Electronic intelligence falls within the domain of the Member States of the European Union (EU), who have sole responsibility for safeguarding their internal security. Electronic surveillance conducted by national law enforcement authorities is inherently linked to the right to privacy and personal data protection. Such rights are enshrined in European Union treaties and secondary legislation as well as in Conventions adopted by the Council of Europe and in the International Covenant on Civil and Political Rights, which binds EU Members. The Charter of Fundamental Rights and the European Convention for the Protection of Human Rights and Fundamental Freedoms guarantee the rights to privacy and personal data protection to everyone within the jurisdiction of the EU Member States. Legal issues arising from electronic surveillance that may infringe on the human rights of individuals are not subject to review by the Court of Justice of the EU. Aggrieved individuals, upon exhausting legal remedies at the national level, may bring their cases to the European Court of Human Rights in Strasbourg for a final review. Following the Snowden revelations in the United States and press reports of mass electronic surveillance conducted by law enforcement authorities of several EU Members, the European Parliament adopted the Resolution on the US NSA Surveillance Programme, Surveillance Bodies in Various (EU) Members States and Their Impact on EU Citizens’ Fundamental Rights. Moreover, the United Nations General Assembly, in a resolution adopted in 2013, urged UN Members to review their legislation on secret surveillance.
While the legislative institutions of the surveyed countries are involved in general oversight of their respective intelligence agencies, special government bodies for reviewing the legality of interception surveillance and privacy issues have also been created. These special bodies focus on how information is stored, shared among security agencies within the country and abroad, destroyed, and made available to interested individuals. Limitations on intelligence collection are established by national constitutions, criminal procedure laws, and special legislation, and are aimed at the general defense of rights and freedoms. They include restrictions in terms of scope, duration, and subject matter of surveillance activities. The use of special powers, including communications surveillance, require express permission from the Minister of Interior (Netherlands), issuance of a judicial order (Romania), or an approval warrant authorized by the Secretary of State (United Kingdom). All national laws of the surveyed countries provide for special instruments to preserve personal data. At the same time, because of gaps in legislation and the national legal systems’ weaknesses, these measures are not always effective in regard to privacy protection.
Under European Union (EU) treaties, foreign electronic surveillance conducted by national law enforcement authorities of the twenty-eight EU Member States falls within the domain of the EU Members. The Treaty on European Union provides that “national security remains the sole responsibility of each Member State,” and, hence, the EU arguably lacks competence to legislate in this area. Moreover, based on the Treaty on the Functioning of the EU, the Court of Justice of the EU does not have jurisdiction over cases that involve surveillance conducted by national authorities in order to safeguard the internal security of the EU Members.
In conducting electronic surveillance, either foreign or domestic, EU Members are required to maintain a balance between the needs of law enforcement authorities and respect for the fundamental rights to privacy, personal data protection, and private and family life, as such rights are guaranteed in domestic legislation, EU law, and international agreements, including the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHRFF) and the International Covenant on Civil and Political Rights, by which EU Members are bound. Under settled case law of the European Court of Human Rights, national enforcement authorities are required, when conducting electronic surveillance, to justify such activity against the privacy of individuals on the basis of a law that sets forth clearly defined grounds, including national security and public safety, and adheres to the principles of necessity and proportionality.
A number of EU Member States have been identified as engaging in large-scale surveillance. In the aftermath of the Snowden revelations in the United States, it was reported that a number of EU Members, including France, Germany, Sweden, and the United Kingdom, were allegedly involved in mass surveillance operations in cooperation with the United States. The allegations spurred a debate at the EU level with the European Parliament playing a leading role among the EU institutions by instructing the Civil Liberties Committee to conduct an inquiry. The inquiry led to the adoption of the Resolution on the US NSA Surveillance Programme, Surveillance Bodies in Various EU Members States and Their Impact on EU Citizens’ Fundamental Rights and on Transatlantic Cooperation in Justice and Home Affairs.
II. Electronic Surveillance: Competence Issues
Competence in the area of surveillance between the EU and its Member States is delineated in a number of articles found in the Treaty on European Union (TEU) and the Treaty on the Functioning of the EU (TFEU). Article 4, paragraph 2 of the TEU states that the Union “shall respect [the Member States’] essential State functions, including ensuring the territorial integrity of the State, maintaining law and order and safeguarding national security. In particular, national security remains the sole responsibility of each Member State.” In a similar vein, article 72 of the TFEU stipulates that title V of the Treaty pertaining to the Area of Freedom, Security and Justice, “shall not affect the exercise of the responsibilities incumbent upon Member States with regard to the maintenance of law and order and the safeguarding of internal security.” Moreover, article 73 of the TFEU allows the Member States to “organise between themselves and under their responsibility such forms of cooperation and coordination as they deem appropriate between the [competent national agencies] responsible for safeguarding national security.”
