Electronic intelligence falls within the domain of the Member States of the European Union (EU), who have sole responsibility for safeguarding their internal security. Electronic surveillance conducted by national law enforcement authorities is inherently linked to the right to privacy and personal data protection. Such rights are enshrined in European Union treaties and secondary legislation as well as in Conventions adopted by the Council of Europe and in the International Covenant on Civil and Political Rights, which binds EU Members. The Charter of Fundamental Rights and the European Convention for the Protection of Human Rights and Fundamental Freedoms guarantee the rights to privacy and personal data protection to everyone within the jurisdiction of the EU Member States. Legal issues arising from electronic surveillance that may infringe on the human rights of individuals are not subject to review by the Court of Justice of the EU. Aggrieved individuals, upon exhausting legal remedies at the national level, may bring their cases to the European Court of Human Rights in Strasbourg for a final review.
Following the Snowden revelations in the United States and press reports of mass electronic surveillance conducted by law enforcement authorities of several EU Members, the European Parliament adopted a resolution on the US NSA Surveillance Programme, Surveillance Bodies in Various (EU) Members States and Their Impact on EU Citizens’ Fundamental Rights. Moreover, the United Nations General Assembly, in a resolution adopted in 2013, urged UN Members to review their legislation on secret surveillance.
In February 2016, the EU and the United States signed an umbrella agreement on the protection of personal data and privacy for law enforcement purposes.
Under European Union (EU) treaties, foreign electronic surveillance conducted by national law enforcement authorities of the twenty-eight EU Member States falls within the domain of the EU Members. The Treaty on European Union provides that “national security remains the sole responsibility of each Member State,” and, hence, the EU arguably lacks competence to legislate in this area. Moreover, based on the Treaty on the Functioning of the EU, the Court of Justice of the EU does not have jurisdiction over cases that involve surveillance conducted by national authorities in order to safeguard the internal security of the EU Members.
In conducting electronic surveillance, either foreign or domestic, EU Members are required to maintain a balance between the needs of law enforcement authorities and respect for the fundamental rights to privacy, personal data protection, and private and family life, as such rights are guaranteed in domestic legislation, EU law, and international agreements, including the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHRFF) and the International Covenant on Civil and Political Rights, by which EU Members are bound. Under settled case law of the European Court of Human Rights, national enforcement authorities are required, when conducting electronic surveillance, to justify such activity against the privacy of individuals on the basis of a law that sets forth clearly defined grounds, including national security and public safety, and adheres to the principles of necessity and proportionality.
A number of EU Member States have been identified as engaging in large-scale surveillance. In the aftermath of the Snowden revelations in the United States, it was reported that a number of EU Members, including France, Germany, Sweden, and the United Kingdom, were allegedly involved in mass surveillance operations in cooperation with the United States. The allegations spurred a debate at the EU level with the European Parliament playing a leading role among the EU institutions by instructing the Civil Liberties Committee to conduct an inquiry. The inquiry led to the adoption of the Resolution on the US NSA Surveillance Programme, Surveillance Bodies in Various EU Members States and Their Impact on EU Citizens’ Fundamental Rights and on Transatlantic Cooperation in Justice and Home Affairs.
II. Electronic Surveillance: Competence Issues
Competence in the area of surveillance between the EU and its Member States is delineated in a number of articles found in the Treaty on European Union (TEU) and the Treaty on the Functioning of the EU (TFEU). Article 4, paragraph 2 of the TEU states that the Union “shall respect [the Member States’] essential State functions, including ensuring the territorial integrity of the State, maintaining law and order and safeguarding national security. In particular, national security remains the sole responsibility of each Member State.” In a similar vein, article 72 of the TFEU stipulates that title V of the Treaty pertaining to the Area of Freedom, Security and Justice, “shall not affect the exercise of the responsibilities incumbent upon Member States with regard to the maintenance of law and order and the safeguarding of internal security.” Moreover, article 73 of the TFEU allows the Member States to “organise between themselves and under their responsibility such forms of cooperation and coordination as they deem appropriate between the [competent national agencies] responsible for safeguarding national security.”
