On the 6th of October, the European Union Court of Justice (CJEU) deliberated that the scope of the EU GDPR, its principles, and the individuals' rights to privacy, extend to data collection and data retention for processes with a 'general' purpose of national security.
In brief, the UK government held that the bulk communications data details were not under the scope of GDPR for access by security agencies, and the CJEU ruled that EU GDPR has jurisdiction over national rules requiring companies to collect and retain communications data of individuals with the goal of sharing details with security agencies.
The Court also held that only in the event of a genuine, present, and serious threat to national security, EU member states could allow indiscriminate and bulk retention of data with an ad-hoc time-limited legislative measure.
The Legal Director of Privacy International, Caroline Wilson Palow, said:
“Today’s judgment reinforces the rule of law in the EU. In these turbulent times, it serves as a reminder that no government should be above the law."
Reminders of Privacy Shield anyone?
The UK is currently awaiting for an adequacy decision as third country from the European Commission for after the Brexit transition period ends. UK government's stance puts the island in the same limbo as the US today for what concerns cross border data sharing.