Court Decision on European Mass Surveillance and the Consequences for Brexit

Grafitti of a surveillance camera on a concrete wall with the text 'for your safety & our curiosity'.
Photo taken by Etienne Girardet.

As a member of the European Union, member states are obliged to abide by some of the strictest privacy laws in the world. The General Data Protection Regulation (GDPR) is the most well-known of these, but there are others. The ePrivacy Directive gives protections to EU citizens through preventing or restricting online communications, and then there are general privacy provisions within The European Convention of Human Rights and The Charter of Fundamental Rights of the European Union. All these laws help to give EU citizens the right to a private personal life.

Throughout the current and historical privacy laws, a consistent theme has been the use of ‘necessity’, ‘proportionality’ and ‘data retention’ provisions.

  • Necessity means that any data processing that is performed should be strictly necessary to achieve the intended purpose, e.g. collecting and processing someone’s political affiliations is not necessary to deliver an item that someone has ordered online; therefore, this would be prohibited.
  • Proportionality relates to balancing a citizen’s rights against the need to perform processing. If data processing infringes on someone’s right to privacy or any other right (as may be the case if a government is investigating someone for a crime), the scope of the investigation should be proportionate to the nature of the crime, i.e. the government must balance their need to maintain law and order vs. the rights of their citizens. It would not be proportionate to extensively spy on a citizen if they are suspected of going slightly over the speed limit in their vehicle.
  • Data retention provisions relate to not storing personal data for longer than it is needed. Companies are legally obliged to keep records of their past employees for things such as tax purposes, e.g. in the UK, you are required to keep these records for 6 years after the employee has left, after which the records must be deleted

These privacy laws apply to both legal entities (alive citizens and companies) and to the national governments. Although the privacy laws apply to both, there are limited exemptions for governments. Governments are allowed some discrepancy with regards to maintaining national security. It is this area which the Court of Justice of the European Union (CJEU) ruled on this week.

As technology has developed and people have put their entire lives in the online world, governments have seized this opportunity to perform mass surveillance and snooping on both their own and foreign citizens. The most prominent revelation was by Edward Snowden in 2013 who leaked to the world the unfiltered and invasive access that the US and UK governments had to citizens’ private lives. If you are interested in refreshing yourself on this topic, read Tacita’s article: ‘A Timeline of US Mass Surveillance, International Privacy Agreements, and a Disgruntled Austrian’.

Today, UK, French and Belgian national governments all use some form of mass surveillance. In the UK this is called ‘The Investigatory Powers Bill’, colloquially known as the ‘Snoopers’ Charter’. This bill, amongst other things, allows the UK intelligence agencies and law enforcement to: carry out bulk collection of communications data; bulk interception of communication data; it forces communication service providers to store website browsing history of users for one year; gives polices forces some ability to spy without the need for a warrant; and requires these communication service providers to assist with removing encryption. This bill can give government employees access to all forms of messages (email, instant messages, text messages, etc.), private photos, location data, history of internet searches, and history of website visits of any person in the UK. An important point to note is that this spying is untargeted; the UK government agencies intercept messages/communications regardless or not if a person is suspected of committing a crime.

In recent years, privacy groups have taken claims to EU courts arguing that the mass surveillance by UK, French and Belgian governments is illegal. The privacy groups argue that the spying is not necessary or proportionate for the purposes of maintaining national security and that by keeping this mass surveillance data for indefinite periods it is against the data retention principles of many European privacy laws. The UK, French and Belgian government have put forward the argument that as this data processing relates to national security, it is outside the scope of European laws.

The CJEU refuted the claims that mass surveillance is outside their jurisdiction and issued a ruling on the 6th October 2020. The courts found that the indiscriminate nature of the surveillance and the storage of said data for indefinite periods is unlawful. The courts conceded that mass surveillance can be necessary if and when a credible, serious threat to national security arises. This result is likely to curb the powers of the spying agencies in their respective countries.

An interesting consequence of this ruling is the result that it may have on the UK post-Brexit. The UK transitional period ends in December of 2020. Currently the UK and the EU are negotiating various international agreements, one of which is how personal data transfers will work post-Brexit.

Currently, the UK and EU can freely transfer personal data between each other with only minor restrictions. This is because both share the same privacy laws. The ideal situation for the UK would be if the EU gave the UK an adequacy decision. An adequacy decision can be thought of as a stamp of approval from the EU, stating that a countries privacy laws are on par with those within the EU. An adequacy decision would allow the continual, uninterrupted flow of data for businesses between the UK and EU.

The court ruling last week is a message from the EU courts to the UK government. It states that an adequacy decision is not guaranteed and that attempts to deviate from strict European privacy laws will not be well received. This is a similar message to the one that the USA received from the EU back in July. If the UK fails to receive an adequacy decision, it will not bring the UK or EU economies to a grinding halt, but it will cause a very significant amount of bureaucracy for many organisations.

About Us: Tacita are GDPR compliance experts. Tacita help clients achieve and maintain GDPR compliance. Get in touch to explore our range of GDPR services including the Tacita GDPR Audit, GDPR Consultant Service and the GDPR Toolkit.

Share this article: