'General and indiscriminate' data retention laws prohibited, rules EU court

Out-Law News | 21 Dec 2016 | 3:08 pm | 4 min. read

The UK government is under pressure to change newly-enacted surveillance laws in light of an EU court ruling.

On Wednesday morning, the Court of Justice of the EU (CJEU) set out how national laws on the retention of electronic communications data and on access to that data by national authorities should be framed to comply with EU law, following requests for clarity by courts in the UK and Sweden.

The CJEU said EU law precludes EU countries from passing a law that "provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication" in order to help fight crime.

It also said that EU law does permit national law makers to, "as a preventive measure", require traffic and location data to be retained on a targeted basis, but only where the objective of the data retention rules is to fight "serious crime".

Limits must be set out "with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, to what is strictly necessary", it ruled.

"If it is to be ensured that data retention is limited to what is strictly necessary … the retention of data must continue nonetheless to meet objective criteria, that establish a connection between the data to be retained and the objective pursued," the CJEU said. "In particular, such conditions must be shown to be such as actually to circumscribe, in practice, the extent of that measure and, thus, the public affected."

National laws developed in this context must also specify a "prior review" process to allow a court or other "independent administrative authority" to evaluate authorities' requests for data to be retained, the CJEU said. The 'prior review' process should apply "except in cases of validly established urgency", it said.

In addition, it said providers of electronic communications services must "guarantee a particularly high level of protection and security" for the data they are required to retain "by means of appropriate technical and organisational measures". This means that national legislation must, at the very least, require data to be irreversibly destroyed at the end of the data retention period and for the data to be stored within the EU, the CJEU said.

The ruling could result in the government justifying data collection for reasons related to national security rather than to combat serious crime as covered by the ruling. Data protection law expert Kristina Holt of Pinsent Masons, the law firm behind Out-Law.com, said that this could mean that the number of agencies allowed to access the collected data would be reduced to just a handful.

Civil liberty groups said the CJEU's ruling will require the UK government to make amendments to its Investigatory Powers Act, which was only recently enacted.

Martha Spurrier, director of human rights campaign group Liberty, said: "Today’s judgment upholds the rights of ordinary British people not to have their personal lives spied on without good reason or an independent warrant. The government must now make urgent changes to the Investigatory Powers Act to comply with this."

The Investigatory Powers Act gives UK authorities, such as intelligence agencies and law enforcement bodies, powers to enlist the help of telecoms companies in tackling serious crime and protecting the UK's economic interests, among other priorities listed in the legislation.

Under the Act, telecoms companies can be required to retain and disclose data, intercept communications, or assist with equipment interference. UK intelligence agencies also have a qualified right to obtain personal datasets in bulk for national security reasons under warrants that would be issued by UK ministers. A range of other privacy safeguards, including a special privacy clause, and oversight mechanisms, are built in to the new legislation.

New regulations have been made by the government to bring many of the provisions of the Investigatory Powers Act into force on 30 December. Those provisions are set to replace laws set out in the Data Retention and Investigatory Powers Act (DRIPA) which expires on 31 December.

DRIPA was introduced into UK law in 2014 after being fast-tracked through the UK parliament. The UK government at the time pressed for DRIPA to be passed into law after another judgment of the CJEU invalidated the EU's Data Retention Directive, and the national legislation which implemented the Directive in the UK and other EU countries.

However, a legal challenge against DRIPA by two UK MPs, was launched shortly after the new legislation came into force, with concerns raised that the faults with the Data Retention Directive had been repeated in DRIPA and that the Act infringed privacy rights.

In July last year the High Court in London ruled that DRIPA was incompatible with human rights legislation but that decision was appealed by the UK government to the Court of Appeal. The Court of Appeal asked the CJEU to help it determine whether DRIPA is compatible with EU law and the requirements set out in the EU court's previous ruling on the Data Retention Directive.

A Home Office spokesperson said the government is "disappointed with the judgment" and that it "will be considering its potential implications".

The spokesperson said: “It will now be for the Court of Appeal to determine the case. The government will be putting forward robust arguments to the Court of Appeal about the strength of our existing regime for communications data retention and access. Given the importance of communications data to preventing and detecting crime, we will ensure plans are in place so that the police and other public authorities can continue to acquire such data in a way that is consistent with EU law and our obligation to protect the public."

The Court of Appeal is not expected to rule until after the new year. The government said it will not make any changes to UK law until the Court of Appeal decides how the CJEU ruling should be applied.

"Although we have contingency plans in place, should changes be required to our regime these would need to be implemented in a way that created a sensible and sustainable long-term solution and without harming important operations or putting lives at risk," the government said. "This would take time which we hope the Court of Appeal would give us."