Compliance Management, Government Regulations, Network Security, Privacy

EU’s privacy statutes preclude U.K.’s data retention legislation, court rules

The European Court of Justice ruled on Wednesday that the U.K.'s Data Retention and Investigatory Powers Act (DRIPA) of 2014 is effectively invalidated by European Union statutes that protect citizens from the indiscriminate collection and retention of electronic data.

The decision could theoretically give a boost to privacy advocates as they pressure to U.K. lawmakers to scale back certain controversial surveillance measures in the recently passed Investigatory Powers Act of 2016. Nicknamed the Snoopers' Charter, the legislation amended DRIPA, giving intelligence and law-enforcement authorities new powers to collect communications data and content in bulk.

However, the ruling may ultimately be marginalized by the U.K.'s eventual exit from the EU, at which time it would no longer be subject to overarching European law.

“We are disappointed with the judgment from the European Court of Justice and will be considering its potential implications,” said a spokesperson from the U.K.'s Home Office, in a statement. “It will now be for the Court of Appeal to determine the case. The government will be putting forward robust arguments to the Court of Appeal about the strength of our existing regime for communications data retention and access.

The EU Court of Justice inherited the case after the High Court of Justice of England and Wales ruled that DRIPA violated aspects of European privacy law that were previously clarified by an earlier EU Court of Justice decision concerning the retention of telecommunications data – a ruling known as the Digital Rights Ireland judgment. That decision declared invalid an older European Parliament directive that permitted the retention, in bulk, of citizens' telecom metadata for a period of six to 24 months.

Before taking up the case, the U.K. Court of Appeal requested a preliminary judgment by the EU Court of Justice to determine if national data collection laws such as DRIPA are compatible with EU law.

“In today's judgment, the Court's answer is that EU law precludes national legislation that prescribes general and indiscriminate retention of data,” the Court announced in a press release, essentially stating that EU policy supersedes any national law.

The initial legal dispute specifically concerned Article 1 of DRIPA, which states that the Secretary of State for the Home Department (more commonly known as the Home Office) has the power to require a public telecom operator to retain relevant electronic metadata on its uses if deemed necessary to achieve certain objectives, which are further articulated in the legislation.

The complainants in the case, Member of Parliament Tom Watson, Peter Brice and Geoffrey Lewis, are challenging that the Article is in violation of with the Charter of Fundamental Rights of the European Union and the European Convention on Human Rights.

The EU court's ruling also applied to a second legal dispute heard in Sweden. In this case, the telecommunications company Tele2 Sverige clashed with the Swedish National Post and Telecom Authority over its decision, following the Digital Rights Ireland case, to no longer retain customer data and also erase previously recorded data. Swedish law requires telecom services to retain all traffic and location data of its users, with no exceptions, the release explains.

The Court of Justice noted in its judgment that mass, indiscriminate retention of telecom metadata constitutes an invasion of privacy, as it is “liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as everyday habits, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.”

The Court also opined that national legislation such as those argued in the proceedings typically “does not require there to be any relationship between the data which must be retained and a threat to public security. In particular, it is not restricted to retention in relation to (i) data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime."

Such legislation “therefore exceeds the limits of what is strictly necessary and cannot be considered to be justified, within a democratic society,” the Court continued.

The Court did, however, note that European privacy protections do not preclude nations from requiring retention of limited, targeted data sets for the purposes of fighting serious crime.

“Given the importance of communications data to preventing and detecting crime, we will ensure plans are in place so that the police and other public authorities can continue to acquire such data in a way that is consistent with EU law and our obligation to protect the public,” said the spokesperson from the U.K.'s Home Office.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.