In 2017 rights advocacy organization Privacy International initiated a legal challenge against bulk data retention by European law enforcement agencies. After three years of litigation, just this morning, the Court of Justice of the European Union (CJEU) finally issued a landmark judgement siding with Privacy International in a collection of four cases brought against retention schemes in the UK, France, and Belgium.
In the ruling, the European Court of Justice wrote that current European privacy rights “preclude national legislation requiring providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security.”
Privacy International heralded the ruling as a significant victory for privacy rights and a major blow to security and law enforcement agencies.
“Today's judgment reinforces the rule of law in the EU,” legal director of Privacy International Catherine Wilson Palow wrote in a statement to Motherboard. “In these turbulent times, it serves as a reminder that no government should be above the law. Democratic societies must place limits and controls on the surveillance powers of our police and intelligence agencies.”
Law enforcement and intelligence agencies in both Europe and the United States have long collected and retained metadata from telecommunication providers like Deutsche Telekom, Vodafone, and Verizon in the name of national security. While law enforcement and intelligence agencies often claim that metadata collection is harmless, the reality is that metadata, especially when analyzed in bulk, can reveal intimate details about people’s lives, including their locations, jobs, and behaviors.
Privacy groups have criticised these bulk data retention schemes as unnecessarily intrusive, arguing that security agencies use it out of convenience, rather than necessity. They’ve also questioned how effective it is in the first place. A report released last week by European Digital Rights (EDRi), points to numerous cases in which “data errors, inaccurate interpretations and false positives raise serious questions about the effectiveness of data retention practices,” including a revelation that 10,000 criminal cases in Denmark used flawed telecommunication data as evidence.
States have also abused bulk data retention schemes in the past to target private citizens for political purposes. In Poland, for example, at least ten journalists critical of the far-right Law and Justice Party (PIS) were surveilled using data requested from telecommunications companies. This data was then used to identify the journalists’ sources.
Privacy International’s victory is the latest in a series of legal battles which have sought to reign in the often expansive powers handed over to security and law enforcement agencies. In July, for example, the European Union’s court struck down an EU-US data sharing agreement over privacy concerns. Today’s decision helps to keep that momentum going, says Diego Naranjo, a human rights lawyer and head of policy at EDRi. He also thinks it’s important that the average citizen recognizes what this victory actually means.
“People have to understand what’s at stake here,” Naranjo told Motherboard. “They might think ‘oh what does it matter if somebody knows who I had a phone call with or for how long.’ While it’s true that these individual data points may not be extremely revealing, once you connect the dots between them you can paint an incredibly accurate picture of a person.”
Now that blanket data retention is found to be incompatible with EU regulations, the court requires law enforcement agencies to use alternative and potentially less intrusive methods instead. It’s important to note that data retention hasn’t been banned entirely, but per the court’s ruling they must now be targeted to specific individuals and investigations, and not blanket surveillance of entire populations. Even then, targeted requests should only be used in “serious criminal offences” or exceptional threats to national security, and would require a warrant.
Yet, while some privacy activists may be celebrating the court’s ruling, others point out that there’s also reason for a degree of skepticism. In the past, security and law enforcement agencies have consistently shown that they are perfectly comfortable operating on the edges (or in some cases completely outside the boundaries) of legality.
“There’s much creativity in the national security sector. Only after a new surveillance practice has been detected is it possible to test its legality in the courts. This takes years,” dr. Kristina Irion, a researcher specializing in information law at the University of Amsterdam wrote in an email to Motherboard. “In the case of data retention by law enforcement agencies, it tends to be a jack-in-the-box: every time the lid is closed, it jumps out again.”
Then there’s the question of how stringently any legal decision will be enforced. While the European Commision has been tougher on private companies violating privacy laws like the GDPR, historically it has been more reticent to take action against member states who do the same. There are also fears that member states will attempt to maximally interpret some of the more vague portions of the judgement.
Despite this, giving the courts the regulatory power to challenge member states who allow the use of blanket data retention schemes is a big first step in of itself. In one of the firmest statements in the judgement for example, the court writes that national courts must disregard any evidence obtained by mass data retention.
And, according to Naranjo, it’s a sorely needed moral boost for privacy groups who can at times feel like they’re stuck in an endless game of whack-a-mole with intelligence agencies.
“Of course, agencies and law enforcement are going to try to undermine all the work we do and are doing. But I do think we are making progress. We’re activists, we kind of have to be optimists.”