Today, the Court of Justice of the European Union (CJEU) ruled that the mass surveillance programmes conducted by British, French and Belgian security agencies are not tenable under EU law.
The ruling stated that instead of being the norm, bulk retention of communications data should only be permissible in the presence of a clear danger to national security. Aspects of EU law such as proportionality, and fundamental rights to privacy, data protection and freedom of expression, should also be respected.
Caroline Wilson Palow, legal director of Privacy International, said in a statement: “Today’s judgment reinforces the rule of law in the EU. In these turbulent times, it serves as a reminder that no government should be above the law. Democratic societies must place limits and controls on the surveillance powers of our police and intelligence agencies.”
National security – which bulk data retention purportedly falls under – has typically been left up to member states. This latest ruling overturns this assumption, and says that this activity should also be in line with EU law.
However, the ruling offers some wiggle room to snooping states. It stipulates that if a member state is facing a serious threat to national security, it can conduct general and indiscriminate retention of data through appropriate legislative measures. Even then, this is only acceptable for a limited period during which it is strictly necessary.
For combating serious crime, member states are also permitted to carry out targeted data retention. In this case, appropriate safeguards and a review carried out by a court or an independent administrative authority are required.
“The judgment does not prevent all data retention, nor all security service access to data,” says Mark Taylor, partner and data protection lawyer at Osborne Clarke. “However, it indicates that the extent of current retention, and the legal controls around it, need adjustment to align with EU data protection laws.”
The ruling could influence the UK’s chances of securing a data adequacy agreement, which is needed to preserve the unhindered flow of data to and from the bloc after Brexit.
The UK’s Investigatory Powers Act (IPA) is the biggest impediment to securing such an agreement. The Act requires ISPs and mobile operators to store all their customers’ data for a year, regardless of whether the users are criminals or not.
Although countries already within the EU have typically been given a free pass on this front, countries seeking to gain an adequacy agreement are expected to conform to more stringent standards regarding bulk collection of data for national security purposes.
This has led to some criticisms of hypocrisy. For example, in the case of the UK, what was considered acceptable when it was a member state may disqualify it from gaining an adequacy agreement with the EU.
Internet and technology lawyer Neil Brown tweeted: “In terms of the UK’s IPA, this is going to be an interesting one. The UK may well argue that the current framework does not provide for “general and indiscriminate” retention — it sets out a framework under which an SoS, with independent oversight, can issue retention notices.
“This wouldn’t be a surprise — it has been done before, and met with judicial approval — but could well be one of the next battlegrounds.”
Mark Taylor, partner and data protection lawyer at Osborne Clarke, said the powers of the UK’s security agencies are “very likely to be a point of contention in the European Commission’s consideration of whether to give the UK data adequacy status on Brexit”.