communication or similar measure informing the data subjects concerned
in an equally effective manner.

5. The communication to the data subject may be delayed, restricted or omitted where this constitutes a necessary
measure with due regard for the legitimate interests of the person concerned:

(a) to avoid obstructing official or legal inquiries, investigations or procedures;

(b) to avoid prejudicing the prevention, detection, investigation and prosecution of criminal offences or for the
execution of criminal penalties;

(c) to protect public and national security;

(d) to protect the rights and freedoms of third parties.

Article 36

Right of access for the data subject

1. Any data subject shall have the right, at reasonable intervals, to obtain information on whether personal data
relating to him or her are processed by Europol.

2. Without prejudice to paragraph 5, Europol shall provide the following information to the data subject:

(a) confirmation as to whether or not data related to him or her are being processed;

(b) information on at least the purposes of the processing operation, the categories of data concerned, and the
recipients or categories of recipients to whom the data are disclosed;
24.5.2016 EN Official Journal of the European Union L 135/87

(c) communication in an intelligible form of the data undergoing processing and of any available information as to their
sources;

(d) an indication of the legal basis for processing the data;

(e) the envisaged period for which the personal data will be stored;

(f) the existence of the right to request from Europol rectification, erasure or restriction of processing of personal data
concerning the data subject.

3. Any data subject wishing to exercise the right of access to personal data relating to him or her may make a request
to that effect, without incurring excessive costs, to the authority appointed for that purpose in the Member State of his
or her choice. That authority shall refer the request to Europol without delay, and in any case within one month of
receipt.

4. Europol shall confirm receipt of the request under paragraph 3. Europol shall answer it without undue delay, and
in any case within three months of receipt by Europol of the request from the national authority.

5. Europol shall consult the competent authorities of the Member States, in accordance with the conditions laid down
in Article 7(5), and the provider of the data concerned, on a decision to be taken. A decision on access to personal data
shall be conditional on close cooperation between Europol and the Member States and the provider of the data directly
concerned by the access of the data subject to such data. If a Member State or the provider of the data objects to
Europol's proposed response, it shall notify Europol of the reasons for its objection in accordance with paragraph 6 of
this Article. Europol shall take the utmost account of any such objection. Europol shall subsequently notify its decision
to the competent authorities concerned, in accordance with the conditions laid down in Article 7(5), and to the provider
of the data.

6. The provision of information in response to any request under paragraph 1 may be refused or restricted if such
refusal or restriction constitutes a measure that is necessary in order to:

(a) enable Europol to fulfil its tasks properly;

(b) protect security and public order or prevent crime;

(c) guarantee that any national investigation will not be jeopardised; or

(d) protect the rights and freedoms of third parties.

When the applicability of an exemption is assessed, the fundamental rights and interests of the data subject shall be
taken into account.

7. Europol shall inform the data subject in writing of any refusal or restriction of access, of the reasons for such a
decision and of his or her right to lodge a complaint with the EDPS. Where the provision of such information would
deprive paragraph 6 of its effect, Europol shall only notify the data subject concerned that it has carried out the checks,
without giving any information which might reveal to him or her whether or not personal data concerning him or her
are processed by Europol.

Article 37

Right to rectification, erasure and restriction

1. Any data subject having accessed personal data concerning him or her processed by Europol in accordance with
Article 36 shall have the right to request Europol, through the authority appointed for that purpose in the
Member State of his or her choice, to rectify personal data concerning him or her held by Europol if they are incorrect
or to complete or update them. That authority shall refer the request to Europol without delay and in any case within
one month of receipt.
L 135/88 EN Official Journal of the European Union 24.5.2016

2. Any data subject having accessed personal data concerning him or her processed by Europol in accordance with
Article 36 shall have the right to request Europol, through the authority appointed for that purpose in the
Member State of his or her choice, to erase personal data relating to him or her held by Europol if they are no longer
required for the purposes for which they are collected or are further processed. That authority shall refer the request to
Europol without delay and in any case within one month of receipt.

3. Europol shall restrict rather than erase personal data as referred to in paragraph 2 if there are reasonable grounds
to believe that erasure could affect the legitimate interests of the data subject. Restricted data shall be processed only for
the purpose that prevented their erasure.

4. If personal data as referred to in paragraphs 1, 2 and 3 held by Europol have been provided to it by third
countries, international organisations or Union bodies, have been directly provided by private parties or have been
retrieved by Europol from publicly available sources or result from Europol's own analyses, Europol shall rectify, erase
or restrict such data and, where appropriate, inform the providers of the data.

5. If personal data as referred to in paragraphs 1, 2 and 3 held by Europol have been provided to Europol by
Member States, the Member States concerned shall rectify, erase or restrict such data in collaboration with Europol,
within their respective competences.

6. If incorrect personal data have been transferred by another appropriate means or if the errors in the data provided
by Member States are due to faulty transfer or transfer in breach of this Regulation or if they result from data being
input, taken over or stored in an incorrect manner or in breach of this Regulation by Europol, Europol shall rectify or
erase such data in collaboration with the provider of the data concerned.

7. In the cases referred to in paragraphs 4, 5 and 6, all addressees of the data concerned shall be notified forthwith.
In accordance with the rules applicable to them, the addressees shall then rectify, erase or restrict those data in their
systems.

8. Europol shall inform the data subject in writing without undue delay, and in any case within three months of
receipt of a request in accordance with paragraph 1 or 2, that data concerning him or her have been rectified, erased or
restricted.

9. Within three months of receipt of a request in accordance with paragraph 1 or 2, Europol shall inform the data
subject in writing of any refusal of rectification, erasure or restricting, of the reasons for such a refusal and of the
possibility of lodging a complaint with the EDPS and of seeking a judicial remedy.

Article 38

Responsibility in data protection matters

1. Europol shall store personal data in a way that ensures that their source, as referred to in Article 17, can be
established.

2. The responsibility for the quality of personal data as referred to in point (d) of Article 28(1) shall lie with:

(a) the Member State or the Union body which provided the personal data to Europol;

(b) Europol in respect of personal data provided by third countries or international organisations or directly provided by
private parties; of personal data retrieved by Europol from publicly available sources or resulting from Europol's
own analyses; and of personal data stored by Europol in accordance with Article 31(5).
24.5.2016 EN Official Journal of the European Union L 135/89

3. If Europol becomes aware that personal data provided pursuant to points (a) and (b) of Article 17(1) are factually
incorrect or have been unlawfully stored, it shall inform the provider of those data accordingly.

4. Europol shall be responsible for compliance with the principles referred to in points (a), (b), (c), (e) and (f) of
Article 28(1).

5. The responsibility for the legality of a data transfer shall lie with:

(a) the Member State which provided the personal data to Europol;

(b) Europol in the case of personal data provided by it to Member States, third countries or international organisations.

6. In the case of a transfer between Europol and a Union body, the responsibility for the legality of the transfer shall
lie with Europol.

Without prejudice to the first subparagraph, where the data are transferred by Europol following a request from the
recipient, both Europol and the recipient shall be responsible for the legality of such a transfer.

7. Europol shall be responsible for all data processing operations carried out by it, with the exception of the bilateral
exchange of data using Europol's infrastructure between Member States, Union bodies, third countries and international
organisations to which Europol has no access. Such bilateral exchanges shall take place under the responsibility of the
entities concerned and in accordance with their law. The security of such exchanges shall be ensured in accordance with
Article 32.

