Bad news for France, the United Kingdom, Belgium and other European countries that force their Internet service providers to store all their customers’ traffic and location data for intelligence purposes—the European Union’s top court has confirmed it is illegal to do this, unless the country faces a serious threat to national security that is genuine and present or foreseeable.
The rulings, handed down by the Court of Justice of the European Union (CJEU) in three cases involving France, the U.K. and Belgium, aren’t just a victory for the privacy campaigners that have been fighting national data-retention schemes in the EU. They also could be a blow to the U.K.’s hopes of maintaining unimpeded data flows with the EU after Brexit fully takes place at the end of this year.
That’s because the U.K. would need a so-called data-protection adequacy decision from the European Commission, in order for its companies to continue serving customers on the continent. This is awarded to countries whose privacy laws are roughly in line with those of the EU. But now the EU’s highest court has ruled that the U.K.’s data-retention laws, and those in France and Belgium, break the bloc’s privacy laws.
In a press release, the court said the EU’s 2002 ePrivacy Directive “precludes national legislation requiring providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security.”
“Today’s judgment reinforces the rule of law in the EU,” said Caroline Wilson Palow, the legal director of Privacy International, one of the activist groups that launched the cases. “In these turbulent times, it serves as a reminder that no government should be above the law. Democratic societies must place limits and controls on the surveillance powers of our police and intelligence agencies.”
The argument over the legality of data retention laws has been raging for years now.
In 2014, the year after NSA whistleblower Edward Snowden revealed that Verizon was handing over its customers’ call records to the National Security Agency under a secret court order, the CJEU struck down an eight-year-old EU law that mandated similar bulk retention across Europe. It said the Data Retention Directive did not include enough safeguards for people’s privacy—crucially, the law was disproportionate to the threat it was designed to combat.
But some countries continued to have their own data-retention laws, despite no longer having an EU law to underpin them. At the end of 2016, the CJEU again issued a ruling on the matter, saying such national laws were not acceptable unless they had strict safeguards.
Some European countries fought back, arguing that data-retention laws are not covered by the ePrivacy Directive, because countries—and not the EU—get to decide on national security measures. The European Commission backed them up on this. However, the court clarified Tuesday that, yes, EU privacy law definitely does apply here, and that means data-retention schemes have to be proportionate, with strong privacy safeguards.
What’s more, the CJEU said that in criminal proceedings national courts have to disregard evidence gathered through the “general and indiscriminate” retention of traffic and location data.
Nonetheless, the CJEU’s ruling did leave open several routes for governments to maintain data-retention policies for traffic and location data. They can temporarily do so when facing “a serious threat to national security that proves to be genuine and present or foreseeable,” and they can have laws demanding targeted retention of such data, “on the basis of objective and non-discriminatory factors, according to the categories of persons concerned or using a geographical criterion.”
Countries can even force electronic communications providers to collect traffic and location data in real time, as long as it’s limited to suspected terrorists, and a court or independent body has authorized the measure.
In the U.K., the Investigatory Powers Act—popularly known as the “Snooper’s Charter”—tells Internet service providers and mobile operators to store all their customers’ connection records for up to a year, whether or not those customers are suspected of a crime. The law allows British authorities to examine, without a warrant, which servers a person connected to and when.
According to the Irish data privacy lawyer Simon McGarr, the CJEU’s ruling in the British case “puts the U.K., with its surveillance system feeding into [signals intelligence agency] GCHQ, firmly outside the ‘adequacy’ zone of EU Data Protection law.”