Governance , Legislation & Litigation , Privacy

EU Mass Surveillance Alive and Well, Privacy Groups Warn

Campaigners Seek Court Sanctions to End Blanket Communications Data Retention
EU Mass Surveillance Alive and Well, Privacy Groups Warn
Some of the signatories to an open letter calling on the sanctions for companies that mandate blanket retention of communications data.

Privacy rights groups are calling on the Court of Justice of the European Union to clamp down on at least 17 EU governments that require domestic telecommunications firms to store all communications data (see Europe Seeks More Mass Surveillance).

See Also: Webinar | The Future of Adaptive Authentication in Financial Services

An open letter released on Monday, signed by more than 60 privacy rights groups, NGOs and academics, among others, calls on the European Commission to uphold "the rights of EU citizens and residents" by referring all non-compliant EU member states to the CJEU for sanctions.

Signatories to the "stop data retention" letter include Bits of Freedom, Digital Rights Ireland, Electronic Frontier Norway, Franciliens.net as well as the U.K.'s Liberty, Open Rights Group and Privacy International.

"Blanket and indiscriminate retention of communications data - who we interact with, as well as when, how, and where - is a very intrusive form of surveillance. Communications data is no less sensitive than the content of communications," Privacy International says in a statement. "Despite two major rulings by the CJEU, which made blanket and indiscriminate retention of personal data unlawful, the majority of EU member states have yet to stop the form of surveillance."

Indeed, numerous governments do not appear to have altered their bulk data collection practices. Two years ago, the U.K. Parliament passed the controversial Investigatory Powers Act 2016. The much pilloried legislation - branded the Snooper's Charter by critics - enshrines the government's right to "bulk data collection" despite the CJEU having previously ruled that such untargeted collection violates human rights (see Britain's New Mass Surveillance Law Presages Crypto Fight).

"The courts were completely clear: no blanket retention," says Jim Killock, executive director at Open Rights Group. "Governments do not get to pick and choose what courts tell them."

But Corey Stoughton, Liberty's advocacy director, says the U.K. government "knows full well that it's breaking the law" and by doing so, violating people's privacy rights. "Every single day intelligence agencies collect details of thousands of our calls and messages in arrogant defiance of the courts," Stoughton says. "By invading our privacy they undermine our free press, our freedom of speech and our ability to explore new ideas."

But in April, the U.K.'s High Court of Justice gave the government six months to redraft the Investigatory Powers Act after ruling that the law was incompatible with EU law on two fronts. "Access to retained data is not limited to the purpose of combating 'serious crime," the court found. In addition, it said, "access to retained data is not subject to prior review by a court or an independent administrative body."

Data Retention Directive: Invalid

In the EU, bulk data retention was enshrined via the Data Protection Directive of 2006, formally known as Directive 2006/24 of the European Parliament. The directive concerns "the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks."

As is typical with a directive, EU member states had transposed it into national law.

But in 2014, the CJEU ruled that the directive was invalid. In December 2016, it reiterated the same principles in a ruling that touched on two joined cases - Tele2 Sverige AB and Watson, the latter referring to a case filed by U.K. Labour MP Tom Watson, currently the deputy leader of the party.

In its ruling, the court stated that the Data Retention Directive "exceeds the limits of what is strictly necessary and cannot be considered to be justified, within a democratic society."

Despite the 2014 and 2016 rulings, Privacy International says that of the 28 EU member states, it still counts at least 17 countries that mandate "general and non-targeted bulk data retention," in violation of CJEU's rulings.

Those countries are Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, France, Germany, Hungary, Ireland, Italy, Luxembourg, Poland, Portugal, Slovenia, Spain, Sweden and the United Kingdom.

Complaints Filed in 11 Countries

The publishing of the open letter has been accompanied by privacy groups filing complaints with the European Commission against 11 of those EU member states - Belgium, Czech Republic, France, Germany, Ireland, Italy, Poland, Portugal, Spain, Sweden and the United Kingdom - seeking an end to their mass surveillance practices.

Owing to governments failing to alter their legal frameworks in response to the CJEU of the rulings, privacy groups want to see a crackdown.

"We are filing complaints to the European Commission, to demand action, and to stand for the protection of fundamental rights enshrined in Articles 7, 8 and 11 of the Charter of Fundamental Rights of the European Union, as interpreted by the Grand Chamber of the European Court of Justice," the group says.

"We call for the application of sanctions for non-compliant member states by referring to the Court of Justice, which should logically strike down all current data retention national frameworks," the group says.

Campaigners say action by EU officials is overdue.

"There should have been no need ... to file complaints to the European Commission," says Tomaso Falchetta, head of advocacy and policy at Privacy International. "Governments have already been told clearly and unequivocally through two key rulings that they must stop blanket and indiscriminate retention of personal data. In a world when more and more data can be generated, collected, shared, and exploited by governments and companies alike, strong privacy protections must be enforced."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.co.uk, you agree to our use of cookies.