Whereas electronic surveillance is a state function, as the European Parliament has noted, the EU also possesses some competence concerning the internal security of the EU on the grounds of article 67, paragraph 3 of the TFEU. The article states that the EU “shall endeavor to ensure a high level of security, through measures to prevent and combat crime.” The EU has exercised such competence by legislating and concluding international agreements, such as the Terrorist Financing Tracking Programme (TFTP) and Passenger Name Record (PNR) Agreement with the United States, designed to fight terrorism and other forms of serious crime, and by establishing agencies, such as EUROPOL and the Office of the EU Counter-terrorism Co-ordinator, tasked with combating terrorism and organized crime. The Parliament takes the position that the EU enjoys competence in the field of security because of the overlap of the notions of “national security,” “internal security,” “internal security of the EU,” and “international security.”
A corollary of the EU’s lack of competence in the area of surveillance is its lack of authority to legislate on secret surveillance in order to limit it and/or impose stricter safeguards. In the event that the Commission, using its right of initiative, introduced legislation on the subject, it would not be enforceable given the lack of jurisdiction of the European Court of Justice on security matters.
III. Privacy and Personal Data Protection Issues
Electronic surveillance inevitably involves the collection and storage of personal data, access by law enforcement authorities to such data, and the possible infringement of the rights to privacy and the protection of personal data.
Under EU law, the right to privacy and the right to protection of personal data are two distinct fundamental human rights. These rights are also guaranteed in the legal systems of the EU Member States and in international agreements to which the EU parties are signatories, including the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHRFF).
The Charter of Fundamental Rights of the European Union (CFR), which acquired binding status on December 1, 2009, recognizes the right to privacy in article 7 and the right to the protection of one’s personal data in article 8. Furthermore, article 8 reaffirms the principle that personal data must be processed fairly and for specific purposes, based on the consent of the individual concerned or some other legitimate purposes laid down by law. It also recognizes the right of individuals to access the data collected and the right to have it rectified, in case of inaccuracy or incompleteness. Compliance with such rules is entrusted to the control of an independent authority established by the EU Member States. The right to personal data may be restricted by law in order to strike a balance with the freedoms and rights of others and public safety and security, subject to the principle of proportionality, which is established in the EU and in the legal systems of the Member States.
The TFEU recognizes the right of every individual to his/her personal data—that is, individuals own their data. It also introduced a new and specific legal basis for the adoption of rules on data protection and granted authority to the EU legislative bodies (Parliament and Council) to adopt rules concerning the processing of personal data in the field of judicial cooperation in criminal matters, and police cooperation in the cross-border and domestic processing of personal data.
The right to respect for private and family life, home, and correspondence is established in article 8 of the ECHRFF, to which all EU Members are also participating states as members of the Council of Europe. The ECHRFF recognizes, however, that there are circumstances in a democratic society where it may be necessary for the state to interfere with this right, but only in accordance with the law and for certain clearly defined grounds, such as national security, public safety, economic well-being, the prevention of crimes, and the protection of the rights and freedoms of others. When such interference by public authorities acting in their official capacities does occur, article 13 of the ECHRFF requires a means of redress for the affected individual.
A. Directive 95/46/EC on Personal Data Protection
Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data is the basic framework legislation in the EU on personal data protection. The Directive provides strong protections applicable to the processing of personal data of persons living within the jurisdiction of the EU Member States. Pursuant to Directive No. 95/46/EC on personal data protection, the ownership of personal data belongs to individuals who have legal rights over the collection and processing of personal data. One of the key requirements for the processing of personal data is that the data subject must unambiguously give his/her consent, after being informed that his/her data will be processed.
Pursuant to the Directive, the data subject has the right of access, as provided for in article 12, which means that the data subject is entitled to information regarding any processing of his/her data, the purposes of processing, the categories of the data, and the recipients of the data. The basic principles governing the processing of one’s personal data are the following:
- Finality: Data must be collected for an explicit, specific, and legitimate purpose.
- Transparency: Individuals must be informed of the data collected and the purpose of collection.
- Legitimacy: Processing must be occur for a legitimate reason pursuant to article 7 of the Directive.
- Proportionality: The personal data collected must be adequate, relevant, and not excessive in relation to the purpose of collection.
- Accuracy and Retention of the Data: Individuals’ records must be accurate and up to date. False or inaccurate data must be corrected.
