Cases of ‘general and indiscriminate’ data retention by EU national security authorities seriously interfere with the privacy protections enshrined in the EU Charter of Fundamental Rights, according to a non-binding opinion from the European Court of Justice delivered on Wednesday (15 January).

Advocate General Manuel Campos Sánchez-Bordona submitted an opinion on cases involving authorities in the UK, France and Belgium, and whether security agencies should be able to access data held by electronic communications providers.

The ECJ will consider the Advocate-General’s opinion and issue its own judgment in the forthcoming months.

On Wednesday, Sánchez-Bordona noted that the “general and indiscriminate retention of all traffic and location data of all subscribers and registered users is disproportionate” and authorities should rather conduct a “limited and discriminate retention of data,” unless in the case of a ‘state of emergency’ whereby national legislation could make the provision for “imposing an obligation to retain data that is extensive and general.”

ePrivacy directive

The relevant law in the Advocate General’s opinion is the 2002 ePrivacy directive.

Article 15(1) of the law states that member states have the authority to pass legislation that puts limits on electronic communications privacy rights, “when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security,” as well as in the case of preventing criminal activity.”

While Sánchez-Bordona stated that the EU’s ePrivacy directive protects national security services in the retention of user data when such an activity is carried out solely by a public authority, he also said that when private companies are involved in the storing of data, even in the case of national security, then EU law precludes national legislation.

EU Charter

With reference to French legislation which forces telecoms firms to retain, “in a general and indiscriminate fashion,” the traffic and location data of users, the Advocate General concluded that the measures provide a “particularly serious interference in the fundamental rights enshrined in the Charter.”

Article 8 of the EU Charter of Fundamental Rights covers the protection of personal data for EU subjects.

Sánchez-Bordona added that the French legislation equally contravenes the ePrivacy directive, in that it “imposes no obligation to notify the data subject of the processing of their personal data.”

Privacy activists praised the opinion delivered from the ECJ.

“The opinion is a win for privacy. We all benefit when robust rights schemes, like the EU Charter of Fundamental Rights, are applied and followed,” said Caroline Wilson Palow, legal director of Privacy International.

UK Surveillance operations

Referring to Sánchez-Bordona’s opinion that UK legislation, which provides for the bulk acquisition and use of communications data by intelligence agencies, is precluded by the ePrivacy directive, Palow said that, should the Court agree with the opinion, bulk surveillance operations should be reined in.

In 2018, the European Court of Human Rights ruled that GCHQ, the UK government’s intelligence and security organisation, had breached human rights in its mass surveillance programme, being in violation of Article 8 of the Charter.

The court also observed that of the data under surveillance, no safeguards were put in place to ensure the protection of confidential material that was obtained, breaching Article 10, freedom of expression. The judges found that the data retrieved by GCHQ’s surveillance programme “could reveal a great deal about a person’s habit and contacts.”

Meanwhile, Diego Naranjo, head of policy at the digital rights advocacy group EDRi, said that Wednesday’s opinion could go some way in ensuring that the EU doesn’t attempt to propose legislation that may infringe on fundamental rights in the future.

“While combating crime and terrorism are legitimate goals, this should not come at the expense of fundamental rights,” Naranjo said in a statement. “It’s crucial to ensure that the EU upholds the Charter of Fundamental Rights and prevents any new proposal for data retention legislation of a general and indiscriminate nature.”

In 2014, the European Court of Justice declared the EU Data Retention Directive invalid saying it contravened privacy rights in the EU Charter. This resulted in an increased reliance on the ePrivacy directive’s provision for data retention regimes.

In addition, the court later ruled in the 2016 Tele2/Watson case, that general and indiscriminate retention of data was illegal.

[Edited by Zoran Radosavljevic]