Article 39

Prior consultation

1. Any new type of processing operations to be carried out shall be subject to prior consultation where:

(a) special categories of data as referred to in Article 30(2) are to be processed;

(b) the type of processing, in particular using new technologies, mechanisms or procedures, presents specific risks for
the fundamental rights and freedoms, and in particular the protection of personal data, of data subjects.

2. The prior consultation shall be carried out by the EDPS following receipt of a notification from the Data
Protection Officer that shall contain at least a general description of the envisaged processing operations, an assessment
of the risks to the rights and freedoms of data subjects, the measures envisaged to address those risks, safeguards and
security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this
Regulation, taking into account the rights and legitimate interests of the data subjects and other persons concerned.

3. The EDPS shall deliver his or her opinion to the Management Board within two months following receipt of the
notification. That period may be suspended until the EDPS has obtained any further information that he or she may
have requested.

If the opinion has not been delivered after four months it shall be deemed to be favourable.

If the opinion of the EDPS is that the notified processing may involve a breach of any provision of this Regulation, he
or she shall, where appropriate, make proposals to avoid such a breach. Where Europol does not modify the processing
operation accordingly, the EDPS may exercise the powers granted to him or her under Article 43(3).
L 135/90 EN Official Journal of the European Union 24.5.2016

4. The EDPS shall keep a register of all processing operations that have been notified to him or her pursuant to
paragraph 1. The register shall not be made public.

Article 40

Logging and documentation

1. For the purpose of verifying the lawfulness of data processing, self-monitoring and ensuring proper data integrity
and security, Europol shall keep records of the collection, alteration, access, disclosure, combination or erasure of
personal data. Such logs or documentation shall be deleted after three years, unless the data which they contain are
further required for ongoing control. There shall be no possibility of modifying the logs.

2. Logs or documentation prepared pursuant to paragraph 1 shall be communicated upon request to the EDPS, to the
Data Protection Officer and, if required for a specific investigation, to the national unit concerned. The information thus
communicated shall only be used for the control of data protection and for ensuring proper data processing as well as
data integrity and security.

Article 41

Data Protection Officer

1. The Management Board shall appoint a Data Protection Officer, who shall be a member of the staff. In the
performance of his or her duties, he or she shall act independently.

2. The Data Protection Officer shall be selected on the basis of his or her personal and professional qualities and, in
particular, the expert knowledge of data protection.

It shall be ensured in the selection of the Data Protection Officer that no conflict of interest may result from the
performance of his or her duty in that capacity and from any other official duties, in particular those relating to the
application of this Regulation.

3. The Data Protection Officer shall be appointed for a term of four years. He or she shall be eligible for
reappointment up to a maximum total term of eight years. He or she may be dismissed from his or her function as Data
Protection Officer by the Management Board only with the consent of the EDPS, if he or she no longer meets the
conditions required for the performance of his or her duties.

4. After his or her appointment, the Data Protection Officer shall be registered with the EDPS by the Management
Board.

5. With respect to the performance of his or her duties, the Data Protection Officer shall not receive any instructions.

6. The Data Protection Officer shall, in particular, have the following tasks with regard to personal data, with the
exception of administrative personal data:

(a) ensuring, in an independent manner, the internal application of this Regulation concerning the processing of
personal data;

(b) ensuring that a record of the transfer and receipt of personal data is kept in accordance with this Regulation;
24.5.2016 EN Official Journal of the European Union L 135/91

(c) ensuring that data subjects are informed of their rights under this Regulation at their request;

(d) cooperating with Europol staff responsible for procedures, training and advice on data processing;

(e) cooperating with the EDPS;

(f) preparing an annual report and communicating that report to the Management Board and to the EDPS;

(g) keeping a register of personal data breaches.

7. The Data Protection Officer shall also carry out the functions provided for by Regulation (EC) No 45/2001 with
regard to administrative personal data.

8. In the performance of his or her tasks, the Data Protection Officer shall have access to all the data processed by
Europol and to all Europol premises.

9. If the Data Protection Officer considers that the provisions of this Regulation concerning the processing of
personal data have not been complied with, he or she shall inform the Executive Director and shall require him or her
to resolve the non-compliance within a specified time.

If the Executive Director does not resolve the non-compliance of the processing within the time specified, the Data
Protection Officer shall inform the Management Board. The Data Protection Officer and the Management Board shall
agree a specified time for a response by the latter. If the Management Board does not resolve the non-compliance within
the time specified, the Data Protection Officer shall refer the matter to the EDPS.

10. The Management Board shall adopt implementing rules concerning the Data Protection Officer. Those
implementing rules shall, in particular, concern the selection procedure for the position of the Data Protection Officer
and his or her dismissal, tasks, duties and powers, and safeguards ensuring the independence of the Data Protection
Officer.

11. Europol shall provide the Data Protection Officer with the staff and resources needed in order for him or her to
be able to carry out his or her duties. Those staff members shall have access to all the data processed at Europol and to
Europol premises only to the extent necessary for the performance of their tasks.

12. The Data Protection Officer and his or her staff shall be bound by the obligation of confidentiality in accordance
with Article 67(1).

Article 42

Supervision by the national supervisory authority

1. Each Member State shall designate a national supervisory authority. The national supervisory authority shall have
the task of monitoring independently, in accordance with its national law, the permissibility of the transfer, the retrieval
and any communication to Europol of personal data by the Member State concerned, and of examining whether such
transfer, retrieval or communication violates the rights of the data subjects concerned. For that purpose, the national
supervisory authority shall have access, at the national unit or at the liaison officers' premises, to data submitted by its
Member State to Europol in accordance with the relevant national procedures and to logs and documentation as referred
to in Article 40.

2. For the purpose of exercising their supervisory function, national supervisory authorities shall have access to the
offices and documents of their respective liaison officers at Europol.
L 135/92 EN Official Journal of the European Union 24.5.2016

3. National supervisory authorities shall, in accordance with the relevant national procedures, supervise the activities
of national units and the activities of liaison officers, insofar as such activities are relevant to the protection of personal
data. They shall also keep the EDPS informed of any actions they take with respect to Europol.

4. Any person shall have the right to request the national supervisory authority to verify the legality of any transfer
or communication to Europol of data concerning him or her in any form and of access to those data by the
Member State concerned. That right shall be exercised in accordance with the national law of the Member State in which
the request is made.

Article 43

Supervision by the EDPS

1. The EDPS shall be responsible for monitoring and ensuring the application of the provisions of this Regulation
relating to the protection of fundamental rights and freedoms of natural persons with regard to the processing of
personal data by Europol, and for advising Europol and data subjects on all matters concerning the processing of
personal data. To that end, he or she shall fulfil the duties set out in paragraph 2 and exercise the powers laid down in
paragraph 3, while closely cooperating with the national supervisory authorities in accordance with Article 44.

