“Protecting Europe is Europe’s duty. I believe now is therefore the time to build a true European Defense Union. Yes, I know there are some who are perhaps uncomfortable with the idea. But what we should be uncomfortable about are the threats to our security.”
So spoke Ursula von der Leyen, president of the European Commission – the executive branch of the European Union (EU) – when presenting her Political Guidelines in July 2024.1 The guidelines inform the priorities for the next five-year European Commission. They further stated the Commission “will look at all of our policies through a security lens.”2
This is a welcome approach, but as von der Leyen indicated, the EU’s entrance into the domain of national security policy will be met with concern by some Member States. EU institutions have historically shown limited understanding of the sensitive issues at play when nation states protect their national security and public order.
One policy area where Europe must look through a security lens is European Data Protection Law.
European Data Protection Law
European Data Protection Law is best known for its centerpiece legislation, the General Data Protection Regulation or GDPR.3 The GDPR sets out extensive rules on the protection of personal data and the privacy of individuals, and its scope covers almost the entire private and public sectors of EU Member States. Law enforcement agencies are not covered by the GDPR but are subject to a parallel legal act, the Law Enforcement Directive (LED), which contains similar but more lenient rules on privacy and data protection.4 Formally, neither of these two acts – nor EU Law in general – applies to the activities of the intelligence agencies of the EU Member States or to activities safeguarding national security. However, this has not prevented European Data Protection Law from having a marked, if indirect, impact on public order and national security in the EU.
A key reason for this development is that the right to data protection is protected by the European Charter on Fundamental Rights, which formally became part of the EU Treaty on December 1, 2009, via the Treaty of Lisbon.5
However, when adopting the Treaty of Lisbon, EU Member States expressly declared that “whenever rules on protection of personal data to be adopted on the basis of Article 16 could have direct implications for national security, due account will have to be taken of the specific characteristics of the matter.” Similarly, it is expressly provided in Article 4(2) of the Treaty on European Union, that the EU “shall respect… essential State functions [of Member States], including ensuring the territorial integrity of the State, maintaining law and order and safeguarding national security. In particular, national security remains the sole responsibility of each Member State.”
While the Member States may have expected that the above quoted provisions and declarations of political intent were adequate to ensure a clear delineation between Member State and EU competences, developments have shown they were mistaken.
Tension: European Data Protection Law and national security and public order
In European public policy parlance, “data retention” refers to the rules compelling internet service and telecommunication providers to keep information about how individual end users use devices, such as mobile phones and tablets, to access the networks of such providers. Retained information includes who the end user called, IP addresses, and the geo-location of the end user captured by logging the physical telecommunication masts used.6
These rules lead to providers storing very large quantities of data on individuals. As data is retained for up to one year, the data can – if used for this purpose – give a detailed profile of a person’s whereabouts, preferences, and associations. However, this data can only be legally accessed by relevant authorities when investigating serious crimes, like homicide or terrorism, or when countering threats to national security.7
Law enforcement and intelligence services have consistently maintained that data retention is an important tool for identifying suspects, victims, and witnesses in these types of cases. Often, data retention is the only tool available when identifying suspects and mapping the planning and execution of a crime. Thus, despite judicial skepticism and intense criticism from civil liberties advocates, many EU Member States have maintained data retention rules.
Given the privacy-related implications of these rules, data retention has been challenged in national courts in EU Member States. These cases have focused on the EU data protection rules applicable to the providers retaining the data. Thus, when providers retain and transfer data on behalf of national authorities, general data protection principles adopted by the EU are applied.
So, indirectly, principles like “necessity” and “proportionality” set out in EU rules intended for the private sector have set the standards for how national security and law enforcement authorities are allowed to access and use retained data. On this basis, the highest court within the EU system, the Court of Justice of the European Union (CJEU), has ruled several times on the legality of data retention.
