At the end of January, the Advocate General (AG) of Europe’s highest court said that indiscriminate data retention is disproportionate and may breach fundamental rights.

AG Campos Sánchez-Bordona of the Court of Justice of the European Union (CJEU), was examining four cases regarding data retention regimes in France, Belgium and the UK. Specifically, under what conditions the security and intelligence agencies can access mass communications data retained by telecommunications providers.

Many governments across the continent are keen to reintroduce data retention, despite the EU Data Retention Directive being struck down by the court in 2014 for contravening privacy rights in the EU Charter. A further ruling in 2016 – in the Tele2/Watson case – found that “general and indiscriminate retention” of data was outright illegal.

But last year, the European Council said that “data retention is an essential tool for investigating serious crime efficiently.” Governments also hope to rely on special opt-outs and exemptions for national security agencies.

But the AG opinion makes clear that EU member states cannot rely on the exception of national security from the EU’s remit when they impose data retention obligations on telco providers. Essentially, the AG said that blanket retention of telecommunication data is disproportionate even to the goal of national security and combating crime and terrorism, and must be scrutinized under EU law — namely the 2002 ePrivacy Directive.

Although the AG’s opinions are not legally binding, the court usually follows the advice.

In the UK case, digital rights NGO, Privacy International, challenged the bulk acquisition and use of communications data by GCHQ, MI5 and MI6. That challenge led to the Investigatory Powers Tribunal (IPT), which asked the CJEU to decide, whether requiring telco providers to turn over communications data in bulk to the security and intelligence agencies falls within the scope of EU law. And, if so, what safeguards should apply.

The French case, brought by another civil rights NGO, La Quadrature du Net, also asked whether general and indiscriminate data retention was permissible under EU law.

Mass surveillance, even if motivated by national security concerns, is insidious and eroding of privacy rights. Not to mention the potential chilling effects on free speech and communication as citizens self-censor. Blanket retention of telecoms data is a hugely invasive surveillance measure of the entire population.

Fortunately, the AG proposes to uphold the case-law of Tele2/Watson and stressed that “a general and indiscriminate retention of all traffic and location data of all subscribers and registered users is disproportionate.” Only limited and discriminate retention is permitted under EU law, he said.

“Once again, the Advocate General of the CJEU has firmly sided to defend the right to privacy,” said Diego Naranjo, Head of Policy at European digital rights group, EDRi. “The European Commission needs to take note of yet another strong message against illegal data retention laws. While combating crime and terrorism are legitimate goals, this should not come at the expense of fundamental rights. It’s crucial to ensure that the EU upholds the Charter of Fundamental Rights and prevents any new proposal for data retention legislation of a general and indiscriminate nature.”

Caroline Wilson Palow, Legal Director of Privacy International, agreed: “The opinion is a win for privacy. We all benefit when robust rights schemes, like the EU Charter of Fundamental Rights, are applied and followed. If the Court agrees with the AG’s opinion, then unlawful bulk surveillance schemes, including one operated by the UK, will be reined in.” For now – all bets are off as to what measures a post-Brexit Britain will take.

Pirate Party MEP, Patrick Breyer, was also clear: “Blanket and indiscriminate telecommunications data retention is the most privacy invasive instrument and the least popular surveillance measure that was ever adopted by the EU. Recording all contacts and movements undermines the protection of journalistic sources, disrupts confidential counselling and can make even the highest ranking officials susceptible to blackmailing. Such invasive surveillance of the entire population is irresponsible and has repeatedly been ruled disproportionate and violating fundamental rights by the European Court of Justice. Independent studies have proven that EU countries without compulsory data retention regimes, such as Germany, are statistically just as successful in prosecuting crime as countries that rely on easy to circumvent blanket data retention laws.”

AG opinion makes clear that EU member states cannot rely on the exception of #nationalsecurity to reintroduce #dataretention. #respectdata Click to Tweet

In 2010, Breyer with more than 40,000 other people filed a complaint with the German constitutional court against Germany’s first data retention law. The Federal Constitutional Court overturned the law.

“The EU must do better in targeting criminals and sufficiently funding law enforcement rather than wildly start to gather information on the private lives of all 500 million Europeans. This metadata makes us naked and can be used to make predictions on our future movements. It is irresponsible to gather such information and expose it to risks of abuse and data theft,” continued Breyer.

The Court’s final judgment is expected in the next few months. If it follows the AG opinion, expect much grumbling followed by complex maneuvering from EU capitals as governments try to find a way around yet another roadblock. The price of privacy is constant vigilance against state mission creep.