Government-led mass surveillance schemes in Belgium, France and the United Kingdom were delivered a potential blow by an opinion from the advocate-general of the EU's top court in Luxembourg on Wednesday (15 January).

While not binding, the opinion is already being celebrated as a victory among some privacy defenders, amid their larger efforts to curtail abusive policies that force companies to blanket retain the personal data of people for police and national security access.

Student or retired? Then this plan is for you.

The opinion noted, among other things, that state efforts to combat terrorism must comply with EU privacy laws.

"This is good news," Diego Naranjo of the Brussels-based European Digital Rights group told EUobserver, noting governments may no longer use national security as an excuse to ignore an EU law known as the e-privacy directive to sweep up telecommunication data.

Naranjo believes the judges at the Luxembourg-based European Court of Justice (ECJ) are likely to follow the opinion because of pre-existing case law that also aligns to views held by civil society and academics alike.

The court had in 2014 already declared the EU data retention directive invalid and then two years later, in a separate case, ruled that the general and indiscriminate retention of communications was unlawful.

Similar comments were made by the London-based charity Privacy International, who had filed the initial complaint against the UK. In a statement, Privacy International's legal director Caroline Wilson Palow described the opinion as a boost for privacy.

"We all benefit when robust rights schemes, like the EU Charter of Fundamental Rights, are applied and followed. If the court agrees with the AG's opinion, then unlawful bulk-surveillance schemes, including one operated by the UK, will be reined in," she said.

Spy and security agencies

Should the ECJ follow the opinion then government access to things like traffic and location data will be more much restricted, requiring all three countries to possibly amend their own rulebooks.

The issue revolves around a series of national laws that allow spy and security agencies total access to phone and internet users' data.

In the UK, the current law means requiring companies to hand over in bulk all communication data to the security and intelligence agencies. In France, it means making the firms retain subscriber traffic and location data.

Manuel Campos Sánchez-Bordona, the advocate-general behind the opinion, was more forgiving in the Belgian case noting its law could be maintained in "exceptional and temporary basis" and only for a limited time and when absolutely needed.

But his broad assessment was clear. Sánchez-Bordona said the "means and methods of combating terrorism must be compatible with the requirements of the rule of law."

That includes limiting access to data following a prior review carried out either by a court or by an independent administrative authority.

And - if it doesn't jeapordise ongoing investigations - people should also be notified if their details are being accessed.

However, the advocate-general also left the door open to wider surveillance "in exceptional situations characterised by an imminent threat or an extraordinary risk."

Terror threat

Whatever the outcome of the final judgement, authorities in Belgium and France, not withstanding the UK's end-of-the-month exit from the European Union, are likely to take issue with the opinion.

All three had suffered major terrorist attacks in recent years.

The French ministry of defence in 2016 had already tried to dismiss the case brought against it by the Paris-based NGO La Quadrature du Net. Similar efforts were tabled by France's prime minister in 2016 and then again in 2018.