In 2012, the Commission drafted two legislative pieces in order to reform EU legislation on privacy and data protection: (a) a draft regulation on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), and (b) a Directive on the Protection of Individuals with Regard to the Processing of Personal Data by Competent Authorities with regard to criminal offenses.
B. Confidentiality of Communications
Confidentiality of communications is a principle enshrined in the legal systems of the EU Member States. At the EU level, confidentiality of communications is stipulated in Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications). In particular, article 5 of the Directive requires that EU Members “prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than the users, without the consent of the users concerned, except when legally authorized to do so in accordance with article 15(1).”
Interception or surveillance is permitted on the grounds of national security; defense and public security; and the prevention, investigation, detection, and prosecution of criminal offenses or of unauthorized use of an electronic communications system, as referred to in article 13(1) of Directive 95/46/EC.
EU Members are also allowed to adopt legislation on data retention for a limited period and based on the same grounds provided above.
D. Data Retention
Prior to its invalidation in April 2014, Directive No. 2006/24/EC (the Data Retention Directive), required the providers of publicly available electronic communications services or public communications networks to retain traffic and location data belonging to individuals or legal entities. Such data included the calling telephone number and name and address of the subscriber or registered user, user IDs (a unique identifier assigned to each person who signs with an electronic communications service), Internet protocol addresses, the numbers dialed, and call forwarding or call transfer records. The retention period was to last for a minimum period of six months and up to two years, and the sole purpose of processing and storing the data was to prevent, investigate, detect, and prosecute serious crimes, such as organized crime and terrorism. The content of the communications of individuals was not retained.
On April 8, 2014, the Grand Chamber of the Court of Justice of the European Union (CJEU) issued a judgment declaring the Directive invalid. The Directive was challenged on the grounds of infringement of the right to private life, and the right to the protection of personal data of individuals, as guaranteed in articles 7 and 8, respectively, of the Charter of Fundamental Rights of the European Union.
In examining the issue of interference with the rights to privacy and the protection of personal data, the CJEU made the following observations:
- The obligation imposed on providers of electronic communications services or public communications networks “constitutes in itself an interference with the rights guaranteed by article 7 of the Charter,”
- Access of the national authorities to data “constitutes a further interference with that fundamental right,” and
- The interferences described above also violate the right to protection of personal data.
The CJEU reasoned that the Directive did not establish clear and precise rules that regulate the “extent of interference with the fundamental rights of Art. 7 and 8 of the Charter.” Therefore, it concluded that the Directive “entails a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary.”
The CJEU also held that the security and protection of personal data cannot be fully guaranteed in the absence of review of compliance by an independent authority of the rules on data protection, as required by article 8 of the Charter of Fundamental Rights.
IV. Case Law
Legal challenges to intelligence operations on the grounds of infringing the rights of the individual (such as the right to privacy freedom of expression, and a remedy) or because the intelligence operations are not conducted in accordance with the applicable law and are in violation of the standards of necessity and proportionality are not subject to review by the Court of Justice of the EU, as explicitly stated in article 276 of the TFEU:
in exercising its powers regarding the provisions of Chapters 4 and 5 of Title V of Part Three relating to the area of freedom, security and justice, the Court of Justice of the European Union shall have no jurisdiction to review the validity or proportionality of operations carried out by the police or other law enforcement services of a Member State or the exercise of the responsibilities incumbent upon Member States with regard to the maintenance of law and order and the safeguarding of internal security.
Such challenges can be brought before the European Court of Human Rights (ECHR), however. In general, the ECHR has found that the “mere existence of legislation allowing secret surveillance constitutes an interference with private life such that the necessity and legality requirements of article 8 of the European Convention on Human Rights must be met.” The ECHR has also found that emails, telephone communications, faxes, and Internet usage fall within the ambit of article 8 of the Convention.
As far as the legality requirement, the ECHR has a strict requirement that surveillance activities must be based on a law and not conducted as matter of policy.
In considering the legality of various surveillance programs followed by Members of the Council of Europe, the ECHR has concluded that the following key features are in compliance with article 8 of the Convention:
- Surveillance was performed in compliance with a law adopted by a state’s legislature;
- the law exactly defined the purposes for which surveillance may be undertaken;
- The stated purposes were true and not used as a pretext; and
- Surveillance was conducted because of serious ground that the individual monitored was planning or had committed a serious criminal offense.
V. Large-scale Surveillance and Compatibility with Human Rights
As stated above, at the EU level, large-scale surveillance conducted by government agencies of the EU Member States has raised concerns as to the compatibility of such activities with human rights standards.
