Q&A: EU’s top court rules that UK, French and Belgian mass surveillance regimes must respect privacy
The Court of Justice of the European Union issued judgments in three cases in the UK, France and Belgium. Privacy International answers some of the main questions.
On 6th October 2020, the Court of Justice of the European Union (CJEU) issued judgments in three cases from the UK (Privacy International), France (La Quadrature du Net and Others) and Belgium (Ordre des barreaux francophones et germanophone and Others).
After Privacy International’s (PI) initial reaction, below they answer some of the main questions relating primarily to the UK and the French cases.
NOTE: This post reflects PI’s initial reaction to the judgment and may be updated.
What is the ruling all about?
The CJEU has ruled that mass data retention and collection practices undertaken by member states for national security purposes must comply with EU law, and therefore must be subjected to its privacy safeguards.
The ruling is particularly significant because it makes clear that EU law applies, even in the national security context, if a member state’s surveillance law requires a telecommunications provider to process personal data.
National surveillance laws in the UK, France and elsewhere in Europe require telecommunications companies and service providers to store large amounts of personal data on an ongoing basis for later collection or other access by security and intelligence agencies (SIAs). Today’s ruling confirmed once again that general and indiscriminate data retention and collection of communications data are incompatible with fundamental human rights of privacy, data protection and freedom of expression.
The governments of EU countries are legally compelled to ensure that the retention, access and subsequent use of any data meet specific requirements. These requirements, commonly referred to as ‘safeguards’, are crucial to ensure that there is a proper balance between the privacy of the individual and the protection of the public.
You can read background on the case here.
What sort of data are we talking about here?
These cases deal solely with different types of communications data. Communications data includes traffic data, location data, subscriber data, and any other data surrounding a communication EXCEPT for the actual content of a communication. Communications data can yield information about contacts, as well as the who, what, when, and where of our communications. For example, communications data can reveal map searches, visited websites, location information, as well as information about every device connected to a network.
When collected in aggregate about one or a number of individuals, communications data is potentially no less sensitive than the actual content. This data makes it possible to find out the identity of people with whom a user has communicated and by what means, to identify the time of these communications, and the places from which those communications originated. Importantly, communications data also reveals the frequency of contact of the user with specific people during a given period.
In all three cases, the CJEU reiterated that the retention or collection of traffic and location data is a “particularly serious” interference with privacy.
Wait – how do intelligence agencies come by this mass data in the first place?
Whether it is your local supermarket, your phone service provider or a ride-hailing app, these days companies hold huge amounts of data about you. EU law requires governments to protect your privacy. Among other obligations, companies are asked to keep the length of time data is stored to a strict legal minimum. That’s a wise protection. Because the longer data is kept, the more likely it is that it can be abused, lost, stolen, shared, used to profile and even track you. But even though this is EU law, some governments have (unwisely) forced companies to keep hold of your data for much longer. This is called mandatory data retention.
When such data retention is general and indiscriminate, it means that sensitive data will be kept, even though you’re not suspected of any crime. Basically, it’s a form of mass surveillance. Like other mass surveillance, this means we’re all treated as suspects. In a democracy, the principle is meant to be ‘no suspicion, no surveillance’. The police and other state bodies already have massive powers. General and indiscriminate data retention is a step too far, and a disproportionate threat to our privacy.
General and indiscriminate data retention was at issue in the French and Belgian cases.
The UK case concerned another form of surveillance – general and indiscriminate data collection.
Telecommunications companies could be compelled to deliver bulk communications data directly to the UK intelligence agencies. That means the UK intelligence agencies would retain the data themselves.
So what does general and indiscriminate data retention, or data collection, have to do with privacy?
Retention: General and indiscriminate data retention threatens your privacy in several ways. It overrides other EU privacy laws that are meant to minimise how long your data is kept by companies. When data is retained for longer than is necessary, it can be abused, lost, stolen, shared, used to profile and even track you. And when that retention is general and indiscriminate, it means the government does not necessarily even have a good reason to force companies to keep the data. Instead, it’s asking them to keep all of it just in case.
Retention of this data also means that governments will have easier access to it. If that access is not governed by robust safeguards, it can lead to serious privacy interferences.
Collection: General and indiscriminate data collection violates privacy by allowing a government to directly collect all data from a company. This is a significant intrusion, as noted above, because communications data can be so revealing of our personal lives. The CJEU has found that general and indiscriminate collection, as was occurring in the UK, is the same as general and indiscriminate access. That is, it skips over any of the safeguards that should normally be applied to access to data. For that reason, it violates EU law.
So is it all good news?
The judgments are welcome, both for their application of EU law to these national security contexts, and because of their condemnation of preventative, general and indiscriminate retention or collection of communications data.
The judgments establish a new approach to data retention (and collection) in national security contexts. However, exceptions are introduced for retention where there is a serious threat to national security that is genuine and present or foreseeable, so long as retention in that context is temporary. The French and Belgian judgment also sets different standards for some types of data, like IP addresses and subscriber data.
New safeguards are enumerated for the real-time analysis or collection of communications data.
We will have to wait for the cases to return to their national level courts to see how all of these new standards play out in practice.
How did we get here? Why were these three cases examined together?
The Court of Justice of the European Union – referred to for brevity as CJEU – is the highest judicial authority of the EU which rules on member states’ compliance with EU treaties. All CJEU rulings are binding on EU member states and their domestic courts.
On 6th October 2020, the CJEU issued two separate judgments in three separate cases, one for the UK (Privacy International) case and a joint one for the French (La Quadrature du Net and Others) and Belgian (Ordre des barreaux francophones et germanophone and Others) cases.
Each of these cases was referred to the CJEU from their respective national courts. For instance, in the UK case, it was the Investigatory Powers Tribunal (IPT), the British judicial body that hears complaints about surveillance practices, that referred the case to the CJEU.
As the three cases raised similar questions in relation to the bulk data retention or collection regimes in each of these countries, the CJEU decided to examine them together, and held a joint hearing in 2019. While all three cases cover similar issues, the facts differ enough to have led the CJEU to issue two separate but closely linked judgments.
Ok, so what happens next?
As said above, the EU Court heard the UK, French and Belgian cases based on respective requests (known as ‘referrals’) made by each country’s national courts to the CJEU to rule on a matter of the application and interpretation of EU law. For instance, in the UK case, it was the IPT that referred the case to the CJEU.
Now that the CJEU has decided on the application of EU law in relation to bulk data retention and collection, the cases will be sent back to the national courts for a final decision. The UK case will go back to the IPT and similarly, the French case will return to the French highest administrative court (the Conseil d’État) that had referred the French case. In turn, the Belgian case will be sent back to Belgium’s Constitutional Court.
The national courts’ decisions will be guided by the CJEU’s findings.
Nice. How can I help?
Having strong laws and technology which protect privacy is incredibly important, but the most important thing is that people are aware of the issues and are able to influence powerful companies and governments. You can read more about the case, how such surveillance works, and some of the issues it raises here.
To keep up to date on the case and all our work, you can sign up to Privacy International’s mailing list here – don’t worry, you can choose the topics you are most interested in… and PI takes proper care of your data!
As PI is a charity with limited funds, any support you can give them through a donation would be most appreciated – you can do so here.
To reiterate however, to really ensure that we don’t sleepwalk into a world of ubiquitous state and corporate surveillance, it is essential that people put pressure on governments and corporations – so if there’s one thing you can do, it’s make your voice heard!
This article was first published by Privacy International here.