UK 'mass surveillance' regime is illegal, EU court declares

Indiscriminate data collection contravenes rights to privacy and data protection, despite “national security” justification

Mass data retention and collection regimes deployed by member states must be subject to strict privacy safeguards outlined under EU law, according to a landmark legal judgement.

The European Court of Justice (CJEU) has declared that legislation, such as the UK’s contentious Investigatory Powers Act (IPA) 2016, cannot legally require a service provider to indiscriminately retain traffic and location data for national security purposes.

National surveillance legislation of this kind requires telecommunications companies, including Internet Service Providers (ISPs), to retain personal data on an ongoing basis so that it can be accessed as and when necessary by law enforcement agencies.

Critics, including prominent privacy activist groups, have branded these practices intrusive and disproportionate, and have also cited the potential for abuse. The case was brought by Privacy International, which argued that regimes such as those commonly in use are illegal under EU law, which in this case supersedes national legislation.

Member states, in particular the UK, France and Belgium, must adhere to the Privacy and Electronic Communications Regulations (PECR), better known as the e-Privacy directive, when drafting legislation.

The judgement has also deemed the data retention practices incompatible with the fundamental rights to privacy, freedom of expression and data protection as outlined by the e-Privacy directive and legislation such as GDPR. Specifically, the data processing activities carried out by ISPs, such as the transmission of data to public authorities, are not compatible - even for reasons relating to “national security”.

“The ruling is particularly significant because it makes clear that EU law applies, even in the national security context, if a member state’s surveillance law requires a telecommunications provider to process personal data,” Privacy International said.

“The governments of EU countries are legally compelled to ensure that the retention, access and subsequent use of any data meet specific requirements. These requirements, commonly referred to as ‘safeguards’, are crucial to ensure that there is a proper balance between the privacy of the individual and the protection of the public.”

The kinds of communications data collected under such regimes include traffic, location and subscriber data - and any other data, including metadata - surrounding communications, although the content of a communication is exempt.

Such data can nonetheless be used to infer a person’s contacts, whereabouts and intentions. Map searches, device information, search engine results and location information, for example, can be combined to build a picture of potential suspects.

“This data makes it possible to find out the identity of people with whom a user has communicated and by what means, to identify the time of these communications, and the places from which those communications originated,” Privacy International added.

“Importantly, communications data also reveals the frequency of contact of the user with specific people during a given period.”

While the ruling is clear that such powers, as outlined in the IPA 2016, aren’t compatible with EU law, the judgement does open the door for their use in exceptional circumstances.

In cases where a member state is facing a serious and imminent threat to national security, the CJEU states that law enforcement may depart from these legal obligations and retain and collect data to the extent necessary, and only for as long as necessary.

The powers can also be used in a specific, targeted way, where the intention is to combat serious crime and prevent threats to public security. There must, however, be safeguards in place, and such practices as well as the application of these safeguards must be reviewed by a court.

The judgement also raises questions about the future relationship between the UK and the EU, especially with regard to the UK retaining data adequacy status. With the IPA 2016 seemingly incompatible with EU law with respect to data processing, maintaining the UK’s indiscriminate data collection regime may not be viewed favourably unless amendments are made.
