EU’s top court questions legality of UK phone and internet data surveillance

Citizens feel their private lives are subject to ‘constant surveillance’

Europe’s law and intelligence agencies have access to citizens’ communications data, including details of websites they have visited, records of where emails were sent and at what time, email subject lines and the location of mobile phones and call records.

This “metadata” can be used to build a highly detailed profile of an individual, including sensitive information, such as their sexuality, religious beliefs and medical conditions alongside their contacts and associates, interests and habits, and movements over time.

The ECJ confirmed in its judgment today that communications data allowed the intelligence and other government agencies to build up profiles of individuals. It said the data was no less sensitive than the content of communications.

“Those operations do not require prior authorisation from a court or independent administrative body and do not involve notifying the persons concerned in any way,” the court said.

The practice “is likely to generate in the minds of the persons concerned the feeling that their private lives are subject to constant surveillance”, it added.

The court said that EU member states, and the UK, cannot require electronic communications services to carry out the “general and indiscriminate” transmission of traffic data and location data to the security and intelligence agencies, even for national security reasons.

France ‘can no longer impose bulk metadata retention’

In a parallel judgement, the ECJ’s ruling will mean that France can no longer require internet service providers (ISPs) and phone companies to log the metadata of their entire population.

In a statement, the campaign group, La Quadrature du Net, said that the “ruling draws a legal framework that is much more protective of freedoms and right to privacy than the existing French law”.

The campaign group said the French government can still require ISPs to retain the IP addresses of the entire population, these addresses can now only be used for the purpose of combating serious crime or of safeguarding national security, particularly, terrorism.

“Another important victory is that web hosting services can no longer be forced by law to monitor all their users on behalf of the state, keeping track of who publishes what, with which IP address, when, etc,” it said.    

The ruling in the French case follows a legal challenge by La Quadrature du Net, the federation of internet service providers FFDN, and a non-profit internet service provider, in calling for the annulment of regulations that allow France to order the indiscriminate retention of personal data.

The campaign group said that French law was in flagrant contradiction with the EU court.

“The court notes that the French mechanisms for controlling the intelligence services are not sufficient, and we will ensure that the necessary safeguards are strengthened during the announced reform of French law,” it said.

Investigatory Powers Tribunal

The ECJ ruling in Privacy International, follows a legal challenge by the NGO over the lawfulness of the intelligence agencies’ use of BCD and bulk personal data in June 2015, at the Investigatory Powers Tribunal – the UK’s most secret court.

The UK claimed that bulk data collection fell outside the scope of the EU because it relates to national security rather than serious crime, arguing that Article 8 of the European Convention on Human Rights – which guarantees people the right to a private family and home life and private correspondence – provides sufficient safeguards for the public.

Privacy International argued that communications data was “liable to allow very precise conclusions to be drawn” about people’s private lives and relationships.

The Investigatory Powers Tribunal referred two questions to the European Court of Justice in September 2017, in the wake of the hearing.

It asked the the ECJ to decide, first, whether requiring telcos and internet companies to supply data to the intelligence agencies of member states fell within the scope of EU law and the e-Privacy Directive.

Second, if the answer to the first question was yes, whether the legal safeguards in the Tele2/Watson judgment in 2016 – which found the general and indiscriminate retention of communications unlawful – should apply to the extent that they impeded security and intelligence agencies in national security cases.

In answer to the first question, the court found unequivocally that when governments require telecommunications and internet companies to share communications data with the state, or requires them to retain data for later access, EU law did apply.

Although the full implications of the judgment are not yet clear,  in press statement, the court referred to possible safeguards. These included the suggestion that governments accessed data for a limited time, when it was strictly necessary, and that access was “subject to an effective review, either by a court or an independent administrative body”. For example, intelligence agencies could be limited to categories of people or a geographic location.

European governments sought greater surveillance powers

The European court’s decision is a setback for the UK and EU states, which argued for the right to continue collecting BCD without additional controls at a two-day hearing on 9 and 10 September 2019.

Member states gave 15-minute oral presentations and written submissions to the court in Luxembourg, arguing that generalised, indiscriminate retention data was necessary for national security and for fighting crime.

The UK government argued that applying rulings by the ECJ and other EU law to current surveillance legislation would cripple the intelligence services’ ability to collect BCD.

Today’s ruling follows an opinion by Manuel Campos Sánchez-Bordona, Advocate General at the ECJ, that member states cannot use national security exemptions to escape from the safeguards of European law, when they impose legal obligations on telephone and internet companies to retain their customers’ data.

Sánchez-Bordona said in January the European e-privacy directive, 2002/58, and the Treaty of the European Union, which allow member states powers to override privacy on national security grounds, apply to bulk data collection

These laws should be “interpreted as precluding national legislation which imposes an obligation on providers of electronic communications networks to provide the security and intelligence agencies of a member state with ‘bulk communications data’ which entails the prior general and indiscriminate collection of the data,” the AG wrote.

Europe’s law on data retention has been in legal limbo since 2014, when the ECJ declared that Europe’s Data Protection Directive interfered in a serious manner with individuals’ fundamental rights and declared it invalid following a legal challenge by Digital Rights Ireland.

EU member states have been in no hurry to reinstate a new version of the directive, with stronger protections for individual privacy, giving them the freedom to continue with their existing data retention programmes.

In the UK, the case is now expected go back to the Investigatory Powers Tribunal for a ruling on Privacy International’s complaint against the UK’s BCD surveillance programme in the light of the ECJ judgment.