Phone and internet service providers (ISPs) should only keep records of their customers’ phone calls, email and web browsing history if it is necessary to tackle serious crime, the European Court of Justice ruled on 19 July 2016.
The preliminary finding, issued by Europe’s highest court, concluded that the retention of personal communications data posed a serious risk to privacy.
Its use must be proportionate to the advantages it offers in the fight against only the most serious crime, according to the opinion of advocate general Henrik Saugmandsgaard Øe.
Although the advocate general’s opinion is non-binding, the European Court of Justice (ECJ) is likely to follow it in its final verdict, which is expected later in 2016.
The case has the potential to restrict surveillance powers in the Investigatory Powers Bill – known as the snoopers’ charter – which is passing through Parliament.
The opinion follows a legal challenge brought by a Conservative member of Parliament, David Davis, and Labour’s Tom Watson, challenging the legality of the government’s Data Retention and Investigatory Powers Act (Dripa) 2014, which was rushed through Parliament with little scrutiny.
David Davis MP withdraws from legal action
Davis previously argued that data retention laws turn the entire nation into potential crime suspects, but withdrew his name from the legal action following his appointment to Theresa May’s cabinet as Brexit minister on 13 July 2016.
As home secretary, May was responsible for introducing the controversial successor to Dripa, the Investigatory Powers Bill, through Parliament.
The IP Bill gives explicit legal authority for suspicionless surveillance, including automated hacking attacks, bulk collection of data and the ability to issue secret orders to manufacturers and service providers to compromise security without notifying their customers.
As a member of May’s cabinet, Davis will be expected to support the bill.
Legal requirements must be met
In the 69-page opinion, Saugmandsgaard Øe ruled that the general obligation to retain data may be compatible with European Union (EU) law, but the UK and other member states must meet strict legal requirements.
Government data retention regulations must be laid down clearly in law, and they must respect the right to people’s private life and the right to protect personal data, he stated.
Any interference in these rights should be carried out solely in the fight against serious crime. Ordinary offences and the smooth conduct of civil proceedings are not sufficient, said the advocate general.
Member states should only use retained data when it is not possible to obtain evidence in other ways that would not affect an individual’s fundamental rights, he added.
UK service providers are required to retain data which makes it possible to identify the location, source and destination of emails and phone calls, as well as the time, duration and the type of communication used. The content of communications is not included.
The advocate general found, however, that using private data for anything short of the prevention of serious crime would be disproportionate in law.
Under Dripa, government agencies can collect private communications data for a wide range of purposes, ranging from the interests of national security, to public health and safety, and the collection of tax.
People have “no way of knowing” if they are under unlawful investigation
According to Henrik Saugmandsgaard Øe, telecoms and internet service providers would be incapable of checking whether requests for the public’s data were strictly necessary, and the vast majority of the data retained by government will relate to people who will never be connected in any way with serious crime.
“Persons whose data are consulted have no way of knowing that they are under investigation, even if their data is used abusively or unlawfully,” he said.
Why the government collects personal data
- Interests of national security.
- Prevention or detection of crime or the prevention of disorder.
- Interests of the economic wellbeing of the UK.
- Interests of public safety.
- Protection of public health.
- Assessment or collection of any tax, contribution or other sum payable to the government.
- Prevention of harm to physical or mental health in urgent cases.
- Provision of assistance in investigations into alleged miscarriages of justice.
- Identification of persons who have died or who are unable to identify themselves because of a condition other than one resulting from a crime (such as a natural disaster or an accident).
- Exercise of functions relating to the regulation of financial services and markets or to financial stability.
- Any other purpose specified in an order made by the home secretary.
There may be specific situations of extreme urgency, in which UK law enforcement agencies need immediate access to retained data, without any prior review. But as far as possible, it is vital that prior authorisation be maintained and an emergency procedure introduced by an independent authority to approve emergency requests, said Saugmandsgaard Øe.
“The requirement of proportionality within a democratic society prevents the combating of ordinary offences and the smooth conduct of proceedings other than criminal proceedings from constituting justifications for a general data retention obligation,” he said.
The ECJ’s advocate general called for sensitive data to be excluded from retention, including data subject to professional legal privilege and that which could identify journalists’ sources.
ECJ opinion ‘too vague’
European Parliament’s green home affairs spokesperson Jan Philipp Albrecht, however, said the opinion of the advocate general did provide concrete answers in the legal case on blanket data retention provisions in EU member states.
“The advocate general leaves it open to his own judges or the national courts to make their own assessment in the individual cases,” he said, referring to the European Court of Justice’s judgement in the Digital Rights Ireland case in March 2014.
“We can only hope that the judges of the court will not allow themselves to be that vague when interpreting the EU fundamental rights vis-a-vis member state laws,” he said.
Court decision could restrict snoopers’ charter
Graham Smith, technology partner at international law firm Bird & Bird, said the opinion, were it to be adopted by the European Court, had the potential to restrict the scope of government surveillance in the IP Bill going through Parliament.
“The most obvious potential issue for the IP Bill is any restriction on purpose to serious crime, given the variety of purposes for which the bill would allow access to retained communications data.”
He said the IP Bill went further than Dripa, by extending the monitoring of the population’s internet activities from site-level browsing histories to much wider surveillance known as internet connection records.
“The government acknowledges that these are more intrusive than ordinary communications data. This expansion may provide new grounds of challenge, whatever the decision of the ECJ in Davis/Watson,” he said.
Serious blow to IP Bill
Privacy International, which has made presentations to the ECJ in the case, said the opinion was “a serious blow to the IP Bill”, adding it hoped it “presages a strong judgement from the court itself”. It called for greater oversight and protection for people’s privacy.
“The bulk powers – what we would call mass surveillance powers – embedded throughout the IP Bill go far beyond tackling serious crime. They would give a range of public bodies, not just the police and intelligence agencies, the power to access the personal data of innocent people, often without any form of warrant,” it said.
Internet service providers concerned
James Blessing, chair of the Internet Service Providers Association (ISPA), said the opinion of the advocate general raised serious questions about some aspects of the Investigatory Powers Bill.
“ISPA therefore calls on the Home Office to ensure the legal framework around data retention is fully compliant with the final court judgement,” he said.