National Security and New Forms of Surveillance: From the Data Retention Saga to a Data Subject Centred Approach

National security is a regulatory complex area that brings together public and private actors performing a variety of functions for the safeguarding of the EU Member States’ national interests. The article critically reflects on the applicability of EU law in this area by examining the complexities and controversies surrounding the respective judiciary and legislative approaches as well as the emerging surveillance practices deployed under the veil of national security. It argues that, while it is laudable that some aspects of national security were brought within the scope of application of EU law by the CJEU through its data retention jurisprudence, the grounding of the EU law applicability on the activities of private entities (controllers) is problematic. In particular, it creates significant legal uncertainties as private and public bodies are increasingly intertwined in the field of security and Member States push back against such expansion of EU law, while the case law does not take into account new forms of intrusive surveillance such as Pegasus. To counter these issues, the article proposes a new data subject-focused approach for the grounding of the scope of application of EU law -including to national security measures- which shifts the focus from the entity carrying out the national security operation (controller) to the individuals being affected (data subject). As such, it aligns better with fundamental rights and the constitutional foundations of EU data protection law and is urgently needed in the rapidly privatised and algorithmised area of national security.