2. The EDPS shall have the following duties:

(a) hearing and investigating complaints, and informing the data subject of the outcome within a reasonable period;

(b) conducting inquiries either on his or her own initiative or on the basis of a complaint, and informing the data
subject of the outcome within a reasonable period;

(c) monitoring and ensuring the application of this Regulation and any other Union act relating to the protection of
natural persons with regard to the processing of personal data by Europol;

(d) advising Europol, either on his or her own initiative or in response to a consultation, on all matters concerning the
processing of personal data, in particular before it draws up internal rules relating to the protection of fundamental
rights and freedoms with regard to the processing of personal data;

(e) keeping a register of new types of processing operations notified to him or her by virtue of Article 39(1) and
registered in accordance with Article 39(4);

(f) carrying out a prior consultation on processing notified to him or her.

3. The EDPS may pursuant to this Regulation:

(a) give advice to data subjects on the exercise of their rights;

(b) refer a matter to Europol in the event of an alleged breach of the provisions governing the processing of personal
data, and, where appropriate, make proposals for remedying that breach and for improving the protection of the
data subjects;

(c) order that requests to exercise certain rights in relation to data be complied with where such requests have been
refused in breach of Articles 36 and 37;

(d) warn or admonish Europol;

24.5.2016 EN Official Journal of the European Union L 135/93

(e) order Europol to carry out the rectification, restriction, erasure or destruction of personal data which have been
processed in breach of the provisions governing the processing of personal data and to notify such actions to third
parties to whom such data have been disclosed;

(f) impose a temporary or definitive ban on processing operations by Europol which are in breach of the provisions
governing the processing of personal data;

(g) refer a matter to Europol and, if necessary, to the European Parliament, the Council and the Commission;

(h) refer a matter to the Court of Justice of the European Union under the conditions provided for in the TFEU;

(i) intervene in actions brought before the Court of Justice of the European Union.

4. The EDPS shall have the power to:

(a) obtain from Europol access to all personal data and to all information necessary for his or her enquiries;

(b) obtain access to any premises in which Europol carries on its activities when there are reasonable grounds for
presuming that an activity covered by this Regulation is being carried out there.

5. The EDPS shall draw up an annual report on the supervisory activities of Europol, after consulting the national
supervisory authorities. That report shall be part of the annual report of the EDPS referred to in Article 48 of
Regulation (EC) No 45/2001.

The report shall include statistical information regarding complaints, inquiries, and investigations carried out in
accordance with paragraph 2, as well as regarding transfers of personal data to third countries and international organ­
isations, cases of prior consultation, and the use of the powers laid down in paragraph 3.

6. The EDPS, the officials and the other staff members of the EDPS's Secretariat shall be bound by the obligation of
confidentiality laid down in Article 67(1).

Article 44

Cooperation between the EDPS and national supervisory authorities

1. The EDPS shall act in close cooperation with the national supervisory authorities on issues requiring national
involvement, in particular if the EDPS or a national supervisory authority finds major discrepancies between the
practices of Member States or potentially unlawful transfers in the use of Europol's channels for exchanges of
information, or in the context of questions raised by one or more national supervisory authorities on the implemen­
tation and interpretation of this Regulation.

2. The EDPS shall use the expertise and experience of the national supervisory authorities in carrying out his or her
duties as set out in Article 43(2). In carrying out joint inspections together with the EDPS, members and staff of
national supervisory authorities shall, taking due account of the principles of subsidiarity and proportionality, have
powers equivalent to those laid down in Article 43(4) and be bound by an obligation equivalent to that laid down in
Article 43(6). The EDPS and the national supervisory authorities shall, each acting within the scope of their respective
competences, exchange relevant information and assist each other in carrying out audits and inspections.

3. The EDPS shall keep national supervisory authorities fully informed of all issues directly affecting or otherwise
relevant to them. Upon the request of one or more national supervisory authorities, the EDPS shall inform them of
specific issues.
L 135/94 EN Official Journal of the European Union 24.5.2016

4. In cases relating to data originating from one or more Member States, including the cases referred to in
Article 47(2), the EDPS shall consult the national supervisory authorities concerned. The EDPS shall not decide on
further action to be taken before those national supervisory authorities have informed the EDPS of their position, within
a deadline specified by him or her which shall not be shorter than one month and not longer than three months. The
EDPS shall take the utmost account of the respective positions of the national supervisory authorities concerned. In
cases where the EDPS intends not to follow the position of a national supervisory authority, he or she shall inform that
authority, provide a justification and submit the matter for discussion to the Cooperation Board established by
Article 45(1).

In cases which the EDPS considers to be extremely urgent, he or she may decide to take immediate action. In such cases,
the EDPS shall immediately inform the national supervisory authorities concerned and justify the urgent nature of the
situation as well as the action he or she has taken.

Article 45

Cooperation Board

1. A Cooperation Board with an advisory function is hereby established. It shall be composed of a representative of a
national supervisory authority of each Member State and of the EDPS.

2. The Cooperation Board shall act independently when performing its tasks pursuant to paragraph 3 and shall
neither seek nor take instructions from any body.

3. The Cooperation Board shall have the following tasks:

(a) discussing general policy and strategy of data protection supervision of Europol and the permissibility of the
transfer, the retrieval and any communication to Europol of personal data by the Member States;

(b) examining difficulties of interpretation or application of this Regulation;

(c) studying general problems relating to the exercise of independent supervision or the exercise of the rights of data
subjects;

(d) discussing and drawing up harmonised proposals for joint solutions on matters referred to in Article 44(1);

(e) discussing cases submitted by the EDPS in accordance with Article 44(4);

(f) discussing cases submitted by any national supervisory authority; and

(g) promoting awareness of data protection rights.

4. The Cooperation Board may issue opinions, guidelines, recommendations and best practices. The EDPS and the
national supervisory authorities shall, without prejudice to their independence and each acting within the scope of their
respective competences, take the utmost account of them.

5. The Cooperation Board shall meet whenever necessary, and at least twice a year. The costs and servicing of its
meetings shall be borne by the EDPS.

6. Rules of procedure of the Cooperation Board shall be adopted at its first meeting by a simple majority of its
members. Further working methods shall be developed jointly as necessary.
24.5.2016 EN Official Journal of the European Union L 135/95

Article 46

Administrative personal data

Regulation (EC) No 45/2001 shall apply to all administrative personal data held by Europol.

CHAPTER VII

REMEDIES AND LIABILITY

Article 47

Right to lodge a complaint with the EDPS

1. Any data subject shall have the right to lodge a complaint with the EDPS if he or she considers that the processing
by Europol of personal data relating to him or her does not comply with this Regulation.

2. Where a complaint relates to a decision as referred to in Article 36 or 37, the EDPS shall consult the national
supervisory authorities of the Member State that provided the data or the Member State directly concerned. In adopting
his or her decision, which may extend to a refusal to communicate any information, the EDPS shall take into account
the opinion of the national supervisory authority.

3. Where a complaint relates to the processing of data provided by a Member State to Europol, the EDPS and the
national supervisory authority of the Member State that provided the data shall, each acting within the scope of their
respective competences, ensure that the necessary checks on the lawfulness of the processing of the data have been
carried out correctly.

4. Where a complaint relates to the processing of data provided to Europol by Union bodies, third countries or inter­
national organisations, or of data retrieved by Europol from publicly available sources or resulting from Europol's own
analyses, the EDPS shall ensure that Europol has correctly carried out the necessary checks on the lawfulness of the
processing of the data.

Article 48

Right to a judicial remedy against the EDPS

Any action against a decision of the EDPS shall be brought before the Court of Justice of the European Union.

