Top Euro court advised: Cops, spies yelling 'national security' isn’t enough to force ISPs to hand over massive piles of people's private data

Analysis In a massive win for privacy rights, the advocate general advising the European Court of Justice (ECJ) has said that national security concerns should not override citizens’ data privacy. Thus, ISPs should not be forced to hand over personal information without clear justification.

That doesn't mean that the intelligence and security services should not oblige communications companies to hand over information, especially when it comes to terrorism suspects, the opinion, handed down yesterday, proposes. But it would mean that those requests will need to be done “on an exceptional and temporary basis,” as opposed to sustained blanket harvesting of information – and only when justified by “overriding considerations relating to threats to public security or national security.”

In other words, a US-style hoovering up of personal data is not legal under European law.

The legal argument being made by the AG is technically advisory - the ECJ has yet to decide - though in roughly 80 per cent of cases it does side with the preliminary opinion put forward by its Advocate General, in this case Manuel Campos Sánchez-Bordona.

If the ECJ agrees, it could also have significant implications for the UK which has passed a law that gives the security services extraordinary reach and powers – which is in a legal limbo due to the ongoing Brexit plans to leave the European Union.

If this proposed legal solution is adopted by the court, the UK will be able to retain its current laws, though it would almost certainly face legal challenges and would have a hard time reaching an agreement with Europe over data-sharing – something that could have enormous security and economic implications.

The case itself was sparked by a legal challenge from Privacy International against the UK’s Investigatory Powers Act (IPA) as well as a French data retention law.

In essence, the issue was whether national governments can oblige private parties - in this case, mostly ISPs - to hand over personal details by simply saying there were national security issues at hand.

The AG opines that no, it cannot: the European Directive on privacy and electronic communications continues to apply, and is not superseded by security claims. It does not apply to public bodies who are obliged to do what the government says.

Key part

This is the key part of the legal argument: “The provisions of the directive will not apply to activities which are intended to safeguard national security and are undertaken by the public authorities themselves, without requiring the cooperation of private individuals and, therefore, without imposing on them obligations in the management of business” (UK Case C-623/17, paragraph 34/79).”

That is explained in slightly more accessible language in a ECJ press release [PDF] today. It says that: “When the cooperation of private parties, on whom certain obligations are imposed, is required, even when that is on grounds of national security, that brings those activities into an area governed by EU law: the protection of privacy enforceable against those private actors.”

Privacy International also has its own explanation of the opinion. It is, unsurprisingly, happy about things, with its legal director Caroline Wilson Palow saying that it "is a win for privacy."

"We all benefit when robust rights schemes, like the EU Charter of Fundamental Rights, are applied and followed," she said. "If the Court agrees with the AG’s opinion, then unlawful bulk surveillance schemes, including one operated by the UK, will be reined in."

The newly issued opinion follows a long-running battle between the authorities who claims that EU data privacy law doesn’t apply to national security - in large part because they want unfettered access to data sources to assist in investigations - and privacy advocates concerned about Europe creating an American mass surveillance system.

Privacy advocates have won the argument in this document. It’s worth noting that the ECJ has repeatedly come down on the side of individual rights over governmental assertions when it comes to digital data, so this opinion is likely to become legally binding when the full court considers it.

The upshot is that the French law - which requires phone companies and ISPs to store and provide a wealth of data on all their customers, including location - will almost certainly have to be rewritten.

Interference

The AG does acknowledge the legitimate concerns behind the law, noting that it came “against a background of serious and persistent threats to national security, in particular the terrorist threat.” But it said the data storing is “general and indiscriminate, and therefore is a particularly serious interference in the fundamental rights enshrined in the Charter.”

Advocate General Campos Sánchez-Bordona goes on: “The fight against terrorism must not be considered solely in terms of practical effectiveness, but in terms of legal effectiveness, so that its means and methods should be compatible with the requirements of the rule of law.”

Any new law aimed at keeping location and other data will have to be “carried out in accordance with established procedures for accessing legitimately retained personal data and are subject to the same safeguards.”

Thanks to Brexit, the UK situation is more complicated. The UK, in theory at least, will be able to make its own laws - even if those amount to state surveillance of all citizens. So while the IPA breaks European law, according to this preliminary ruling, the UK could in theory retain it.

But, as with so many other things around Brexit, the truth is that the UK cannot exist in the modern world as its own digital island and so will have to reach some kind of agreement with Europe, or face the risk of being cut off from the continent when it comes to sharing data.

Despite the entire case being largely about the controversial UK law, the issue of Brexit makes it much more complicated and so the AG concludes that the ECJ should respond “in the following terms.”

“Article 4 TEU and Article 1(3) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) should be interpreted as precluding national legislation which imposes an obligation on providers of electronic communications networks to provide the security and intelligence agencies of a Member State with ‘bulk communications data’ which entails the prior general and indiscriminate collection of that data.”

In other words, the laws is a disgrace but, hey, you seem to want to go your own way, so have at it. ®