Privacy International – CJEU Judgment (European Union, 2020)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
The Court of Justice ruled that UK agencies could not collect bulk communications data without proper legal justification. This matters because it emphasizes the need for clear rules when handling personal information, especially in the context of security. Companies should be aware that indiscriminate data collection can face legal challenges.
What happened
UK agencies were found to have collected bulk communications data without a valid legal basis.
Who was affected
Individuals whose communications data was collected by UK agencies were affected.
What the authority found
The Court held that the bulk collection of communications data must have a valid legal basis, emphasizing the need for compliance with privacy laws.
Why this matters
This ruling highlights the importance of protecting personal data even in security contexts. Companies should ensure they have strong legal grounds for any data collection practices.
Privacy international has challenged the lawfulness of the practices of collecting and using the bulk communications data (BCD) by the UK security and intelligence agencies. The Investigatory Powers Tribunal referred to the Court of Justice of the European Union the questions whether the existence of such practices fall within the scope of EU law and of Directive 2002/58 and if yes, does the EU law precludes national legislation enabling State authority to require providers of electronic communications services to carry out the 'general and indiscriminate' transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security. The referring court asked two questions : firstly, having regard to Article 4 TEU (referring to national security) and Article 1(3) of Directive 2002/58, ("Directive shall not apply to activities ..... which fall to the activities concerning public security, defence, State security") does a requirement in a direction by a Secretary of State to a provider of an electronic communications network that it must provide bulk communications data to the security and intelligence agencies of a Member State fall within the scope of Union law and of Directive. The second question reffered to the court was seeking to ascertain whether Article 15(1) of Directive 2002/58, read in the light of Article 4(2) TEU and Articles 7, 8 and 11 and Article 52(1) of the Charter, is to be interpreted as precluding national legislation enabling a State authority to require providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security. The UK and several EU members states highlighted that the activities of security and intelligence agencies are the sole responsibility of Member States as it guaranteed in the treaty (Article 4(2) TEU)
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (0)
No other cases found for Privacy International in EU
This is the only recorded case for this entity in this jurisdiction.
Details
Judgment Date
6 October 2020
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-2791About this data
Cite as: Cookie Fines. Privacy International - European Union (2020). Retrieved from cookiefines.eu
Last updated: