UK 'mass surveillance' regime is illegal, EU court declares
Indiscriminate data collection contravenes rights to privacy and data protection, despite “national security” justification
Mass data retention and collection regimes deployed by member states must be subject to strict privacy safeguards outlined under EU law, according to a landmark legal judgement.
The European Court of Justice (CJEU) has declared that legislation, such as the UK’s contentious Investigatory Powers Act (IPA) 2016, cannot legally require a service provider to indiscriminately retain traffic and location data for national security purposes.
National surveillance legislation in these countries require telecommunications companies, including Internet Service Providers (ISPs), to retain personal data on an ongoing basis so that it can be accessed as and when necessary by law enforcement agencies.
Critics, including prominent privacy activist groups, have branded these practices as intrusive and disproportionate, however, also citing the potential for abuse. The case was brought forward by Privacy International, who argued that regimes such as those commonly in use are illegal under EU law, which in this case supersedes national legislation.
Member states, in particular the UK, France and Belgium, must adhere to the Privacy and Electronic Communications Regulations (PECR), better known as the e-Privacy directive, when drafting legislation.
The judgement has also deemed the data retention practices incompatible with the fundamental rights of privacy, freedom of expression, as well as data protection as outlined by the e-Privacy directive and legislation such as GDPR. Specifically, the data processing activities by ISPs, such as the transmission to public authorities, are not compatible - even for reasons relating to “national security”.
“The ruling is particularly significant because it makes clear that EU law applies, even in the national security context, if a member state’s surveillance law requires a telecommunications provider to process personal data,” Privacy International said.
“The governments of EU countries are legally compelled to ensure that the retention, access and subsequent use of any data meet specific requirements. These requirements, commonly referred to as ‘safeguards’, are crucial to ensure that there is a proper balance between the privacy of the individual and the protection of the public.”
The kind of communications data collected under such regimes include traffic, location, subscriber data - and any other data including metadata - surrounding communications, although the content of a communication is exempt.
This information, however, can be used in order to determine information about contacts as well as a person’s whereabouts and intentions. Map searches, device information, search engine results and location information, for example, can be combined to glean information about potential suspects.
“This data makes it possible to find out the identity of people with whom a user has communicated and by what means, to identify the time of these communications, and the places from which those communication originated,” Privacy International added.
“Importantly, communications data also reveals the frequency of contact of the user with specific people during a given period.”
While the ruling is clear in that such powers, as outlined in the IPA 2016, aren’t compatible with EU law, the judgement does open the door for their use in exceptional circumstances.
In cases where a member state is facing a serious imminent threat to national security, the CJEU states law enforcement may deviate from their legal obligations to retain and collect data as is necessary, for so long as is necessary.
The powers can also be used in a specific, targeted way, where the intention is to combat serious crime and prevent threats to public security. There must, however, be safeguards in place, and such practices as well as the application of these safeguards must be reviewed by a court.
The judgement also raises questions regarding the future relationship between the UK and the EU, especially with regards to the UK retaining data adequacy status. With the IPA 2016 seemingly incompatible with EU law with respect to data processing, maintaining the UK’s indiscriminate data collection regime may not be seen favourably unless amendments are made.