The Court of Justice of the EU has ruled that states do not have the right to require their operators to “transmit or keep undifferentiated” connection data on their subscribers. The CJEU nevertheless admits some exceptions to this principle, as in the fight against terrorism, but these measures must now be limited in time or replaced by targeted collection.
The European Court of Justice has decided to limit the power of member states in matters of mass surveillance. The supreme body therefore now prohibits France, for example, from forcing its operators and ISPs (Orange, SFR, Bouygues and Free / Free Mobile) to collect and keep data such as location or metadata in the name of the fight against crime or national security. The practice is nevertheless common in several European countries, including France.
The CJEU’s decision mainly targets the “widespread and massive” use of this type of collection in the absence of a “serious threat”. The case was brought before the court by several associations for the defense of Internet users, including La Quadrature du Net and Privacy International. Since a Tele2 judgment in 2016 (which had first ruled against mass surveillance) and the practices of member states thereafter (which continued to do so), the subject had lacked clarification.
Europe bans states from massive and widespread data collection
This is especially so since the EU Treaty provides that national security “remains the sole responsibility of each member state”. However, as our colleagues from La Tribune point out, this same provision is contradicted by the European directive of 2002 “Privacy and electronic communications”. The text provides that any exemption allowing mass collection cannot become the rule. While ruling once again against mass collection, the CJEU still provides for some exceptions.
In its judgment, the CJEU indeed admits that states can carry out such collection in the event of a “serious threat to national security”. But first the threat must be “actual and current or foreseeable” and the collection validated by parliamentarians. If it is generalized and undifferentiated, this collection must be “temporally limited to what is strictly necessary”. States can also, however, carry out more targeted collection aimed at “persons in respect of whom there is a valid reason to suspect that they are involved in terrorist activities”.
This collection can also take place within the framework of the fight against serious crime and the prevention of threats to public security. However, “such interference with fundamental rights must be accompanied by effective guarantees and supervised by a judge or an independent administrative authority”. National judges are also now ordered to no longer rely on evidence obtained from “generalized and undifferentiated data retention” that contravenes this new case law.
Britain collateral victim
Yet there should be other major consequences. As the Financial Times points out, the CJEU ruling should further reduce the UK’s chances of signing an intelligence-sharing treaty with the European Union. The British government is calling for data sharing to continue after leaving the Union without imposing new safeguards. The problem is that the law in the United Kingdom provides for the massive collection and retention of connection data.
This now directly contravenes the rules in force on the continent. More generally, Brussels will now have to decide with which states Europe can share data – for example in the context of the fight against terrorism. For this, the institutions will assess more harshly the practices of third countries in terms of privacy and personal data, comparing them with their own. Only states with the same type of protection will be able to share their data with the EU without the need to put in place protection mechanisms.
For now, negotiations between Great Britain and Brussels on an exit agreement from the EU are progressing very slowly, to the point that the prospect of an exit from Great Britain without an agreement on January 1, 2020 seems more and more likely. The main risk of an exit without agreement – on this point alone – is the cost for businesses that depend on data transfers between Europe and Britain. In particular, the Financial Times believes that businesses on the continent could be discouraged from investing in the UK by very expensive legal audits that are essential to the continuation of their activities.