Cross-Border Data Forum Bannner

Lawfare – How Europe’s Intelligence Services Aim to Avoid the EU’s Highest Court—and What It Means for the United States


In this article ‘How Europe’s Intelligence Services Aim to Avoid the EU’s Highest Court—and What It Means for the United States’, Theodore Christakis and Kenneth Propp explore the ongoing struggle within the European Union to delimit the national security exception in its data protection law for the activities of EU Member State intelligence services, and the corresponding impact this Brussels debate could have on the ongoing transatlantic negotiations to restore a secure basis for commercial data transfers from the European Union to the United States.

The article discusses:

  • How the Court of Justice of the European Union (CJEU)’s case-law has placed restrictions on the ability of EU member states to collect and process data for national security and for law enforcement purposes.
  • The reactions of EU Member States to these restrictions. In particular, it discusses how France has led efforts at the Council of the European Union to bypass the CJEU’s case-law by implementing a broad national security exception into the proposed ePrivacy Regulation.
  • How European law in this area has been developed not only by the European Union but also through the European Convention on Human Rights (ECHR), which imposes important limitations on the national security activities of European countries’ intelligence agencies.

The authors note that although EU Member States may benefit from an exemption under the proposed ePrivacy Regulation if the Council position is enacted, EU law provides no national security exemption that may be invoked on behalf of third-state intelligence services. The United States, as well as other third countries, will remain under the close scrutiny of the CJEU in Schrems-like cases addressing their “adequacy” and “essential equivalence.” Similarly, while national data protection authorities in Europe will have no basis in EU law to sanction a company responding to an EU Member State request for data on national security grounds, they will be able to heavily fine companies transferring data to the United States, on the basis that U.S. national security laws do not meet the Schrems II and the European Data Protection Board’s restrictive surveillance standards. Such an imbalance might well be unstable.

 To read the full article on the Lawfare blog, please click here.

 These statements are attributable only to the authors, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.