The European Court of Justice has ruled that it’s illegal for countries to indiscriminately collect electronic communications data, unless they have a really good reason.
The long-running case has been brought, in part, by French digital freedom advocacy group La Quadrature du Net. It was a response to the French practice of getting communications service providers (CSPs) to retain metadata on all their customers, just in case the French authorities should want to see what they’ve been up to at any time.
“The Court of Justice confirms that EU law precludes national legislation requiring a provider of electronic communications services to carry out the general and indiscriminate transmission or retention of traffic data and location data for the purpose of combating crime in general or of safeguarding national security,” opened the ECJ ruling.
There followed, however, a pretty major caveat. “However, in situations where a Member State is facing a serious threat to national security that proves to be genuine and present or foreseeable, that Member State may derogate from the obligation to ensure the confidentiality of data relating to electronic communications by requiring, by way of legislative measures, the general and indiscriminate retention of that data for a period that is limited in time to what is strictly necessary, but which may be extended if the threat persists.”
The net effect seems to be that government agencies will have to ask permission before carrying out mass surveillance of their citizens, but that doesn’t seem like much of a barrier. Just look at the massive erosion of civil liberties still taking place throughout the world in response to a viral pandemic that started months ago, with negligible judicial oversight.
“A first reading suggests that it was a ‘victorious defeat’,” wrote La Quadrature du Net in its initial response. “Although the Court affirms that France can no longer impose this bulk metadata retention obligation, it reveals several important exceptions. This decision is a defeat in the sense that these exceptions reduce the effectiveness of the right to privacy and will inevitably lead to abuses, which we will detail later.”
Caroline Wilson Palow, Legal Director of Privacy International, which also works to safeguard individual rights in the technology world, seemed more upbeat. “Today’s judgment reinforces the rule of law in the EU,” she said. “In these turbulent times, it serves as a reminder that no government should be above the law. Democratic societies must place limits and controls on the surveillance powers of our police and intelligence agencies.
“While the Police and intelligence agencies play a very important role in keeping us safe, they must do so in line with certain safeguards to prevent abuses of their very considerable power. They should focus on providing us with effective, targeted surveillance systems that protect both our security and our fundamental rights.”
While it’s good that this matter is receiving attention, it’s hard to see how data privacy has been significantly tightened by this ruling. It will probably further complicate the ongoing negotiations with the US over data transfer, but how many governments are going to turn down requests made in the name of national security?