In its jurisprudence, the CJEU has generally been restrictive. But it has also expressed what seems like skepticism towards the authorities using retained data. For example, in its landmark ruling in the Digital Rights Ireland case, the Court struck down the EU-wide rules on data retention, stating as part of its motivation that “the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance.”8,9
In other words, the Court – in applying data protection standards made for the private sector – held that the mere fact that individuals know that the data may be used by authorities may lead them to sense they are subject to “constant surveillance.” But is this a reasonable standard to apply in democracies governed by the rule of law? In most Western democracies, almost any data held by private or public entities is legally accessible by intelligence and law enforcement agencies, assuming the relevant rules for obtaining warrants and other forms of judicial approval are met in accordance with national law. Why should a different standard apply to this data?
In another central ruling in the case of La Quadrature du Net, the Court reaffirmed its view that data retention must be “targeted.”10 This means providers may only be compelled to retain data for national security purposes if the Member State concerned can prove “a serious threat to national security that is shown to be genuine and present or foreseeable.” Even if a Member State can prove that, the general data retention may only take place for a “period that is limited in time to what is strictly necessary.” Additionally, retention and use of data for the purpose of combatting serious crime is only allowed when targeted at “categories of persons concerned or using a geographical criterion, for a period that is limited in time to what is strictly necessary.”
Essentially, the Court ruled that law enforcement authorities are required to know beforehand either which mobile phones will be used by perpetrators of serious crime or in which geographical areas serious crimes will be committed. To this demand, most law enforcement officers would likely respond by observing that if they know by whom, and where, serious crime is going to be committed, they will seek to prevent such crime. Of course, law enforcement does not have this knowledge, let alone knowledge of which devices or phone numbers prospective criminals will use when planning or committing crimes. Similarly, national security authorities would note that national security threats are not limited in time, which is why these authorities cannot “turn on or off” the obligation of providers to retain data. Espionage, terrorism, disinformation campaigns, manipulation of elections, infrastructure sabotage, and other serious threats to national security are consistently pervasive across Europe and likely to remain so for the foreseeable future.
These rulings by the CJEU on data retention have unveiled a fundamental tension between the Court’s application of data protection law and the operational needs of national law enforcement and intelligence services. At times, the backlash has been substantial. The Minister of Justice for Denmark remarked on January 27, 2022, that the CJEU was “political,” “activist,” and “on the side of criminals” when ruling on data retention.11 During the pleadings of the La Quadrature du Net case, a total of 17 EU Member States and the European Commission intervened to argue that “targeted” data retention – as invented by the CJEU – is fundamentally unworkable, leads to crime which could have been prevented and victims that could have been protected, and allows criminals to evade the law. The Court chose to disregard these arguments.
The way forward: a new European approach of “trust-but-verify”
As indicated by Commission President von der Leyen, many EU Member State governments are likely to feel uneasy with the EU and CJEU playing a substantive role in national security unless there is a greater willingness to accommodate Member State interests.
Barring a change to the EU Treaty – which would be cumbersome and politically very difficult to achieve – the next best solution is that both the EU institutions and the Member States pursue legislation to reconcile the principles of European Data Protection Law with the demands of national security. And as the EU pivots to address the acute threat to Europe’s security from an aggressive Russia, ensuring that European values do not undermine Europe’s security is more important than ever. Once such rules are adopted, the CJEU should recognize that the sensitive balancing of national security interests requires a wide margin of discretion be left to Member States, as they alone have the full understanding of the threats confronting Europe.
Luckily, striking this balance, while maintaining meaningful safeguards, is not without precedent in a European context. The European Court of Human Rights (ECHR) has succeeded in effectively enforcing privacy and data protection rights while recognizing and accommodating the need for Member States to have the investigative and intelligence-collecting capability necessary to protect their citizens.12 Most notably, the ECHR has held that the “bulk collection” of telecommunication data via Signals Intelligence (SIGINT), which in practice means collecting all internet communication passing through a Member State, can take place under the European Convention of Human Rights.13 However, the Court also held that such collection must be subject to “sufficient ‘end-to-end’ safeguards to provide adequate and effective guarantees against arbitrariness and the risk of abuse.”
