UK 'mass surveillance' regime is illegal, EU court declares

Indiscriminate data collection contravenes rights to privacy and data protection, despite “national security” justification


Mass data retention and collection regimes deployed by member states must be subject to strict privacy safeguards outlined under EU law, according to a landmark legal judgement.

The European Court of Justice (CJEU) has declared that legislation, such as the UK’s contentious Investigatory Powers Act (IPA) 2016, cannot legally require a service provider to indiscriminately retain traffic and location data for national security purposes.

National surveillance legislation in these countries requires telecommunications companies, including Internet Service Providers (ISPs), to retain personal data on an ongoing basis so that it can be accessed as and when necessary by law enforcement agencies.

Critics, including prominent privacy activist groups, have branded these practices intrusive and disproportionate, and have also cited the potential for abuse. The case was brought forward by Privacy International, which argued that regimes such as those commonly in use are illegal under EU law, which in this case supersedes national legislation.

Member states, in particular the UK, France and Belgium, must adhere to the Privacy and Electronic Communications Regulations (PECR), better known as the e-Privacy directive, when drafting legislation.

The judgement has also deemed the data retention practices incompatible with the fundamental rights to privacy, freedom of expression and data protection, as outlined by the e-Privacy directive and legislation such as GDPR. Specifically, the data processing activities carried out by ISPs, such as the transmission of data to public authorities, are not compatible with those rights - even for reasons relating to “national security”.

“The ruling is particularly significant because it makes clear that EU law applies, even in the national security context, if a member state’s surveillance law requires a telecommunications provider to process personal data,” Privacy International said.

“The governments of EU countries are legally compelled to ensure that the retention, access and subsequent use of any data meet specific requirements. These requirements, commonly referred to as ‘safeguards’, are crucial to ensure that there is a proper balance between the privacy of the individual and the protection of the public.”

The kinds of communications data collected under such regimes include traffic, location and subscriber data - and any other data, including metadata, surrounding communications - although the content of a communication is exempt.

This information can nevertheless be used to determine a person’s contacts, whereabouts and intentions. Map searches, device information, search engine results and location information, for example, can be combined to glean information about potential suspects.

“This data makes it possible to find out the identity of people with whom a user has communicated and by what means, to identify the time of these communications, and the places from which those communications originated,” Privacy International added.

“Importantly, communications data also reveals the frequency of contact of the user with specific people during a given period.”

While the ruling is clear that such powers, as outlined in the IPA 2016, aren’t compatible with EU law, the judgement does open the door to their use in exceptional circumstances.

In cases where a member state is facing a serious and imminent threat to national security, the CJEU states that law enforcement may deviate from these legal obligations and retain and collect data as is necessary, for only so long as is necessary.

The powers can also be used in a specific, targeted way where the intention is to combat serious crime and prevent threats to public security. There must, however, be safeguards in place, and both such practices and the application of these safeguards must be reviewed by a court.

The judgement also raises questions regarding the future relationship between the UK and the EU, especially with regard to the UK retaining data adequacy status. With the IPA 2016 seemingly incompatible with EU law with respect to data processing, maintaining the UK’s indiscriminate data collection regime may not be viewed favourably unless amendments are made.