Article 49

General provisions on liability and the right to compensation

1. Europol's contractual liability shall be governed by the law applicable to the contract in question.

2. The Court of Justice of the European Union shall have jurisdiction to give judgment pursuant to any arbitration
clause in a contract concluded by Europol.
L 135/96 EN Official Journal of the European Union 24.5.2016

3. Without prejudice to Article 49, in the case of non-contractual liability, Europol shall, in accordance with the
general principles common to the laws of the Member States, make good any damage caused by its departments or by
its staff in the performance of their duties.

4. The Court of Justice of the European Union shall have jurisdiction in disputes relating to compensation for damage
as referred to in paragraph 3.

5. The personal liability of Europol staff vis-à-vis Europol shall be governed by the provisions laid down in the Staff
Regulations or in the Conditions of Employment of Other Servants applicable to them.

Article 50

Liability for incorrect personal data processing and the right to compensation

1. Any individual who has suffered damage as a result of an unlawful data processing operation shall have the right
to receive compensation for damage suffered, either from Europol in accordance with Article 340 TFEU or from the
Member State in which the event that gave rise to the damage occurred, in accordance with its national law. The
individual shall bring an action against Europol before the Court of Justice of the European Union, or against the
Member State before a competent national court of that Member State.

2. Any dispute between Europol and Member States over the ultimate responsibility for compensation awarded to an
individual in accordance with paragraph 1 shall be referred to the Management Board, which shall decide by a
majority of two-thirds of its members, without prejudice to the right to challenge that decision in accordance with
Article 263 TFEU.

CHAPTER VIII

JOINT PARLIAMENTARY SCRUTINY

Article 51

Joint Parliamentary scrutiny

1. Pursuant to Article 88 TFEU, the scrutiny of Europol's activities shall be carried out by the European Parliament
together with national parliaments. This shall constitute a specialised Joint Parliamentary Scrutiny Group (JPSG)
established together by the national parliaments and the competent committee of the European Parliament. The
organisation and the rules of procedure of the JPSG shall be determined together by the European Parliament and the
national parliaments in accordance with Article 9 of Protocol No 1.

2. The JPSG shall politically monitor Europol's activities in fulfilling its mission, including as regards the impact of
those activities on the fundamental rights and freedoms of natural persons.

For the purposes of the first subparagraph:

(a) the Chairperson of the Management Board, the Executive Director or their Deputies shall appear before the JPSG at
its request to discuss matters relating to the activities referred to in the first subparagraph, including the budgetary
aspects of such activities, the structural organisation of Europol and the potential establishment of new units and
specialised centres, taking into account the obligations of discretion and confidentiality. The JPSG may decide to
invite to its meetings other relevant persons, where appropriate;
24.5.2016 EN Official Journal of the European Union L 135/97

(b) the EDPS shall appear before the JPSG at its request, and at least once a year, to discuss general matters relating to
the protection of fundamental rights and freedoms of natural persons, and in particular the protection of personal
data, with regard to Europol's activities, taking into account the obligations of discretion and confidentiality;

(c) the JPSG shall be consulted in relation to the multiannual programming of Europol in accordance with Article 12(1).

3. Europol shall transmit the following documents, for information purposes, to the JPSG, taking into account the
obligations of discretion and confidentiality:

(a) threat assessments, strategic analyses and general situation reports relating to Europol's objective as well as the
results of studies and evaluations commissioned by Europol;

(b) the administrative arrangements concluded pursuant to Article 25(1);

(c) the document containing the multiannual programming and the annual work programme of Europol, referred to in
Article 12(1);

(d) the consolidated annual activity report on Europol's activities, referred to in point (c) of Article 11(1);

(e) the evaluation report drawn up by the Commission, referred to in Article 68(1).

4. The JPSG may request other relevant documents necessary for the fulfilment of its tasks relating to the political
monitoring of Europol's activities, subject to Regulation (EC) No 1049/2001 of the European Parliament and of the
Council (1) and without prejudice to Articles 52 and 67 of this Regulation.

5. The JPSG may draw up summary conclusions on the political monitoring of Europol's activities and submit those
conclusions to the European Parliament and national parliaments. The European Parliament shall forward them, for
information purposes, to the Council, the Commission and Europol.

Article 52

Access by the European Parliament to information processed by or through Europol

1. For the purpose of enabling it to exercise parliamentary scrutiny of Europol's activities in accordance with
Article 51, access by the European Parliament to sensitive non-classified information processed by or through Europol,
upon the European Parliament's request, shall comply with the rules referred to in Article 67(1).

2. Access by the European Parliament to EU classified information processed by or through Europol shall be
consistent with the Interinstitutional Agreement of 12 March 2014 between the European Parliament and the Council
concerning the forwarding to and the handling by the European Parliament of classified information held by the Council
on matters other than those in the area of the common foreign and security policy (2), and shall comply with the rules
referred to in Article 67(2) of this Regulation.

3. The necessary details regarding access by the European Parliament to the information referred to in paragraphs 1
and 2 shall be governed by working arrangements concluded between Europol and the European Parliament.

(1) Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European
Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).
(2) OJ C 95, 1.4.2014, p. 1.
L 135/98 EN Official Journal of the European Union 24.5.2016

CHAPTER IX

STAFF

Article 53

General provisions

1. The Staff Regulations, the Conditions of Employment of Other Servants and the rules adopted by agreement
between the institutions of the Union for giving effect to the Staff Regulations and to the Conditions of Employment of
Other Servants shall apply to the staff of Europol with the exception of staff who, on 1 May 2017, are employed
pursuant to a contract concluded by Europol as established by the Europol Convention without prejudice to
Article 73(4) of this Regulation. Such contracts shall continue to be governed by the Council Act of 3 December 1998.

2. Europol staff shall consist of temporary staff and/or contract staff. The Management Board shall be informed on a
yearly basis of contracts of an indefinite duration granted by the Executive Director. The Management Board shall decide
which temporary posts provided for in the establishment plan can be filled only by staff from the competent authorities
of the Member States. Staff recruited to occupy such posts shall be temporary agents and may be awarded only fixed-
term contracts, renewable once for a fixed period.

Article 54

Executive Director

1. The Executive Director shall be engaged as a temporary agent of Europol under point (a) of Article 2 of the
Conditions of Employment of Other Servants.

2. The Executive Director shall be appointed by the Council from a shortlist of candidates proposed by the
Management Board, following an open and transparent selection procedure.

The shortlist shall be drawn up by a selection committee set up by the Management Board and composed of members
designated by Member States and a Commission representative

For the purpose of concluding a contract with the Executive Director, Europol shall be represented by the Chairperson
of the Management Board.

Before appointment, the candidate selected by the Council may be invited to appear before the competent committee of
the European Parliament, which shall subsequently give a non-binding opinion.

3. The term of office of the Executive Director shall be four years. By the end of that period, the Commission, in
association with the Management Board, shall undertake an assessment taking into account:

(a) an evaluation of the Executive Director's performance, and

(b) Europol's future tasks and challenges.

4. The Council, acting on a proposal from the Management Board that takes into account the assessment referred to
in paragraph 3, may extend the term of office of the Executive Director once and for no more than four years.
24.5.2016 EN Official Journal of the European Union L 135/99

5. The Management Board shall inform the European Parliament if it intends to propose to the Council that the
Executive Director's term of office be extended. Within the month before any such extension, the Executive Director may
be invited to appear before the competent committee of the European Parliament.