Whereas electronic surveillance is a state function, as the European Parliament has noted, the EU also possesses some competence concerning the internal security of the EU on the grounds of article 67, paragraph 3 of the TFEU. The article states that the EU “shall endeavor to ensure a high level of security, through measures to prevent and combat crime.” The EU has exercised such competence by legislating and concluding international agreements, such as the Terrorist Financing Tracking Programme (TFTP) and Passenger Name Record (PNR) Agreement with the United States, designed to fight terrorism and other forms of serious crime, and by establishing agencies, such as EUROPOL and the Office of the EU Counter-terrorism Co-ordinator, tasked with combating terrorism and organized crime. The Parliament takes the position that the EU enjoys competence in the field of security because of the overlap of the notions of “national security,” “internal security,” “internal security of the EU,” and “international security.”
A corollary of the EU’s lack of competence in the area of surveillance is its lack of authority to legislate on secret surveillance in order to limit it and/or impose stricter safeguards. In the event that the Commission, using its right of initiative, introduced legislation on the subject, it would not be enforceable given the lack of jurisdiction of the European Court of Justice on security matters.
III. Privacy and Personal Data Protection Issues
Electronic surveillance inevitably involves the collection and storage of personal data, access by law enforcement authorities to such data, and the possible infringement of the rights to privacy and the protection of personal data.
Under EU law, the right to privacy and the right to protection of personal data are two distinct fundamental human rights. These rights are also guaranteed in the legal systems of the EU Member States and in international agreements to which the EU parties are signatories, including the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHRFF).
The Charter of Fundamental Rights of the European Union (CFR), which acquired binding status on December 1, 2009, recognizes the right to privacy in article 7 and the right to the protection of one’s personal data in article 8. Furthermore, article 8 reaffirms the principle that personal data must be processed fairly and for specific purposes, based on the consent of the individual concerned or some other legitimate purposes laid down by law. It also recognizes the right of individuals to access the data collected and the right to have it rectified, in case of inaccuracy or incompleteness. Compliance with such rules is entrusted to the control of an independent authority established by the EU Member States. The right to personal data may be restricted by law in order to strike a balance with the freedoms and rights of others and public safety and security, subject to the principle of proportionality, which is established in the EU and in the legal systems of the Member States.
The TFEU recognizes the right of every individual to his/her personal data—that is, individuals own their data. It also introduced a new and specific legal basis for the adoption of rules on data protection and granted authority to the EU legislative bodies (Parliament and Council) to adopt rules concerning the processing of personal data in the field of judicial cooperation in criminal matters, and police cooperation in the cross-border and domestic processing of personal data.
The right to respect for private and family life, home, and correspondence is established in article 8 of the ECHRFF, to which all EU Members are also participating states as members of the Council of Europe. The ECHRFF recognizes, however, that there are circumstances in a democratic society where it may be necessary for the state to interfere with this right, but only in accordance with the law and for certain clearly defined grounds, such as national security, public safety, economic well-being, the prevention of crimes, and the protection of the rights and freedoms of others. When such interference by public authorities acting in their official capacities does occur, article 13 of the ECHRFF requires a means of redress for the affected individual.
A. Directive 95/46/EC on Personal Data Protection
Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data is the basic framework legislation in the EU on personal data protection. The Directive provides strong protections applicable to the processing of personal data of persons living within the jurisdiction of the EU Member States. Pursuant to Directive No. 95/46/EC on personal data protection, the ownership of personal data belongs to individuals who have legal rights over the collection and processing of personal data. One of the key requirements for the processing of personal data is that the data subject must unambiguously give his/her consent, after being informed that his/her data will be processed.
Pursuant to the Directive, the data subject has the right of access, as provided for in article 12, which means that the data subject is entitled to information regarding any processing of his/her data, the purposes of processing, the categories of the data, and the recipients of the data. The basic principles governing the processing of one’s personal data are the following:
- Finality: Data must be collected for an explicit, specific, and legitimate purpose.
- Transparency: Individuals must be informed of the data collected and the purpose of collection.
- Legitimacy: Processing must be occur for a legitimate reason pursuant to article 7 of the Directive.
- Proportionality: The personal data collected must be adequate, relevant, and not excessive in relation to the purpose of collection.
