British intelligence services’ bulk collection of the population’s telephone, email and web browsing data breaches European law, according to a preliminary legal opinion by the Advocate General of the European Court of Justice.
French and Belgian laws which require telephone and internet companies to store and retain data on citizens’ phone and internet activity on behalf of the state intelligence services were also found unlawful.
Advocate General (AG) Campos Sánchez-Bordona said in a legal opinion on 15 January 2020 that MI5, MI6 and GCHQ were engaged in “general and indiscriminate retention” of citizens’ personal data that provides detailed information on individuals and was incompatible with European law.
The opinion, which is not binding, is expected to be considered by the European Court of Justice (ECJ) of the European Union (EU) in a full hearing within the next six months.
It comes after the Investigatory Powers Tribunal referred questions over the legality of the UK’s bulk communications collection programme to the ECJ in the wake of a legal challenge by Privacy International.
“If the court agrees with the AG’s opinion, then unlawful bulk surveillance schemes, including the one operated by the UK, will be reined in,” said Privacy International’s legal director, Caroline Wilson Palow. “The opinion is a win for privacy.”
MI5 requests for more private sector data could be affected
The decision is also likely to have implications for security service MI5, after its director, Andrew Parker, this week called for more access to telecommunications and other personal data from the private sector, said privacy and security expert Ian Brown.
The UK will need to comply with the General Data Protection Regulation (GDPR) if it wants to remain compatible with the EU’s data protection regime, putting it under pressure to comply with any future EU court ruling on bulk data collection.
“While the UK will have more freedom following Brexit to legislate on these issues, it still must be careful if it wishes – as is government policy – to obtain a GDPR adequacy determination,” he said.
National security does not exempt governments from EU law
The Advocate General opinion argues that member states cannot use national security exemptions to escape from the safeguards of European law, when they impose legal obligations on telephone and internet companies to retain their customers’ data.
Access to communications data must be subject to prior review or an independent administrative authority committed both to safeguarding national security and defending citizens’ fundamental rights, and requests for data must be made in specific terms, the AG wrote.
Data retention by telephone companies and internet service providers should be limited to specific categories of data that are essential for the prevention and control of crime and the safeguarding of national security, and each category of data should be held for a defined time.
The opinion supports a landmark ruling by the ECJ after a legal challenge by former Labour MP Tom Watson, when the court found that the blanket collection of communications data was unlawful – a decision that has proved unpopular with the UK and other EU governments.
Bulk communications data
- GCHQ and MI5 obtain bulk communications data, under section 94 of the Telecommunications Act 1984.
- GCHQ collects data on email and telecommunications traffic from telephone and internet service providers, which is merged into data obtained from other forms of interception, including, for example, bulk collection from internet cables.
- Around 5% of GCHQ’s original intelligence is based on material gathered under section 94.
- MI5 has collected communications data from telephone and internet companies since 2005. MI5 argues that the data is anonymous, as no subscriber details are included. The data is of significant intelligence and security value. It retains bulk communications data for one year.
- The existence of bulk communications data collection remained secret until November 2015, when it was disclosed along with the introduction of the Investigatory Powers Bill.
Sánchez-Bordona said the European e-privacy directive, 2002/58, and the Treaty of the European Union, which allow member states powers to override privacy on national security grounds, apply to bulk data collection.
But where states impose requirements on telecoms and internet companies to collect and retain data on their behalf, intelligence agencies should comply with EU privacy laws and court decisions.
These laws should be “interpreted as precluding national legislation which imposes an obligation on providers of electronic communications networks to provide the security and intelligence agencies of a member state with ‘bulk communications data’ which entails the prior general and indiscriminate collection of the data,” the AG wrote.
French data retention regime unlawful
The Advocate General presented his findings in a series of four similar legal opinions, in response to legal challenges brought against European surveillance practices in the UK, France and Belgium.
Sánchez-Bordona concluded that France’s data retention scheme, which requires all communications companies to store all the communications data of their subscribers for one year, is incompatible with European law.
He found that, in line with the Tele2/Watson judgment, the fight against terrorism and similar threats to national security cannot justify the “general and indiscriminate” retention of citizens’ communications data.
Data retention should be targeted and should be limited to specific groups of people or specific geographical areas, he said.
The AG found that real-time collection of traffic and location data of people suspected to have links to a specific terrorist threat by France’s intelligence services is lawful – but only if the state does not require communications companies to collect data they don’t already collect for billing and marketing purposes.
France’s surveillance law was incompatible with European law because it imposed no obligation on the French state to inform people that their data was being processed in cases where it did not interfere with national security, the investigation of serious crime, and other lawful objectives.
Belgium breaching EU law
In a separate opinion, the AG found that Belgium’s surveillance regime also breaches EU law.
The country allows data retention for reasons which go beyond fighting terrorism and serious crime, including the investigation, detection and prosecution of less serious crime, the defence of the territory, and the protection of public security.
This imposes a general and indiscriminate duty on internet and phone companies to permanently and continuously retain data about people’s phone and internet use, and their location, in a way that is incompatible with the Charter of Fundamental Rights of the European Union.
The AG said Belgium could continue its bulk data surveillance programme on a temporary basis, but only for as long as strictly necessary to make it compatible with European law.
EU privacy law applies in national security cases
If security agencies carry out bulk data collection without imposing obligations on communications service providers, then EU law does not apply, the AG found.