6. An Executive Director whose term of office has been extended shall not participate in another selection procedure
for the same post at the end of the overall period.

7. The Executive Director may be removed from office only pursuant to a decision of the Council acting on a
proposal from the Management Board. The European Parliament shall be informed about that decision.

8. The Management Board shall reach decisions regarding proposals to be made to the Council on the appointment,
extension of the term of office, or removal from office, of the Executive Director by a majority of two-thirds of its
members with voting rights.

Article 55

Deputy Executive Directors

1. Three Deputy Executive Directors shall assist the Executive Director. The Executive Director shall define their tasks.

2. Article 54 shall apply to the Deputy Executive Directors. The Executive Director shall be consulted prior to their
appointment, any extension of their term of office or their removal from office.

Article 56

Seconded national experts

1. Europol may make use of seconded national experts.

2. The Management Board shall adopt a decision laying down rules on the secondment of national experts to
Europol.

CHAPTER X

FINANCIAL PROVISIONS

Article 57

Budget

1. Estimates of all revenue and expenditure for Europol shall be prepared each financial year, which shall correspond
to the calendar year, and shall be shown in Europol's budget.

2. Europol's budget shall be balanced in terms of revenue and of expenditure.

L 135/100 EN Official Journal of the European Union 24.5.2016

3. Without prejudice to other resources, Europol's revenue shall comprise a contribution from the Union entered in
the general budget of the Union.

4. Europol may benefit from Union funding in the form of delegation agreements or ad hoc grants in accordance
with its financial rules referred to in Article 61 and with the provisions of the relevant instruments supporting the
policies of the Union.

5. Europol's expenditure shall include staff remuneration, administrative and infrastructure expenses, and operating
costs.

6. Budgetary commitments for actions relating to large-scale projects extending over more than one financial year
may be broken down into several annual instalments.

Article 58

Establishment of the budget

1. Each year the Executive Director shall draw up a draft statement of estimates of Europol's revenue and expenditure
for the following financial year, including an establishment plan, and shall send it to the Management Board.

2. The Management Board shall, on the basis of the draft statement of estimates, adopt a provisional draft estimate of
Europol's revenue and expenditure for the following financial year and shall send it to the Commission by 31 January
each year.

3. The Management Board shall send the final draft estimate of Europol's revenue and expenditure, which shall
include a draft establishment plan, to the European Parliament, the Council and the Commission by 31 March each year.

4. The Commission shall send the statement of estimates to the European Parliament and the Council, together with
the draft general budget of the Union.

5. On the basis of the statement of estimates, the Commission shall enter in the draft general budget of the Union
the estimates that it considers necessary for the establishment plan and the amount of the contribution to be charged to
the general budget, which it shall place before the European Parliament and the Council in accordance with Articles 313
and 314 TFEU.

6. The European Parliament and the Council shall authorise the appropriations for the contribution from the Union
to Europol.

7. The European Parliament and the Council shall adopt Europol's establishment plan.

8. Europol's budget shall be adopted by the Management Board. It shall become final following the final adoption of
the general budget of the Union. Where necessary, it shall be adjusted accordingly.

9. For any building projects likely to have significant implications for Europol's budget, Delegated Regulation (EU)
No 1271/2013 shall apply.
24.5.2016 EN Official Journal of the European Union L 135/101

Article 59

Implementation of the budget

1. The Executive Director shall implement Europol's budget.

2. Each year the Executive Director shall send to the European Parliament and the Council all information relevant to
the findings of any evaluation procedures.

Article 60

Presentation of accounts and discharge

1. Europol's accounting officer shall send the provisional accounts for the financial year (year N) to the Commission's
accounting officer and to the Court of Auditors by 1 March of the following financial year (year N + 1).

2. Europol shall send a report on the budgetary and financial management for year N to the European Parliament,
the Council and the Court of Auditors by 31 March of year N + 1.

3. The Commission's accounting officer shall send Europol's provisional accounts for year N, consolidated with the
Commission's accounts, to the Court of Auditors by 31 March of year N + 1.

4. On receipt of the Court of Auditors' observations on Europol's provisional accounts for year N pursuant to
Article 148 of Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council (1), Europol's
accounting officer shall draw up Europol's final accounts for that year. The Executive Director shall submit them to the
Management Board for an opinion.

5. The Management Board shall deliver an opinion on Europol's final accounts for year N.

6. Europol's accounting officer shall, by 1 July of year N + 1, send the final accounts for year N to the
European Parliament, the Council, the Commission, the Court of Auditors and national parliaments, together with the
Management Board's opinion referred to in paragraph 5.

7. The final accounts for year N shall be published in the Official Journal of the European Union by 15 November of
year N + 1.

8. The Executive Director shall send to the Court of Auditors, by 30 September of year N + 1, a reply to the
observations made in its annual report. He or she shall also send the reply to the Management Board.

9. The Executive Director shall submit to the European Parliament, at the latter's request, any information required
for the smooth application of the discharge procedure for year N, as laid down in Article 109(3) of Delegated
Regulation (EU) No 1271/2013.

10. On a recommendation from the Council acting by a qualified majority, the European Parliament shall,
before 15 May of year N + 2, grant a discharge to the Executive Director in respect of the implementation of the budget
for year N.

(1) Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council of 25 October 2012 on the financial rules
applicable to the general budget of the Union and repealing Council Regulation (EC, Euratom) No 1605/2002 (OJ L 298, 26.10.2012,
p. 1).
L 135/102 EN Official Journal of the European Union 24.5.2016

Article 61

Financial rules

1. The financial rules applicable to Europol shall be adopted by the Management Board after consultation with the
Commission. They shall not depart from Delegated Regulation (EU) No 1271/2013 unless such a departure is
specifically required for the operation of Europol and the Commission has given its prior consent.

2. Europol may award grants related to the fulfilment of tasks as referred to in Article 4.

3. Europol may award grants without a call for proposals to Member States for performance of their cross-border
operations and investigations and for the provision of training relating to the tasks referred to in points (h) and (i) of
Article 4(1).

4. In respect of the financial support to be given to joint investigation teams' activities, Europol and Eurojust shall
jointly establish the rules and conditions upon which applications for such support are to be processed.

CHAPTER XI

MISCELLANEOUS PROVISIONS

Article 62

Legal status

1. Europol shall be an agency of the Union. It shall have legal personality.

2. In each Member State Europol shall enjoy the most extensive legal capacity accorded to legal persons under
national law. Europol may, in particular, acquire and dispose of movable and immovable property and be a party to
legal proceedings.

3. In accordance with Protocol No 6 on the location of the seats of the institutions and of certain bodies, agencies
and departments of the European Union, annexed to the TEU and to the TFEU (‘Protocol No 6’), Europol shall have its
seat in The Hague.

Article 63

Privileges and immunities

1. Protocol No 7 on the privileges and immunities of the European Union, annexed to the TEU and to the TFEU,
shall apply to Europol and its staff.

2. Privileges and immunities of liaison officers and members of their families shall be subject to an agreement
between the Kingdom of Netherlands and the other Member States. That agreement shall provide for such privileges and
immunities as are necessary for the proper performance of the tasks of liaison officers.
24.5.2016 EN Official Journal of the European Union L 135/103

Article 64

Language arrangements

1. The provisions laid down in Regulation No 1 (1) shall apply to Europol.

2. The Management Board shall decide by a majority of two-thirds of its members on the internal language
arrangements of Europol.