- Accuracy and Retention of the Data: Individuals’ records must be accurate and up to date. False or inaccurate data must be corrected.
Directive 95/46/EC will be repealed on May 25, 2018, and replaced by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation). Regulation 2016/679 will be applicable as of May 25, 2018.
In addition to the above Regulation, the EU adopted Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with regard to the Processing of Personal Data by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties, and on the Free Movement of Such Data, and Repealing Council Framework Decision 2008/977/JHA. Member States have an implementation deadline of May 6, 2018, to comply with this Directive.
Intelligence activities conducted by national law enforcement authorities that involve national security issues or issues concerning the common foreign and security policy of the EU fall outside the scope of Regulation 2016/679 and Directive 2016/680.
B. Confidentiality of Communications
Confidentiality of communications is a principle enshrined in the legal systems of the EU Member States. At the EU level, confidentiality of communications is stipulated in Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications). In particular, article 5 of the Directive requires that EU Members “prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than the users, without the consent of the users concerned, except when legally authorized to do so in accordance with article 15(1).”
Interception or surveillance is permitted on the grounds of national security; defense and public security; and the prevention, investigation, detection, and prosecution of criminal offenses or of unauthorized use of an electronic communications system, as referred to in article 13(1) of Directive 95/46/EC.
EU Members are also allowed to adopt legislation on data retention for a limited period and based on the same grounds provided above.
D. Data Retention
Prior to its invalidation in April 2014, Directive No. 2006/24/EC (the Data Retention Directive), required the providers of publicly available electronic communications services or public communications networks to retain traffic and location data belonging to individuals or legal entities. Such data included the calling telephone number and name and address of the subscriber or registered user, user IDs (a unique identifier assigned to each person who signs with an electronic communications service), Internet protocol addresses, the numbers dialed, and call forwarding or call transfer records. The retention period was to last for a minimum period of six months and up to two years, and the sole purpose of processing and storing the data was to prevent, investigate, detect, and prosecute serious crimes, such as organized crime and terrorism. The content of the communications of individuals was not retained.
On April 8, 2014, the Grand Chamber of the Court of Justice of the European Union (CJEU) issued a judgment declaring the Directive invalid. The Directive was challenged on the grounds of infringement of the right to private life, and the right to the protection of personal data of individuals, as guaranteed in articles 7 and 8, respectively, of the Charter of Fundamental Rights of the European Union.
In examining the issue of interference with the rights to privacy and the protection of personal data, the CJEU made the following observations:
- The obligation imposed on providers of electronic communications services or public communications networks “constitutes in itself an interference with the rights guaranteed by article 7 of the Charter,”
- Access of the national authorities to data “constitutes a further interference with that fundamental right,” and
- The interferences described above also violate the right to protection of personal data.
The CJEU reasoned that the Directive did not establish clear and precise rules that regulate the “extent of interference with the fundamental rights of Art. 7 and 8 of the Charter.” Therefore, it concluded that the Directive “entails a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary.”
The CJEU also held that the security and protection of personal data cannot be fully guaranteed in the absence of review of compliance by an independent authority of the rules on data protection, as required by article 8 of the Charter of Fundamental Rights.
In September 2015, the Commission announced that, following the CJEU’s decision, it has no plans to introduce new legislation on data retention at the EU level. Therefore, EU Members are free to adopt national rules on this issue.
E. EU–US Agreement
On June 2, 2016, the European Union and the United States signed the Agreement on the Protection of Personal Data Information Relating to the Prevention, Investigation, Detection and, Prosecution of Criminal Offenses. The Agreement covers all personal data, such as names, addresses, and criminal records that will be exchanged between the EU and the US for the purposes of the prevention, detection, investigation, and prosecution of criminal offenses, including terrorism. In addition, the Agreement will provide safeguards and guarantees the lawfulness of data transfers, and will improve and facilitate EU–US law enforcement cooperation. The Agreement will enter into force one month after both parties exchange notifications that their domestic ratification procedures have taken place. At the EU level, the European Parliament must give its consent to conclude the Agreement.
