Large Scale Surveillance to Protect National Security: under EU Control?

Abstract

Mass surveillance of online communication is the dominant paradigm to protect national security. In the EU, countries such as the Netherlands, Germany, and France have sophisticated schemes in place to collect internet and telephone metadata from potentially every citizen. These mass surveillance schemes interfere with the rights to privacy and data protection and may chill the exercise of freedom of expression or association. Intelligence services engage in cross-border data sharing of data with partner services. Such sharing of data is done on a voluntary basis, and often, domestic legislation leaves gaps in the protection of individual rights in the context of cross-border data sharing. In addition to that, oversight of multilateral data sharing by intelligence services suffers from an accountability gap, since there are several limitations in domestic legislation that organizes such oversight. An open question is if the EU could play a role in ensuring that the fundamental rights of citizens are protected when intelligence services share data across borders. In principle, article 4(2) of the Treaty on European Union (TEU) provides that national security is the sole responsibility of each Member States. The EU thus formally has no competence to regulate national security issues. At the same time, the Court of Justice of the EU (CJEU) has brought several mass surveillance and data retention schemes that were set up with the aim of protection national security within the scope of EU law. In this paper, I describe the legal reasoning of the CJEU with which it has brought national security issues within the reach of EU law, focusing on, among others, the recent case of Privacy International (C-623/17) and other cases in the fields of data retention and state surveillance. I contextualize these developments by looking into other fields of law where the CJEU has found ways to review policy areas that are excluded from the EU’s competences in light of EU law (e.g. sports; health; education). Such competence creep relies, among others, on the increasing importance of the Charter of Fundamental Rights in the EU legal order. I then consider the implications of such competence creep for mass surveillance of online communication by EU Member States. This paper adds to existing work on data retention and state surveillance in the EU, by bringing in the novel angle of the (lack) of EU competences in the field of national security. In the literature, the fact that the EU has no competences on national security is often mentioned, but not further studied. This paper aims to provide a better understanding of the way this exemption functions in EU law and its implications for the protection of privacy, freedom of expression, and other fundamental rights in the EU.