EU: Mass, suspicionless surveillance regimes are illegal, court confirms

On 6 October 2020, the Court of Justice of the EU (CJEU) ruled in two separate cases (concerning the UK, and France and Belgium) that mass surveillance by national security agencies - here, the mass retention and collection of telecommunications data - is not in line with EU law, and that only certain types of limited data retention schemes with adequate safeguards are permissible.


As summarised by Privacy International, who brought the case concerning the UK, the key points are as follows:

  1. EU law applies every time a national government forces telecommunications providers to process data, including when it is done for the purposes of national security.
  2. EU law sets out privacy safeguards regarding the collection and retention of data by national governments, which countries such as the UK, France and Belgium must follow.
  3. The cases will now return to each individual country’s courts for implementation of the judgment.

PI provide a more detailed overview of the issues at stake in the cases here.

The UK case concerned bulk data collection by the security agencies. As PI put it: "Telecommunications companies could be compelled to deliver bulk communications data to directly to the UK intelligence agencies. That means the UK intelligence agencies would retain the data themselves."

The French and Belgian cases concerned data retention schemes, whereby telecoms service providers are required to retain metadata on their customers' activities (such as who they called and when) in case it is subsequently required by state agencies.

The cases in question were referred to the EU by national courts, in order to obtain the CJEU's opinion on whether and how EU law should be applied.

As the CJEU put it, in its press release on the three cases:

"The Court of Justice confirms that EU law precludes national legislation requiring a provider of electronic communications services to carry out the general and indiscriminate transmission or retention of traffic data and location data for the purpose of combating crime in general or of safeguarding national security."

While the member states argued before the court that EU law should not apply to the surveillance regimes in place, the court felt otherwise, as explained in its press release:

"...national legislation requiring providers of electronic communications services to retain traffic data and location data or to forward that data to the national security and intelligence authorities for that purpose falls within the scope of [the EU Directive on privacy and electronic communications]."

Furthermore, the Directive on privacy and electronic communications:

"...does not authorise the Member States to adopt, inter alia for the purposes of national security, legislative measures intended to restrict the scope of rights and obligations provided for in that directive, in particular the obligation to ensure the confidentiality of communications and traffic data, unless such measures comply with the general principles of EU law, including the principle of proportionality, and the fundamental rights guaranteed by the Charter."

Neither the UK's bulk data collection regime, nor France's and Belgium's bulk data retention schemes, are in line with the requirements of the 2002 Directive or general EU law, ruled the court. Overall, the three surveillance schemes:

"...constitute particularly serious interferences with the fundamental rights guaranteed by the Charter, where there is no link between the conduct of the persons whose data is affected and the objective pursued by the legislation at issue."

The court did not entirely rule out mass surveillance of the type currently taking place. In the face of a "serious threat to national security that proves to be genuine and present or foreseeable," the state may make an order "order requiring providers of electronic communications services to retain, generally and indiscriminately, traffic data and location data."

However, even mass surveillance conducted in extremis must be subject to safeguards: it must be limited in time and subject to review by a court or independent administrative body.

While generalised, mass, suspicionless surveillance is ruled out, states may also introduce measures for:

"...the targeted retention, limited in time to what is strictly necessary, of traffic and location data, which is limited, on the basis of objective and non-discriminatory factors, according to the categories of persons concerned or using a geographical criterion."

Equally, the "general and indiscriminate retention of IP addresses" is still permitted, as is the "real-time collection" (i.e. interception) of traffic and location data on a limited number of persons believed to be engaged in terrorism. Furthermore, the court permits:

"...the expedited retention of data available to service providers, where situations arise in which it becomes necessary to retain that data beyond statutory data retention periods in order to shed light on serious criminal offences or attacks on national security, where such offences or attacks have already been established or where their existence may reasonably be suspected."

In summary, it might be said that the state's surveillance menu is still rather extensive - but the buffet has been discontinued. How the national courts will now apply the CJEU's ruling in the individual cases in Belgium, France and the UK, remains to be seen.

Documentation and coverage

Judgments

CJEU press release

Coverage

Find out more about surveillance in Europe in the Statewatch database

 

Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error