Wait - how do intelligence agencies come by this mass data in the first place?
Whether it’s your local supermarket, your phone service provider or a ride-hailing app, these days companies hold huge amounts of data about you. EU law requires governments to protect your privacy. Among other obligations, companies are asked to keep the length of time data is stored to a strict legal minimum. That’s a wise protection, because the longer data is kept, the more likely it is that it can be abused, lost, stolen, shared, used to profile and even track you. But even though this is EU law, some governments have (unwisely) forced companies to keep hold of your data for much longer. This is called mandatory data retention.
When such data retention is general and indiscriminate, it means that sensitive data will be kept, even though you’re not suspected of any crime. Basically, it’s a form of mass surveillance. Like other mass surveillance, this means we’re all treated as suspects. In a democracy, the principle is meant to be ‘no suspicion, no surveillance’. The police and other state bodies already have massive powers. General and indiscriminate data retention is a step too far, and a disproportionate threat to our privacy.
General and indiscriminate data retention was at issue in the French and Belgian cases.
The UK case concerned another form of surveillance - general and indiscriminate data collection. Telecommunications companies could be compelled to deliver bulk communications data directly to the UK intelligence agencies. That means the UK intelligence agencies would retain the data themselves.
So what does general and indiscriminate data retention, or data collection, have to do with privacy?
Retention: General and indiscriminate data retention threatens your privacy in several ways. It overrides other EU privacy laws that are meant to minimise how long your data is kept by companies. When data is retained for longer than is necessary, it can be abused, lost, stolen, shared, used to profile and even track you. And when that retention is general and indiscriminate, it means the government does not necessarily even have a good reason to force companies to keep the data. Instead, it’s asking them to keep all of it just in case.
Retention of this data also means that governments will have easier access to it. If that access is not governed by robust safeguards, it can lead to serious privacy interferences.
Collection: General and indiscriminate data collection violates privacy by allowing a government to directly collect all data from a company. This is a significant intrusion, as noted above, because communications data can be so revealing of our personal lives. The CJEU has found that general and indiscriminate collection, as was occurring in the UK, is the same as general and indiscriminate access. That is, it skips over any of the safeguards that should normally be applied to access to data. For that reason, it violates EU law.
So is it all good news?
The judgments are welcome, both for their application of EU law to these national security contexts, and because of their condemnation of preventative, general and indiscriminate retention or collection of communications data.
The judgments establish a new approach to data retention (and collection) in national security contexts. However, exceptions are introduced for retention where there is a serious threat to national security that is genuine and present or foreseeable, so long as retention in that context is temporary. The French and Belgian judgment also sets different standards for some types of data, like IP addresses and subscriber data.
New safeguards are enumerated for the real-time analysis or collection of communications data.
We will have to wait for the cases to return to their national level courts to see how all of these new standards play out in practice.
How did we get here? Why were these three cases examined together?
The Court of Justice of the European Union - referred to for brevity as CJEU - is the highest judicial authority of the EU, which rules on member states’ compliance with EU treaties. All CJEU rulings are binding on EU member states and their domestic courts. On 6th October 2020, the CJEU issued two separate judgments in three separate cases, one for the UK (Privacy International) case and a joint one for the French (La Quadrature du Net and Others) and Belgian (Ordre des barreaux francophones and germanophone and Others) cases.
Each of these cases was referred to the CJEU from their respective national courts. For instance, in the UK case, it was the Investigatory Powers Tribunal (IPT), the British judicial body that hears complaints about surveillance practices, that referred the case to the CJEU.
As the three cases raised similar questions in relation to the bulk data retention or collection regimes in each of these countries, the CJEU decided to examine them together, and held a joint hearing in 2019. While all three cases cover similar issues, the facts differ enough to have led the CJEU to issue two separate but closely linked judgments.
Ok, so what happens next?
As said above, the EU Court heard the UK, French and Belgian cases based on respective requests (known as ‘referrals’) made by each country’s national courts to the CJEU to rule on a matter of the application and interpretation of EU law. For instance, in the UK case, it was the IPT that referred the case to the CJEU. Now that the CJEU has decided on the application of EU law in relation to bulk data retention and collection, the cases will be sent back to the national courts for a final decision. The UK case will go back to the IPT and, similarly, the French case will return to France’s highest administrative court (the Conseil d’État), which had referred the French case. In turn, the Belgian case will be sent back to Belgium’s Constitutional Court.
The national courts’ decisions will be guided by the CJEU’s findings.
Nice. How can I help?
Having strong laws and technology which protect privacy is incredibly important, but the most important thing is that people are aware of the issues and are able to influence powerful companies and governments. You can read more about the case, how such surveillance works, and some of the issues it raises here.
To keep up to date on the case and all our work, you can sign up to our mailing list here - don’t worry, you can choose the topics you are most interested in… and we take proper care of your data!
As we are a charity with limited funds, any support you can give us through a donation would be most appreciated - you can do so here.
To reiterate however, to really ensure that we don’t sleepwalk into a world of ubiquitous state and corporate surveillance, it is essential that people put pressure on governments and corporations - so if there’s one thing you can do, it’s make your voice heard!