A similar approach could be adopted by the CJEU and in EU Law, recognizing the scope and character of the security threat facing the EU without compromising the essence of the right to data protection and privacy. The rules and the practice of the CJEU, especially, should reflect the fact that ensuring national security and public order requires trusting authorities to collect and use large quantities of personal data – including data about individuals that are suspected of no crime or other illicit activity.
Holding the opposite view – that authorities in Western democracies cannot be entrusted with collecting and using personal data about their citizens for the purpose of protecting those same citizens, even when subject to strict rules and oversight – is a risky path to walk. Both intelligence services and law enforcement authorities fundamentally strive to uncover that which is unknown. Who was at the crime scene? Who corresponded with an agent of a hostile foreign power? And, just as important, who was not there and thus is immaterial to the investigation? Who – or what – are hostile foreign powers directing their collection of intelligence at, and how do we counter that threat? They must be entrusted with wide mandates to collect and use the intelligence necessary to answer these questions. These authorities operate under tailored rules and strict oversight unlike any applicable to other government agencies: rules on documentation, judicial approvals, warrants, and political oversight. This oversight remains even if transparency must sometimes be limited to protect sources and methods, the safety of individuals, and relationships with foreign partners.
Trust must also be placed in oversight bodies and courts of law charged with verifying compliance with these rules. These institutions provide effective redress to any individual reasonably found to have been subjected to unwarranted surveillance. Indeed, accepting that authorities will make mistakes and overstep their mandates, and providing meaningful redress and accountability when it happens, is a hallmark of democracies governed by law.
The security challenges faced by the West are mounting and complex. They demand not just a shift of resources toward the scaling of military production capacity across Europe, but also a shift in policy. EU policymakers, legislators, courts and others who oversee the activities of national security authorities and law enforcement must adopt a new European approach of “trust-but-verify” – trust in authorities to protect Europe and in oversight bodies to verify that authorities act within their mandates.
1. “Statement at the European Parliament Plenary by President Ursula von der Leyen, candidate for a second mandate 2024–2029,” European Commission, effective January 9, 2025.
2. Ibid.
3. “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),” Official Journal of the European Union, L 119, May 4, 2016, p. 1–88.
4. “Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA,” Official Journal of the European Union, L 119, May 4, 2016, p. 89–131.
5. “Treaty of Lisbon amending the Treaty on European Union and the Treaty establishing the European Community,” Official Journal of the European Union, C 306/1, December 17, 2007.
6. No communications content — i.e. the content of a phone conversation, e-mails or messaging between mobile phones — is retained. Data retention is thus distinguishable from interception of communications and relates solely to data about communications (metadata).
7. Transfer of retained data must be approved either beforehand or — when exigent circumstances apply — after the fact by an independent authority, which in most Member States means a judicial authority.
8. Judgment of the Court (Grand Chamber) of 8 April 2014, Digital Rights Ireland Ltd v. Minister for Communications, Marine and Natural Resources, Court of Justice of the European Union, C‑293/12.
9. “Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC,” Official Journal of the European Union, L 105, April 13, 2006, p. 54–63.
10. Judgment of the Court (Grand Chamber) of 6 October 2020, La Quadrature du Net and Others v. Premier ministre and Others, Court of Justice of the European Union, C-511/18.
11. Ritzau, “Minister om overvågning: EU-Domstolen er på forbrydernes side,” Berlingske Tidende, January 28, 2022.
12. The Court of the Council of Europe.
13. Grand Chamber Judgment of 25 May 2021 in Big Brother Watch and Others v. The United Kingdom, European Court of Human Rights (Applications nos. 58170/13, 62322/14 and 24960/15); Grand Chamber Judgment of 25 May 2021 in Centrum för Rättvisa v. Sweden, European Court of Human Rights (Application no. 35252/08).

