Bad news for France, the UK, Belgium and other European countries forcing their Internet service providers to store all their customers’ traffic and location data for intelligence purposes; the highest court in the European Union has confirmed that it is illegal to do so, unless there is a clear and present danger to national or public security.
The rulings, handed down by the Court of Justice of the European Union (CJEU) in three cases involving France, the UK and Belgium, are not just a victory for privacy advocates who have been fighting national antitrust schemes. . . . . data retention in the EU. They could also be a blow to the UK’s hopes of maintaining unhindered data flows with the EU after Brexit takes place later this year.
This is because the UK would need a decision from the European Commission on the adequacy of data protection for its companies to continue serving customers on the continent. This is granted to countries whose privacy laws are roughly in line with those of the EU. But now the highest court in the EU has ruled that the UK’s data retention laws and those of France and Belgium violate the block’s privacy laws.
In a press release, the court said that the 2002 EU Electronic Privacy Directive “excludes national legislation that requires electronic communications service providers to carry out the general and indiscriminate transmission of traffic data and location data to security and intelligence agencies to safeguard national security. ” “
“Today’s ruling reinforces the rule of law in the EU,” said Caroline Wilson Palow, legal director of Privacy International, one of the activist groups that initiated the cases. Democratic societies must put limits and controls on the surveillance powers of our police and intelligence agencies. “
Long-running argument
The discussion about the legality of data retention laws has raged for years.
In 2014, a year after NSA whistleblower Edward Snowden revealed that Verizon was collecting customer records for intelligence purposes in the US, the CJEU struck down an eight-year EU law that required similar activity. . . . in all Europe. He said that the Data Retention Directive did not include sufficient safeguards for people’s privacy; Most importantly, the law is disproportionate to the threat for which it was designed.
But some countries continued to have their own data retention laws, although they no longer have an EU law to support them. In late 2016, the CJEU reissued a ruling on the matter, saying such national laws were not acceptable unless they had strict safeguards.
Some European countries defended themselves, arguing that data retention laws are not covered by the Electronic Privacy Directive, because countries, and not the EU, can decide on national security measures. The European Commission supported them in this. However, the court clarified on Tuesday that, yes, EU privacy law definitely applies here, and that means data retention schemes must be provided, with strong privacy guarantees.
In addition, the CJEU said that national courts must ignore evidence gathered through the “general and indiscriminate” retention of traffic and location data.
They may do so temporarily when faced with “a serious threat to national security that proves to be genuine and present or foreseeable”, and they may have laws that require selective retention of such data “on the basis of objective and non-discriminatory factors, on categories of interested persons or using geographic criteria “
Countries can even force electronic communications providers to collect traffic and location data in real time, provided it is limited to suspected terrorists and an independent court or body has authorized the measure.
In the UK, the Investigative Powers Act, popularly known as the “Snooper Letter”, tells ISPs and mobile operators to store all their customers’ connection records for one year, regardless whether those clients are suspected of a crime or not. The law allows UK authorities to examine, without a court order, to which servers a person is connected and when.