The Advocate General for the Court of Justice of the European Union (CJEU), Campos Sánchez-Bordona, has today issued a landmark legal “opinion” that could effectively limit the ability of national security agencies (e.g. GCHQ) to force internet providers (e.g. broadband ISPs) into the bulk retention of personal customer data.
At present, laws like the controversial 2016 UK Investigatory Powers Act force ISPs into logging the Internet Connection Records (ICR) of all their customers for up to 12 months (e.g. the IP addresses of the servers you’ve visited and when). These records can be accessed without a warrant, and the logging occurs regardless of whether or not you’re suspected of a crime (note: obtaining the content of a communication still requires a warrant).
However, in recent years the CJEU has maintained a consistent line of case‑law on the retention of and access to personal data, which has tended to protect the individual’s right to privacy. Naturally the authorities in some Member States, such as the UK, are concerned by these judgements because, in their view, “the result is to deprive them of an instrument which they consider essential to the safeguarding of national security and countering terrorism.”
Recently Campos Sánchez-Bordona was asked to give his legal opinion on several related cases and today’s outcome could create problems for the UK Government. Admittedly such opinions are non-binding, although they do tend to be upheld in the vast majority of cases that ultimately go to full court.
Campos Sánchez-Bordona said:
I recommend that the Court of Justice should reply to the Investigatory Powers Tribunal (United Kingdom) in the following terms:
Article 4 TEU and Article 1(3) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) should be interpreted as precluding national legislation which imposes an obligation on providers of electronic communications networks to provide the security and intelligence agencies of a Member State with ‘bulk communications data’ which entails the prior general and indiscriminate collection of that data.
In a related press release the Advocate General further clarified that national courts could only permit their security agencies to force telecoms providers to retain personal data “on an exceptional and temporary basis, even where that legislation is incompatible with EU law, if maintaining those effects is justified by overriding considerations relating to threats to public security or national security that cannot be addressed by other means or other alternatives, but only for as long as is strictly necessary to correct the incompatibility with EU law.”
At this point it’s worth remembering that the UK is in the process of leaving the EU (Brexit), although the above could still create complications for that process. During the transition period our Government will need to negotiate an “adequacy” agreement for data protection standards (supporting exchanges of personal data between the EU and UK) and such things are easier when the rules are in close alignment. In this case, though, the EU could end up having stricter rules and that could throw up some obstacles, as well as legal challenges by privacy campaigners.