The Parliament’s Resolution on the US NSA Surveillance Programme, Surveillance Bodies in Various EU Members States and Their Impact on EU Citizens’ Fundamental Rights has value as a political statement, but it lacks binding force. It urges the EU Members to discontinue the mass collection of data and to ensure that national laws and policies on electronic surveillance are in line with EU and Council of Europe standards. It also proposed to establish at the EU level a high-level group to monitor progress. In March 2014, the Parliament also requested the EU Agency for Fundamental Rights (FRA) to conduct research on the impact of large-scale surveillance on fundamental rights and to review whether individuals whose data are collected by intelligence agencies have adequate remedies against such practices. The FRA findings will be published shortly.
A study conducted by the Directorate General for Internal Policies of the European Parliament, entitled National Programs of Mass Surveillance of Personal Data in EU Member States and Their Compatibility with EU Law, examines mass surveillance practices in four EU countries: France, Germany, Sweden, Netherlands, and the United Kingdom. The study indicates that cooperation with foreign intelligence services appears to be a common practice. The study cites the so-called “Five Eyes” network, which comprises the US, UK, Canada, Australia, and New Zealand, that originated from a 1946 multilateral agreement for cooperation in signals intelligence, and which has extended over time in terms of activities (Echelon, and now Fornsat). The US also engages in cooperative relationships with “second-tier” and “third-tier” partners such as France and Germany.
The report indicates that some legal regimes operate on the basis of orders issued by special courts (for instance, in Sweden), while others were based on warrants issued by the government (the UK and Netherlands) or through an authorization role accorded to specially appointed oversight bodies (Germany, France, and Netherlands).
With regard to oversight, the report found that in several Member States oversight bodies encounter a number of constraints that limit their ability to scrutinize the intelligence agencies’ surveillance practices. In Sweden, the two main oversight institutions—the intelligence court and the Statens inspektion för försvarsunderrättelseverksamheten (Siun, State Inspection for Defense Intelligence Activity)—are deemed to be insufficiently independent. France’s main oversight body, the Commission nationale pour les interceptions de securité (CNCIS, National Commission for Security Interceptions), was found to be substantially constrained in its reach, because it has limited administrative capacity. The report also identified gaps in the UK’s intelligence oversight regime, as evidenced by the statement released in July 2014 by the Intelligence Security Committee on the Government Communications Headquarters’ (GCHQ’s) alleged interception of communications under the PRISM program.
The report also found that the surveillance programs operated by the Member States endanger the EU principle of “sincere cooperation,” enshrined in article 4.3 of the Treaty on the European Union, because they compromise compliance with existing EU-level mutual assistance and cooperation legal regimes and lawful searches between EU Member States and with the US, and also compromise the internal security of the EU.
Prepared by Theresa Papademetriou
Senior Foreign Law Specialist
 Consolidated Version of the Treaty on European Union (TEU) art. 4, para. 2, 2012 O.J. (C 326) 13http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012M/TXT.
 Consolidated Version of the Treaty on the Functioning of the European Union (TFEU) art. 276, 2012 O.J. (C 326) 47, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012E/TXT.
 International Covenant on Civil and Political Rights art. 17, Dec. 16, 1966, entry into force Mar. 23, 1976, http://www.ohchr.org/en/professionalinterest/pages/ccpr.aspx.
 Angelique Chrisafis, France ‘Runs Vast Electronic Spying Operation Using NSA-style Methods’: Intelligence Agency Has Spied on French Public’s Phone Calls, Emails and Internet Activity, Says Le Monde Newspaper, The Guardian (July 4, 2013), http://www.theguardian.com/world/2013/jul/04/france-electronic-spying-operation-nsa.
 The German Prism: Berlin Wants to Spy Too, Spiegel Online International (June 17, 2013), http://www.spiegel.de/international/germany/berlin-profits-from-us-spying-program-and-is-planning-its-own-a-906129.html.
 Jordan Shilton, Swedish Intelligence Service Spying on Russia for US National Security Agency, Global Research (Dec. 2013), http://www.globalresearch.ca/swedish-intelligence-service-spying-on-russia-for-us-national-security-agency/5362967.
 European Parliament Resolution 2013/2188 (INI) of 12 March 2014 on the US NSA Surveillance Programme, Surveillance Bodies in Various EU Members States and Their Impact on EU Citizens’ Fundamental Rights and on Transatlantic Cooperation in Justice and Home Affairs, http://www.europarl.europa.eu/sides/getDoc.do?type=TA& reference=P7-TA-2014-0230&language=EN&ring=A7-2014-0139.
 TEU, supra note 1, art. 4, para. 2.
 TFEU, supra note 2, art. 72.
 Resolution 2013/2188 (INI), supra note 8.
