nmann77 - stock.adobe.com

EU’s top court questions legality of UK phone and internet data surveillance

European Court of Justice rules that the UK and EU member states must comply with EU privacy laws when harvesting people’s sensitive communications data from telecoms and internet companies

This article can also be found in the Premium Editorial Download: Computer Weekly: The future of storage

The UK’s mass collection and analysis of the population’s telephone, email and web browsing data has been called into question by Europe’s top court.

The European Court of Justice (ECJ) today ruled that collection of communications traffic data from telecoms and internet companies was a “particularly serious” interference of privacy rights under European law.

The court found that the UK and EU member states cannot use “national security” exemptions to override EU privacy law when harvesting people’s data from communications companies.

The decision is likely to raise questions over the UK’s ability to secure an adequacy agreement with the EU to continue sharing data with European countries after Brexit.

The court’s ruling followed a legal challenge by campaign group Privacy International over the legality of the UK’s bulk communications data (BCD) collection regime.

The court issued a separate judgments over French and Belgian bulk data collection and retention programmes, alongside the UK’s ruling.

Caroline Wilson Palow, legal director of Privacy International, said the judgment would require EU states, and also the UK, to place limits on the surveillance powers of police and the intelligence agencies.

“European law applies any time that a national government tries to ask a telecommunications provider to process personal data for the state, including providing access to communications data, or retaining data, even in the context of national security,” she said.

“We think this is a really big win for the rule of law because it means that now the fundamental privacy, data protection and freedom of expression protections under EU law are going to be applied.”

The decision calls into question the UK’s historic use of the Telecommunications Act 1984 to require telecoms and internet companies to retain and hand over their customers’ communications data to MI5 and GCHQ.

The UK will also need to assess the impact of the court’s decision on the Investigatory Powers Act 2016, which has governed bulk communications data collection since 2018, said Wilson Palow.

The decision puts the UK under pressure to reform its surveillance laws or risk losing an adequacy decision that will allow UK organisations to share data with Europe after Brexit.

The ECJ struck down the EU-US data-sharing agreement Privacy Shield in July, after raising concerns over US surveillance of EU citizens.

“It is definitely going to play into the question of adequacy, for sure,” said Wilson Palow. “This is going to be one more judgment that the UK is going to have to look at to see if their practices are in line with what the EU would consider necessary privacy protections.”

Citizens feel their private lives are subject to ‘constant surveillance’

Europe’s law and intelligence agencies have access to citizens’ communications data, including details of websites they have visited, records of where emails were sent and at what time, email subject lines and the location of mobile phones and call records.

This “metadata” can be used to build a highly detailed profile of an individual, including sensitive information, such as their sexuality, religious beliefs and medical conditions alongside their contacts and associates, interests and habits, and movements over time.

The ECJ confirmed in its judgment today that communications data allowed the intelligence and other government agencies to build up profiles of individuals. It said the data was no less sensitive than the content of communications.

“Those operations do not require prior authorisation from a court or independent administrative body and do not involve notifying the persons concerned in any way,” the court said.

The practice “is likely to generate in the minds of the persons concerned the feeling that their private lives are subject to constant surveillance”, it added.

The court said that EU member states, and the UK, cannot require electronic communications services to carry out the “general and indiscriminate” transmission of traffic data and location data to the security and intelligence agencies, even for national security reasons.

France ‘can no longer impose bulk metadata retention’

In a parallel judgement, the ECJ’s ruling will mean that France can no longer require internet service providers (ISPs) and phone companies to log the metadata of their entire population.

In a statement, the campaign group, La Quadrature du Net, said that the “ruling draws a legal framework that is much more protective of freedoms and right to privacy than the existing French law”.

The campaign group said the French government can still require ISPs to retain the IP addresses of the entire population, these addresses can now only be used for the purpose of combating serious crime or of safeguarding national security, particularly, terrorism.

“Another important victory is that web hosting services can no longer be forced by law to monitor all their users on behalf of the state, keeping track of who publishes what, with which IP address, when, etc,” it said.    

The ruling in the French case follows a legal challenge by La Quadrature du Net, the federation of internet service providers FFDN, and a non-profit internet service provider, in calling for the annulment of regulations that allow France to order the indiscriminate retention of personal data.

The campaign group said that French law was in flagrant contradiction with the EU court.

“The court notes that the French mechanisms for controlling the intelligence services are not sufficient, and we will ensure that the necessary safeguards are strengthened during the announced reform of French law,” it said.

Investigatory Powers Tribunal

The ECJ ruling in Privacy International, follows a legal challenge by the NGO over the lawfulness of the intelligence agencies’ use of BCD and bulk personal data in June 2015, at the Investigatory Powers Tribunal – the UK’s most secret court.

The UK claimed that bulk data collection fell outside the scope of the EU because it relates to national security rather than serious crime, arguing that Article 8 of the European Convention on Human Rights – which guarantees people the right to a private family and home life and private correspondence – provides sufficient safeguards for the public.

Privacy International argued that communications data was “liable to allow very precise conclusions to be drawn” about people’s private lives and relationships.