3. The translation services required for the functioning of Europol shall be provided by the Translation Centre for the
bodies of the European Union.

Article 65

Transparency

1. Regulation (EC) No 1049/2001 shall apply to documents held by Europol.

2. By 14 December 2016, the Management Board shall adopt the detailed rules for applying Regulation (EC)
No 1049/2001 with regard to Europol documents.

3. Decisions taken by Europol under Article 8 of Regulation (EC) No 1049/2001 may be the subject of a complaint
to the European Ombudsman or of an action before the Court of Justice of the European Union, in accordance with
Articles 228 and 263 TFEU respectively.

4. Europol shall publish on its website a list of the Management Board members and summaries of the outcome of
the meetings of the Management Board. The publication of those summaries shall be temporarily or permanently
omitted or restricted if such publication would risk jeopardising the performance of Europol's tasks, taking into account
its obligations of discretion and confidentiality and the operational character of Europol.

Article 66

Combating fraud

1. In order to facilitate the fight against fraud, corruption and any other illegal activities under Regulation (EU,
Euratom) No 883/2013, Europol shall, by 30 October 2017, accede to the Interinstitutional Agreement of 25 May 1999
between the European Parliament, the Council of the European Union and the Commission of the
European Communities concerning internal investigations by the European Anti-Fraud Office (OLAF) (2) and shall adopt
appropriate provisions applicable to all employees of Europol, using the template set out in the Annex to that
Agreement.

2. The Court of Auditors shall have a power of audit, on the basis of documents and on-the-spot checks, over all
grant beneficiaries, contractors and subcontractors who have received Union funds from Europol.

(1) Regulation No 1 determining the languages to be used by the European Economic Community (OJ 17, 6.10.1958, p. 385/58).
(2) OJ L 136, 31.5.1999, p. 15.
L 135/104 EN Official Journal of the European Union 24.5.2016

3. OLAF may carry out investigations, including on-the-spot checks and inspections, with a view to establishing
whether there has been fraud, corruption or any other illegal activity affecting the financial interests of the Union in
connection with a grant or a contract awarded by Europol. Such investigations shall be carried out in accordance with
the provisions and procedures laid down in Regulation (EU, Euratom) No 883/2013 and in Council Regulation
(Euratom, EC) No 2185/96 (1).

4. Without prejudice to paragraphs 1, 2 and 3, working arrangements with Union bodies, authorities of third
countries, international organisations and private parties, contracts, grant agreements and grant decisions of Europol
shall contain provisions expressly empowering the Court of Auditors and OLAF to conduct the audits and investigations
referred to in paragraphs 2 and 3, in accordance with their respective competences.

Article 67

Rules on the protection of sensitive non-classified and classified information

1. Europol shall establish rules on the obligations of discretion and confidentiality and on the protection of sensitive
non-classified information.

2. Europol shall establish rules on the protection of EU classified information which shall be consistent with
Decision 2013/488/EU in order to ensure an equivalent level of protection for such information.

Article 68

Evaluation and review

1. By 1 May 2022 and every five years thereafter, the Commission shall ensure that an evaluation assessing, in
particular, the impact, effectiveness and efficiency of Europol and of its working practices is carried out. The evaluation
may, in particular, address the possible need to modify the structure, operation, field of action and tasks of Europol, and
the financial implications of any such modification.

2. The Commission shall submit the evaluation report to the Management Board. The Management Board shall
provide its observations on the evaluation report within three months from the date of receipt. The Commission shall
then submit the final evaluation report, together with the Commission's conclusions, and the Management Board's
observations in an annex thereto, to the European Parliament, the Council, the national parliaments and the
Management Board. Where appropriate, the main findings of the evaluation report shall be made public.

Article 69

Administrative inquiries

The activities of Europol shall be subject to inquiries by the European Ombudsman in accordance with Article 228
TFEU.

(1) Council Regulation (Euratom, EC) No 2185/96 of 11 November 1996 concerning on-the-spot checks and inspections carried out by the
Commission in order to protect the European Communities' financial interests against fraud and other irregularities (OJ L 292,
15.11.1996, p. 2).
24.5.2016 EN Official Journal of the European Union L 135/105

Article 70

Headquarters

The necessary arrangements concerning the accommodation to be provided for Europol in the Kingdom of the
Netherlands and the facilities to be made available by the Kingdom of the Netherlands, together with the specific rules
applicable there to the Executive Director, members of the Management Board, Europol's staff and members of their
families, shall be laid down in a headquarters agreement between Europol and the Kingdom of the Netherlands, in
accordance with Protocol No 6.

CHAPTER XII

TRANSITIONAL PROVISIONS

Article 71

Legal succession

1. Europol as established by this Regulation shall be the legal successor in respect of all contracts concluded by,
liabilities incumbent upon and properties acquired by Europol as established by Decision 2009/371/JHA.

2. This Regulation shall not affect the legal force of agreements concluded by Europol as established by
Decision 2009/371/JHA before 13 June 2016, or of agreements concluded by Europol as established by the Europol
Convention before 1 January 2010.

Article 72

Transitional arrangements concerning the Management Board

1. The term of office of the members of the Management Board as established on the basis of Article 37 of
Decision 2009/371/JHA shall terminate on 1 May 2017.

2. During the period from 13 June 2016 to 1 May 2017, the Management Board as established on the basis of
Article 37 of Decision 2009/371/JHA shall:

(a) exercise the functions of the Management Board in accordance with Article 11 of this Regulation;

(b) prepare the adoption of the rules relating to the application of Regulation (EC) No 1049/2001 with regard to
Europol documents as referred to in Article 65(2) of this Regulation, and of the rules referred to in Article 67 of
this Regulation;

(c) prepare any instrument necessary for the application of this Regulation, in particular any measures relating to
Chapter IV; and

(d) review the internal rules and measures which it has adopted on the basis of Decision 2009/371/JHA so as to allow
the Management Board as established pursuant to Article 10 of this Regulation to take a decision pursuant to
Article 76 of this Regulation.
L 135/106 EN Official Journal of the European Union 24.5.2016

3. The Commission shall without delay after 13 June 2016 take the measures necessary to ensure that the
Management Board established pursuant to Article 10 starts its work on 1 May 2017.

4. By 14 December 2016, the Member States shall notify the Commission of the names of the persons whom they
have appointed as member and alternate member of the Management Board, in accordance with Article 10.

5. The Management Board established pursuant to Article 10 shall hold its first meeting on 1 May 2017. On that
occasion it shall, if necessary, take decisions as referred to in Article 76.

Article 73

Transitional arrangements concerning the Executive Director, the Deputy Directors and staff

1. The Director of Europol appointed on the basis of Article 38 of Decision 2009/371/JHA shall, for the remaining
period of his or her term of office, be assigned the responsibilities of Executive Director, as provided for in Article 16 of
this Regulation. The other conditions of his or her contract shall remain unchanged. If the term of office ends between
13 June 2016 and 1 May 2017, it shall be extended automatically until 1 May 2018.