IV. Case Law
Legal challenges to intelligence operations on the grounds of infringing the rights of the individual (such as the right to privacy freedom of expression, and a remedy) or because the intelligence operations are not conducted in accordance with the applicable law and are in violation of the standards of necessity and proportionality are not subject to review by the Court of Justice of the EU, as explicitly stated in article 276 of the TFEU:
in exercising its powers regarding the provisions of Chapters 4 and 5 of Title V of Part Three relating to the area of freedom, security and justice, the Court of Justice of the European Union shall have no jurisdiction to review the validity or proportionality of operations carried out by the police or other law enforcement services of a Member State or the exercise of the responsibilities incumbent upon Member States with regard to the maintenance of law and order and the safeguarding of internal security.
Such challenges can be brought before the European Court of Human Rights (ECHR), however. In general, the ECHR has found that the “mere existence of legislation allowing secret surveillance constitutes an interference with private life such that the necessity and legality requirements of article 8 of the European Convention on Human Rights must be met.” The ECHR has also found that emails, telephone communications, faxes, and Internet usage fall within the ambit of article 8 of the Convention.
As far as the legality requirement, the ECHR has a strict requirement that surveillance activities must be based on a law and not conducted as matter of policy.
B. Case of Szabo and Vissy v. Hungary
In January 2016, the ECHR issued a critical judgment on mass surveillance issues in the case of Szabo and Vissy v. Hungary. Two applicants challenged 2011 legislation that permitted broad surveillance activities of the Hungarian Anti-Terrorism Task Force, on the grounds that it violated the applicants rights to privacy, home, and correspondence. The ECHR ruled against Hungary because the contested legislation violated the rights of the applicants, due to sweeping secret surveillance, the lack of notification of surveillance measures, and other effective safeguards. As far as ex ante (prior) authorization, the ECHR held that it is not mandatory, as long as there is ex post judicial control. However, the ECHR ruled that Hungary failed to meet this requirement as well.
The ECHR has developed a number of minimum standards to which the national laws of the Member States of the Council of Europe must adhere, in order to avoid abuses of power and future litigation by affected or concerned individuals.  These standards include: (a) a description of the nature of the offenses that may give rise to an interception order; (b) identification of the categories of people who are likely to have their telephones tapped; (c) a limit on the duration of telephone tapping; (d) the procedure to be followed for examining, using, and storing the data obtained; (e) the precautions to be taken when communicating the data to other parties; and (f) the circumstances in which recordings may or must be erased or the tapes destroyed.
A decision to authorize surveillance activity must be given by an independent body prior to initiation of such activities; it is not necessary that the body that gives authorization is judicial as long as it enjoys independence from the executive. The ECHR has accepted the practice of governments to waive authorization in emergency situations in order to expedite an operation, or where, due to the circumstances, authorization is not possible.
As the ECHR has emphasized, especially in cases where prior authorization is not possible, the ex post review of government surveillance, either judicial or otherwise, is absolutely essential. That oversight, which must be performed by an independent external body, is also recommended by the UN Rapporteur on Human Rights. In its 2010 Report on Compilation of Good Practices on Legal and Institutional Frameworks and Measures that Ensure Respect for Human Rights by Intelligence Agencies While Countering Terrorism, Including on Their Oversight, the UN Rapporteur suggested that oversight be exercised by at least one institution fully independent of both the intelligence services and the political executive.
Finally, an individual must be provided with an effective remedy through an existing complaint mechanism where one may raise allegations of violations of privacy rights.
V. Large-scale Surveillance and Compatibility with Human Rights
As stated above, at the EU level, large-scale surveillance conducted by government agencies of the EU Member States has raised concerns as to the compatibility of such activities with human rights standards.
The Parliament’s Resolutionon the US NSA Surveillance Programme, Surveillance Bodies in Various EU Members States and Their Impact on EU Citizens’ Fundamental Rights, mentioned above, is a political statement lacking binding force. It urged EU Members to discontinue the mass collection of data and to ensure that national laws and policies on electronic surveillance are in line with EU and Council of Europe standards. It also proposed to establish at the EU level a high-level group to monitor progress. In April 2014, the Parliament also requested the EU Agency for Fundamental Rights (FRA) to conduct research on the impact of large-scale surveillance on fundamental rights and to review whether individuals whose data are collected by intelligence agencies have adequate remedies against such practices. The FRA’s final report will be published in 2017.
