Europe's top court has delivered another slap-down to indiscriminate government mass surveillance regimes.
In a ruling today the CJEU has made it clear that national security concerns do not exclude EU Member States from the need to comply with general principles of EU law such as proportionality and respect for fundamental rights to privacy, data protection and freedom of expression.
However the court has also allowed for derogations, saying that a pressing national security threat can justify limited and temporary bulk data collection and retention -- capped to 'what is strictly necessary'.
Threats to public security or the need to combat serious crime may also allow for targeted retention of data, provided it's accompanied by 'effective safeguards' and reviewed by a court or independent authority.
#ECJ: Judgment in cases C-511/18 La Quadrature du Net, C-512/18 French Data Network, C-520/18 Ordre des barreaux francophones et germanophone and C-623/17 Privacy International
— EU Court of Justice (@EUCourtPress) October 6, 2020
The reference to the CJEU joined a number of cases, including legal challenges brought by rights advocacy group Privacy International to bulk collection powers baked into the UK’s Investigatory Powers Act; a La Quadrature du Net (and others’) challenge to a 2015 French decree related to specialized intelligence services; and a challenge to Belgium's 2016 law on collection and retention of comms data.
Civil rights campaigners had been eagerly awaiting today's judgements from the Grand Chamber, following an opinion by an advisor to the court in January which implied certain EU Member States' surveillance regimes were breaching the law.
At the time of writing key complainants had yet to issue a response.
Of course a government agency's definition of how much data collection is 'strictly necessary' in a national security context (or, indeed, what constitutes an 'effective safeguard') may be rather different to the benchmark of civil rights advocacy groups -- so it seems unlikely this ruling will be the last time the CJEU is asked to clarify where the legal limits of mass surveillance lie.
3) For instance it is huge that the Court says that while States have the possibility to order general retention of data in some exceptional cases, this decision “must be subject to effective review by a court or an independent administrative body WHOSE DECISION IS BINDING”...
— Theodore CHRISTAKIS (@TC_IntLaw) October 6, 2020
Additionally, the judgement raises interesting questions over the UK's chances of gaining a data protection adequacy agreement from the European Commission -- as it leaves the EU in 2021 at the end of the Brexit transition process this year -- something it needs for digital data flows from the EU to continue uninterrupted as now.
The problem is the UK's Investigatory Powers Act (IPA) gives government agencies broad powers to intercept and retain digital communications -- but here the CJEU is making it clear that such bulk powers must be the exception, not the statutory rule.
So, again, a battle over definitions could be looming...
This wouldn't be a surprise — it has been done before, and met with judicial approval — but could well be one of the next battlegrounds.
I think it's fair to say it is unlikely that the HO is going to strike out Part 4 IPA (nor, based on this, need it do).
— Neil Brown (@neil_neilzone) October 6, 2020
Questions have also been raised, via a legal challenge to the IPA in the UK, over its security agencies' handling of intercepted data -- with a court being told last year of systematic breaches of safeguards set out in the legislation. Such revelations also do not bode well for 'adequacy'.
Another interesting component of today's CJEU judgement suggests that in EU states with indiscriminate mass surveillance regimes there could be grounds for overturning individual criminal convictions which are based on evidence obtained via such illegal surveillance.
On this, the court writes in a press release: "As EU law currently stands, it is for national law alone to determine the rules relating to the admissibility and assessment, in criminal proceedings against persons suspected of having committed serious criminal offences, of information and evidence obtained by the retention of data in breach of EU law. However, the Court specifies that the directive on privacy and electronic communications, interpreted in the light of the principle of effectiveness, requires national criminal courts to disregard information and evidence obtained by means of the general and indiscriminate retention of traffic and location data in breach of EU law, in the context of such criminal proceedings, where those persons suspected of having committed criminal offences are not in a position to comment effectively on that information and evidence."
Update: Privacy International has now responded to the CJEU judgements, saying the UK, French and Belgian surveillance regimes must be amended to be brought within EU law.
In a statement, legal director Caroline Wilson Palow said: "Today’s judgment reinforces the rule of law in the EU. In these turbulent times, it serves as a reminder that no government should be above the law. Democratic societies must place limits and controls on the surveillance powers of our police and intelligence agencies.
"While the Police and intelligence agencies play a very important role in keeping us safe, they must do so in line with certain safeguards to prevent abuses of their very considerable power. They should focus on providing us with effective, targeted surveillance systems that protect both our security and our fundamental rights."
Hugo Roy, representing Privacy International in the French case, added: “This judgment is a landmark after nearly six years of actions in French courts to restore the right to privacy with respect to our electronic communications. We hope now that the French Conseil d’État will finally apply European human rights law standards to the French State.”