 TFEU, supra note 2, art. 67, para. 3.
 Press Release, European Commission, EU-US Agreements: Commission Reports on TFTP and PNR (Nov. 27, 2013), http://europa.eu/rapid/press-release_IP-13-1160_en.htm.
 Europol’s Priorities, Europol, https://www.europol.europa.eu/content/page/europol%E2%80%99s-priorities-145 (last visited Dec. 4, 2014).
 EU Counter-terrorism Co-ordinator, Council of the European Union, http://www.consilium.europa.eu/ policies/fight-against-terrorism/eu-counter-terrorism-co-ordinator?lang=en (last visited Dec. 4, 2014).
 Resolution 2013/2188(INI), supra note 8, para. Y.
 The right to privacy is also protected by article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms (ECHRFF), CETS No. 005 (1950), http://www.echr.coe.int/Documents/Convention_ ENG.pdf, to which all EU Member States are states parties, as members of the Council of Europe. In addition, automatic processing of personal data is protected and governed by the 1981 Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data and Its Protocol, ETS No. 108 (1981), http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm. Recently, the Council of Europe began revising the 1981 Convention to bring it in line with contemporary technology and ensure harmonization with EU legal reforms. The Consultative Committee of the Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (ETS No. 108), Modernization of Convention 108: New Proposals (Mar. 5, 2012), http://www.coe.int/t/dghl/standard setting/dataprotection/tpd_documents/T-PD-BUR_2012_01Rev_en.pdf.
 Charter of Fundamental Rights of the European Union, 2010 O.J. (C 83) 02, http://eur-lex.europa. eu/LexUriServ/ LexUriServ.do?uri=OJ:C:2010:083:0389:0403:EN:PDF.
 Id. art. 8.
 Id. art. 52(1).
 TFEU, supra note 2, art. 16.
 Id. art. 16, para. 2.
 ECHRFF, supra note 18, art. 8.
 Id. art. 8.
 Id. art. 13.
 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML.
 Id. art. 12.
 Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), COM (2012) 11 final (Jan. 15, 2012), http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri= COM:2012:0011:FIN:EN:PDF.
 Proposal for a Directive of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data by Competent Authorities for the Purposes of Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties, and the Free Movement of Such Data, COM (2012) 10 final (Jan. 25, 2012), http://eur-lex.europa.eu/LexUriServ /LexUriServ.do?uri= COM:2012:0010:FIN:EN:PDF.
 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications) art. 5, 2002 O.J. (L 201) 37, http://eur-lex.europa.eu/LexUriServ/LexUri Serv.do?uri= OJ:L:2002:201:0037:0047:EN:PDF.
 Id. art. 5(1).
 Id. art. 15(1).
 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks and Amending Directive 2002/58/EC, 2006 O.J. (L 105) 54, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:0063:EN:PDF.
 Grand Chamber, Digital Rights Ireland Ltd. (C–293/12) v. Minister for Communications, Marine and Natural Resources (Apr. 8, 2014), http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62012C J0293&rid=1.
 Id. paras. 34–36.
 Id. para. 65.
 Id. para. 66.
 TFEU, supra note 1, art. 276.
 Sarah St. Vincent, Center for Democracy& Technology, International Law and Secret Surveillance: Binding Restrictions Upon State Monitoring of Telephone and Internet Activity 9 (Sept. 4, 2014) (citing Weber & Saravia v. Germany (2006) & Levey v. Bulgaria).
 Grand Chamber, Digital Rights Ireland Ltd. (C–293/12), at 9.
 Id. at 10.
 Id. at 12.
 National Intelligence Authorities and Surveillance in the EU: Fundamental Rights Safeguards and Remedies, European Union Agency for Fundamental Rights, http://fra.europa.eu/en/project/2014/national-intelligence-authorities-and-surveillance-eu-fundamental-rights-safeguards-and (last visited Dec. 5, 2014).
 European Parliament Directorate General for Internal Policies, National Programmes for Mass Surveillance of Personal Data in EU Member States and Their Compatibility with EU Law (hereinafter Mass Surveillance Study) 24 (Oct. 2013), http://www.europarl.europa.eu/RegData/etudes/etudes/join/2013/ 493032/IPOL-LIBE_ET(2013)493032_EN.pdf.
 For more information on on surveillance, including Echelon/Fornsat, see European Parliament, Interception Capabilities 2014, http://www.europarl.europa.eu/document/activities/cont/201309/20130916ATT71388/ 20130916ATT71388EN.pdf.
 Mass Surveillance Study, supra note 47, at 24.
 Id. at 25.
 Id. at 26.
Last Updated: 06/09/2015