Similarly, the United Nations General Assembly adopted a resolution on December 18, 2013, urging UN Members to respect the right of privacy in digital communications and to review their legislation and practices on secret surveillance.
A 2013 study conducted by the Directorate General for Internal Policies of the European Parliament, entitled National Programs of Mass Surveillance of Personal Data in EU Member States and Their Compatibility with EU Law, examines mass surveillance practices in four EU countries: France, Germany, Sweden, Netherlands, and the United Kingdom. The study indicates that cooperation with foreign intelligence services appears to be a common practice. The study cites the so-called “Five Eyes” network, which comprises the US, UK, Canada, Australia, and New Zealand, that originated from a 1946 multilateral agreement for cooperation in signals intelligence, and which has extended over time in terms of activities (Echelon, and now Fornsat). The US also engages in cooperative relationships with “second-tier” and “third-tier” partners such as France and Germany.
The report indicates that some legal regimes operate on the basis of orders issued by special courts (for instance, in Sweden), while others were based on warrants issued by the government (the UK and Netherlands) or through an authorization role accorded to specially appointed oversight bodies (Germany, France, and Netherlands).
With regard to oversight, the report found that in several Member States oversight bodies encounter a number of constraints that limit their ability to scrutinize the intelligence agencies’ surveillance practices. In Sweden, the two main oversight institutions—the intelligence court and the Statens inspektion för försvarsunderrättelseverksamheten (Siun, State Inspection for Defense Intelligence Activity)—are deemed to be insufficiently independent. France’s main oversight body, the Commission nationale pour les interceptions de securité (CNCIS, National Commission for Security Interceptions), was found to be substantially constrained in its reach, because it has limited administrative capacity. The report also identified gaps in the UK’s intelligence oversight regime, as evidenced by the statement released in July 2014 by the Intelligence Security Committee on the Government Communications Headquarters’ (GCHQ’s) alleged interception of communications under the PRISM program.
The report also found that the surveillance programs operated by the Member States endanger the EU principle of “sincere cooperation,” enshrined in article 4.3 of the Treaty on the European Union, because they compromise compliance with existing EU-level mutual assistance and cooperation legal regimes and lawful searches between EU Member States and with the US, and also compromise the internal security of the EU.
Prepared by Theresa Papademetriou
Senior Foreign Law Specialist
 Consolidated Version of the Treaty on European Union (TEU) art. 4, para. 2, 2016 O.J. (C 202) 1, 13, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.C_.2016.202.01.0001.01.ENG&toc=OJ:C:2016:202:TOC# C_2016202EN.01001301, archived at https://perma.cc/EY34-D354.
 Consolidated Version of the Treaty on the Functioning of the European Union (TFEU) art. 276, 2016 O.J. (C 202) 1, 47, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.C_.2016.202.01.0001.01.ENG&toc= OJ:C:2016:202:TOC#C_2016202EN.01004701, archived at https://perma.cc/2WJX-NL39.
 International Covenant on Civil and Political Rights art. 17, Dec. 16, 1966, entry into force Mar. 23, 1976, 999 U.N.T.S. 171, https://treaties.un.org/doc/Publication/UNTS/Volume%20999/volume-999-I-14668-English.pdf, archived at https://perma.cc/9LKM-LWTU.
 Angelique Chrisafis, France ‘Runs Vast Electronic Spying Operation Using NSA-style Methods’: Intelligence Agency Has Spied on French Public’s Phone Calls, Emails and Internet Activity, Says Le Monde Newspaper, The Guardian (July 4, 2013), http://www.theguardian.com/world/2013/jul/04/france-electronic-spying-operation-nsa, archived at https://perma.cc/99Q4-9EUJ.
 The German Prism: Berlin Wants to Spy Too, Spiegel Online International (June 17, 2013), http://www.spiegel.de/international/germany/berlin-profits-from-us-spying-program-and-is-planning-its-own-a-906129.html, archived at https://perma.cc/76UD-VVJT.