The Investigatory Powers Tribunal referred two questions to the European Court of Justice in September 2017, in the wake of the hearing.

Bulk communications data

  • GCHQ and MI5 obtained bulk communications data, under Section 94 of the Telecommunications Act 1984. That law has since been superseded by the Investigatory Powers Act 2016.
  • GCHQ collects data on email and telecommunications traffic from telephone and internet service providers, which is merged into data obtained from other forms of interception, including, for example, bulk collection from internet cables. GCHQ has been collecting data from telecoms and internet companies since 2001.
  • MI5 has collected communications data from telephone and internet companies since 2005. MI5 argues that the data is anonymous, as no subscriber details are included. The data is of significant intelligence and security value. It retains bulk communications data for one year.
  • The existence of bulk communications data collection remained secret until November 2015, when it was disclosed along with the introduction of the Investigatory Powers Bill. 

It asked the the ECJ to decide, first, whether requiring telcos and internet companies to supply data to the intelligence agencies of member states fell within the scope of EU law and the e-Privacy Directive.

Second, if the answer to the first question was yes, whether the legal safeguards in the Tele2/Watson judgment in 2016 – which found the general and indiscriminate retention of communications unlawful – should apply to the extent that they impeded security and intelligence agencies in national security cases.

In answer to the first question, the court found unequivocally that when governments require telecommunications and internet companies to share communications data with the state, or requires them to retain data for later access, EU law did apply.

Although the full implications of the judgment are not yet clear,  in press statement, the court referred to possible safeguards. These included the suggestion that governments accessed data for a limited time, when it was strictly necessary, and that access was “subject to an effective review, either by a court or an independent administrative body”. For example, intelligence agencies could be limited to categories of people or a geographic location.

European governments sought greater surveillance powers

The European court’s decision is a setback for the UK and EU states, which argued for the right to continue collecting BCD without additional controls at a two-day hearing on 9 and 10 September 2019.

Member states gave 15-minute oral presentations and written submissions to the court in Luxembourg, arguing that generalised, indiscriminate retention data was necessary for national security and for fighting crime.

The UK government argued that applying rulings by the ECJ and other EU law to current surveillance legislation would cripple the intelligence services’ ability to collect BCD.

Today’s ruling follows an opinion by Manuel Campos Sánchez-Bordona, Advocate General at the ECJ, that member states cannot use national security exemptions to escape from the safeguards of European law, when they impose legal obligations on telephone and internet companies to retain their customers’ data.

Sánchez-Bordona said in January the European e-privacy directive, 2002/58, and the Treaty of the European Union, which allow member states powers to override privacy on national security grounds, apply to bulk data collection

These laws should be “interpreted as precluding national legislation which imposes an obligation on providers of electronic communications networks to provide the security and intelligence agencies of a member state with ‘bulk communications data’ which entails the prior general and indiscriminate collection of the data,” the AG wrote.

Europe’s law on data retention has been in legal limbo since 2014, when the ECJ declared that Europe’s Data Protection Directive interfered in a serious manner with individuals’ fundamental rights and declared it invalid following a legal challenge by Digital Rights Ireland.

EU member states have been in no hurry to reinstate a new version of the directive, with stronger protections for individual privacy, giving them the freedom to continue with their existing data retention programmes.

In the UK, the case is now expected go back to the Investigatory Powers Tribunal for a ruling on Privacy International’s complaint against the UK’s BCD surveillance programme in the light of the ECJ judgment.

EU’s data retention laws and key judgments

The ePrivacy Directive allows member states to override the privacy rights of an individual’s electronic communications to safeguard national security, defence, public security, and the prevention, investigation and detection of criminal offences – or the unauthorised use of electronic communications systems. See Article 1(3).

The Treaty of the European Union, in Article 4, gives member states the freedom to maintain law and order and safeguard national security.

These rights are balanced by the Charter of Fundamental Rights of the European Union, which gives citizens the right to a private life, privacy communications and the right to protection of their personal data. Where national telcos and internet service providers retain data and share it with law enforcement, EU law would apply.

The EU Data Retention Directive, passed in 2006, required member states to store their citizens’ telecommunications data for a minimum of six months and a maximum of 12. It allowed police and security agencies to access data about the public’s communications – including their IP addresses – subject to a court order. It was later declared invalid by the ECJ, leaving the legal position on data retention in the EU uncertain.

In 2014, the European Court of Justice declared the EU’s data retention directive invalid, following a case brought by Digital Rights Ireland. The ECJ found that the directive interfered in a particularly serious manner with the fundamental rights to a private life and to the protection of personal data. It was likely to generate a feeling that people were under constant surveillance, unless individuals were told their data had been accessed.

In 2016, the ECJ found the EU law precluded the general and indiscriminate retention of communications data by governments, following legal action brought by MP Tom Watson. The judgment, known as Tele2/Watson, said blanket data collection was unlawful, that only the data of those suspected of serious crimes should be accessed, and that those who had their data accessed must be notified.

Read more on Privacy and data protection

Data Center
Data Management