EU countries are permitted to carry out the indiscriminate transmission and retention of communications data only when there is a ‘serious threat to national security’, the bloc’s highest court ruled on Tuesday (6 October).
The European Court of Justice said that such practices carried out by security agencies should be ‘limited to what is strictly necessary’ and must also be subject to a review by a court of an independent administrative authority.
Under general conditions, however, the practice of EU countries obliging services providers to snoop on communications data contravenes the 2002 ePrivacy directive and represents a ‘serious interference’ with protections outlined in the EU charter.
In this respect, in the absence of a valid national security threat, the mass and indiscriminate surveillance of communications networks is subject to EU law but does not qualify for the national security exemption as outlined in Article 15(1) of the ePrivacy directive, the court found.
The judgment came after several privacy groups had raised the case in the UK, Belgium, and France, arguing that data retention and processing regimes in those countries violated European rights.
The claimants in the case, UK-based charity Privacy International, had originally taken umbrage at the harvesting of bulk personal datasets and bulk communications data by the UK security and intelligence agencies.
Privacy International applauded the ECJ’s decision in reaffirming the obligation of police agencies to conduct surveillance programs only under specific national security conditions.
“Today’s judgment reinforces the rule of law in the EU. In these turbulent times, it serves as a reminder that no government should be above the law. Democratic societies must place limits and controls on the surveillance powers of our police and intelligence agencies,” said Caroline Wilson Palow, legal director of Privacy International.
“While the police and intelligence agencies play a very important role in keeping us safe, they must do so in line with certain safeguards to prevent abuses of their very considerable power,” she added.
The European Court of Justice also warned on Tuesday that any such data, collected as part of criminal proceedings that had been harvested in ways that violate EU law, would not be admissible in trials.
However, Tuesday’s ruling also made clear that member states themselves are responsible for determining what activity constitutes a national security threat. Moreover, surveillance tools can continue to be applied beyond a certain time limit, should the threat be judged to persist.
UK-EU data transfer worries
The court’s reading comes at a testing time for EU-UK data transfers, as the European Commission continues to assess the adequacy of the UK’s data protection landscape in line with EU standards.
The conclusion that the UK’s surveillance powers as outlined in the 2016 Investigatory Powers Act should have been subject to EU law for as long as the UK was a member state of the EU, and, as a result, are not compatible with EU law currently, will raise more questions about the extent by which the UK’s snooping powers diverge from EU data protection law.
Should those conducting the assessment within the Commission deem the divergence too harsh, there is a very real possibility that the UK may not be granted an adequacy agreement that would allow for the unimpeded transmission of data between the UK and the EU after the transition period expires on 31 December.
“This reinforces previous ECJ rulings that the UK security services’ powers around personal data are in the scope of EU law, and do not fully align with it,” said Mark Taylor, partner and data protection lawyer at Osborne Clarke.
“This is very likely to be a point of contention in the European Commission’s consideration of whether to give the UK data adequacy status on Brexit. As such, this national security ruling has broader ramifications for UK business than might first appear.”
Should the UK fail to obtain an adequacy agreement for the transfer of data with the EU, in order for the legal transmission of data to continue, businesses in the UK would need to revise their contractual arrangements with clients, inserting so-called ‘standard contractual clauses’ which would guarantee a minimum level of data protection commensurate with EU standards.
In this context, the EU executive has concerns that certain aspects of the UK’s data protection regime may change in the future and negatively impact the safety of EU personal data when transferred to the country.
“While the UK applies EU data protection rules during the transition period, certain aspects of its system may change in the future, such as rules on international transfers,” a Commission source told EURACTIV recently.
“These aspects, therefore, raise questions that need to be addressed,” the source added.
[Edited by Zoran Radosavljevic]