 Jordan Shilton, Swedish Intelligence Service Spying on Russia for US National Security Agency, World Socialists Web Site (Dec. 30, 2013), https://www.wsws.org/en/articles/2013/12/30/swed-d30.html, archived at https://perma.cc/8DBJ-FJKA.
 European Parliament Resolution 2013/2188 (INI) of 12 March 2014 on the US NSA Surveillance Programme, Surveillance Bodies in Various EU Members States and Their Impact on EU Citizens’ Fundamental Rights and on Transatlantic Cooperation in Justice and Home Affairs, http://www.europarl.europa.eu/sides/getDoc.do?type=TA& reference=P7-TA-2014-0230&language=EN&ring=A7-2014-0139, archived at https://perma.cc/X7CF-VSXP.
 TEU, supra note 1, art. 4, para. 2.
 TFEU, supra note 2, art. 72.
 Resolution 2013/2188 (INI), supra note 8.
 TFEU, supra note 2, art. 67, para. 3.
 Press Release, European Commission, EU-US Agreements: Commission Reports on TFTP and PNR (Nov. 27, 2013), http://europa.eu/rapid/press-release_IP-13-1160_en.htm, archived at https://perma.cc/7296-YZ3P.
 Europol’s Priorities, Europol, https://www.europol.europa.eu/content/page/europol%E2%80%99s-priorities-145 (last visited Dec. 4, 2014), archived at https://perma.cc/SA23-Z4Q4.
 Counter-terrorism Co-ordinator, Council of the European Union, http://www.consilium.europa.eu/policies/ fight-against-terrorism/eu-counter-terrorism-co-ordinator?lang=en (last visited June 13, 2016), archived at https://perma.cc/KSP3-HPWY.
 Resolution 2013/2188(INI), supra note 8, para. Y.
 The right to privacy is also protected by article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms (ECHRFF), CETS No. 005 (1950), http://www.echr.coe.int/Documents/Convention_ ENG.pdf, archived at https://perma.cc/S63S-8ZZF, to which all EU Member States are states parties, as members of the Council of Europe. In addition, automatic processing of personal data is protected and governed by the 1981 Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data and Its Protocol, ETS No. 108 (1981). Details of Treaty No. 108, Council of Europe, http://conventions. coe.int/Treaty/en/Treaties/Html/108.htm (last visited June 14, 2016), archived at https://perma.cc/C259-ARSZ. Recently, the Council of Europe began revising the 1981 Convention to bring it in line with contemporary technology and ensure harmonization with EU legal reforms. The Consultative Committee of the Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (ETS No. 108), Modernization of Convention 108: New Proposals (Mar. 5, 2012), http://www.coe.int/t/dghl/standardsetting/ dataprotection/tpd_documents/T-PD-BUR_2012_01Rev_en.pdf, archived at https://perma.cc/C6EU-SASH.
 Charter of Fundamental Rights of the European Union, 2016 O.J. (C 202/2) 389, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:C:2016:202:TOC, archived at https://perma.cc/F9DE-FEKD.
 Id. art. 8.
 Id. art. 52(1).
 TFEU, supra note 2, art. 16.
 Id. art. 16, para. 2.
 ECHRFF, supra note 18, art. 8.
 Id. art. 8.
 Id. art. 13.
 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML, archived at https://perma.cc/5R5E-CHFB.
 Id. art. 12.
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation) art. 94, 2016 O.J. (L 119) 1, http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32016R0679, archived at https://perma.cc/3DBH-PKN4.
 Id. art. 99.
 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with regard to the Processing of Personal Data by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties, and on the Free Movement of Such Data, and Repealing Council Framework Decision 2008/977/JHA, 2016 O.J. (L 119) 89, http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32016R0679, archived at https://perma.cc/BH32-VK2P.
 Id. art. 63.
 Id. Preamble (16).
 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications) art. 5, 2002 O.J. (L 201) 37, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri= CELEX:32002L0058:en:HTML, archived at https://perma.cc/AFB3-JCPU.
 Id. art. 5(1).
 Id. art. 15(1).
