Analysis Mass surveillance programs run by the UK, French and Belgian governments are illegal, Europe’s top court has decided in a huge win for privacy advocates.
The European Court of Justice (CJEU) announced on Tuesday that legislation passed by all three countries that allows the government to demand traffic and location data from internet and mobile providers in "a general or indiscriminate way" breaks EU data privacy laws - even when national security concerns are invoked.
“The directive does not authorise the Member States to adopt, inter alia for the purposes of national security, legislative measures intended to restrict the scope of rights and obligations provided for in that directive, in particular the obligation to ensure the confidentiality of communications and traffic data, unless such measures comply with the general principles of EU law, including the principle of proportionality, and the fundamental rights guaranteed by the Charter,” the court decided.
In layman’s terms that means that a government can’t build a massive database of what everyone does and then query it later while investigating a case. Instead, they will need to carry out targeted surveillance and data retention - identifying specific people or accounts or phone numbers - and have a court review those requests to make sure they are not overly broad.
The ruling is significant because it directly addresses the issue of national security - something that has been used for years to bypass existing personal data protection legislation - and states categorically that EU privacy laws still apply in such circumstances, almost always.
The decision includes a specific carve-out when it comes to national security, noting that “in situations where a Member State is facing a serious threat to national security that proves to be genuine and present or foreseeable, that Member State may derogate from the obligation to ensure the confidentiality of data relating to electronic communications by requiring, by way of legislative measures, the general and indiscriminate retention of that data for a period that is limited in time to what is strictly necessary, but which may be extended if the threat persists.”
In other words, mass data collection should be short term and public - legislation has to be considered and passed - and only conducted for a limited period.
Time to start on new secret legal interpretations
As such, the intelligence services will immediately start work on their own interpretations of what phrases like “strictly necessary” and “persistent threat” mean and see if they can fit them within existing laws. If that effort doesn’t hold water, we can probably expect to see new legislation proposed by the government.
The decision is the result of a five-year legal battle, led in the UK by Privacy International. Although the result was expected given a series of previous rulings by the CJEU over privacy, and an opinion in this case by the court’s advocate general that stated pretty much the same thing back in January, it is still stark.
Privacy International’s legal director Caroline Wilson Palow said of the decision: “Today’s judgment reinforces the rule of law in the EU. In these turbulent times, it serves as a reminder that no government should be above the law.
“Democratic societies must place limits and controls on the surveillance powers of our police and intelligence agencies. While the Police and intelligence agencies play a very important role in keeping us safe, they must do so in line with certain safeguards to prevent abuses of their very considerable power. They should focus on providing us with effective, targeted surveillance systems that protect both our security and our fundamental rights.”
The judgment is also a bend in a long battle that started when Edward Snowden revealed the extent of government mass surveillance back in 2013. After Snowden’s revelations the US government in particular argued that metadata did not infringe privacy because it was not the actual content of the message or voice recordings.
Metadata diversion dead
This ruling puts that argument to bed - in Europe at least - when it states that communications data (metadata) is covered by privacy laws and that national security concerns do not override them.
In fact, the court specifically notes that “the general and indiscriminate retention of traffic data and location data... constitute particularly serious interferences with the fundamental rights guaranteed by the Charter, where there is no link between the conduct of the persons whose data is affected and the objective pursued by the legislation at issue.” The result is that the decision should, in theory at least, mean the end of mass surveillance in Europe.
Of course when it comes to the UK, there is also Brexit. The UK’s intelligence services have long taken a more American approach to data gathering - namely, to take everything possible in whatever way possible. Government ministers have repeatedly noted that the UK will retain its current systems and doesn’t have to listen to Europe now that the UK has left the European Union.
In reality, however, the UK will still remain under the authority of Europe’s top courts for some period of time. If the UK does insist on retaining surveillance programs now found to be illegal under European law, it will almost certainly result in a similar situation to the ongoing battle with the US over transatlantic data flows.
This year, Europe found that the Privacy Shield agreement between the US and Europe was illegal in large part because of US mass surveillance systems. That agreement had replaced its predecessor, the Safe Harbor deal, which was also found to be illegal.
At the time of writing, there has been no response to the ruling by the UK government. ®