Top Euro court tells cops, spies that yelling ‘national security’ isn’t enough to force ISPs to hand over massive piles of people’s private data

Analysis In a massive win for privacy rights, a preliminary ruling from the European Court of Justice (ECJ), formally an opinion from its Advocate General, has made clear that national security concerns do not override citizens’ data privacy. ISPs therefore should not be forced to hand over personal information without clear justification.

That doesn’t mean that the intelligence and security services cannot oblige communications companies to hand over information, especially when it comes to terrorism suspects. But it does mean that such requests will need to be made “on an exceptional and temporary basis,” as opposed to sustained blanket harvesting of information, and only when justified by “overriding considerations relating to threats to public security or national security.”

In other words, a US-style hoovering up of personal data is not legal under European law.

The decision this week is not currently binding – the full court has yet to decide – though in roughly 80 per cent of cases the court sides with the preliminary ruling put forward by its Advocate General, in this case Campos Sánchez-Bordona.

The ruling could also have significant implications for the UK, which has passed a law giving the security services extraordinary reach and powers. That law is in legal limbo because of the ongoing Brexit plans to leave the European Union.

If this week’s ruling is adopted by the full court, the UK will still be able to retain its current laws once it has left the EU, though it would almost certainly face legal challenges and would have a hard time reaching an agreement with Europe over data-sharing – something that could have enormous security and economic implications.

The ruling itself was sparked by a legal challenge from Privacy International against the UK’s Investigatory Powers Act (IPA), heard alongside a separate challenge to a French data retention law.

In essence, the issue was whether national governments can oblige private parties – in this case, mostly ISPs – to hand over personal details by simply saying there were national security issues at hand.

The ruling says no, they cannot: the European Directive on privacy and electronic communications continues to apply, and is not superseded by security claims. The directive does not, however, cover activities that public authorities carry out themselves, without conscripting private companies to do the work for them.

Key part

This is the key part of the ruling: “The provisions of the directive will not apply to activities which are intended to safeguard national security and are undertaken by the public authorities themselves, without requiring the cooperation of private individuals and, therefore, without imposing on them obligations in the management of business” (UK Case C-623/17, paragraph 34/79).

That is explained in slightly more accessible language in an ECJ press release [PDF] issued today. It says that: “When the cooperation of private parties, on whom certain obligations are imposed, is required, even when that is on grounds of national security, that brings those activities into an area governed by EU law: the protection of privacy enforceable against those private actors.”

Privacy International also has its own explanation of the ruling. It is, unsurprisingly, happy about things, with its legal director Caroline Wilson Palow saying that the opinion “is a win for privacy.”

“We all benefit when robust rights schemes, like the EU Charter of Fundamental Rights, are applied and followed,” she said. “If the Court agrees with the AG’s opinion, then unlawful bulk surveillance schemes, including one operated by the UK, will be reined in.”

The decision follows a long-running battle between the authorities, who claim that EU data privacy law doesn’t apply to national security – in large part because they want unfettered access to data sources to assist in investigations – and privacy advocates concerned about Europe creating an American-style mass surveillance system.

Privacy advocates have won the argument in this preliminary ruling. It’s worth noting that the ECJ has repeatedly come down on the side of individual rights over governmental assertions when it comes to digital data, so this ruling is likely to become legally binding when the full court considers it.

The upshot is that the French law – which requires phone companies and ISPs to store and provide a wealth of data on all their customers, including location – will almost certainly have to be rewritten.


The ruling does acknowledge the legitimate concerns behind the law, noting that it came “against a background of serious and persistent threats to national security, in particular the terrorist threat.” But it said the data storing is “general and indiscriminate, and therefore is a particularly serious interference in the fundamental rights enshrined in the Charter.”

It goes on: “The fight against terrorism must not be considered solely in terms of practical effectiveness, but in terms of legal effectiveness, so that its means and methods should be compatible with the requirements of the rule of law.”

Any new law aimed at retaining location and other data will have to ensure that access to it is “carried out in accordance with established procedures for accessing legitimately retained personal data” and is “subject to the same safeguards.”

Thanks to Brexit, the UK situation is more complicated. The UK, in theory at least, will be able to make its own laws – even if those amount to state surveillance of all citizens. So while the IPA breaks European law according to this preliminary ruling, the UK could in theory retain it.

But, as with so many other things around Brexit, the truth is that the UK cannot exist in the modern world as its own digital island and so will have to reach some kind of agreement with Europe, or face the risk of being cut off from the continent when it comes to sharing data.

Despite the entire case being largely about the controversial UK law, the issue of Brexit makes it much more complicated and so the preliminary ruling concludes that the ECJ should respond “in the following terms.”

“Article 4 TEU and Article 1(3) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) should be interpreted as precluding national legislation which imposes an obligation on providers of electronic communications networks to provide the security and intelligence agencies of a Member State with ‘bulk communications data’ which entails the prior general and indiscriminate collection of that data.”

In other words, the law is a disgrace but, hey, you seem to want to go your own way so have at it. ®

via The Register – Security

January 16, 2020 at 01:12AM