 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks and Amending Directive 2002/58/EC, 2006 O.J. (L 105) 54, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:0063:EN:PDF, archived at https://perma.cc/BVQ3-ZSR5.
 Grand Chamber, Digital Rights Ireland Ltd. (C–293/12) v. Minister for Communications, Marine and Natural Resources (Apr. 8, 2014), http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0293, archived at https://perma.cc/A5DF-ZJF2.
 Id. paras. 34–36.
 Id. para. 65.
 Id. para. 66.
 Press Release, European Commission Statement on National Data Retention Laws (Sept. 16, 2015), http://europa.eu/rapid/press-release_STATEMENT-15-5654_en.htm, archived at https://perma.cc/MT7Y-EL9M.
 Signing of the “Umbrella” Agreement: A Major Step Forward in EU-U.S. Relations, European Commission, Justice (June 2, 2016), http://ec.europa.eu/justice/newsroom/data-protection/news/160602_en.htm, archived at https://perma.cc/5Q47-WFDD.
 Agreement Between the United States of America and the European Union on the Protection of Personal Information Relating to the Prevention, Investigation, Detection, and Prosecution of Criminal Offenses (Draft for Initialing) art. 3. http://ec.europa.eu/justice/data-protection/files/dp-umbrella-agreement_en.pdf, archived at https://perma.cc/FXY5-3NAP.
 Id. art. 29.
 TFEU, supra note 2, art. 276.
 Sarah St. Vincent, Center for Democracy & Technology, International Law and Secret Surveillance: Binding Restrictions Upon State Monitoring of Telephone and Internet Activity 9 (Sept. 4, 2014) (citing Weber & Saravia v. Germany (2006), https://cdt.org/files/2014/09/CDT-IL-surveillance.pdf, archived at https://perma.cc/2TGV-HUBD.
 Grand Chamber, Digital Rights Ireland Ltd. (C–293/12), at 9.
 Id. at 10.
 Id. para. 89.
 Id. para. 56.
 Id. paras. 57 & 72.
 Id. para. 56.
 Id. para. 77.
 Id. paras. 77 & 80.
 Martin Scheinin, Special Rapporteur on the Promotion and Protection of Human Rights and Fundamental Freedoms While Countering Terrorism, Compilation of Good Practices on Legal and Institutional Frameworks and Measures that Ensure Respect for Human Rights by Intelligence Agencies While Countering Terrorism, Including on Their Oversight, at 9, U.N. Doc. A/HRC/14/46 (May 17, 2010), https://fas.org/irp/eprint/unhrc.pdf, archived at https://perma.cc/JR29-GU86.
 Id. paras. 77, 78 & 80.
 Resolution 2013/2188(INI), supra note 8.
 National Intelligence Authorities and Surveillance in the EU: Fundamental Rights Safeguards and Remedies, European Union Agency for Fundamental Rights, http://fra.europa.eu/en/project/2014/national-intelligence-authorities-and-surveillance-eu-fundamental-rights-safeguards-and (last visited June 14, 2016), archived at https://perma.cc/DW2E-EMD2.
 The Right to Privacy in the Digital Age, G.A. Res. 68/167, U.N. Doc A/RES/68/167 (Dec.18, 2013), http://www.un.org/en/ga/search/view_doc.asp?symbol=A/RES/68/167, archived at https://perma.cc/HAY5-TFXJ.
 European Parliament Directorate General for Internal Policies, National Programmes for Mass Surveillance of Personal Data in EU Member States and Their Compatibility with EU Law (hereinafter Mass Surveillance Study) 24 (Oct. 2013), http://www.europarl.europa.eu/RegData/etudes/etudes/join/2013/ 493032/IPOL-LIBE_ET(2013)493032_EN.pdf, archived at https://perma.cc/7X8D-WAV9.
 For more information on on surveillance, including Echelon/Fornsat, see European Parliament, Interception Capabilities 2014, http://www.europarl.europa.eu/document/activities/cont/201309/20130916ATT71388/ 20130916ATT71388EN.pdf, archived at https://perma.cc/JW6E-PK59.
 Mass Surveillance Study, supra note 65, at 24.
 Id. at 25.
 Id. at 26.
Last Updated: 09/27/2016