Governments may order telcos to retain customer data, but only to fight serious crime, a top European Union judge has advised.
Lobby groups European Digital Rights (EDRi) and Privacy International welcomed the recommendation, saying it adds to a growing body of legal opinion opposing mass data retention. It could even, said Privacy International, derail the U.K.'s Investigatory Powers Bill, introduced in March by Theresa May, then home secretary and now prime minister.
Advocate General Henrik Saugmandsgaard Øe advised that a general obligation to retain data may be compatible with EU law, but cautioned that laws imposing such obligations should respect personal privacy and impose strict controls on access to the retained data, its security, and the period it is kept. Furthermore, such obligations can only be justified when strictly necessary in the fight against serious crime.
Øe gave his opinion Tuesday on two cases before the Court of Justice of the EU challenging data retention laws in Sweden and the U.K. Such opinions are only advisory but are often followed by the full court, which is now beginning its deliberations on the cases.
The CJEU was called on to rule on legal questions referred by national courts in Sweden and the U.K. regarding the retention of telecommunications metadata: information about who contacted whom, when, how, and for how long. Such information can be useful in investigating crimes, but its mass retention without good reason is considered by some a breach of privacy rights.
That was the view of the CJEU when, in 2014, it struck down the 2006 EU Data Retention Directive in a case involving Digital Rights Ireland.
However, since then, EU member states have continued to introduce or enforce data retention legislation in conflict with the CJEU's ruling, according to EDRi.
"It is time for EU member states to start respecting the law. It is time for the European Commission to do its job to ensure that the law is respected," EDRi executive director Joe McNamee said via email. "Data retention is an extreme measure which can only be implemented if the criteria repeatedly laid down by the court are respected."
Privacy International general counsel Caroline Wilson Palow hopes the CJEU will follow the advocate general's opinion, which she sees as a serious blow to the U.K.'s Investigatory Powers Bill, she said via email.
The mass surveillance powers the bill would introduce go far beyond the tackling serious crime that the advocate general sees as acceptable.
"They would give a range of public bodies, not just the police and intelligence agencies, the power to access the personal data of innocent people, often without any form of warrant," she wrote.
The fate of the Investigatory Powers Bill depends on a number of factors. The upper house of the U.K.'s parliament, the House of Lords, still has a final say in its content.
Beyond that, even if the CJEU declares its surveillance powers illegal under EU law, there remains the question of whether the U.K. will remain part of the EU for long enough for it to matter. In the wake of the June 23 "Brexit" referendum vote, Prime Minister May plans to lead the U.K. out of the EU and, perhaps, beyond the reach of the CJEU's rulings.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.