Mass surveillance regimes in the UK, Belgium and France which require bulk collection of digital data for a national security purpose may be at least partially in breach of fundamental privacy rights of European Union citizens, per the opinion of an influential advisor to Europe's top court issued today.
Advocate general Campos Sánchez-Bordona's (non-legally binding) opinion, which pertains to four references to the Court of Justice of the European Union (CJEU), takes the view that EU law covering the privacy of electronic communications applies in principle when providers of digital services are required by national laws to retain subscriber data for national security purposes.
A number of cases related to EU states' surveillance powers and citizens' privacy rights are dealt with in the opinion, including legal challenges brought by rights advocacy group Privacy International to bulk collection powers enshrined in the UK's Investigatory Powers Act; and a La Quadrature du Net (and others') challenge to a 2015 French decree related to specialized intelligence services.
At stake is a now familiar argument: Privacy groups contend that states' bulk data collection and retention regimes have overreached the law, becoming so indiscriminately intrusive as to breach fundamental EU privacy rights -- while states counter-claim they must collect and retain citizens' data in bulk in order to fight national security threats such as terrorism.
Hence, in recent years, we've seen attempts by certain EU Member States to create national frameworks which effectively rubberstamp swingeing surveillance powers -- that then, in turn, invite legal challenge under EU law.
The AG opinion holds with previous case law from the CJEU -- specifically the Tele2 Sverige and Watson judgments -- that "general and indiscriminate retention of all traffic and location data of all subscribers and registered users is disproportionate", as the press release puts it.
Instead the recommendation is for "limited and discriminate retention" -- with also "limited access to that data".
"The Advocate General maintains that the fight against terrorism must not be considered solely in terms of practical effectiveness, but in terms of legal effectiveness, so that its means and methods should be compatible with the requirements of the rule of law, under which power and strength are subject to the limits of the law and, in particular, to a legal order that finds in the defence of fundamental rights the reason and purpose of its existence," runs the PR in a particularly elegant passage summarizing the opinion.
The French legislation is deemed to fail on a number of fronts, including for imposing "general and indiscriminate" data retention obligations, and for failing to include provisions to notify data subjects that their information is being processed by a state authority where such notifications are possible without jeopardizing its action.
Belgian legislation also falls foul of EU law, per the opinion, for imposing a "general and indiscriminate" obligation on digital service providers to retain data -- with the AG also flagging that its objectives are problematically broad ("not only the fight against terrorism and serious crime, but also defence of the territory, public security, the investigation, detection and prosecution of less serious offences").
The UK's bulk surveillance regime is similarly seen by the AG to fail the core "general and indiscriminate collection" test.
There's a slight carve out for national legislation that's incompatible with EU law being, in Sánchez-Bordona's view, permitted to maintain its effects "on an exceptional and temporary basis". But only if such a situation is justified by what is described as "overriding considerations relating to threats to public security or national security that cannot be addressed by other means or other alternatives, but only for as long as is strictly necessary to correct the incompatibility with EU law".
If the court follows the opinion it's possible states might seek to interpret such an exceptional provision as a degree of wiggle room to keep unlawful regimes running further past their legal sell-by-date.
Similarly, there could be questions over what exactly constitutes "limited" and "discriminate" data collection and retention -- which could encourage states to push a 'maximal' interpretation of where the legal line lies.
Nonetheless, privacy advocates are viewing the opinion as a positive sign for the defence of fundamental rights.
In a statement welcoming the opinion, Privacy International dubbed it "a win for privacy". "We all benefit when robust rights schemes, like the EU Charter of Fundamental Rights, are applied and followed," said legal director, Caroline Wilson Palow. "If the Court agrees with the AG's opinion, then unlawful bulk surveillance schemes, including one operated by the UK, will be reined in."
The CJEU will issue its ruling at a later date -- typically between three to six months after an AG opinion.
The opinion comes at a key time given European Commission lawmakers are set to rethink a plan to update the ePrivacy Directive, which deals with the privacy of electronic communications, after Member States failed to reach agreement last year over an earlier proposal for an ePrivacy Regulation -- so the AG's view will likely feed into that process.
This makes the revised e-Privacy Regulation a *huge* national security battleground for the MSes (they will miss the UK fighting for more surveillance) and is v relevant also to the ongoing debates on “bulk”/mass surveillance, and MI5’s latest requests… #ePR
— Ian Brown (@1Br0wn) January 15, 2020
The opinion may also have an impact on other legislative processes -- such as the talks on the EU e-evidence package and negotiations on various international agreements on cross-border access to e-evidence -- according to Luca Tosoni, a research fellow at the Norwegian Research Center for Computers and Law at the University of Oslo.
"It is worth noting that, under Article 4(2) of the Treaty on the European Union, “national security remains the sole responsibility of each Member State”. Yet, the advocate general’s opinion suggests that this provision does not exclude that EU data protection rules may have direct implications for national security," Tosoni also pointed out.
"Should the Court decide to follow the opinion... 'metadata' such as traffic and location data will remain subject to a high level of protection in the European Union, even when they are accessed for national security purposes. This would require several Member States -- including Belgium, France, the UK and others -- to amend their domestic legislation."