Europe’s top court has delivered another slap-down to indiscriminate government mass surveillance regimes.
In a ruling today the CJEU has made it clear that national security concerns do not exclude EU Member States from the need to comply with general principles of EU law such as proportionality and respect for fundamental rights to privacy, data protection and freedom of expression.
However the court has also allowed for derogations, saying that a pressing national security threat can justify limited and temporary bulk data collection and retention — capped to ‘what is strictly necessary’.
While threats to public security or the need to combat serious crime may also allow for targeted retention of data provided it’s accompanied by ‘effective safeguards’ and reviewed by a court or independent authority.
#ECJ: Judgment in cases C-511/18 La Quadrature du Net, C-512/18 French Data Network, C-520/18 Ordre des barreaux francophones et germanophone and C-623/17 Privacy International pic.twitter.com/eB95ymLyCt
— EU Court of Justice (@EUCourtPress) October 6, 2020
The reference to the CJEU joined a number of cases, including legal challenges brought by rights advocacy group Privacy International to bulk collection powers baked into the UK’s Investigatory Powers Act; a La Quadrature du Net (and others’) challenge to a 2015 French decree related to specialized intelligence services; and a challenge to Belgium’s 2016 law on collection and retention of comms data.
Civil rights campaigners had been eagerly awaiting today’s judgements from the Grand Chamber, following an opinion by an advisor to the court in January which implied certain EU Member States’ surveillance regimes were breaching the law.
At the time of writing key complainants had yet to issue a response.
Of course a government agency’s definition of how much data collection is ‘strictly necessary’ in a national security context (or, indeed, what constitutes an ‘effective safeguard’) may be rather different to the benchmark of civil rights advocacy groups — so it seems unlikely this ruling will be the last time the CJEU is asked to clarify where the legal limits of mass surveillance lie.
3) For instance it is huge that the Court says that while States have the possibility to order general retention of data in some exceptional cases, this decision “must be subject to effective review by a court or an independent administrative body WHOSE DECISION IS BINDING”…
— Theodore CHRISTAKIS (@TC_IntLaw) October 6, 2020
Additionally, the judgement raises interesting questions over the UK’s chances of gaining a data protection adequacy agreement from the European Commission — as it leaves the EU in 2021 at the end of the brexit transition process this year — something it needs for digital data flows from the EU to continue uninterrupted as now.
The problem is the UK’s Investigatory Powers Act (IPA) gives government agencies broad powers to intercept and retain digital communications — but here the CJEU is making it clear that such bulk powers must be the exception, not the statutory rule.
So, again, a battle over definitions could be looming…
This wouldn't be a surprise — it has been done before, and met with judicial approval — but could well be one of the next battlegrounds.
I think it's fair to say it is unlikely that the HO is going to strike out Part 4 IPA (nor, based on this, need it do).
— Neil Brown (@neil_neilzone) October 6, 2020
Questions have also been raised, via a legal challenge to the IPA in the UK, over its security agencies’ handling of intercepted data — with a court being told last year of systematic breaches of safeguards set out in the legislation. Such revelations also do not bode well for ‘adequacy’.
Another interesting component of today’s CJEU judgement suggests that in EU states with indiscriminate mass surveillance regimes there could be grounds for overturning individual criminal convictions which are based on evidence obtained via such illegal surveillance.
On this, the court writes in a press release: “As EU law currently stands, it is for national law alone to determine the rules relating to the admissibility and assessment, in criminal proceedings against persons suspected of having committed serious criminal offences, of information and evidence obtained by the retention of data in breach of EU law. However, the Court specifies that the directive on privacy and electronic communications, interpreted in the light of the principle of effectiveness, requires national criminal courts to disregard information and evidence obtained by means of the general and indiscriminate retention of traffic and location data in breach of EU law, in the context of such criminal proceedings, where those persons suspected of having committed criminal offences are not in a position to comment effectively on that information and evidence.”