2. Should the Director appointed on the basis of Article 38 of Decision 2009/371/JHA be unwilling or unable to act
in accordance with paragraph 1 of this Article, the Management Board shall designate an interim Executive Director to
exercise the duties assigned to the Executive Director for a period not exceeding 18 months, pending the appointment
provided for in Article 54(2) of this Regulation.

3. Paragraphs 1 and 2 of this Article shall apply to the Deputy Directors appointed on the basis of Article 38 of
Decision 2009/371/JHA.

4. In accordance with the Conditions of Employment of Other Servants, the authority referred to in the first
paragraph of Article 6 thereof shall offer employment of indefinite duration as a member of the temporary or contract
staff to any person who, on 1 May 2017, is employed under a contract of indefinite duration as a local staff member
concluded by Europol as established by the Europol Convention. The offer of employment shall be based on the tasks to
be performed by the servant as a member of the temporary or contract staff. The contract concerned shall take effect at
the latest on 1 May 2018. A staff member who does not accept the offer referred to in this paragraph may retain his or
her contractual relationship with Europol in accordance with Article 53(1).

Article 74

Transitional budgetary provisions

The discharge procedure in respect of the budgets approved on the basis of Article 42 of Decision 2009/371/JHA shall
be carried out in accordance with the rules established by Article 43 thereof.

CHAPTER XIII

FINAL PROVISIONS

Article 75

Replacement and repeal

1. Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA are hereby replaced
for the Member States bound by this Regulation with effect from 1 May 2017.
24.5.2016 EN Official Journal of the European Union L 135/107

Therefore, Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA are repealed
with effect from 1 May 2017.

2. With regard to the Member States bound by this Regulation, references to the Decisions referred to in paragraph 1
shall be construed as references to this Regulation.

Article 76

Maintenance in force of the internal rules adopted by the Management Board

Internal rules and measures adopted by the Management Board on the basis of Decision 2009/371/JHA shall remain in
force after 1 May 2017, unless otherwise decided by the Management Board in the application of this Regulation.

Article 77

Entry into force and application

1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of
the European Union.

2. It shall apply from 1 May 2017.

However, Articles 71, 72 and 73 shall apply from 13 June 2016.

This Regulation shall be binding in its entirety and directly applicable in the Member States in
accordance with the Treaties.

Done at Strasbourg, 11 May 2016.

For the European Parliament For the Council

The President The President
M. SCHULZ J.A. HENNIS-PLASSCHAERT
L 135/108 EN Official Journal of the European Union 24.5.2016

ANNEX I

LIST OF FORMS OF CRIME REFERRED TO IN ARTICLE 3(1)

— terrorism,
— organised crime,
— drug trafficking,
— money-laundering activities,
— crime connected with nuclear and radioactive substances,
— immigrant smuggling,
— trafficking in human beings,
— motor vehicle crime,
— murder and grievous bodily injury,
— illicit trade in human organs and tissue,
— kidnapping, illegal restraint and hostage-taking,
— racism and xenophobia,
— robbery and aggravated theft,
— illicit trafficking in cultural goods, including antiquities and works of art,
— swindling and fraud,
— crime against the financial interests of the Union,
— insider dealing and financial market manipulation,
— racketeering and extortion,
— counterfeiting and product piracy,
— forgery of administrative documents and trafficking therein,
— forgery of money and means of payment,
— computer crime,
— corruption,
— illicit trafficking in arms, ammunition and explosives,
— illicit trafficking in endangered animal species,
— illicit trafficking in endangered plant species and varieties,
— environmental crime, including ship-source pollution,
— illicit trafficking in hormonal substances and other growth promoters,
— sexual abuse and sexual exploitation, including child abuse material and solicitation of children for sexual purposes,
— genocide, crimes against humanity and war crimes.
24.5.2016 EN Official Journal of the European Union L 135/109

ANNEX II

A. Categories of personal data and categories of data subjects whose data may be collected and processed for the
purpose of cross-checking as referred to in point (a) of Article 18(2)

1. Personal data collected and processed for the purpose of cross-checking shall relate to:

(a) persons who, in accordance with the national law of the Member State concerned, are suspected of having
committed or having taken part in a criminal offence in respect of which Europol is competent, or who have
been convicted of such an offence;

(b) persons regarding whom there are factual indications or reasonable grounds under the national law of the
Member State concerned to believe that they will commit criminal offences in respect of which Europol is
competent.

2. Data relating to the persons referred to in paragraph 1 may include only the following categories of personal data:

(a) surname, maiden name, given names and any alias or assumed name;

(b) date and place of birth;

(c) nationality;

(d) sex;

(e) place of residence, profession and whereabouts of the person concerned;

(f) social security numbers, driving licences, identification documents and passport data; and

(g) where necessary, other characteristics likely to assist in identification, including any specific objective physical
characteristics not subject to change such as dactyloscopic data and DNA profile (established from the non-
coding part of DNA).

3. In addition to the data referred to in paragraph 2, the following categories of personal data concerning the persons
referred to in paragraph 1 may be collected and processed:

(a) criminal offences, alleged criminal offences and when, where and how they were (allegedly) committed;

(b) means which were or which may have been used to commit those criminal offences, including information
concerning legal persons;

(c) departments handling the case and their filing references;

(d) suspected membership of a criminal organisation;

(e) convictions, where they relate to criminal offences in respect of which Europol is competent;

(f) inputting party.

These data may be provided to Europol even when they do not yet contain any references to persons.

4. Additional information held by Europol or national units concerning the persons referred to in paragraph 1 may
be communicated to any national unit or to Europol, should either so request. National units shall do so in
compliance with their national law.

5. If proceedings against the person concerned are definitively dropped or if that person is definitively acquitted, the
data relating to the case in respect of which either decision has been taken shall be deleted.
L 135/110 EN Official Journal of the European Union 24.5.2016

B. Categories of personal data and categories of data subjects whose data may be collected and processed for the
purpose of analyses of a strategic or thematic nature, for the purpose of operational analyses or for the purpose of
facilitating the exchange of information as referred to in points (b), (c) and (d) of Article 18(2)

1. Personal data collected and processed for the purpose of analyses of a strategic or thematic nature, for the purpose
of operational analyses or for the purpose of facilitating the exchange of information between Member States,
Europol, other Union bodies, third countries and international organisations shall relate to:

(a) persons who, pursuant to the national law of the Member State concerned, are suspected of having committed
or having taken part in a criminal offence in respect of which Europol is competent, or who have been
convicted of such an offence;

(b) persons regarding whom there are factual indications or reasonable grounds under the national law of the
Member State concerned to believe that they will commit criminal offences in respect of which Europol is
competent;

(c) persons who might be called on to testify in investigations in connection with the offences under consideration
or in subsequent criminal proceedings;

(d) persons who have been the victims of one of the offences under consideration or with regard to whom certain
facts give reason to believe that they could be the victims of such an offence;

(e) contacts and associates; and

(f) persons who can provide information on the criminal offences under consideration.

