UK, French, Belgian blanket spying systems ruled illegal by Europe’s top court

Five-year legal battle pays off. Now countries have to figure out what to do

Analysis Mass surveillance programs run by the UK, French and Belgian governments are illegal, Europe’s top court has decided in a huge win for privacy advocates.

The European Court of Justice (CJEU) announced on Tuesday that legislation passed by all three countries that allows the government to demand traffic and location data from internet and mobile providers in "a general or indiscriminate way" breaks EU data privacy laws - even when national security concerns are invoked.

“The directive does not authorise the Member States to adopt, inter alia for the purposes of national security, legislative measures intended to restrict the scope of rights and obligations provided for in that directive, in particular the obligation to ensure the confidentiality of communications and traffic data, unless such measures comply with the general principles of EU law, including the principle of proportionality, and the fundamental rights guaranteed by the Charter,” the court decided.

In layman’s terms that means that a government can’t build a massive database of what everyone does and then query it later while investigating a case. Instead, they will need to carry out targeted surveillance and data retention - identifying specific people or accounts or phone numbers - and have a court review those requests to make sure they are not overly broad.

The ruling is significant because it directly addresses the issue of national security - something that has been used for years to bypass existing personal data protection legislation - and states categorically that, with only narrow exceptions, EU privacy laws still apply in such circumstances.

The decision includes a specific carve-out when it comes to national security, noting that “in situations where a Member State is facing a serious threat to national security that proves to be genuine and present or foreseeable, that Member State may derogate from the obligation to ensure the confidentiality of data relating to electronic communications by requiring, by way of legislative measures, the general and indiscriminate retention of that data for a period that is limited in time to what is strictly necessary, but which may be extended if the threat persists.”

In other words, mass data collection has to be authorised openly - legislation has to be considered and passed - and can only be conducted for a limited period.

Time to start on new secret legal interpretations

As such, the intelligence services will immediately start work on their own interpretations of what phrases like “strictly necessary” and “persistent threat” mean and see if they can fit them within existing laws. If that effort doesn’t hold water, we can probably expect to see new legislation proposed by the government.

The decision is the result of a five-year legal battle, led in the UK by Privacy International. Although the result was expected given a series of previous rulings by the CJEU over privacy, and an opinion in this case by the court’s advocate general that stated pretty much the same thing back in January, it is still stark.

Privacy International’s legal director Caroline Wilson Palow said of the decision: “Today’s judgment reinforces the rule of law in the EU. In these turbulent times, it serves as a reminder that no government should be above the law.

“Democratic societies must place limits and controls on the surveillance powers of our police and intelligence agencies. While the police and intelligence agencies play a very important role in keeping us safe, they must do so in line with certain safeguards to prevent abuses of their very considerable power. They should focus on providing us with effective, targeted surveillance systems that protect both our security and our fundamental rights.”

The judgment is also another turn in a long battle that started when Edward Snowden revealed the extent of government mass surveillance back in 2013. After Snowden’s revelations the US government in particular argued that metadata did not infringe privacy because it was not the actual content of the message or voice recordings.

Metadata diversion dead

This ruling puts that argument to bed - in Europe at least - when it states that communications data (metadata) is covered by privacy laws and that national security concerns do not override them.

In fact, the court specifically notes that “the general and indiscriminate retention of traffic data and location data... constitute particularly serious interferences with the fundamental rights guaranteed by the Charter, where there is no link between the conduct of the persons whose data is affected and the objective pursued by the legislation at issue.” The result is that the decision should, in theory at least, mean the end of mass surveillance in Europe.

Of course when it comes to the UK, there is also Brexit. The UK’s intelligence services have long taken a more American approach to data gathering - namely, to take everything possible in whatever way possible. Government ministers have repeatedly noted that the UK will retain its current systems and doesn’t have to listen to Europe now that the UK has left the European Union.

In reality, however, the UK will remain under the authority of Europe’s top courts for some period of time. If the UK does insist on retaining surveillance programs now found to be illegal under European law, it will almost certainly result in a situation similar to the ongoing battle with the US over transatlantic data flows.

This year, Europe found that the Privacy Shield agreement between the US and Europe was illegal, in large part because of US mass surveillance systems. That agreement had replaced its predecessor, the Safe Harbor deal, which was also found to be illegal.

At the time of writing, there has been no response to the ruling by the UK government. ®

Biting the hand that feeds IT © 1998–2022