UK 'mass surveillance' regime is illegal, EU court declares

Indiscriminate data collection contravenes rights to privacy and data protection, despite “national security” justification

Mass data retention and collection regimes deployed by member states must be subject to strict privacy safeguards outlined under EU law, according to a landmark legal judgement.

The European Court of Justice (CJEU) has declared that legislation, such as the UK’s contentious Investigatory Powers Act (IPA) 2016, cannot legally require a service provider to indiscriminately retain traffic and location data for national security purposes.

National surveillance legislation in these countries requires telecommunications companies, including Internet Service Providers (ISPs), to retain personal data on an ongoing basis so that it can be accessed as and when necessary by law enforcement agencies.

Critics, including prominent privacy activist groups, have however branded these practices intrusive and disproportionate, also citing the potential for abuse. The case was brought forward by Privacy International, which argued that regimes such as those commonly in use are illegal under EU law, which in this case supersedes national legislation.

Member states, in particular the UK, France and Belgium, must adhere to the Privacy and Electronic Communications Regulations (PECR), better known as the e-Privacy directive, when drafting legislation.

The judgement has also deemed the data retention practices incompatible with the fundamental rights of privacy, freedom of expression, as well as data protection as outlined by the e-Privacy directive and legislation such as GDPR. Specifically, the data processing activities by ISPs, such as the transmission to public authorities, are not compatible - even for reasons relating to “national security”.

“The ruling is particularly significant because it makes clear that EU law applies, even in the national security context, if a member state’s surveillance law requires a telecommunications provider to process personal data,” Privacy International said.

“The governments of EU countries are legally compelled to ensure that the retention, access and subsequent use of any data meet specific requirements. These requirements, commonly referred to as ‘safeguards’, are crucial to ensure that there is a proper balance between the privacy of the individual and the protection of the public.”

The kinds of communications data collected under such regimes include traffic, location and subscriber data, and any other data, including metadata, surrounding communications, although the content of a communication is exempt.

This information, however, can be used in order to determine information about contacts as well as a person’s whereabouts and intentions. Map searches, device information, search engine results and location information, for example, can be combined to glean information about potential suspects.

“This data makes it possible to find out the identity of people with whom a user has communicated and by what means, to identify the time of these communications, and the places from which those communications originated,” Privacy International added.

“Importantly, communications data also reveals the frequency of contact of the user with specific people during a given period.”

While the ruling is clear in that such powers, as outlined in the IPA 2016, aren’t compatible with EU law, the judgement does open the door for their use in exceptional circumstances. 

In cases where a member state is facing a serious imminent threat to national security, the CJEU states law enforcement may deviate from their legal obligations to retain and collect data as is necessary, for so long as is necessary. 

The powers can also be used in a specific, targeted way, where the intention is to combat serious crime and prevent threats to public security. There must, however, be safeguards in place, and such practices as well as the application of these safeguards must be reviewed by a court.

The judgement also raises questions regarding the future relationship between the UK and the EU, especially with regard to the UK retaining data adequacy status. With the IPA 2016 seemingly incompatible with EU law with respect to data processing, maintaining the UK’s indiscriminate data collection regime may not be seen favourably unless amendments are made.