“The crucial point that runs across all three cases is whether EU law was applicable on issues of national security. And they concluded that so long as the legal regime imposes obligations to network operators, the e-privacy directive applies,” said Ilia Siatitsa, legal officer at Privacy International.
She said the opinion, if upheld by the European Court of Justice, is likely to have long-term implications for the Investigatory Powers Act, also known as the Snoopers’ Charter, which gives the UK intelligence services unprecedented surveillance powers.
Privacy expert Brown said the AG’s opinion “places significant constraints on UK legislation in this area as it applies to the private sector”. If followed, it would also invalidate the current UK requirement for electronic communication providers to give “bulk communications data from all their customers to security and intelligence agencies for later analysis”.
NGOs in three countries lead surveillance challenge
The AG’s opinion came following a legal challenge by Privacy International. The Investigatory Powers Tribunal asked the ECJ to decide, first, whether requiring telcos and internet companies to supply data to the intelligence agencies of member states falls within the scope of EU law and the e-Privacy Directive.
Second, if the answer to the first question is yes, whether the legal safeguards in the Tele2/Watson judgment in 2016 – which found the general and indiscriminate retention of communications unlawful – should apply to the extent that they impede security and intelligence agencies (SIAs) in national security cases.
Belgium’s constitutional court asked the ECJ to decide whether EU law allows national legislation to compel telcos and internet service providers to retain the communications and location data for a wide range of purposes, including the investigation of serious crime, the safeguarding of national security, and defence.
France’s highest administrative court, the Conseil d’État, asked the European Court of Justice whether the e-Privacy Directive permits the real-time collection of traffic and location data of specified individuals, and whether individuals should be informed their data has been collected once the investigation is over.
The intervention follows two lawsuits filed by the French Data Network, a non-profit organisation, the campaigning group La Quadrature du Net, the federation of internet service providers FFDN, and a non-profit internet service provider, which called for the annulment of regulations that allow the indiscriminate retention of personal data in contravention of EU law.
European governments sought greater surveillance powers
The Advocate General’s opinion will be seen as a setback for the UK and other EU states, which argued for the right to continue collecting bulk communications data without additional controls at a two-day hearing on 9 and 10 September 2019.
Nearly 20 member states gave 15-minute oral presentations and written submissions to the court in Luxembourg, arguing that generalised, indiscriminate retention of data was necessary for national security and for fighting crime.
The UK government argues that applying rulings by the ECJ and other EU law to current surveillance legislation would cripple the ability of the intelligence services to collect bulk communications data.
The European Data Protection Supervisor, represented by Anna Buchta, head of policy and constitution, however, told the court that the data collected by governments should be subject to privacy safeguards.
She said that metadata included the subject line of emails, addresses of websites visited, date, time and length of online conversations, the geographical location of the device, email headers, telephone numbers called, and the location of terminal equipment, which could “be as revealing as the actual contents of the communication”.
Research has shown that it is possible to identify individuals from a small amount of mobile phone data, and to discover intimate details about a person’s life, including their political leanings and associations, medical conditions, sexual orientation and religious beliefs, she said in written evidence.
Privacy International claimed in legal filings that communications data was “liable to allow very precise conclusions to be drawn” about people’s private lives, “such as everyday habits, permanent or temporary places of residence, daily or other movement, the activities carried out, the social relationships of those persons, and the social engagements frequented by them”.
Europe’s law on data retention has been in legal limbo since 2014 when the ECJ declared Europe’s Data Protection Directive interfered in a serious manner with individuals’ fundamental rights and declared it invalid following a legal challenge by Digital Rights Ireland.
European member states have been in no hurry to re-instate a new version of the directive, with stronger protections for individual privacy, giving them the freedom to continue with their existing data retention programmes.
EU’s data retention laws and key judgments
The ePrivacy directive allows member states to override the privacy rights of an individual’s electronic communications to safeguard national security, defence, public security, and the prevention, investigation and detection of criminal offences – or the unauthorised use of electronic communications systems. See article 1(3).
The Treaty of the European Union, in article 4, gives member states the freedom to maintain law and order and safeguard national security.
These rights are balanced by the Charter of Fundamental Rights of the European Union, which gives citizens the right to a private life, privacy of communications and the right to protection of their personal data. Where national telcos and internet service providers retain data and share it with law enforcement, EU law would apply.
The EU Data Retention Directive, passed in 2006, required member states to store their citizens’ telecommunications data for a minimum of six months and a maximum of 12. It allowed police and security agencies to access data about the public’s communications – including their IP addresses – subject to a court order. It was later declared invalid by the ECJ, leaving the legal position on data retention in the EU uncertain.
In 2014, the European Court of Justice declared the EU’s data retention directive invalid, following a case brought by Digital Rights Ireland. The ECJ found that the directive interfered in a particularly serious manner with the fundamental rights to a private life and to the protection of personal data. It was likely to generate a feeling that people were under constant surveillance, unless individuals were told their data had been accessed.
In 2016, the ECJ found that EU law precluded the general and indiscriminate retention of communications data by governments, following legal action brought by MP Tom Watson. The judgment, known as Tele2/Watson, said blanket data collection was unlawful, that only the data of those suspected of serious crimes should be accessed, and that those who had their data accessed must be notified.