The European Union’s top court dealt a blow to bulk surveillance regimes in member nations, especially the UK, France, and Belgium. In a ruling on Tuesday, the European Court of Justice held that mass surveillance exercises to safeguard national security don’t exempt member states from complying with EU law. The court pronounced two separate but similar and closely linked judgments in three separate cases: one for a UK case and a joint one for a French and Belgian case. The UK case was brought by Privacy International, and the French one was brought by rights bodies La Quadrature du Net, the French Data Network, and the Fédération FDN.

The cases were first filed in their individual countries, and were later referred to the European Court of Justice. In a Q&A published on its website, UK-based digital rights body Privacy International explained that national surveillance laws in the UK, France and elsewhere in Europe “require telecommunications companies and service providers to store large amounts of personal data on an ongoing basis for later collection or other access by security and intelligence agencies (SIAs)”. Privacy International had challenged a provision of the UK’s Investigatory Powers Act, which allows for the bulk acquisition and use of communications data by UK’s security agencies, calling it unlawful.

There is one exception, however: While pronouncing the judgement, the court offered an exception. It said that in situations where a member state faces “serious threat” to national security, it can be derogated from the obligation to ensure data confidentiality, and retain that data for a period that is “strictly necessary”. This decision will be subject to review either by a court or an “independent administrative body” whose decision is binding, the court said. The court did not explain how the “independent administrative body” should be formed.

Data accessed by security agencies: Privacy International explained that communications data includes “traffic data, location data, subscriber data, and any other data surrounding a communication EXCEPT for the actual content of a communication”. Such data can also reveal map searches, visited websites, location information, as well as information about every device connected to a network, the body said. “When collected in aggregate about one or a number of individuals, communications data is potentially no less sensitive than the actual content. This data makes it possible to find out the identity of people with whom a user has communicated and by what means, to identify the time of these communications, and the places from which those communication originated”, Privacy International noted.

The judgement said that accessing and retaining such data is a “particularly serious” interference with privacy.

“Democratic societies must place limits and controls on the surveillance powers of our police and intelligence agencies. While the Police and intelligence agencies play a very important role in keeping us safe, they must do so in line with certain safeguards to prevent abuses of their very considerable power,” said Caroline Wilson Palow, Privacy International’s legal director.

How the case started

Privacy International, in 2015, had challenged the bulk acquisition and use of communications data by UK’s security agencies, under its Investigatory Powers Act, before the Investigatory Powers Tribunal. The rights body had contended that that the UK regime was unlawful under EU law, but the UK government countered that the bulk communications data regime, as it related to national security, was outside the scope of the EU law.

The UK Tribunal referred the case to the European Court of Justice, asking it to decide whether UK security forces accessing bulk communication records falls under EU law, and the kinds of safeguards that should exist around such access.

A separate case in France, filed at the Conseil d’État (France’s highest administrative court) by rights bodies La Quadrature du Net, the French Data Network, and the Fédération FDN, challenged two French intelligence and international surveillance laws of 2015, which it said allows the indiscriminate retention of personal data. Privacy International had intervened in the French case in February 2016, and in July 2018, the French court referred the case to the European Court of Justice, raising similar concerns as the UK case with regard to whether EU law should apply.

The European Court of Justice then decided to hear a joint case from the UK and France, along with another case filed against a 2016 Belgian law on collection and retention of communications data.