2. The following categories of personal data, including associated administrative data, may be processed on the
categories of persons referred to in points (a) and (b) of paragraph 1:

(a) personal details:

(i) present and former surnames;

(ii) present and former forenames;

(iii) maiden name;

(iv) father's name (where necessary for the purpose of identification);

(v) mother's name (where necessary for the purpose of identification):

(vi) sex;

(vii) date of birth;

(viii) place of birth;

(ix) nationality;

(x) marital status;

(xi) alias;

(xii) nickname;

(xiii) assumed or false name;

(xiv) present and former residence and/or domicile;

(b) physical description:

(i) physical description;

(ii) distinguishing features (marks/scars/tattoos etc.);

24.5.2016 EN Official Journal of the European Union L 135/111

(c) means of identification:

(i) identity documents/driving licence;

(ii) national identity card/passport numbers;

(iii) national identification number/social security number, if applicable;

(iv) visual images and other information on appearance;

(v) forensic identification information such as fingerprints, DNA profile (established from the non-coding part
of DNA), voice profile, blood group, dental information;

(d) occupation and skills:

(i) present employment and occupation;

(ii) former employment and occupation;

(iii) education (school/university/professional);

(iv) qualifications;

(v) skills and other fields of knowledge (language/other);

(e) economic and financial information:

(i) financial data (bank accounts and codes, credit cards, etc.);

(ii) cash assets;

(iii) shareholdings/other assets;

(iv) property data;

(v) links with companies;

(vi) bank and credit contacts;

(vii) tax position;

(viii) other information revealing a person's management of his or her financial affairs;

(f) behavioural data:

(i) lifestyle (such as living above means) and routine;

(ii) movements;

(iii) places frequented;

(iv) weapons and other dangerous instruments;

(v) danger rating;

(vi) specific risks such as escape probability, use of double agents, connections with law enforcement
personnel;

(vii) criminal-related traits and profiles;

(viii) drug abuse;

(g) contacts and associates, including type and nature of the contact or association;
L 135/112 EN Official Journal of the European Union 24.5.2016

(h) means of communication used, such as telephone (static/mobile), fax, pager, electronic mail, postal addresses,
internet connection(s);

(i) means of transport used, such as vehicles, boats, aircraft, including information identifying those means of
transport (registration numbers);

(j) information relating to criminal conduct:

(i) previous convictions;

(ii) suspected involvement in criminal activities;

(iii) modi operandi;

(iv) means which were or may be used to prepare and/or commit crimes;

(v) membership of criminal groups/organisations and position in the group/organisation;

(vi) role in the criminal organisation;

(vii) geographical range of criminal activities;

(viii) material gathered in the course of an investigation, such as video and photographic images;

(k) references to other information systems in which information on the person is stored:

(i) Europol;

(ii) police/customs agencies;

(iii) other enforcement agencies;

(iv) international organisations;

(v) public entities;

(vi) private entities;

(l) information on legal persons associated with the data referred to in points (e) and (j):

(i) designation of the legal person;

(ii) location;

(iii) date and place of establishment;

(iv) administrative registration number;

(v) legal form;

(vi) capital;

(vii) area of activity;

(viii) national and international subsidiaries;

(ix) directors;

(x) links with banks.

3. ‘Contacts and associates’, as referred to in point (e) of paragraph 1, are persons through whom there is sufficient
reason to believe that information which relates to the persons referred to in points (a) and (b) of paragraph 1 and
which is relevant for the analysis can be gained, provided they are not included in one of the categories of persons
referred to in points (a), (b), (c), (d) and (f) of paragraph 1. ‘Contacts’ are those persons who have a sporadic
contact with the persons referred to in points (a) and (b) of paragraph 1. ‘Associates’ are those persons who have a
regular contact with the persons referred to in points (a) and (b) of paragraph 1.
24.5.2016 EN Official Journal of the European Union L 135/113

In relation to contacts and associates, the data referred to in paragraph 2 may be stored as necessary, provided
there is reason to assume that such data are required for the analysis of the relationship of such persons with
persons referred to in points (a) and (b) of paragraph 1. In this context, the following shall be observed:

(a) such relationship shall be clarified as soon as possible;

(b) the data referred to in paragraph 2 shall be deleted without delay if the assumption that such relationship
exists turns out to be unfounded;

(c) all data referred to in paragraph 2 may be stored if contacts or associates are suspected of having committed
an offence falling within the scope of Europol's objectives, or have been convicted for the commission of such
an offence, or if there are factual indications or reasonable grounds under the national law of the
Member State concerned to believe that they will commit such an offence;

(d) data referred to in paragraph 2 on contacts, and associates, of contacts as well as on contacts, and associates,
of associates shall not be stored, with the exception of data on the type and nature of their contact or
association with the persons referred to in points (a) and (b) of paragraph 1;

(e) if a clarification pursuant to the previous points is not possible, this shall be taken into account when a
decision is taken on the need for, and the extent of, data storage for further analysis.

4. With regard to a person who, as referred to in point (d) of paragraph 1, has been the victim of one of the offences
under consideration or who, on the basis of certain facts there is reason to believe could be the victim of such an
offence, the data referred to in point (a) to point (c)(iii) of paragraph 2 as well as the following categories of data
may be stored:

(a) victim identification data;

(b) reason for victimisation;

(c) damage (physical/financial/psychological/other);

(d) whether anonymity is to be guaranteed;

(e) whether participation in a court hearing is possible;

(f) crime-related information provided by or through persons referred to in point (d) of paragraph 1, including
where necessary information on their relationship with other persons, for the purpose of identifying the
persons referred to in points (a) and (b) of paragraph 1.

Other data referred to in paragraph 2 may be stored as necessary, provided there is reason to assume that they are
required for the analysis of a person's role as victim or potential victim.

Data not required for any further analysis shall be deleted.

5. With regard to persons who, as referred to in point (c) of paragraph 1, might be called on to testify in investi­
gations in connection with the offences under consideration or in subsequent criminal proceedings, data referred
to in point (a) to point (c)(iii) of paragraph 2 as well as categories of data complying with the following criteria
may be stored:

(a) crime-related information provided by such persons, including information on their relationship with other
persons included in the analysis work file;

(b) whether anonymity is to be guaranteed;

(c) whether protection is to be guaranteed and by whom;

(d) new identity;

(e) whether participation in a court hearing is possible.

Other data referred to in paragraph 2 may be stored as necessary, provided there is reason to assume that they are
required for the analysis of such persons' role as witness.

Data not required for any further analysis shall be deleted.

L 135/114 EN Official Journal of the European Union 24.5.2016

6. With regard to persons who, as referred to in point (f) of paragraph 1, can provide information on the criminal
offences under consideration, data referred to in point (a) to point (c)(iii) of paragraph 2 as well as categories of
data complying with the following criteria may be stored:

(a) coded personal details;

(b) type of information supplied;

(c) whether anonymity is to be guaranteed;

(d) whether protection is to be guaranteed and by whom;

(e) new identity;

(f) whether participation in a court hearing is possible;

(g) negative experiences;

(h) rewards (financial/favours).

Other data referred to in paragraph 2 may be stored as necessary, provided there is reason to assume that they are
required for the analysis of such persons' role as informant.

Data not required for any further analysis shall be deleted.

7. If, at any time during the course of an analysis, it becomes clear on the basis of serious and corroborating
indications that a person should be included in a category of persons, as defined in this Annex, other than the
category in which that person was initially placed, Europol may process only the data on that person which is
permitted under that new category, and all other data shall be deleted.

If, on the basis of such indications, it becomes clear that a person should be included in two or more different
categories as defined in this Annex, all data allowed under such categories may be processed by Europol.